You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
312 lines
9.7 KiB
312 lines
9.7 KiB
#--MULTISITE--if (!-e $request_filename) {
|
|
#--MULTISITE--rewrite /wp-admin$ $scheme://$host$uri/ permanent;
|
|
#--MULTISITE--rewrite ^__PATH__(/[^/]+)?(/wp-.*) __PATH__$2 last;
|
|
#--MULTISITE--rewrite ^__PATH__(/[^/]+)?(/.*\.php)$ __PATH__$2 last;
|
|
#--MULTISITE--}
|
|
|
|
# fallback for robots.txt with default wordpress rules
|
|
location @robots {
|
|
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
|
|
}
|
|
|
|
location @empty_gif {
|
|
empty_gif;
|
|
}
|
|
|
|
add_header X-fastcgi-cache $upstream_cache_status;
|
|
|
|
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
|
|
location __PATH__/ {
|
|
|
|
# Path to source
|
|
alias __FINALPATH__/;
|
|
|
|
index index.php;
|
|
if (!-e $request_filename)
|
|
{
|
|
rewrite ^(.+)$ __PATH__/index.php?q=$1 last;
|
|
}
|
|
|
|
# Force usage of https
|
|
if ($scheme = http) {
|
|
rewrite ^ https://$server_name$request_uri? permanent;
|
|
}
|
|
|
|
client_max_body_size 1G;
|
|
location ~ [^/]\.php(/|$) {
|
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
|
|
fastcgi_index index.php;
|
|
include fastcgi_params;
|
|
fastcgi_param REMOTE_USER $remote_user;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
try_files $uri =404;
|
|
fastcgi_cache_bypass $skip_cache;
|
|
fastcgi_no_cache $skip_cache;
|
|
fastcgi_cache __NAME__;
|
|
fastcgi_cache_valid 60m;
|
|
}
|
|
|
|
##### CACHE CONFIGURATION #####
|
|
|
|
set $skip_cache 0;
|
|
|
|
# POST requests and urls with a query string should always go to PHP
|
|
if ($request_method = POST) {
|
|
set $skip_cache 1;
|
|
}
|
|
if ($query_string != "") {
|
|
set $skip_cache 1;
|
|
}
|
|
|
|
# Don't cache uris containing the following segments
|
|
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
|
|
set $skip_cache 1;
|
|
}
|
|
|
|
# Don't use the cache for logged in users or recent commenters
|
|
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
|
|
set $skip_cache 1;
|
|
}
|
|
|
|
location ~ /purge(/.*) {
|
|
fastcgi_cache_purge __NAME__ "$scheme$request_method$host$1";
|
|
}
|
|
|
|
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
|
|
access_log off; log_not_found off; expires max;
|
|
}
|
|
|
|
location ~ /\. { deny all; access_log off; log_not_found off; }
|
|
|
|
##### SECURITY CONFIGURATION #####
|
|
|
|
location = /wp-login.php {
|
|
limit_req zone=one burst=1 nodelay;
|
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
|
|
fastcgi_index index.php;
|
|
include fastcgi_params;
|
|
fastcgi_param REMOTE_USER $remote_user;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
try_files $uri =404;
|
|
fastcgi_cache_bypass $skip_cache;
|
|
fastcgi_no_cache $skip_cache;
|
|
fastcgi_cache __NAME__;
|
|
fastcgi_cache_valid 60m;
|
|
}
|
|
# Prevent DoS attacks on wp-cron
|
|
location = /wp-cron.php {
|
|
limit_req zone=two burst=1 nodelay;
|
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
|
|
fastcgi_index index.php;
|
|
include fastcgi_params;
|
|
fastcgi_param REMOTE_USER $remote_user;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
try_files $uri =404;
|
|
fastcgi_cache_bypass $skip_cache;
|
|
fastcgi_no_cache $skip_cache;
|
|
fastcgi_cache __NAME__;
|
|
fastcgi_cache_valid 60m;
|
|
}
|
|
# Prevent DoS attacks with xmlrpc.php
|
|
location = /xmlrpc.php {
|
|
limit_req zone=two burst=1 nodelay;
|
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
|
|
fastcgi_index index.php;
|
|
include fastcgi_params;
|
|
fastcgi_param REMOTE_USER $remote_user;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
try_files $uri =404;
|
|
fastcgi_cache_bypass $skip_cache;
|
|
fastcgi_no_cache $skip_cache;
|
|
fastcgi_cache __NAME__;
|
|
fastcgi_cache_valid 60m;
|
|
}
|
|
# Disable wp-config.txt
|
|
location = /wp-config.txt {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
location = /robots.txt {
|
|
# Some WordPress plugin gererate robots.txt file
|
|
# Refer #340 issue
|
|
try_files $uri $uri/ /index.php?$args @robots;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
# webp rewrite rules for jpg and png images
|
|
# try to load alternative image.png.webp before image.png
|
|
location /wp-content/uploads {
|
|
location ~ \.(png|jpe?g)$ {
|
|
add_header Vary "Accept-Encoding";
|
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
|
more_set_headers "Cache-Control : public, no-transform";
|
|
access_log off;
|
|
log_not_found off;
|
|
expires max;
