├── .gitattributes
├── .gitignore
├── .htpasswd
├── README.md
├── cert
    ├── letsencrypt-root-ca.pem
    └── ssl-example
├── cloudflare
├── common
├── country-cz
├── debug_vars
├── extras
    ├── cron
    │   └── certbot-renew
    ├── fail2ban
    │   ├── filter.d
    │   │   ├── nginx-404.conf
    │   │   ├── wp-auth-failed.conf
    │   │   ├── wp-auth.conf
    │   │   └── wp-strange.conf
    │   └── jail.d
    │   │   ├── nginx-404.conf
    │   │   ├── wp-auth-failed.conf
    │   │   ├── wp-auth.conf
    │   │   └── wp-strange.conf
    ├── log-rotate
    │   └── nginx
    ├── mu-plugins
    │   ├── lynt-custom-login.php
    │   ├── lynt-enhancer.php
    │   ├── lynt-mailfixer.php
    │   ├── lynt-mo-cache-igb.php
    │   ├── lynt-mo-cache.php
    │   └── lynt-team-cookie.php
    └── php-fpm
    │   └── www.conf
├── fastcgi_params
├── fbclid-redir
├── limit
├── limit-pass
├── microcache
├── nginx.conf
├── php5
├── php5.load
├── php7
├── php7.load
├── production
├── ssl-config
├── vhosts.d
    ├── example.conf
    └── sslexample.conf
└── wordpress


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Windows image file caches
 2 | Thumbs.db
 3 | ehthumbs.db
 4 | 
 5 | # Folder config file
 6 | Desktop.ini
 7 | 
 8 | # Recycle Bin used on file shares
 9 | $RECYCLE.BIN/
10 | 
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 | 
17 | # Windows shortcuts
18 | *.lnk
19 | 
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 | 
24 | # OSX
25 | # =========================
26 | 
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 | 
31 | # Thumbnails
32 | ._*
33 | 
34 | # Files that might appear in the root of a volume
35 | .DocumentRevisions-V100
36 | .fseventsd
37 | .Spotlight-V100
38 | .TemporaryItems
39 | .Trashes
40 | .VolumeIcon.icns
41 | 
42 | # Directories potentially created on remote AFP share
43 | .AppleDB
44 | .AppleDesktop
45 | Network Trash Folder
46 | Temporary Items
47 | .apdisk
48 | 


--------------------------------------------------------------------------------
/.htpasswd:
--------------------------------------------------------------------------------
1 | example:$apr1$BjHbmZRV$KeIQrMM48EVrwztcvKeOK.
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # WP-nginx-config
 2 | Basic Nginx + WordPress setup
 3 | 
 4 | It is compiled from our production setup. It is not suitable for Copy&Paste to production use without edits.
 5 | 
 6 | # Main features
 7 | - extended configuration via "features includes"
 8 | - PHP5/PHP7 support
 9 | - SSL confing based on "Mozilla SSL Configuration Generator" recommendations
10 | - Let's Encrypt enabled (OCSP Stapling included)
11 | - clientside static resources caching and serverside open files descriptors caching
12 | - gzip compression
13 | - CloudFlare support
14 | - optional GeoIP blocking
15 | - optional Nginx Microcache settings
16 | - optional basic HTTP auth
17 | - Basic & WordPress Security
18 |   - prevent HTTP Poxy
19 |   - prevent Slow Loris (optional)
20 |   - blocking common hacking tools and uncommon HTTP methods
21 |   - usernames harvesting denial
22 |   - blocking access to files with sensitive informaion and VCS systems
23 |   - blocking PHP in uploads directory
24 |   - blocking empty referres into comments, login and ajax
25 |   - blocking suspicious queries (based on iThemes Security blacklist)
26 |   - adding basic security headers
27 | 
28 | # Extra configs
29 | Look at **extras** folder
30 | - mu-plugins - small mu-plugin for WordPress
31 |   - **Enhancer**
32 |   - enable bcryp hashes for user passwords
33 |   - filter out sensitive user info from rest API
34 |   - change status code of failed logins to 401
35 |   - **Mail Fixer**
36 |   - fix Return-Path header
37 |   - set SMTP server
38 |   - **Team Cookie**
39 |   - allow to exclude web related users from analytics via special cookie
40 |   - **MO Cache**
41 |   - simple file system cache for gettext translations
42 | - fail2ban rules - block many 404, block failed logins
43 | - log rotate - log rotate rule for nginx logs
44 | - php-fpm - basic PHP-FPM pool with open-basedir and disable_functions
45 | 
46 | 


