Ticket #1689: text.txt


nginx -T

# configuration file /etc/nginx/nginx.conf:
# Main context: worker identity and process limits.
# Worker processes run as this (expected unprivileged) account.
user useriuss;
pid /var/run/nginx.pid;

worker_processes auto;
# Per-worker open-file limit; must cover worker_connections plus
# the files/sockets each connection opens.
worker_rlimit_nofile 8192;

events {
    worker_connections 2048;
    use epoll;
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Hides the nginx version in the Server header and on error pages.
    server_tokens off;

    error_log /var/log/nginx/error.log error;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # No access log at http level. Only the server in conf.d/site.ru.conf
    # re-enables it below, so requests hitting the other servers in this
    # dump leave no access-log trace.
    access_log off;

    keepalive_timeout 20;
    send_timeout 10;
    reset_timedout_connection on;
    output_buffers 4 32k;
    client_header_timeout 12;
    client_body_timeout 12;
    client_body_buffer_size 128k;
    # NOTE(review): a 3m initial header buffer (nginx default 1k) plus four
    # 256k large buffers (default 4 8k) is what nginx may allocate while
    # reading a single client's request header. Confirm the workload needs
    # headers this large; it raises the memory one slow client can tie up.
    client_header_buffer_size 3m;
    client_max_body_size 20m;
    large_client_header_buffers 4 256k;
    client_body_temp_path /var/spool/nginx_client_body_temp;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset UTF-8;

    gzip on;
    gzip_static on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 1024;
    gzip_http_version 1.1;
    gzip_buffers 4 32k;
    gzip_types text/plain application/xml application/x-javascript text/css text/javascript image/svg+xml;

    # cache information about file descriptors, frequently accessed files
    # can boost performance, but you need to test those values
    open_file_cache max=64000 inactive=40s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    ### NGINX Simple DDoS Defense
    # Both zones are commented out, so no per-client connection or request
    # rate limit is active anywhere in this dump.
    # limit_conn_zone $binary_remote_addr zone=isp:10m;
    # limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

    ### Proxy
    # Client identity passed to the upstream on 127.0.0.1:81, which is the
    # server declared in conf.d/site.ru.conf (this same nginx instance).
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    port_in_redirect off;

    # Lets the upstream's Server header through. The upstream here is nginx
    # itself, so server_tokens off still governs what the client sees.
    proxy_pass_header Server;
    proxy_redirect off;
    proxy_buffering on;

    proxy_buffer_size 16k;
    proxy_buffers 8 128k;
    proxy_busy_buffers_size 256k;

    proxy_next_upstream off;
    proxy_intercept_errors off;
    proxy_connect_timeout 90;
    proxy_read_timeout 90;
    proxy_send_timeout 90;

    proxy_temp_file_write_size 256k;
    proxy_max_temp_file_size 0;

    proxy_temp_path /var/spool/nginx_proxy_temp;

    ### Include other configs
    # NOTE(review): this include is processed before the server block
    # below, so the servers from conf.d are registered first. That decides
    # which server wins the duplicate names on port 443 (see below).
    include /etc/nginx/conf.d/*.conf;

    server {
        # Front-end: plain HTTP on 82 plus HTTPS on 443 (Certbot lines
        # below), proxying to the WordPress server on 127.0.0.1:81.
        listen 82;
        # NOTE(review): conf.d/site.ru.conf declares another server with
        # `listen 443 ssl http2` and server_name site.ru localhost. nginx
        # keeps the first server registered for a duplicate name on a
        # listen socket and logs "conflicting server name ... ignored";
        # since the conf.d include above comes first, HTTPS requests for
        # site.ru / localhost appear to reach that server directly instead
        # of this proxy. Check the error log for that warning.
        server_name site.ru www.site.ru localhost;

        location / {
            proxy_pass http://127.0.0.1:81;
            proxy_redirect http://www.site.ru:80/ /;
        }

        # Static files served straight from disk; a missing file falls
        # through to the backend via @fallback.
        location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|bmp|rtf|flv|js|swf|mp3|ogg|flac|avi|mp4|gp|wma|wmv|wav)$ {
            root /var/www/site;
            error_page 404 = @fallback;
            expires max;
        }

