Showing
6 changed files
with
102 additions
and
103 deletions.
@@ -1,36 +1,31 @@ | ||
# favicon.ico | ||
location = /favicon.ico { | ||
log_not_found off; | ||
access_log off; | ||
log_not_found off; | ||
access_log off; | ||
} | ||
|
||
# robots.txt | ||
location = /robots.txt { | ||
log_not_found off; | ||
access_log off; | ||
log_not_found off; | ||
access_log off; | ||
} | ||
|
||
# assets, media | ||
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { | ||
expires 7d; | ||
access_log off; | ||
expires 7d; | ||
access_log off; | ||
} | ||
|
||
# svg, fonts | ||
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ { | ||
add_header Access-Control-Allow-Origin "*"; | ||
expires 7d; | ||
access_log off; | ||
add_header Access-Control-Allow-Origin "*"; | ||
expires 7d; | ||
access_log off; | ||
} | ||
|
||
# gzip | ||
gzip on; | ||
gzip_vary on; | ||
gzip_proxied any; | ||
gzip on; | ||
gzip_vary on; | ||
gzip_proxied any; | ||
gzip_comp_level 6; | ||
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; | ||
|
||
# brotli | ||
# brotli on; | ||
# brotli_comp_level 6; | ||
# brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; | ||
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; |
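Review bot: The `add_header Access-Control-Allow-Origin "*";` inside the svg/fonts location block (present on both sides of this hunk) disables add_header inheritance for that location: nginx only inherits add_header from the outer level when the current level defines none, so headers set at server level (such as those in security.conf) are not sent on font and SVG responses. Either repeat the required headers in that block or move them into an include that every location with its own add_header pulls in. Separately, the gzip block compresses `application/json` and `text/plain`, which are typically dynamic; compressing responses that echo request data alongside secrets over TLS re-exposes the BREACH class of compression oracle, so a comment like `# gzip: intended for static asset types; review before adding dynamic types that reflect request data` would make the trade-off explicit. I cannot tell from the rendered hunk which of each duplicated pair is the new side.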
@@ -1,16 +1,16 @@ | ||
# 404 | ||
try_files $fastcgi_script_name =404; | ||
try_files $fastcgi_script_name =404; | ||
|
||
# default fastcgi_params | ||
include fastcgi_params; | ||
include fastcgi_params; | ||
|
||
# fastcgi settings | ||
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; | ||
fastcgi_index index.php; | ||
fastcgi_buffers 8 16k; | ||
fastcgi_buffer_size 32k; | ||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; | ||
fastcgi_index index.php; | ||
fastcgi_buffers 8 16k; | ||
fastcgi_buffer_size 32k; | ||
|
||
# fastcgi params | ||
fastcgi_param DOCUMENT_ROOT $realpath_root; | ||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; | ||
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/"; | ||
fastcgi_param DOCUMENT_ROOT $realpath_root; | ||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; | ||
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/"; |
@@ -1,12 +1,12 @@ | ||
# security headers | ||
add_header X-Frame-Options "SAMEORIGIN" always; | ||
add_header X-XSS-Protection "1; mode=block" always; | ||
add_header X-Content-Type-Options "nosniff" always; | ||
add_header Referrer-Policy "no-referrer-when-downgrade" always; | ||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; | ||
add_header X-Frame-Options "SAMEORIGIN" always; | ||
add_header X-XSS-Protection "1; mode=block" always; | ||
add_header X-Content-Type-Options "nosniff" always; | ||
add_header Referrer-Policy "no-referrer-when-downgrade" always; | ||
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always; | ||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||
|
||
# . files | ||
location ~ /\.(?!well-known) { | ||
deny all; | ||
} | ||
deny all; | ||
} |
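Review bot: The Content-Security-Policy value `default-src 'self' http: https: data: blob: 'unsafe-inline'` (which I take to be the new side, though the rendered hunk does not mark it) still permits script from any http or https origin plus inline script, so it does not materially constrain script injection; if it is deliberately loose for WordPress themes, say so with a comment such as `# CSP is intentionally permissive for WordPress themes/plugins; tighten script-src per site`. Listing `http:` as an allowed source next to a Strict-Transport-Security header with preload also invites mixed-content loads that HSTS cannot upgrade for third-party hosts, so `https:` alone (or adding `upgrade-insecure-requests`) would be consistent with the HSTS line that follows. `X-XSS-Protection "1; mode=block"` is no longer honoured by current browsers and OWASP now recommends `X-XSS-Protection "0"`, so the line could be changed to `add_header X-XSS-Protection "0" always;`.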
@@ -1,29 +1,32 @@ | ||
# WordPress: allow TinyMCE | ||
location = /wp-includes/js/tinymce/wp-tinymce.php { | ||
include kloudboy/php_fastcgi.conf; | ||
include nginxconfig.io/php_fastcgi.conf; | ||
} | ||
|
||
# WordPress: deny wp-content, wp-includes php files | ||
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ { | ||
deny all; | ||
deny all; | ||
} | ||
|
||
# WordPress: deny wp-content/uploads nasty stuff | ||
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ { | ||
deny all; | ||
deny all; | ||
} | ||
|
||
# WordPress: SEO plugin | ||
location ~* ^/wp-content/plugins/wordpress-seo(?:-premium)?/css/main-sitemap\.xsl$ {} | ||
|
||
# WordPress: deny wp-content/plugins (except earlier rules) | ||
location ~ ^/wp-content/plugins { | ||
deny all; | ||
deny all; | ||
} | ||
|
||
# WordPress: deny scripts and styles concat | ||
location ~* \/wp-admin\/load-(?:scripts|styles)\.php { | ||
deny all; | ||
deny all; | ||
} | ||
|
||
# WordPress: deny general stuff | ||
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ { | ||
deny all; | ||
} | ||
deny all; | ||
} |
@@ -1,50 +1,50 @@ | ||
user www-data; | ||
pid /run/nginx.pid; | ||
worker_processes auto; | ||
user www-data; | ||
pid /run/nginx.pid; | ||
worker_processes auto; | ||
worker_rlimit_nofile 65535; | ||
|
||
events { | ||
multi_accept on; | ||
worker_connections 65535; | ||
multi_accept on; | ||
worker_connections 65535; | ||
} | ||
|
||
http { | ||
charset utf-8; | ||
sendfile on; | ||
tcp_nopush on; | ||
tcp_nodelay on; | ||
server_tokens off; | ||
log_not_found off; | ||
types_hash_max_size 2048; | ||
client_max_body_size 100M; | ||
|
||
# MIME | ||
include mime.types; | ||
default_type application/octet-stream; | ||
|
||
# logging | ||
access_log /var/log/nginx/access.log; | ||
error_log /var/log/nginx/error.log warn; | ||
|
||
# SSL | ||
ssl_session_timeout 1d; | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; | ||
|
||
# Diffie-Hellman parameter for DHE ciphersuites | ||
ssl_dhparam /etc/nginx/ssl/dhparam.pem; | ||
|
||
# Mozilla Intermediate configuration | ||
ssl_protocols TLSv1.2 TLSv1.3; | ||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | ||
|
||
# OCSP Stapling | ||
ssl_stapling on; | ||
ssl_stapling_verify on; | ||
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s; | ||
resolver_timeout 2s; | ||
|
||
# load configs | ||
include /etc/nginx/conf.d/*.conf; | ||
include /etc/nginx/sites-enabled/*; | ||
} | ||
charset utf-8; | ||
sendfile on; | ||
tcp_nopush on; | ||
tcp_nodelay on; | ||
server_tokens off; | ||
log_not_found off; | ||
types_hash_max_size 2048; | ||
client_max_body_size 100M; | ||
|
||
# MIME | ||
include mime.types; | ||
default_type application/octet-stream; | ||
|
||
# Logging | ||
access_log /var/log/nginx/access.log; | ||
error_log /var/log/nginx/error.log warn; | ||
|
||
# SSL | ||
ssl_session_timeout 1d; | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; | ||
|
||
# Diffie-Hellman parameter for DHE ciphersuites | ||
ssl_dhparam /etc/nginx/dhparam.pem; | ||
|
||
# Mozilla Intermediate configuration | ||
ssl_protocols TLSv1.2 TLSv1.3; | ||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | ||
|
||
# OCSP Stapling | ||
ssl_stapling on; | ||
ssl_stapling_verify on; | ||
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] 208.67.222.222 208.67.220.220 [2620:119:35::35] [2620:119:53::53] valid=60s; | ||
resolver_timeout 2s; | ||
|
||
# Load configs | ||
include /etc/nginx/conf.d/*.conf; | ||
include /etc/nginx/sites-enabled/*; | ||
} |
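Review bot: The block under `# Mozilla Intermediate configuration` omits `ssl_prefer_server_ciphers off;`, which the Mozilla intermediate profile for nginx includes so that the client's ordering among the listed AEAD suites is used; adding that single line keeps the block faithful to its comment. `ssl_stapling_verify on;` only validates stapled responses when `ssl_trusted_certificate` is also configured, which would have to be in the server blocks outside this file, so a comment at that line noting the dependency would save a misconfiguration (e.g. `# requires ssl_trusted_certificate in each server block`). The resolver list now adds IPv6 addresses; on a host without IPv6 routing nginx may log resolver send errors for those entries, so a short comment such as `# IPv6 resolvers: remove if the host has no IPv6 route` would make that expectation visible.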