Mes virtualhosts sur Nginx |
Article original Publié le : 26 janvier 2018
Mise a jour le : – |
Voici la conf de mes 2 vhosts sur Nginx, un site web wordpress et matomo.
Pour en garder une trace et pour en avoir une correction si quelqu’un y voit une erreur.
Site WordPress
server { if ($host = wordpress.domaine.tld) { return 301 https://$host$request_uri; } listen 80; server_name wordpress.domaine.tld; return 301 https://$server_name$request_uri; ## Block SQL injections set $block_sql_injections 0; if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; } if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; } if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; } if ($block_sql_injections = 1) { return 403; } ## Block file injections set $block_file_injections 0; if ($query_string ~ "[a-zA-Z0-9_]=http://") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; } if ($block_file_injections = 1) { return 403; } ## Block common exploits set $block_common_exploits 0; if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; } if ($query_string ~ "GLOBALS(=|[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "_REQUEST(=|[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; } if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; } if ($block_common_exploits = 1) { return 403; } ## Block spam set $block_spam 0; if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { set $block_spam 1; } if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { set $block_spam 1; } if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { set $block_spam 1; } if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { set $block_spam 1; } if ($block_spam = 1) { return 403; } ## Block user agents set $block_user_agents 0; # Don't disable wget if you need it to run cron jobs! if ($http_user_agent ~ "Wget") { set $block_user_agents 1; } # Disable Akeeba Remote Control 2.5 and earlier if ($http_user_agent ~ "Indy Library") { set $block_user_agents 1; } # Common bandwidth hoggers and hacking tools. if ($http_user_agent ~ "libwww-perl") { set $block_user_agents 1; } if ($http_user_agent ~ "GetRight") { set $block_user_agents 1; } if ($http_user_agent ~ "GetWeb!") { set $block_user_agents 1; } if ($http_user_agent ~ "Go!Zilla") { set $block_user_agents 1; } if ($http_user_agent ~ "Download Demon") { set $block_user_agents 1; } if ($http_user_agent ~ "Go-Ahead-Got-It") { set $block_user_agents 1; } if ($http_user_agent ~ "TurnitinBot") { set $block_user_agents 1; } if ($http_user_agent ~ "GrabNet") { set $block_user_agents 1; } if ($block_user_agents = 1) { return 403; } } server { listen 443 ssl http2; server_name wordpress.domaine.tld; root /var/www/wordpress; index index.php index.html index.htm; location / { try_files $uri $uri/ /index.php?q=$uri&$args; } error_page 404 /404.html; error_page 500 502 503 504 /50x.html; location = /index.html { root /usr/share/nginx/html; } location ~ \.php$ { try_files $uri =404; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~ ^/(status)$ { allow 127.0.0.1; allow 1xx.xxx.xxx.xxx; allow 2xx.xxx.xxx.xxx; deny all; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; include fastcgi_params; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; } location = /xmlrpc.php { deny all; access_log off; log_not_found off; return 444; } location /wp-config.php { deny all; } location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|eot|otf|woff|woff2|ttf|ogg)$ { expires 10d; } location ~ ^/(wp-admin|wp-login.php) { allow 1xx.xxx.xxx.xxx; allow 2xx.xxx.xxx.xxx; deny all; } ssl_certificate /etc/letsencrypt/live/wordpress.domaine.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/wordpress.domaine.tld/privkey.pem; ssl_session_timeout 5m; ssl_session_cache shared:wordpress_SSL:10m; ssl_session_tickets off; # ssl_dhparam /etc/nginx/ssl/dh4096.pem; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_ecdh_curve secp384r1; ssl_trusted_certificate /etc/letsencrypt/live/wordpress.domaine.tld/chain.pem; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Content-Security-Policy "default-src 'self' ; frame-src 'self' ; child-src 'self' ; img-src 'self' data: http: https: ; style-src 'self' data: http: https: 'unsafe-inline' ; script-src 'self' data: http: https: 'unsafe-inline' 'unsafe-eval';"; add_header Feature-Policy "midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;"; rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml$ "/index.php?xml_sitemap=params=$2" last; rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml\.gz$ "/index.php?xml_sitemap=params=$2;zip=true" last; rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html$ "/index.php?xml_sitemap=params=$2;html=true" last; rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html.gz$ "/index.php?xml_sitemap=params=$2;html=true;zip=true" last; }
