-
Notifications
You must be signed in to change notification settings - Fork 40
/
joomla.nginx.conf
437 lines (394 loc) · 14.5 KB
/
joomla.nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
server {
######################################################################
## The Master .htaccess - NginX adaptation
##
## Version 3.3
##
## This file is designed to be the template NginX server configuration file
## for your Joomla! sites. You should go through all of its sections and
## modify it to match your site. Most notably, all instances of example.com
## and example\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## This is an adaptation of my Master .htaccess, a similar file which
## I have designed for Apache-based servers. This adaptation would not
## be possible without all the wonderful people who helped me write and
## test the original Master .htaccess, the Joomla! project which now
## recommends it in its official documentation wiki and the thousands
## of Admin Tools Professional subscribers who provided invaluable
## feedback on the Master .htaccess' performance across different servers.
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
##
######################################################################
######################################################################
## Basic server setup. Change to match YOUR system!
######################################################################
# -- Basic configuration
# ---- Port to listen to. For SSL sites change this to 443.
listen 80;
# ---- Domain name(s) of this site, separated by commas
server_name www.example.com example.com www.example.org example.org;
# ---- Site root path
root /home/web/domains/www.example.com/public_html;
# ---- Path to the access log
access_log /home/web/domains/www.example.com/logs/access.log;
# ---- Path to the error log
error_log /home/web/domains/www.example.com/logs/error.log;
# ---- Custom error pages. Each error page is four lines. The first one
# defines which page will be shown for each error code. The next
# three lines make sure that the error page cannot be accessed
# directly over the web.
error_page 404 /errors/404.html;
location /errors/404.html {
internal;
}
error_page 500 /errors/500.html;
location /errors/500.html {
internal;
}
error_page 403 /errors/403.html;
location /errors/403.html {
internal;
}
######################################################################
## SSL Configuration
##
## Only use this block if you are setting up the SSL (HTTPS) server
## definition of your site.
######################################################################
ssl on;
ssl_certificate /etc/ssl/localcerts/webserver.pem;
ssl_certificate_key /etc/ssl/localcerts/webserver.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
######################################################################
## The Kitchen Sink - An array of useful and performance-tuning options
######################################################################
# -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule
client_header_timeout 10;
client_body_timeout 10;
send_timeout 30;
keepalive_timeout 40 20;
# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
connection_pool_size 8192;
client_header_buffer_size 4k;
large_client_header_buffers 8 8k;
request_pool_size 8k;
# -- Performance, see http://wiki.nginx.org/HttpCoreModule
sendfile on;
sendfile_max_chunk 1m;
postpone_output 0;
tcp_nopush on;
tcp_nodelay off;
# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
output_buffers 8 32k;
# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
charset utf-8;
source_charset utf-8;
# -- Security options, see http://wiki.nginx.org/HttpCoreModule
server_name_in_redirect off;
server_tokens off;
ignore_invalid_headers on;
# You may have to comment out the next line on multi-site installations
disable_symlinks if_not_owner;
######################################################################
## Redirect non-www to www
##
## If you enable this, disable the "Redirect www to non-www" below!
######################################################################
if ($host = 'example.com' ) {
rewrite ^/(.*)$ http://www.example.com/$1 permanent;
}
######################################################################
## Redirect www to non-www
##
## If you enable this, disable the "Redirect non-www to www" above!
######################################################################
if ($host = 'www.example.com' ) {
rewrite ^/(.*)$ http://example.com/$1 permanent;
}
######################################################################
## Redirect example.org to example.com
##
## Your server_name must include both the old and new domain names!
######################################################################
if ($host ~ "(www\.)?example.org$" ) {
rewrite ^/(.*)$ http://www.example.com/$1 permanent;
}
######################################################################
## CloudFlare support - see http://wiki.nginx.org/NginxHttpRealIpModule
## Comment out if you are not using the CloudFlare CDN
######################################################################
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
real_ip_header CF-Connecting-IP;
######################################################################
## Directory indices
## Forces index.php to be read before the index.htm(l) files
######################################################################
index index.php index.html index.htm;
######################################################################
## Status page - DISABLE THIS ON LIVE SITES!
######################################################################
location /nginx_status {
stub_status on;
access_log off;
# Remember to change this to your PC's IP address
allow 192.168.0.1;
}
######################################################################
## Google Apps redirection
## This also shows how to redirect a directory to an external server
######################################################################
location ~* /mail {
rewrite ^ http://mail.google.com/a/example.com permanent;
}
######################################################################
## Block some common exploits
######################################################################
set $common_exploit 0;
if ($query_string ~ "proc/self/environ") {
set $common_exploit 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $common_exploit 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $common_exploit 1;
}
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $common_exploit 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($common_exploit = 1) {
return 403;
}
######################################################################
## File injection protection
######################################################################
set $file_injection 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $file_injection 1;
}
if ($file_injection = 1) {
return 403;
