VirtuBox · April 19, 2024 07:46
diff --git a/nginx.conf b/nginx.conf
 ##
 # Common security rules
 ##

 # Security settings for better privacy
 # Deny hidden files
 location ~ /\.(?!well-known\/) {
    deny all;
 }
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
 location ~*  "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
    deny all;
 }
 # Deny backup extensions & log files and return 403 forbidden
 location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf|gz|zip|bz2|7z|pem|asc|conf|dump)$" {
    deny all;
 }
 # block other common scans
 location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
    deny all;
 }

 # block base64_encoded content
 location ~* "(base64_encode)(.*)(\()" {
    deny all;
 }

 # block javascript eval()
 location ~* "(eval\()" {
    deny all;
 }

 ##
 # WordPress Specific
 ##

 # Prevent DoS attacks with xmlrpc.php
 location = /xmlrpc.php {
    # Whitelist Jetpack IP ranges, Allow all Communications Between Jetpack and WordPress.com
    allow 122.248.245.244/32;
    allow 54.217.201.243/32;
    allow 54.232.116.4/32;
    allow 192.0.80.0/20;
    allow 192.0.96.0/20;
    allow 192.0.112.0/20;
    allow 195.234.108.0/22;

    # Deny all other requests
    deny all;

    # Disable access and error logging
    access_log off;
    log_not_found off;

    # Limit the rate of requests to prevent DoS attacks
    limit_req zone=two burst=1 nodelay;

    # Pass the request to PHP-FPM backend
    include fastcgi_params;
    fastcgi_pass {{upstream}};
 }
 # Disable wp-config.txt
 location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
 }

 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
 }

 ##
 # Allow web browser caching and disable logging
 ##

 # Cache static files
 location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest|cast)$ {
    more_set_headers 'Access-Control-Allow-Origin : *';
    more_set_headers "Cache-Control : public, no-transform";
    access_log off;
    log_not_found off;
    expires max;
 }
 # Cache css & js files
 location ~* \.(?:css(\.map)?|js(\.map)?)$ {
    more_set_headers 'Access-Control-Allow-Origin : *';
    more_set_headers "Cache-Control : public, no-transform";
    access_log off;
    log_not_found off;
    expires 1y;
 }
	##
	# Common security rules
	##

	# Security settings for better privacy
	# Deny hidden files
	location ~ /\.(?!well-known\/) {
	deny all;
	}
	# Return 403 forbidden for readme.(txt\|html) or license.(txt\|html) or example.(txt\|html) or other common git repository files
	location ~* "/(^$\|readme\|license\|example\|README\|LEGALNOTICE\|INSTALLATION\|CHANGELOG)\.(txt\|html\|md)" {
	deny all;
	}
	# Deny backup extensions & log files and return 403 forbidden
	location ~* "\.(old\|orig\|original\|php#\|php~\|php_bak\|save\|swo\|aspx?\|tpl\|sh\|bash\|bak?\|cfg\|cgi\|dll\|exe\|git\|hg\|ini\|jsp\|log\|mdb\|out\|sql\|svn\|swp\|tar\|rdf\|gz\|zip\|bz2\|7z\|pem\|asc\|conf\|dump)$" {
	deny all;
	}
	# block other common scans
	location ~* "/(=\|\$&\|_mm\|(wp-)?config\.\|cgi-\|etc/passwd\|muieblack)" {
	deny all;
	}

	# block base64_encoded content
	location ~* "(base64_encode)(.*)(\()" {
	deny all;
	}

	# block javascript eval()
	location ~* "(eval\()" {
	deny all;
	}

	##
	# WordPress Specific
	##

	# Prevent DoS attacks with xmlrpc.php
	location = /xmlrpc.php {
	# Whitelist Jetpack IP ranges, Allow all Communications Between Jetpack and WordPress.com
	allow 122.248.245.244/32;
	allow 54.217.201.243/32;
	allow 54.232.116.4/32;
	allow 192.0.80.0/20;
	allow 192.0.96.0/20;
	allow 192.0.112.0/20;
	allow 195.234.108.0/22;

	# Deny all other requests
	deny all;

	# Disable access and error logging
	access_log off;
	log_not_found off;

	# Limit the rate of requests to prevent DoS attacks
	limit_req zone=two burst=1 nodelay;

	# Pass the request to PHP-FPM backend
	include fastcgi_params;
	fastcgi_pass {{upstream}};
	}
	# Disable wp-config.txt
	location = /wp-config.txt {
	deny all;
	access_log off;
	log_not_found off;
	}

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}

	##
	# Allow web browser caching and disable logging
	##

	# Cache static files
	location ~* \.(ogg\|ogv\|svg\|svgz\|eot\|otf\|woff\|woff2\|ttf\|m4a\|mp4\|ttf\|rss\|atom\|jpe?g\|gif\|cur\|heic\|png\|tiff\|ico\|webm\|mp3\|aac\|tgz\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav\|bmp\|rtf\|swf\|webp\|json\|webmanifest\|cast)$ {
	more_set_headers 'Access-Control-Allow-Origin : *';
	more_set_headers "Cache-Control : public, no-transform";
	access_log off;
	log_not_found off;
	expires max;
	}
	# Cache css & js files
	location ~* \.(?:css(\.map)?\|js(\.map)?)$ {
	more_set_headers 'Access-Control-Allow-Origin : *';
	more_set_headers "Cache-Control : public, no-transform";
	access_log off;
	log_not_found off;
	expires 1y;
	}