-
Notifications
You must be signed in to change notification settings - Fork 0
/
vhost.conf
113 lines (100 loc) · 3.47 KB
/
vhost.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
proxy_cache_path /tmp/cache levels=1:2 keys_zone=cache_proxy:1000m inactive=1d max_size=2g;
proxy_temp_path /tmp/proxy;
fastcgi_cache_path /tmp/cache2 levels=1:2 keys_zone=cache_fastcgi:1000m inactive=1d max_size=2g;
fastcgi_temp_path /tmp/proxy2;
server {
server_name xname www.xname;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header 'Referrer-Policy' 'same-origin';
## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.*\(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}
## Block file injections
set $block_file_injections 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 403;
}
## Block common exploits
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}
root /opt/www/web/public;
index index.php;
location ~ /\.(git|env|htaccess) {
return 200;
}
location ~ \.(css|js|jpeg|jpg|png|svg|otf) {
expires 1d;
add_header Pragma "cache";
add_header Cache-Control "public";
}
location / {
if ( $host ~* www.xname) {
rewrite ^ $scheme://xname$request_uri permanent;
}
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param CI_ENV "_ENV_";
fastcgi_param HTTPS $http_usehttps;
include fastcgi.conf;
}
}
server {
server_name thumb.xname;
location /image {
rewrite ^/image(.*)$ /?url=https://cdn.xname/image$1&w=$arg_w&h=$arg_h&a=$arg_a&q=$arg_q break;
proxy_pass http://thumb.codigo.id;
proxy_set_header Host thumb.codigo.id;
proxy_cache cache_proxy;
proxy_cache_key "1$host$request_uri";
proxy_cache_valid 200 302 24h;
proxy_cache_valid any 4m;
proxy_cache_use_stale updating;
proxy_intercept_errors on;
}
}