        # NOTE(review): unreachable. Regex locations are tried in order of
        # appearance and the static-file regex above already matches .js
        # and .swf, so this hotlink check never runs in this server. The
        # referer regex is also unanchored with unescaped dots, so e.g.
        # "site.ru" matches anywhere in the Referer value, not only as
        # its host.
        location ~* (\.swf|\.js)$ {
            valid_referers none blocked server_names ~(site.ru|google.|yandex.|bing.);
            if ($invalid_referer) {return 403;}
        }

        location @fallback {
            proxy_pass http://127.0.0.1:81;
        }

        listen 443 ssl http2; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/site.ru/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/site.ru/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    }

}

# configuration file /etc/nginx/mime.types:
# Extension -> Content-Type table. Extensions absent here fall back to the
# default_type set in nginx.conf (application/octet-stream).

types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/x-javascript js;
    application/atom+xml atom;
    application/rss+xml rss;

    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;

    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;

    # Web font types added by hand; the stock "eot" octet-stream entry
    # further down is commented out in favour of the one here.
    application/font-sfnt otf ttf;
    application/font-woff woff;
    application/font-woff2 woff2;
    application/vnd.ms-fontobject eot;

    application/java-archive jar war ear;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.ms-excel xls;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/zip zip;

    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    # application/octet-stream eot;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;

    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;

    video/3gpp 3gpp 3gp;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

# configuration file /etc/nginx/conf.d/site.ru.conf:
# Included at http level by nginx.conf, so these fastcgi_* settings are
# shared by every server; the cache is used by `location ~ \.php$` in
# conf.d/common-loc.inc.
fastcgi_cache_path /var/lib/nginx/fastcgi_cache/ levels=1:2 keys_zone=cache:100m inactive=1d max_size=1G;
fastcgi_temp_path /var/lib/nginx/fastcgi_temp/ 1 2;
# NOTE(review): ignoring Set-Cookie means responses that set cookies are
# still cached, and the cache key below has no cookie or scheme component.
# A personalised page can then be served from cache to another client
# unless $skip_cache (used in common-loc.inc but not defined in any file in
# this dump) reliably bypasses the cache for logged-in sessions — confirm
# where $skip_cache is set and that it covers WordPress login cookies.
fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
fastcgi_cache_min_uses 1;
fastcgi_cache_valid 200 302 10m;
fastcgi_cache_valid 404 1m;
fastcgi_cache_use_stale error timeout invalid_header http_500 http_503;
fastcgi_cache_key "$request_method|$host|$request_uri";
fastcgi_buffers 256 4k;
fastcgi_cache_lock on;

# Plain-HTTP entry point: redirect everything to HTTPS on the same host.
# $host is taken from the client's Host header; this server only matches
# the names listed, so the target stays on those names unless this block
# becomes the default server for the port.
# NOTE(review): conf.d/default.conf also binds port 80 with
# server_name localhost; the first server registered wins the duplicate
# name and is the default for unmatched hosts on that port (see the note
# in default.conf).
server {
    listen 80;
    server_name site.ru localhost;
    return 301 https://$host$request_uri;
}

# WordPress server: upstream of the :82/:443 proxy in nginx.conf, and also
# an HTTPS endpoint of its own (Certbot lines below).
server {
    # NOTE(review): both sockets bind every interface. Port 81 is the
    # backend of the front proxy in nginx.conf and 8080 is the default
    # server on its port; unless they are firewalled, clients can reach
    # this server directly and bypass whatever the front proxy enforces.
    listen 81;
    listen 8080 default_server;
    server_name site.ru localhost;
    charset utf-8;
    rewrite_log off;
    access_log /var/log/nginx/site.ru.access.log main buffer=16k;
    autoindex off;

    root /var/www/site;
    # rewrites.inc and common.inc are not part of this attachment (nginx -T
    # normally prints every included file, so the dump looks trimmed). Any
    # definition of $skip_cache would presumably live there — TODO confirm.
    include conf.d/rewrites.inc;
    index index.php index.html;

