Daniel

4.x [Nginx] Conf File IPS 4.1.8.1+


Daniel

Ho trovato un'interessante configurazione per NGINX fatta per IPS4.

il link di github è questo https://gist.github.com/zeronug/a16b06fde32dbf0685a5

(è specifica per Centminmod)

 

# IPB4 Working NGINX site conf file
# Tested on IPB 4.1.8.1+ and Centminmod 123.09beta01
# This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.
# Replace 10.0.0.121 with your IP address or domain name.

# Information gathered from
# Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.
# Base building forum thread:  https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/
# Anyone else not mentioned who helped modify and create this file:  Thanks!

# Plain-HTTP listener: every request arriving on port 80 is answered with a
# permanent (301) redirect to the HTTPS virtual host defined below.
# Only one server_name is listed here; a www -> non-www redirect additionally
# needs the www name added to server_name.
server {
    listen 80;
    server_name 10.0.0.121;

    # Access and error logs for port-80 traffic.
    # The access log is buffered (256k) and flushed at most every 60 minutes,
    # so recent requests may not be on disk yet when the log is inspected.
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;

    # The redirect target host is hard-coded rather than taken from the
    # request's Host header; $request_uri keeps the original path and query.
    return 301 https://10.0.0.121$request_uri;
}

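server {
    # HTTPS virtual host for the IPS 4 site.
    # 10.0.0.121 is the placeholder used throughout this file; replace it with
    # your own IP address or domain name (see the file header).
    listen 443 ssl http2;
    server_name  10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;

    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    # NOTE(review): no ssl_protocols directive is visible in this block.
    # Confirm that ssl_include.conf (not shown here) restricts the protocol
    # versions; otherwise the nginx build's defaults apply.
    include /usr/local/nginx/conf/ssl_include.conf;

    # Mozilla Recommended
    # NOTE(review): this list comes from an old Mozilla profile and still
    # offers suites without forward secrecy (e.g. AES128-SHA, AES256-SHA) as
    # well as CBC/SHA-1 and DSS suites. It is left unchanged here so existing
    # clients keep working; regenerate it from the current Mozilla SSL
    # Configuration Generator for your nginx/OpenSSL versions before
    # production use.
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers   on;

    # add_header Alternate-Protocol  443:npn-spdy/3;
    # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
    # You'd want to include subdomains if you're using SSL wildcard certificates
    # NOTE(review): HPKP has been deprecated and dropped by the major browsers,
    # and the pin values below are sample values, not hashes of your own keys.
    # Leave both lines commented out.
    # include subdomain
    # add_header Public-Key-Pins 'pin-sha256="kUtRfCe0JWOz1gw4DOGvf15QCfSLkIrlu+eOpf/PFOg="; pin-sha256="7nF+BczNEgtaZKE9fU80QwigQ+9Ip5S4AhR8CYM/U70="; max-age=86400; includeSubDomains';
    # exclude subdomains
    # add_header Public-Key-Pins 'pin-sha256="kUtRfCe0JWOz1gw4DOGvf15QCfSLkIrlu+eOpf/PFOg="; pin-sha256="7nF+BczNEgtaZKE9fU80QwigQ+9Ip5S4AhR8CYM/U70="; max-age=86400';

    # Security response headers.
    # "always" makes nginx send them on error responses (4xx/5xx) as well;
    # without it they are only attached to successful and redirect responses.
    # nginx inherits add_header from this level only into locations that set
    # no add_header of their own, so check the included staticfiles.conf and
    # php.conf (not shown here) for locations that would drop these headers.
    # HSTS with includeSubdomains covers every subdomain for a year: make sure
    # all of them serve HTTPS. Browsers ignore HSTS for bare IP addresses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options "nosniff" always;
    # spdy_headers_comp 5;
    ssl_buffer_size 1400;
    # NOTE(review): with no ssl_session_ticket_key configured, nginx uses a
    # random ticket key created at startup. A long-running server therefore
    # keeps one key for a long time, which weakens forward secrecy; rotate the
    # keys or set this to "off".
    ssl_session_tickets on;

    # enable ocsp stapling
    # resolver 8.8.8.8 8.8.4.4 valid=10m;
    # resolver_timeout 10s;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121-trusted.crt;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # X-Content-Type-Options is already set above, so only the legacy
    # X-Xss-Protection header remains as an optional extra here.
    # add_header X-Xss-Protection "1; mode=block" always;

    # Limit Connections Per IP Address
    # Modified from default to allow Admin directory to have more connections
    # Modified in nginx.conf
    # limit_conn_zone $limitconn_map zone=limit_per_ip:16m;

    # ssi  on;

    # Access and Error Logs
    # The access log is buffered (256k) and flushed at most every 60 minutes,
    # so recent requests may not be on disk yet when the log is inspected.
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    # This also matches /.well-known/, so HTTP-based certificate validation
    # (ACME) needs its own exception if you use it.
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {

        # block common exploits, sql injections etc
        # (rules live in block.conf, which is not shown here)
        include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        # Keep this disabled: directory listings expose file names.
        # autoindex  on;

        # Shows file listing times as local time
        # (only has an effect if autoindex is enabled)
        autoindex_localtime on;

        # Anything that is not an existing file or directory goes to the
        # IPS front controller.
        try_files    $uri $uri/ /index.php;

    }

    location ~ ^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }

    # Mask fake admin directory
    # Must comment this during install.  Uncomment after you change the name of the admin directory.
    location ~ ^/admin/(.*)$ {
        deny all;
    }

    # Secure real admin directory
    # Replace /your_admin_renamed_directory/ with your renamed directory.
    # With nginx's default "satisfy all", a request must pass both the IP
    # allow-list and the basic-auth check.
    #location /your_admin_renamed_directory/ {
    #    auth_basic "Private";
    #    auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
    #        include /usr/local/nginx/conf/php.conf;
    #        allow 127.0.0.1;
    #        allow YOURIPADDRESS;
    #        deny all;
    #}

    # IP.Board PHP/CGI Protection
    # Regex locations are tried in the order they appear and the first match
    # wins, so the interface exception must stay above the deny rule.

    # Allow access to interface files
    # The original pattern used "/applications/*/interface/", where "/*" is a
    # regex for "zero or more slashes" rather than a wildcard, so it never
    # matched /applications/<app>/interface/ and those requests fell through
    # to the deny rule below. The original body also contained only
    # "allow all" and no PHP handler, so a matching request would have been
    # served as a static file (the PHP source) instead of being executed.
    # NOTE(review): assumes php.conf can be included inside a location, as the
    # commented admin example above does - confirm against your php.conf.
    location ~ ^/applications/[^/]+/interface/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
    }

    # Deny direct requests for PHP files in directories that must never be
    # entry points (uploads, system, datastore, plugins and the bundled
    # applications). One pattern replaces the thirteen identical blocks.
    # The "(?:/|$)" suffix also covers ".php/extra" style URIs in case the
    # PHP handler in php.conf accepts them.
    # NOTE(review): only the bundled applications are listed; add third-party
    # application directories here as you install them.
    location ~ ^/(?:uploads|system|datastore|plugins|applications/(?:blog|calendar|chat|cms|core|downloads|forums|gallery|nexus))/.*\.php(?:/|$) {
        deny     all;
    }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}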

 
