Initial Commit

This commit is contained in:
fernao
2020-06-17 13:31:05 -03:00
parent 922c46e64c
commit 68e9f5900b
14 changed files with 864 additions and 0 deletions

View File

@@ -0,0 +1,20 @@
### gzip + compression global rules
### to be included a single time throughout this nginx instance
### headers rules are also consolidated here
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
add_header Strict-Transport-Security "max-age=31536000;includeSubDomains";
## Header hardening
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";

7
nginx/extra/php-fpm.conf Normal file
View File

@@ -0,0 +1,7 @@
location ~ \.php$ {
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
}

View File

@@ -0,0 +1,39 @@
# Global restrictions configuration file
# Designed to be included in any server {} block
## Disable TRACE, DELETE, PUT, OPTIONS modes
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 360d;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}