    # Disallow iframe
    # NOTE(review): add_header is inherited by a location only when that
    # location sets no add_header of its own. The static-asset and .html
    # locations below do, so their responses carry neither this header nor
    # the Strict-Transport-Security header at the end of this block; repeat
    # both there (or via an include) if they are meant to be site-wide.
    add_header X-Frame-Options "SAMEORIGIN";

    include conf.d/common.inc;
    # Brings in `location ~ \.php$` and the dot-file deny rules (file shown
    # further down in this dump). Being included first, its regex locations
    # are tried before any later regex location that matches the same URI.
    include conf.d/common-loc.inc;

    # Restrict the request methods accepted by the web server (server section)
    if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }

    # Insert this in server configuration:
    # $bad_referer and $bad_bot come from the map/geo blocks near the end
    # of this dump; see the note there on $bad_referer being defined twice.
    if ($bad_referer) { return 444; }
    # Insert this in server configuration:
    if ($bad_bot) { return 403; }

    # Static assets: long client cache, no logging, throttled after 2m.
    location ~* ^.+\.(xml|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|pdf|txt|tar|bmp|rtf|flv|js|swf|mp3|avi|srt|mp4|gp|wav|eot|ttf|woff|woff2|svg)$ {
        expires max;
        access_log off;
        log_not_found off;

        # for files above 1m, limit the transfer rate
        limit_rate_after 2m;
        limit_rate 250k;

        # Send headers for browser caching
        add_header Pragma "public";
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location ~* \.html$ {
        expires modified 1200s;
        add_header Vary Cookie;
        add_header Pragma "public";
        add_header Cache-Control "max-age=1200, public, must-revalidate, proxy-revalidate";
    }

    # NOTE(review): unreachable. Regex locations are tried in order of
    # appearance and the static-asset regex above already matches .js and
    # .swf, so this hotlink check never runs. The referer regex is also
    # unanchored with unescaped dots ("google." matches any character
    # after "google", anywhere in the Referer value).
    location ~* (\.swf|\.js)$ {
        valid_referers none blocked server_names ~(google.|yandex.|bing.);
        if ($invalid_referer) {
            return 403;
        }
    }

    # NOTE(review): same names on 443 as the server in nginx.conf; this one
    # is registered first (conf.d is included before it), so it wins.
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Additional parameters https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.14.0&openssl=1.0.2k&hsts=yes&profile=intermediate
    #ssl_session_cache shared:SSL:30m; #instead of the default 1m
    ssl_session_tickets off;
    ssl_buffer_size 8k;
    # See the add_header inheritance note above: locations that set their
    # own headers do not emit this one.
    add_header Strict-Transport-Security max-age=15768000; # HST 6 months

}

# NOTE(review): as pasted, everything from here to the next file header
# follows the closing brace of the server above and therefore sits in http
# context, where rewrite and location are not permitted. nginx -T only
# prints a configuration that passed the test, and common-loc.inc is
# included a second time below (a duplicate `location ~ \.php$` in one
# server would be rejected), so these lines most likely belonged to a
# separate server block whose opening line was cut when the attachment was
# edited (see also "#deleted" in options-ssl-nginx.conf). The original
# nesting cannot be recovered from this dump.

# error pages
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 502 504 /errors/50x.html;
error_page 503 /errors/503.html; # maintenance

# forbid execution of php etc. in directories with uploaded images
# The first pattern has no leading slash ("w/images/"); presumably meant
# "/wp-images/" or "/images/" — confirm against the site's upload paths.
rewrite w/images/.*\.php /errors/404.html;
rewrite /wp-content/uploads/.*\.php /errors/404.html;
# Error pages are reachable only via internal redirects, not by URL.
location /errors/ { internal; }

#####################
# Wordpress
# https://codex.wordpress.org/Nginx
#####################

location / {
    try_files $uri $uri/ /index.php?$args;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
include conf.d/common-loc.inc;

