Initial Commit

nginx/extra/restrictions.conf

@@ -0,0 +1,39 @@
+# Global restrictions configuration file
+# Designed to be included in any server {} block
+
+## Disable TRACE, DELETE, PUT, OPTIONS modes
+if ($request_method !~ ^(GET|HEAD|POST)$ ) {
+        return 405;
+}
+
+location = /favicon.ico {
+    log_not_found off;
+    access_log off;
+}
+
+location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+}
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~ /\. {
+    access_log off;
+    log_not_found off;
+    deny all;
+}
+
+location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
+    access_log        off;
+    log_not_found     off;
+    expires           360d;
+}
+
+# Deny access to any files with a .php extension in the uploads directory
+# Works in sub-directory installs and also in multisite network
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /(?:uploads|files)/.*\.php$ {
+    deny all;
+}