stack-config/nginx-vhost.conf at master · Upment/stack-config · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
# Upment Magento 1 nginx configuration file

# Define the PHP-FPM socket file for nginx to proxy-pass to
upstream domaintldbackend {
  server unix:/var/run/php-fpm-domaintld;
}

server {
  listen *:80;
  server_name domain.tld *.domain.tld;
  root /var/www/vhosts/domain.tld/htdocs;

  access_log /var/log/nginx/domain.tld-access.log main buffer=32k flush=300;
  error_log /var/log/nginx/domain.tld-error.log;

  location / {
    index index.html index.php;
    try_files $uri $uri/ @handler;
    expires 30d;
  }

  # Block known bad bots
  if ($http_user_agent ~* baidu|ahrefs|semrush|xovibot|360Spider|dotbot|genieo|megaindex\.ru|vagabondo|yandexbot|yelpspider|fatbot|tineye|blexbot|ascribebot|ia_archiver|moatbot|mixrankbot|orangebot|yoozbot|mj12bot|paperlibot|showyoubot|grapeshot|WeSee|haosouspider|spider|lexxebot|nutch) {
    return 403;
  }

  # Deny all access
  location ^~ /app/                            {return 403;}
  location ^~ /rss/                            {return 403;}
  location ^~ /index.php/rss/                  {return 403;}
  location ^~ /includes/                       {return 403;}
  location ^~ /lib/                            {return 403;}
  location ^~ /pkginfo/                        {return 403;}
  location ^~ /downloader/                     {return 403;}
  location ^~ /media/downloadable/             {return 403;}
  location ^~ /media/customer/                 {return 403;}
  location ^~ /report/config.xml               {return 403;}
  location ^~ /RELEASE_NOTES.txt               {return 403;}
  location ^~ /var/                            {return 403;}
  location ^~ /cron.php                        {return 403;}
  location ^~ /dev/                            {return 403;}
  location ^~ /skin/frontend/rwd/default/scss/ {return 403;}
  location ^~ ^/errors/.+\.xml                 {return 403;}

  location ~ /.well-known {
    allow all;
  }

  # Deny access to hidden files
  location ~ /\. {
    deny all;
  }

  # Only allow GET - HEAD - POST requests
  if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
  }

  # CVE-2015-3428, AW_Blog vulnerability
  if ($arg_order ~* .+(select|create|insert|update|drop|delete|concat|alter|load)) {
    return 403;
  }

  # Disallow php files from within the media folder
  location ~ ^/media/ {
    location ~ \.php$ {
      return 403;
    }
    try_files $uri $uri/ =404;
    expires 30d;
  }

  # File caching
  location ~* \.(ico|pdf|flv)$ {
    expires 1y;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
    expires 7d;
  }

  # Don't skip .thumbs
  location ~ /\.thumbs {
  }

  location @handler {
    rewrite / /index.php;
  }

  location ~ .php/ {
    rewrite ^(.*.php)/ $1 last;
  }

  # SSL offloading
  set $my_https off;
  set $my_port 80;

  if ($http_x_forwarded_proto = https) {
    set $my_https on;
    set $my_port 443;
  }

  location ~ .php$ {
    if (!-e $request_filename) { rewrite / /index.php last; }

    expires        off;
    fastcgi_pass   domaintldbackend;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  HTTPS            $my_https;
    fastcgi_param  SERVER_PORT      $my_port;

    set $realip $remote_addr;
    if ($http_x_forwarded_for ~ "^(\d+\.\d+\.\d+\.\d+)") {
      set $realip $1;
    }
    fastcgi_param REMOTE_ADDR $realip;
  }
}