69 lines
2.8 KiB
Nginx Configuration File
69 lines
2.8 KiB
Nginx Configuration File
daemon off;
|
|
error_log stderr notice;
|
|
pid /var/run/nginx.pid;
|
|
env DB_HOST;
|
|
env DB_NAME;
|
|
env DB_USER;
|
|
env DB_PASS;
|
|
worker_processes 1;
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
http {
|
|
sendfile on;
|
|
include /etc/nginx/mime.types;
|
|
include /etc/nginx/fastcgi.conf;
|
|
default_type application/octet-stream;
|
|
access_log stdout;
|
|
tcp_nopush on;
|
|
client_body_temp_path /tmp/nginx/body 1 2;
|
|
fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;
|
|
log_format blocked '$time_local: Blocked request from $http_x_real_ip $request';
|
|
log_format specialLog '$http_x_real_ip - $remote_user [$time_local] '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent"';
|
|
client_max_body_size 512M;
|
|
server {
|
|
listen 80;
|
|
root /usr/html;
|
|
index index.php index.html index.htm;
|
|
access_log stdout;
|
|
error_log stderr notice;
|
|
disable_symlinks off;
|
|
location = /robots.txt {
|
|
allow all;
|
|
log_not_found off;
|
|
access_log off;
|
|
}
|
|
location / {
|
|
try_files $uri $uri/ /index.php?_url=$uri&$query_string;
|
|
}
|
|
|
|
location ~ [^/]\.php(/|$) {
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
if (!-f $document_root$fastcgi_script_name) {
|
|
return 404;
|
|
}
|
|
fastcgi_pass unix:/var/run/php7-fpm.sock;
|
|
fastcgi_index index.php;
|
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
}
|
|
## Block common exploits
|
|
location ~* (<|%3C).*script.*(>|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* base64_(en|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* \.\.\/ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* /\.(htaccess|htpasswd|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
|
|
location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
|
|
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
|
|
location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
|
|
location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
|
|
}
|
|
}
|