--------------------------------------------------------------------------------
/cert/letsencrypt-root-ca.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
 3 | MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
 4 | DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
 5 | PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
 6 | Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 7 | AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
 8 | rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
 9 | OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
10 | xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
11 | 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
12 | aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
13 | HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
14 | SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
15 | ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
16 | AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
17 | R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
18 | JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
19 | Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
20 | -----END CERTIFICATE-----
21 | 
22 | -----BEGIN CERTIFICATE-----
23 | MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
24 | MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
25 | DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
26 | SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
27 | GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
28 | AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
29 | q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
30 | SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
31 | Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
32 | a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
33 | /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
34 | AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
35 | CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
36 | bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
37 | c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
38 | VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
39 | ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
40 | MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
41 | Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
42 | AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
43 | uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
44 | wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
45 | X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
46 | PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
47 | KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
48 | -----END CERTIFICATE-----
49 | 


--------------------------------------------------------------------------------
/cert/ssl-example:
--------------------------------------------------------------------------------
1 | ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
2 | ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
3 | ssl_trusted_certificate cert/letsencrypt-root-ca.pem;
4 | 
5 | include ssl-config;
6 | 


--------------------------------------------------------------------------------
/cloudflare:
--------------------------------------------------------------------------------
 1 | #https://www.cloudflare.com/ips-v4
 2 | set_real_ip_from 103.21.244.0/22;
 3 | set_real_ip_from 103.22.200.0/22;
 4 | set_real_ip_from 103.31.4.0/22;
 5 | set_real_ip_from 104.16.0.0/12;
 6 | set_real_ip_from 108.162.192.0/18;
 7 | set_real_ip_from 131.0.72.0/22;
 8 | set_real_ip_from 141.101.64.0/18;
 9 | set_real_ip_from 162.158.0.0/15;
10 | set_real_ip_from 172.64.0.0/13;
11 | set_real_ip_from 173.245.48.0/20;
12 | set_real_ip_from 188.114.96.0/20;
13 | set_real_ip_from 190.93.240.0/20;
14 | set_real_ip_from 197.234.240.0/22;
15 | set_real_ip_from 198.41.128.0/17;
16 | 
17 | #https://www.cloudflare.com/ips-v6
18 | set_real_ip_from 2400:cb00::/32;
19 | set_real_ip_from 2405:b500::/32;
20 | set_real_ip_from 2606:4700::/32;
21 | set_real_ip_from 2803:f800::/32;
22 | set_real_ip_from 2c0f:f248::/32;
23 | set_real_ip_from 2a06:98c0::/29;
24 | 
25 | real_ip_header CF-Connecting-IP;
26 | 


--------------------------------------------------------------------------------
/common:
--------------------------------------------------------------------------------
 1 | location ~ /\.(?!well-known\/) {
 2 |     deny all;
 3 | }
 4 | 
 5 | location /favicon.ico {
 6 |     log_not_found       off;
 7 |     auth_basic  off;
 8 |     expires     31d;
 9 |     add_header  Cache-Control  private;
10 | }
11 | 
12 | location /robots.txt {
13 |     log_not_found       off;
14 | }
15 | 


--------------------------------------------------------------------------------
/country-cz:
--------------------------------------------------------------------------------
1 |     if ($geoip_country_code !~ "CZ") {
2 |         return 403;
3 |     }
4 | 
5 |     include        php7.load;
6 | 