#had simplified configuration

#####################
## SQL Injection and similar attacks
#####################
# NOTE(review): a location regex is matched against the normalized, decoded
# request URI without the query string, so none of these rules inspects
# $args (where injection payloads usually travel) or request bodies; this
# is a URI deny-list, not injection detection. If these sit in the same
# server as the common-loc.inc include above, any URI ending in .php has
# already matched `location ~ \.php$` there, which makes the *.php rules at
# the end of this list unreachable. The case-sensitive rule that rejects
# `\s`, `;` and `%` also rejects any file name containing a space.
location ~* "(eval\()" { deny all; }
location ~* "(127\.0\.0\.1)" { deny all; }
location ~* "([a-z0-9]{2000})" { deny all; }
location ~* "(javascript\:)(.*)(\;)" { deny all; }
location ~* "(base64_encode)(.*)(\()" { deny all; }
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; }
location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
location ~* "(https?|ftp|php):/" { deny all; }
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
# location ~* "/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$" { deny all; }
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
location ~ "(~|`|<|>|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }

# configuration file /etc/nginx/fastcgi_params:
# Stock CGI environment passed to php-fpm; included by `location ~ \.php$`
# in conf.d/common-loc.inc and by the status locations in conf.d/status.conf.

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

# REMOTE_ADDR is the TCP peer; for requests proxied via :82/:443 that is
# 127.0.0.1, and the real client is only in X-Forwarded-For / X-Real-IP.
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# Script path handed to php-fpm; common-loc.inc's `try_files $uri =404`
# ensures the file exists before this is sent.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

# configuration file /etc/nginx/conf.d/common-loc.inc:
# PHP handler and dot-file deny rules, included into server blocks.
location ~ \.php$ {
    # $skip_cache is not defined in any file in this dump; if it is unset
    # the cache bypass never triggers — TODO confirm where it is defined.
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache $skip_cache;
    fastcgi_cache cache;
    # Set at this level, this replaces (does not extend) the http-level
    # fastcgi_cache_valid list from conf.d/site.ru.conf; with no status
    # codes given it applies to 200, 301 and 302 responses.
    fastcgi_cache_valid 30m;

    # Requires the .php file to exist on disk before passing it to
    # php-fpm, so a URI ending in .php under a non-existent path is a 404.
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi_params;
}

# Block direct reads of VCS metadata and Apache-style auth files.
# NOTE(review): other dot-files (e.g. /.env) are not covered; a single
# `location ~ /\.` would be broader if nothing legitimate lives there.
location ~ /\.passwd { deny all; }
location ~ /\.ht { deny all; }
location ~ /\.hg/ { deny all; }
location ~ /\.svn/ { deny all; }
location ~ /\.git/ { deny all; }


# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:nginx_SSL:30m;
ssl_session_timeout 1440m;

# NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions; current
# Certbot templates ship TLSv1.2 (and TLSv1.3 where supported) only.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

# NOTE(review): the cipher list was redacted before upload, so the TLS
# posture cannot be assessed from this dump. A blank cipher string would
# most likely not pass the configuration test, which confirms the
# attachment was edited after nginx -T ran.
ssl_ciphers " "; #deleted


## Add here all user agents that are to be blocked.
# NOTE(review): map and geo are http-context directives and cannot live in
# a file included inside a server block (as options-ssl-nginx.conf is), so
# these blocks presumably come from a separate file whose
# "# configuration file" header was lost when the attachment was edited.
# $bad_bot is consumed by `if ($bad_bot) { return 403; }` in conf.d/site.ru.conf.
map $http_user_agent $bad_bot {
    default 0;
    ~*^Lynx 0; # Let Lynx go through
    libwww-perl 1;
    ~*(?i)(httrack|htmlparser|libwww|JikeSpider|proximic|Sosospider|Baiduspider|Sogou|YoudaoBot|DoCoMo|msnbot|BBBike|WWWOFFLE|Widow|SuperHTTP|BlackWidow|HTTrack|Java|Pixray|CPython|Spinn3r|Abonti|MSIECrawler|Baiduspider|Siteimprove|Aboundex|80legs|360Spider|^Java|Cogentbot|^Alexibot|^asterias|^attach|^BackDoorBot|^BackWeb|Bandit|^BatchFTP|^Bigfoot|^Black.Hole|^BlackWidow|^BlowFish|^BotALot|Buddy|^BuiltBotTough|^Bullseye|^BunnySlippers|^Cegbfeieh|^CheeseBot|^CherryPicker|^ChinaClaw|Collector|Copier|^CopyRightCheck|^cosmos|^Crescent|^Custo|^AIBOT|Mozilla/4.0|ZmEu|MJ12bot|MegaIndex|OpenLinkProfiler|spbot|^Snake|DLE_Spider|Apache-HttpClient|discobot|WordPress|BLEXBot|SolomonoBot|SetLinks|kmbot|Embedly|RadioClicker|VoilaBot) 1;
}