}
######################################################################
## SQL injection first line of defence (NOT comprehensive!)
######################################################################
set $sql_injection 0;
if ($query_string ~ "concat.*\(") {
set $sql_injection 1;
}
if ($query_string ~ "union.*select.*\(") {
set $sql_injection 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $sql_injection 1;
}
if ($sql_injection = 1) {
return 403;
}
######################################################################
## Basic anti-spam
######################################################################
set $looks_like_spam 0;
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $looks_like_spam 1;
}
if ($looks_like_spam = 1) {
return 403;
}
######################################################################
## Advanced server protection rules exceptions
##
## You will DEFINITELY need to add exceptions for a lot of extensions
## to work. Yeah, I have to write an illustrated guide at some point.
## However, if you can use Firebug or Google Chrome Web Developer
## window then you can find out the exceptions all by yourself. Use the
## following as a guide.
######################################################################
# Allow direct access to a specific PHP file
location = /tmp/test.php {
fastcgi_pass $fastcgi_pass;
break;
}
# Allow direct access to a specific static (non-PHP) file
location = /administrator/test.png {
break;
}
######################################################################
## Server protection
##
## Nothing on my site runs unless I say so!
######################################################################
# Allow media files in select back-end directories
location ~* ^/administrator/(components|modules|templates|images)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ {
break;
}
# Allow media files in select front-end directories
location ~* ^/(components|modules|templates|images|plugins|media|includes/js)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ {
break;
}
# Allow access to the front-end index.php file
location = / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location = /index.php {
fastcgi_pass $fastcgi_pass;
break;
}
# Allow access to the back-end index.php file
location = /administrator {
rewrite ^ /administrator/index.php last;
}
location = /administrator/ {
rewrite ^ /administrator/index.php last;
}
location = /administrator/index.php {
fastcgi_pass $fastcgi_pass;
break;
}
# Disable access to everything else.
location ~* /.*$ {
# If it is a file, directory or symlink and I haven't deliberetaly
# enabled access to it, forbid any access to it!
if (-e $request_filename) {
return 403;
}
# In any other case, just treat as a SEF URL
try_files $uri $uri/ /index.php?q=$uri&$args;
}
######################################################################
## PHP Setup
######################################################################
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
set $fastcgi_pass "unix:/var/run/php5-fpm-web.sock";
location ~ index.php$ {
fastcgi_pass $fastcgi_pass;
}
######################################################################
## Expiration control
##
## Optimises the expiration time
######################################################################
# CSS and JavaScript : 1 week
location ~* \.(css|js)$ {
expires 1w;
}
# Image files : 1 month
location ~* \.(bmp|gif|jpg|jpeg|jp2|png|svg|tif|tiff|ico|wbmp|wbxml|smil)$ {
expires 1m;
}
# Document files : 1 month
location ~* \.(pdf|txt|xml)$ {
expires 1m;
}
# Audio files : 1 month
location ~* \.(mid|midi|mp3|m4a|m4r|aif|aiff|ra|wav|voc|ogg)$ {
expires 1m;
}
# Video files : 1 month
location ~* \.(swf|vrml|avi|mkv|mpg|mpeg|mp4|m4v|mov|asf)$ {
expires 1m;
}
######################################################################
## User agent blocking
##
## Disables access to your site by user agent. Useful to block some
## bandwidth hoggers.
######################################################################
set $bad_ua 0;
# This also disables Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $bad_ua 1;
}
# Disabling Wget will also block the most common method to run CRON jobs
if ($http_user_agent ~ "Wget") {
set $bad_ua 1;
}
# Common bandwidth hoggers and hacking tools. Each rule is three lines, beginning with "if"
if ($http_user_agent ~ "libwww-perl") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Download Demon") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GetRight") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GrabNet") {
set $bad_ua 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $bad_ua 1;
}
# If you enable any of the above don't remove this. It's what blocks
# the bad user agents!
if ($bad_ua = 1) {
return 403;
}
######################################################################
## Automatic compression of static resources
## Compress text, html, javascript, css, xml and other static resources
## May kill access to your site for old versions of Internet Explorer
######################################################################
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 1100;
gzip_types text/plain text/html text/xml text/css application/xml application/xhtml+xml application/xml+rss application/rss+xml application/x-javascript application/javascript text/javascript;
gzip_buffers 16 8k;
}