--------------------------------------------------------------------------------
/debug_vars:
--------------------------------------------------------------------------------
 1 | location = /debug_vars {
 2 |     default_type text/plain;
 3 |     return 200 "
 4 | http_host:      $http_host
 5 | http_user_agent:        $http_user_agent
 6 | http_referer:   $http_referer
 7 | http_via:       $http_via
 8 | http_x_forwarded_for:   $http_x_forwarded_for
 9 | http_cookie:    $http_cookie
10 | content_length: $content_length
11 | content_type:   $content_type
12 | host:   $host
13 | binary_remote_addr:     $binary_remote_addr
14 | remote_addr:    $remote_addr
15 | remote_port:    $remote_port
16 | proxy_protocol_addr:    $proxy_protocol_addr
17 | proxy_protocol_port:    $proxy_protocol_port
18 | server_addr:    $server_addr
19 | server_port:    $server_port
20 | server_protocol:        $server_protocol
21 | scheme: $scheme
22 | https:  $https
23 | request_uri:    $request_uri
24 | uri:    $uri
25 | document_uri:   $document_uri
26 | request:        $request
27 | document_root:  $document_root
28 | realpath_root:  $realpath_root
29 | query_string:   $query_string
30 | args:   $args
31 | is_args:        $is_args
32 | request_filename:       $request_filename
33 | server_name:    $server_name
34 | request_method: $request_method
35 | remote_user:    $remote_user
36 | bytes_sent:     $bytes_sent
37 | body_bytes_sent:        $body_bytes_sent
38 | pipe:   $pipe
39 | request_completion:     $request_completion
40 | request_body:   $request_body
41 | request_body_file:      $request_body_file
42 | request_length: $request_length
43 | request_time:   $request_time
44 | request_id:     $request_id
45 | status: $status
46 | sent_http_content_type: $sent_http_content_type
47 | sent_http_content_length:       $sent_http_content_length
48 | sent_http_location:     $sent_http_location
49 | sent_http_last_modified:        $sent_http_last_modified
50 | sent_http_connection:   $sent_http_connection
51 | sent_http_keep_alive:   $sent_http_keep_alive
52 | sent_http_transfer_encoding:    $sent_http_transfer_encoding
53 | sent_http_cache_control:        $sent_http_cache_control
54 | sent_http_link: $sent_http_link
55 | limit_rate:     $limit_rate
56 | connection:     $connection
57 | connection_requests:    $connection_requests
58 | nginx_version:  $nginx_version
59 | hostname:       $hostname
60 | pid:    $pid
61 | msec:   $msec
62 | time_iso8601:   $time_iso8601
63 | time_local:     $time_local
64 | tcpinfo_rtt:    $tcpinfo_rtt
65 | tcpinfo_rttvar: $tcpinfo_rttvar
66 | tcpinfo_snd_cwnd:       $tcpinfo_snd_cwnd
67 | tcpinfo_rcv_space:      $tcpinfo_rcv_space
68 | http_:  $http_
69 | sent_http_:     $sent_http_
70 | sent_trailer_:  $sent_trailer_
71 | cookie_:        $cookie_
72 | arg_:   $arg_
73 | ";
74 | }


--------------------------------------------------------------------------------
/extras/cron/certbot-renew:
--------------------------------------------------------------------------------
1 | #renew LE certificates every monday at 6:45
2 | 45 6 * * 1      certbot renew --post-hook "systemctl reload nginx"


--------------------------------------------------------------------------------
/extras/fail2ban/filter.d/nginx-404.conf:
--------------------------------------------------------------------------------
 1 | # 404 scan blocker: /etc/fail2ban/filter.d/nginx-404.conf:
 2 | #
 3 | # Block IPs generate many 404
 4 | #
 5 | # Matches e.g.
 6 | # ip.ip.ip.ip - - [14/Jul/2015:16:54:53 +0200] "GET /404.php HTTP/1.0" 404
 7 | 
 8 | [Definition]
 9 | failregex = ^<HOST> .* "(GET|POST|HEAD) /.*" 404
10 | ignoreregex =
11 | 


--------------------------------------------------------------------------------
/extras/fail2ban/filter.d/wp-auth-failed.conf:
--------------------------------------------------------------------------------
 1 | # WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth-failed.conf:
 2 | #
 3 | # Block IPs trying to auth wp wordpress - only failed logins - you need to use mu-plugin
 4 | #
 5 | # Matches e.g.
 6 | # ip.ip.ip.ip - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 401 1531 "-" "-"
 7 | #
 8 | [Definition]
 9 | failregex = ^<HOST> .* "POST /wp-login.php.*" 401
10 | ignoreregex =
11 | 


--------------------------------------------------------------------------------
/extras/fail2ban/filter.d/wp-auth.conf:
--------------------------------------------------------------------------------
 1 | # WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
 2 | #
 3 | # Block IPs trying to auth wp wordpress
 4 | #
 5 | # Matches e.g.
 6 | # ip.ip.ip.ip - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"
 7 | #
 8 | [Definition]
 9 | failregex = ^<HOST> .* "POST /wp-login.php
10 | ignoreregex =
11 | 


--------------------------------------------------------------------------------
/extras/fail2ban/filter.d/wp-strange.conf:
--------------------------------------------------------------------------------
1 | # WordPress strange 40x requests filter: /etc/fail2ban/filter.d/wp-strange.conf:
2 | #
3 | [Definition]
4 | failregex = ^<HOST> .* "(GET|POST|HEAD) /.*(adminer|xxxxxx|backup|dump|\.sql|\.tar|~|searchreplacedb2|wallet\.dat|wp-config\.php|download|upload|eval\(|<script|base64_|union|https:|http:|author=).*" 40.*$
5 | ignoreregex =
6 | 