## Add here all referrers that are to blocked.
# $bad_referer is consumed by `if ($bad_referer) { return 444; }` in
# conf.d/site.ru.conf. The pattern is an unanchored substring match, so
# e.g. "click" or "love" anywhere in the Referer URL also hits.
map $http_referer $bad_referer {
    default 0;
    ~(?i)(adult|babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|casino|replica|en.savefrom.net|7makemoneyonline.com|acunetix-referrer.com|adcash.com|bithack.ru|buttons-for-website.com|cenokos.ru|cenoval.ru|cityadspix.com|darodar.com|econom.co|edakgfvwql.ru|gobongo.info|iedit.ilovevitaly.com|ilovevitaly.com|ilovevitaly.co|ilovevitaly.info|ilovevitaly.org|ilovevitaly.ru|iskalko.ru|luxup.ru|make-money-online.7makemoneyonline.com|maps.ilovevitaly.com|myftpupload.com|savefrom.net|savetubevideo.com|screentoolkit.com|semalt.com|seoexperimenty.ru|shopping.ilovevitaly.ru|slftsdybbg.ru|socialseet.ru|srecorder.com|st3.cwl.yahoo.com|superiends.org|vodkoved.ru|websocial.me|ykecwqlixx.ru|yougetsignal.com|priceg.com|responsinator.com|o-o-6-o-o.ru|o-o-8-o-o.ru) 1;
}

## Add here all hosts that should be spared any referrer checking.
# NOTE(review): this redefines $bad_referer. As far as I can tell nginx
# lets the later definition replace the map's handler, so for clients not
# listed here the variable takes the geo default — an empty string, since
# no `default` line is given — and `if ($bad_referer)` never fires; the
# referer map above would then be dead. Verify with a test request carrying
# a listed Referer before relying on it.
geo $bad_referer {
    127.0.0.1 0;
    192.168.1.0/24 0;
    217.23.7.130 0;
    78.110.60.230 0;
    193.227.240.37 0;
    172.31.1.100 0;
    78.47.141.187 0;
    193.227.240.38 0;
}

# configuration file /etc/nginx/conf.d/default.conf:
# Stock package default server, left in place.
# NOTE(review): it binds 0.0.0.0:80 with server_name localhost, the same
# name the HTTPS-redirect server in conf.d/site.ru.conf uses. The glob
# include registers default.conf first, so as far as I can tell this server
# wins "localhost" on port 80 and is also the default server for any Host
# that matches nothing else on that port — such requests get the stock
# welcome page rather than the redirect to HTTPS.
server {
    listen 80;
    server_name localhost;

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}


# configuration file /etc/nginx/conf.d/status.conf:
# Monitoring endpoints bound to the loopback address only; connections
# arriving on 127.0.0.1:80 are routed to this server rather than to the
# 0.0.0.0:80 servers. Nothing else (no auth) restricts them, so keep the
# loopback binding if this file is ever copied.
server {
    listen 127.0.0.1:80;
    access_log off;
    # php-fpm ping/status pages; php-fpm must expose the matching
    # ping.path / pm.status_path for these to answer — TODO confirm.
    location /fpm_ping {
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
    }
    location /fpm_status {
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
    }
    location /nginx_status {
        stub_status on;
    }

}