|
|
try_files $uri$webp_suffix $uri =404;
|
|
}
|
|
location ~* \.(php|gz|log|zip|tar|rar|xz)$ {
|
|
#Prevent Direct Access Of PHP Files & Backups from Web Browsers
|
|
deny all;
|
|
}
|
|
}
|
|
# webp rewrite rules for EWWW testing image
|
|
location /wp-content/plugins/ewww-image-optimizer/images {
|
|
location ~ \.(png|jpe?g)$ {
|
|
add_header Vary "Accept-Encoding";
|
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
|
more_set_headers "Cache-Control : public, no-transform";
|
|
access_log off;
|
|
log_not_found off;
|
|
expires max;
|
|
try_files $uri$webp_suffix $uri =404;
|
|
}
|
|
location ~ \.php$ {
|
|
#Prevent Direct Access Of PHP Files From Web Browsers
|
|
deny all;
|
|
}
|
|
}
|
|
# enable gzip on static assets - php files are forbidden
|
|
location /wp-content/cache {
|
|
# Cache css & js files
|
|
location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
|
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
|
access_log off;
|
|
log_not_found off;
|
|
expires 30d;
|
|
}
|
|
location ~ \.php$ {
|
|
#Prevent Direct Access Of PHP Files From Web Browsers
|
|
deny all;
|
|
}
|
|
}
|
|
# Deny access to any files with a .php extension in the uploads directory
|
|
# Works in sub-directory installs and also in multisite network
|
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
|
location ~* /(?:uploads|files)/.*\.php$ {
|
|
deny all;
|
|
}
|
|
# mitigate DoS attack CVE with WordPress script concatenation
|
|
# add the following line to wp-config.php
|
|
# define( 'CONCATENATE_SCRIPTS', false );
|
|
location ~ \/wp-admin\/load-(scripts|styles).php {
|
|
deny all;
|
|
}
|
|
# Protect Easy Digital Download files from being accessed directly.
|
|
location ~ ^/wp-content/uploads/edd/(.*?)\.zip$ {
|
|
rewrite / permanent;
|
|
}
|
|
|
|
##### ADDITIONAL LOCATIONS #####
|
|
|
|
# Basic locations files
|
|
location = /favicon.ico {
|
|
try_files /wp-content/uploads/fbrfg/favicon.ico $uri $uri/ /index.php?$args @empty_gif;
|
|
access_log off;
|
|
log_not_found off;
|
|
expires max;
|
|
}
|
|
|
|
# Cache static files
|
|
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest|cast)$ {
|
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
|
more_set_headers "Cache-Control : public, no-transform";
|
|
access_log off;
|
|
log_not_found off;
|
|
expires max;
|
|
}
|
|
# Cache css & js files
|
|
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
|
more_set_headers "Cache-Control : public, no-transform";
|
|
access_log off;
|
|
log_not_found off;
|
|
expires 30d;
|
|
}
|
|
# Security settings for better privacy
|
|
# Deny hidden files
|
|
location ~ /\.(?!well-known\/) {
|
|
deny all;
|
|
}
|
|
# letsencrypt validation
|
|
location /.well-known/acme-challenge/ {
|
|
alias /var/www/html/.well-known/acme-challenge/;
|
|
allow all;
|
|
auth_basic off;
|
|
}
|
|
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
|
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
|
deny all;
|
|
}
|
|
# Deny backup extensions & log files and return 403 forbidden
|
|
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf|gz|zip|bz2|7z|pem|asc|conf|dump)$" {
|
|
deny all;
|
|
}
|
|
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
|
deny all;
|
|
}
|
|
|
|
# block base64_encoded content
|
|
location ~* "(base64_encode)(.*)(\()" {
|
|
deny all;
|
|
}
|
|
|
|
# block javascript eval()
|
|
location ~* "(eval\()" {
|
|
deny all;
|
|
}
|
|
|
|
# Additional security settings
|
|
|
|
location ~* "(127\.0\.0\.1)" {
|
|
deny all;
|
|
}
|
|
location ~* "([a-z0-9]{2000})" {
|
|
deny all;
|
|
}
|
|
location ~* "(javascript\:)(.*)(\;)" {
|
|
deny all;
|
|
}
|
|
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
|
|
deny all;
|
|
}
|
|
location ~* "(<|%3C).*script.*(>|%3)" {
|
|
deny all;
|
|
}
|
|
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
|
|
deny all;
|
|
}
|
|
location ~* "(boot\.ini|etc/passwd|self/environ)" {
|
|
deny all;
|
|
}
|
|
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
|
|
deny all;
|
|
}
|
|
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
|
|
deny all;
|
|
}
|
|
location ~* "(https?|ftp|php):/" {
|
|
deny all;
|
|
}
|
|
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
|
|
deny all;
|
|
}
|
|
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
|
|
deny all;
|
|
}
|
|
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
|
|
deny all;
|
|
}
|
|
|
|
# Include SSOWAT user panel.
|
|
include conf.d/yunohost_panel.conf.inc;
|
|
}
|