Site Matomo
server { if ($host = matomo.domaine.tld) { return 301 https://$host$request_uri; } listen 80; server_name matomo.domaine.tld; location / { return 301 https://$host$request_uri; } ## Block SQL injections set $block_sql_injections 0; if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; } if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; } if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; } if ($block_sql_injections = 1) { return 403; } ## Block file injections set $block_file_injections 0; if ($query_string ~ "[a-zA-Z0-9_]=http://") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; } if ($block_file_injections = 1) { return 403; } ## Block common exploits set $block_common_exploits 0; if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; } if ($query_string ~ "GLOBALS(=|[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "_REQUEST(=|[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; } if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; } if ($block_common_exploits = 1) { return 403; } ## Block spam set $block_spam 0; if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { set $block_spam 1; } if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { set $block_spam 1; } if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { set $block_spam 1; } if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { set $block_spam 1; } if ($block_spam = 1) { return 403; } ## Block user agents set $block_user_agents 0; # Don't disable wget if you need it to run cron jobs! if ($http_user_agent ~ "Wget") { set $block_user_agents 1; } # Disable Akeeba Remote Control 2.5 and earlier if ($http_user_agent ~ "Indy Library") { set $block_user_agents 1; } # Common bandwidth hoggers and hacking tools. if ($http_user_agent ~ "libwww-perl") { set $block_user_agents 1; } if ($http_user_agent ~ "GetRight") { set $block_user_agents 1; } if ($http_user_agent ~ "GetWeb!") { set $block_user_agents 1; } if ($http_user_agent ~ "Go!Zilla") { set $block_user_agents 1; } if ($http_user_agent ~ "Download Demon") { set $block_user_agents 1; } if ($http_user_agent ~ "Go-Ahead-Got-It") { set $block_user_agents 1; } if ($http_user_agent ~ "TurnitinBot") { set $block_user_agents 1; } if ($http_user_agent ~ "GrabNet") { set $block_user_agents 1; } if ($block_user_agents = 1) { return 403; } } server { listen 443 ssl http2; server_name matomo.domaine.tld; access_log /var/log/nginx/matomo.access.log; error_log /var/log/nginx/matomo.error.log; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Feature-Policy "midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;"; add_header Content-Security-Policy "default-src 'self' ; frame-src 'self' ; child-src 'self' ; img-src 'self' data: http: https: ; style-src 'self' data: http: https: 'unsafe-inline' ; script-src 'self' data: http: https: 'unsafe-inline' 'unsafe-eval';"; add_header Referrer-Policy "same-origin" always; ssl_certificate /etc/letsencrypt/live/matomo.domaine.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/matomo.domaine.tld/privkey.pem; include ssl.conf; root /var/www/matomo/; index index.php; location ~ ^/(index|matomo|piwik|js/index).php { include snippets/fastcgi-php.conf; fastcgi_param HTTP_PROXY ""; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; } location = /plugins/HeatmapSessionRecording/configs.php { include snippets/fastcgi-php.conf; fastcgi_param HTTP_PROXY ""; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; } location ~* ^.+\.php$ { deny all; return 403; } location / { try_files $uri $uri/ =404; } location ~ /(config|tmp|core|lang) { deny all; return 403; } location ~ /\.ht { deny all; return 403; } location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { allow all; expires 1h; add_header Pragma public; add_header Cache-Control "public"; } location ~ /(libs|vendor|plugins|misc/user) { deny all; return 403; } location ~/(.*\.md|LEGALNOTICE|LICENSE) { default_type text/plain; } }