wordpress/config/nginx.conf

daemon off;

error_log stderr notice;
pid /var/run/nginx/nginx.pid;
env DB_HOST;
env DB_NAME;
env DB_USER;
env DB_PASS;

worker_processes  1;
events {
    worker_connections  1024;
}

http {
  sendfile on;
  include    /etc/nginx/mime.types;
  include    /etc/nginx/fastcgi.conf;
  default_type application/octet-stream;
  access_log stdout;
  tcp_nopush   on;
  client_body_temp_path /tmp/nginx/body 1 2;
  fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;

  log_format blocked '$time_local: Blocked request from $http_x_real_ip $request';

  log_format specialLog '$http_x_real_ip - $remote_user [$time_local]  '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent"';

  client_max_body_size 512M;

  server {

    listen       80;

    root /usr/html;
    index  index.php index.html index.htm;
    access_log stdout;
    error_log stderr notice;

    disable_symlinks off;

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location / {
      try_files $uri $uri/ /index.php?$args;
    }

    location ~* /(?:uploads|files)/.*\.php$ {
    	deny all;
    }

    location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
        access_log        off;
        log_not_found     off;
        expires           360d;
    }

    location ~ [^/]\.php(/|$) {
      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
      if (!-f $document_root$fastcgi_script_name) {
        return 404;
      }
      fastcgi_pass unix:/var/run/php-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
    }

    ## Block SQL injections
    location ~* union.*select.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* union.*all.*select.* { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* concat.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }

    ## Block common exploits
    location ~* (<|%3C).*script.*(>|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* base64_(en|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* \.\.\/  { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* /\.(htaccess|htpasswd|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }

    ## Block file injections
    location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }

    ## wordpress security
    location ~* wp-config.php { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* wp-admin/includes { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* wp-app\.log { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
    location ~* (licence|readme|license)\.(html|txt) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }

  }

}
🦈🏠🐜❗ Initial Commit ❗🐜🦈🏠 2022-06-24 14:04:55 -04:00			`daemon off;`

			`error_log stderr notice;`
			`pid /var/run/nginx/nginx.pid;`
			`env DB_HOST;`
			`env DB_NAME;`
			`env DB_USER;`
			`env DB_PASS;`

			`worker_processes 1;`
			`events {`
			`worker_connections 1024;`
			`}`

			`http {`
			`sendfile on;`
			`include /etc/nginx/mime.types;`
			`include /etc/nginx/fastcgi.conf;`
			`default_type application/octet-stream;`
			`access_log stdout;`
			`tcp_nopush on;`
			`client_body_temp_path /tmp/nginx/body 1 2;`
			`fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;`

			`log_format blocked '$time_local: Blocked request from $http_x_real_ip $request';`

			`log_format specialLog '$http_x_real_ip - $remote_user [$time_local] '`
			`'"$request" $status $body_bytes_sent '`
			`'"$http_referer" "$http_user_agent"';`

			`client_max_body_size 512M;`

			`server {`

			`listen 80;`

			`root /usr/html;`
			`index index.php index.html index.htm;`
			`access_log stdout;`
			`error_log stderr notice;`

			`disable_symlinks off;`

			`location = /robots.txt {`
			`allow all;`
			`log_not_found off;`
			`access_log off;`
			`}`

			`location / {`
			`try_files $uri $uri/ /index.php?$args;`
			`}`

			`location ~* /(?:uploads\|files)/.*\.php$ {`
			`deny all;`
			`}`

			`location ~* \.(jpg\|jpeg\|gif\|png\|css\|js\|ico\|xml)$ {`
			`access_log off;`
			`log_not_found off;`
			`expires 360d;`
			`}`

			`location ~ [^/]\.php(/\|$) {`
			`fastcgi_split_path_info ^(.+?\.php)(/.*)$;`
			`if (!-f $document_root$fastcgi_script_name) {`
			`return 404;`
			`}`
			`fastcgi_pass unix:/var/run/php-fpm.sock;`
			`fastcgi_index index.php;`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`include fastcgi_params;`
			`}`

			`## Block SQL injections`
			`location ~* union.select.\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* union.all.select.* { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* concat.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`

			`## Block common exploits`
			`location ~* (<\|%3C).script.(>\|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* base64_(en\|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* (%0\|%A\|%B\|%C\|%D\|%E\|%F\|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* \.\.\/ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* /\.(htaccess\|htpasswd\|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`

			`## Block file injections`
			`location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`

			`## wordpress security`
			`location ~* wp-config.php { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* wp-admin/includes { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* wp-app\.log { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`
			`location ~* (licence\|readme\|license)\.(html\|txt) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }`

			`}`

			`}`