Nginx Config Sites Available With Redirect Non Www To Www
# snippets/block.conf — request-path deny list, pulled into every server on this page via `include`.
# How these rules apply (nginx location semantics):
#  * a regex `location` is matched against the normalized $uri only — %XX decoded, `.`/`..`
#    resolved, repeated slashes merged — never against the query string, headers or body, so this
#    is a coarse path filter, not a WAF;
#  * regex locations are tried in configuration order and the first match wins, which is why each
#    server includes this file BEFORE php.conf / locations.conf;
#  * `~*` is case-insensitive, `~` case-sensitive; `deny all` answers 403.
# "eval(" anywhere in the path.
location ~* "(eval\()" { deny all; }
# the literal loopback address in the path.
location ~* "(127\.0\.0\.1)" { deny all; }
# 2000 consecutive alphanumerics (oversized path segment).
location ~* "([a-z0-9]{2000})" { deny all; }
# "javascript:" … ";" sequence.
location ~* "(javascript\:)(.*)(\;)" { deny all; }
# "base64_encode" followed later by "(".
location ~* "(base64_encode)(.*)(\()" { deny all; }
# GLOBALS / REQUEST followed by "=", "[" or "%".
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; }
# "<" or "%3C", then "script", then ">" or "%3". `%3` (not `%3E`) is as written; because matching
# happens after decoding, the %-forms only ever apply to double-encoded input.
location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
# Case-sensitive: "...", "../", "~", backtick, "<", ">", "|".
# NOTE(review): nginx collapses `\\` inside a double-quoted token to a single `\`, so the first
# alternative reaches PCRE as `\|\.\.\.` (literal "|...") and a lone backslash is very likely NOT
# denied — write `\\\\` for a literal backslash; verify with a test request. The `../` alternative
# is dead against $uri, which has `..` already resolved.
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
# Classic local-file probe names.
location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
# thumb/thumbs[_editor|open].php and tim/timthumb.php.
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
# A quote followed later by an SQL keyword — path only; query strings are not inspected here.
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
# A URL scheme embedded in the path.
location ~* "(https?|ftp|php):/" { deny all; }
# Quote after "=" or at a segment boundary (raw or %27) followed by a dot.
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
# Path whose last segment is "$", "$&", "*", '"', ".", ",", "&", "&amp" or "&amp;".
location ~* "/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$" { deny all; }
# "{0}", "(/(", "...", "+++" or a pair of double quotes.
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
# Any of: ~ ` < > : ; % \ whitespace { } [ ] |. Overlaps with the rule above for ~ ` < > |.
# NOTE(review): same `\\` collapse as above — `\\|\s` reaches PCRE as `\|\s` (literal "|" plus
# whitespace), so a lone backslash and a lone decoded space are probably not denied by this line.
# `%` only matches double-encoded input, and `:` rejects any path containing a colon.
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
# "/=", "/$&", "/_mm", "/config." or "/wp-config.", "/cgi-", "/etc/passwd", "/muieblack".
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
# Assorted scanner signatures; "etc/passwd", "eval(" and "self/environ" repeat earlier rules.
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
# Paths ENDING in one of these extensions. `bak?` is "ba" or "bak", so ".ba" is denied too
# (presumably `bak` was meant). `exe`/`tar` here override the static-cache location in
# locations.conf, which is included later.
location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
# Known shell/probe script names. The `^$` alternative can never match (a `/` precedes the
# start anchor) and is dead.
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }
# Catch-all for port-80 requests whose Host matches no other server_name (`default_server` plus
# the `_` placeholder name). Note there is no `listen 443 default_server` anywhere on this page,
# so an HTTPS request for an unknown name lands in whichever `listen 443` server nginx loads first.
server {
listen 80 default_server;
root /home/nginx/domains/default/public_html;
# Access logging is disabled for this vhost; only error.log is written.
access_log off;
error_log /home/nginx/domains/default/logs/error.log;
# Add index.php to the list if you are using PHP
index index.php index.html;
server_name _;
# Regex locations are matched in configuration order: block.conf's deny rules must precede the
# `~ \.php$` and static-file locations that php.conf / locations.conf add.
include snippets/block.conf;
include snippets/php.conf;
include snippets/locations.conf;
}
# Plain-HTTP entry point for both hostnames: always upgrade to the canonical https://www host.
# $request_uri carries the original path and query string, so deep links survive the redirect.
server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://www.domain.com$request_uri;
}
# HTTPS apex → https://www redirect. The TLS handshake completes before the redirect is sent, so
# this server needs a certificate valid for domain.com; the Let's Encrypt fullchain is reused.
server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
# Same TLS parameters as the main site, including the HSTS add_header, so the redirect
# response itself carries Strict-Transport-Security.
include snippets/openssl.conf;
server_name domain.com;
return 301 https://www.domain.com$request_uri;
}
# Canonical HTTPS site (www). The document root is the `public` subdirectory, so only that
# subtree is served; the rest of public_html stays outside the web root.
server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
root /home/nginx/domains/domain.com/public_html/public;
# Access logging is disabled for this vhost; only error.log is written.
access_log off;
error_log /home/nginx/domains/domain.com/logs/error.log;
# Add index.php to the list if you are using PHP
index index.php index.html;
server_name www.domain.com;
# Regex locations are matched in configuration order, so block.conf's deny rules must stay
# ahead of the `~ \.php$` and static-file locations that follow.
include snippets/block.conf;
include snippets/php.conf;
include snippets/locations.conf;
# TLS parameters plus the HSTS add_header. That header is NOT inherited by the static-file
# location in locations.conf, which declares its own add_header (nginx inherits add_header
# only into levels that define none).
include snippets/openssl.conf;
}
# Plain-HTTP variant of the apex → www redirect (alternative to the TLS setup above).
# No `listen` directive: nginx then listens on *:80 (or *:8000 when not started as root).
# $scheme keeps whichever scheme the request arrived on instead of forcing https.
server {
server_name domain.com;
return 301 $scheme://www.domain.com$request_uri;
}
# Plain-HTTP variant of the www site (no TLS, hence no openssl.conf include and no HSTS).
# Unlike the HTTPS variant above, root is public_html itself rather than its `public` subdir.
server {
listen 80;
root /home/nginx/domains/domain.com/public_html;
# Access logging is disabled for this vhost; only error.log is written.
access_log off;
error_log /home/nginx/domains/domain.com/logs/error.log;
# Add index.php to the list if you are using PHP
index index.php index.html;
server_name www.domain.com;
# Regex locations are matched in configuration order: keep block.conf ahead of php.conf.
include snippets/block.conf;
include snippets/php.conf;
include snippets/locations.conf;
}
# Browsers request /favicon.ico unprompted: keep it out of the logs and let a present one be
# cached indefinitely. `=` is an exact-match location, checked before any regex location.
location = /favicon.ico {
access_log off;
# No "file not found" entries in error.log for this path.
log_not_found off;
# Far-future Expires plus a 10-year Cache-Control max-age.
expires max;
}
location = /robots.txt {
# Some WordPress plugins generate the robots.txt file dynamically, so a missing file falls
# through to the front controller (index.php) instead of answering 404.
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
}
# Cache static files
# Long-lived caching for assets matched by extension (regex, so only reached when no earlier
# regex location matched). Two things to know:
#  * declaring add_header HERE suppresses every server-level add_header for these responses
#    (e.g. the HSTS header from openssl.conf); repeat those headers in this block if static
#    assets must carry them too;
#  * `exe` and `tar` never reach this location in the servers on this page, because block.conf
#    (included first) already denies those extensions.
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
# Wildcard CORS: any origin may read these files cross-site (presumably for web fonts — confirm
# that nothing sensitive is served under these extensions).
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
# Far-future Expires plus a 10-year Cache-Control max-age.
expires max;
}
# Security settings for better privacy
# Deny hidden files
# Two regex locations whose ORDER is the point: `/\.well-known` is listed before the generic `/\.`
# deny because the first matching regex location wins. `allow all` is the only directive here, so
# the request is served from the server's root as an ordinary static file.
location ~ /\.well-known {
allow all;
}
# Every other dot-prefixed path segment (e.g. /.git/, /.env, /.htaccess) answers 403 and is
# kept out of both logs.
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny backup extensions & log files
# Matches on the final extension of the normalized $uri (`^.+\.` requires something before the
# dot). `php#`, `php~` and `php_bak` are editor/backup copies of PHP sources: `~ \.php$` would not
# match them, so without this rule nginx would serve them raw as static files. `.bak`, `.log`,
# `.sql` and `.swp` are also denied by block.conf; the two lists overlap rather than conflict.
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
# Server-level `if` + `return` is one of the forms of `if` that nginx documents as safe. `$uri` is
# the decoded, normalized path and `~*` makes this case-insensitive (README.TXT too). `^.+` means
# any path ENDING in one of these names matches, e.g. /wp-readme.txt as well as /readme.txt.
# Presumably meant to hide framework/plugin readme files that reveal versions.
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
}
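# snippets/openssl.conf — TLS parameters shared by every `listen 443 ssl` server on this page.
# Pin the protocol set explicitly: with no ssl_protocols directive nginx uses its build default,
# which in releases 1.9.1–1.23.3 is `TLSv1 TLSv1.1 TLSv1.2`. Add TLSv1.3 once nginx/OpenSSL
# on the host support it.
ssl_protocols TLSv1.2;
# Let the server's cipher order (below) win over the client's; nginx defaults this to off.
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Cipher list kept exactly as the author wrote it. NOTE(review): it still ends with CBC suites,
# CAMELLIA and DES-CBC3-SHA (3DES); trim those once client compatibility is confirmed.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
# ssl_stapling_verify only verifies the OCSP response when the issuer chain is supplied through
# ssl_trusted_certificate; none is configured here — add `ssl_trusted_certificate <issuer-chain.pem>;`
# (placeholder: path to the CA chain file) alongside the certificate paths in each server.
ssl_stapling_verify on;
# HSTS: 15768000 s ≈ 6 months, no includeSubDomains. Inherited by a location only if it declares
# no add_header of its own (the static-file location in locations.conf does, so it drops this).
add_header Strict-Transport-Security max-age=15768000;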
# Front controller + PHP-FPM handoff (variant with a per-server $php_version variable).
location / {
# A real file or directory wins; everything else is routed to index.php with the query string.
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# NOTE(review): the snippet is not on this page; it is expected to supply the `try_files … =404`
# / fastcgi_split_path_info guard that keeps non-existent .php paths from being passed to FPM — confirm.
include snippets/fastcgi-php.conf;
# Socket name follows the PHP version (e.g. php7.1-fpm.sock). $php_version is not defined anywhere
# on this page: it must be set in the including server/http context (`set` or `map`), otherwise
# nginx rejects the configuration with an unknown-variable error at load time.
fastcgi_pass unix:/var/run/php$php_version-fpm.sock;
}
# Front controller + PHP-FPM handoff, PHP 5.x (unversioned socket name).
location / {
# A real file or directory wins; everything else is routed to index.php with the query string.
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# NOTE(review): the snippet is not on this page; it is expected to supply the `try_files … =404`
# / fastcgi_split_path_info guard that keeps non-existent .php paths from being passed to FPM — confirm.
include snippets/fastcgi-php.conf;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
# Front controller + PHP-FPM handoff, PHP 5.6 socket.
location / {
# A real file or directory wins; everything else is routed to index.php with the query string.
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# NOTE(review): the snippet is not on this page; it is expected to supply the `try_files … =404`
# / fastcgi_split_path_info guard that keeps non-existent .php paths from being passed to FPM — confirm.
include snippets/fastcgi-php.conf;
# With php5.6-fpm:
fastcgi_pass unix:/var/run/php5.6-fpm.sock;
}
# Front controller + PHP-FPM handoff, PHP 7.1 socket.
location / {
# A real file or directory wins; everything else is routed to index.php with the query string.
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# NOTE(review): the snippet is not on this page; it is expected to supply the `try_files … =404`
# / fastcgi_split_path_info guard that keeps non-existent .php paths from being passed to FPM — confirm.
include snippets/fastcgi-php.conf;
# With php7.1-fpm:
fastcgi_pass unix:/var/run/php7.1-fpm.sock;
}
# Upstream-facing headers for a proxy_pass location (the location itself is not on this page).
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever X-Forwarded-For the client already
# sent, so the upstream must trust only the last (rightmost) entry, never the first.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
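# ACME / well-known challenge directory served from a shared path outside the site root.
# `^~` makes this prefix location win over regex locations, which otherwise take precedence:
# with a plain `location /.well-known`, the `location ~ /\.well-known` and `location ~ /\.`
# patterns in snippets/locations.conf match first and this alias never applies.
# The trailing slashes scope the match to the directory (a bare `/.well-known` prefix would
# also match `/.well-knownanything`).
location ^~ /.well-known/ {
alias /var/www/.well-known/;
}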
@fer-ri

fer-ri commented Aug 30, 2017

nginx: How To Block Exploits, SQL Injections, File Injections, Spam, User Agents, Etc.

https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc

dr cemola 👍

@fer-ri

fer-ri commented Sep 4, 2017

Test add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

https://gist.github.com/plentz/6737338

https://cipherli.st/

https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8

@fer-ri

fer-ri commented Nov 13, 2017

Remove Index.php

# Remove index.php$
# Server-level: $request_uri is the raw request line (path plus query string), so this only fires
# when the request ends exactly in index.php; $1 is the `if` regex capture (e.g. /foo/index.php →
# 301 /foo/). 301 applies to POST as well, which browsers generally replay as GET.
if ($request_uri ~* "^(.*/)index\.php$") {
    return 301 $1;
}

location / {
    try_files $uri $uri/ /index.php?$query_string;

    # Remove from everywhere index.php
    # $3 carries whatever followed index.php (a query string or a path tail), so
    # /foo/index.php?x=1 → /foo/?x=1 and /foo/index.php/bar → /foo/bar.
    if ($request_uri ~* "^(.*/)index\.php(/?)(.*)") {
        return 301 $1$3;
    }
}

# Remove trailing slash.
# Only when the path is not an existing directory, so /dir/ keeps resolving to its index file.
# The rewrite regex is applied to the normalized $uri.
if (!-d $request_filename) {
    rewrite ^/(.+)/$ /$1 permanent;
}

# Clean Double Slashes
# $request_uri still shows the raw `//`; the rewrite's `^/(.*)` matches the normalized $uri
# (merge_slashes is on by default), which is why the redirect target is already collapsed.
if ($request_uri ~* "\/\/") {
    rewrite ^/(.*) /$1 permanent;
}

@fer-ri

fer-ri commented Nov 13, 2017

Page Cache

# Static page cache with explicit bypass rules. Each `if` here only issues a `return`, which is
# one of the forms of `if` inside a location that nginx documents as safe.
location / {
    # 418 is used purely as an internal signal; `=` makes the final status come from @nocache.
    error_page 418 = @nocache;

    # bypass anything that is not a GET (the original comment said POST, but HEAD etc. skip too)
    if ($request_method != GET) {
        return 418;
    }

    # bypass if has query string
    if ($query_string != "") {
        return 418;
    }

    # bypass sitemap (sitemap.xml, sitemap-posts.xml, …; the `.` before xml is unescaped, so any char)
    if ($request_uri ~* "(sitemap(.+)?.xml)") {
        return 418;
    }

    # Cache lookup first, then the normal front-controller chain. The query string is empty here
    # (checked above), but $request_uri is still the raw, un-normalized request line; $uri
    # (decoded, `..` and `//` resolved) is the safer key for a filesystem lookup.
    try_files "/page-cache/$request_uri/index.html" $uri $uri/ /index.php?$query_string;
}

location @nocache {
    # Same chain as `location /` minus the cache lookup; reached through the 418 error_page above.
    try_files $uri $uri/ /index.php?$query_string;
}

location ~ \.php$ {
    # NOTE(review): the snippet is not on this page; it is expected to supply the `try_files … =404`
    # guard that keeps non-existent .php paths from being passed to FPM — confirm.
    include snippets/fastcgi-php.conf;

    # With php5-fpm:
    fastcgi_pass unix:/var/run/php5-fpm.sock;
}