--------------------------------------------------------------------------------
/extras/fail2ban/jail.d/nginx-404.conf:
--------------------------------------------------------------------------------
1 | #Change the logpath
2 | [nginx-404]
3 | enabled = true
4 | filter = nginx-404 
5 | logpath = /var/log/nginx/*-access.log
6 | bantime  = 14400
7 | maxretry = 25
8 | findtime = 300
9 | 


--------------------------------------------------------------------------------
/extras/fail2ban/jail.d/wp-auth-failed.conf:
--------------------------------------------------------------------------------
1 | #Change the logpath
2 | [wp-auth]
3 | enabled = true
4 | filter = wp-auth
5 | logpath = /var/log/nginx/*-access.log
6 | bantime  = 28800
7 | maxretry = 3
8 | 
9 | 


--------------------------------------------------------------------------------
/extras/fail2ban/jail.d/wp-auth.conf:
--------------------------------------------------------------------------------
1 | #Change the logpath
2 | [wp-auth]
3 | enabled = true
4 | filter = wp-auth
5 | logpath = /var/log/nginx/*-access.log
6 | bantime  = 28800
7 | maxretry = 5
8 | 
9 | 


--------------------------------------------------------------------------------
/extras/fail2ban/jail.d/wp-strange.conf:
--------------------------------------------------------------------------------
 1 | #Change the logpath
 2 | [wp-strange]
 3 | enabled = true
 4 | filter = wp-strange
 5 | logpath = /var/log/nginx/*-access.log
 6 | bantime  = 900
 7 | maxretry = 5
 8 | findtime = 300
 9 | 
10 | 


--------------------------------------------------------------------------------
/extras/log-rotate/nginx:
--------------------------------------------------------------------------------
 1 | /var/log/nginx/*.log {
 2 |         daily
 3 |         missingok
 4 |         rotate 52
 5 |         compress
 6 |         delaycompress
 7 |         notifempty
 8 |         create 640 nginx adm
 9 |         sharedscripts
10 |         postrotate
11 |                 if [ -f /var/run/nginx.pid ]; then
12 |                         kill -USR1 `cat /var/run/nginx.pid`
13 |                 fi
14 |         endscript
15 | }
16 | 


--------------------------------------------------------------------------------
/extras/mu-plugins/lynt-custom-login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Plugin Name: Lynt custom login
 4 |  * Description: Allow wp-login.php only with cookie obtained from custom URL.
 5 |  * Plugin URI:  https://github.com/lynt-smitka/WP-nginx-config/blob/master/extras/mu-plugins/lynt-custom-login.php
 6 |  * Author:      Vladimir Smitka
 7 |  * Author URI:  https://lynt.cz/
 8 |  * License:     GNU General Public License v3 or later
 9 |  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
10 |  */
11 | defined( 'ABSPATH' ) or die( 'nothing here' );
12 | 
13 | if ( !defined('LYNT_CUSTOM_LOGIN_URL') )
14 |   define('LYNT_CUSTOM_LOGIN_URL', '/my-admin');
15 | 
16 | function lynt_handler_custom_login() {
17 | 
18 |   $path  = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
19 |   $query = parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY);
20 | 
21 |   if($path === LYNT_CUSTOM_LOGIN_URL) {
22 | 
23 |     $nonce = wp_create_nonce('lynt-custom-login');
24 |     setcookie('wp_lynt_custom_login', $nonce);
25 |     wp_redirect(implode('?', array_filter(array('/wp-login.php',$query))));
26 |     exit;
27 |   }
28 | }
29 | 
30 | function lynt_check_custom_login(){
31 |    $nonce = isset($_COOKIE['wp_lynt_custom_login'])?$_COOKIE['wp_lynt_custom_login']:'';
32 |    $action = isset($_GET['action'])?$_GET['action']:'';
33 |    $loggedout = isset($_GET['loggedout'])?$_GET['loggedout']:'';
34 | 
35 |   if (!wp_verify_nonce($nonce, 'lynt-custom-login') && $action !== 'logout' && $action !== 'confirm_admin_email' && $action !== 'rp' && $loggedout !== 'true') {
36 |     header($_SERVER['SERVER_PROTOCOL'].' 404 Not Found');
37 |     exit;
38 |   }
39 | }
40 | 
41 | add_action('parse_request', 'lynt_handler_custom_login');
42 | add_action('login_init', 'lynt_check_custom_login');
43 | 
44 | 


--------------------------------------------------------------------------------
/extras/mu-plugins/lynt-enhancer.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Plugin Name: Lynt enhancer
 4 |  * Description: Lynt security customizations
 5 |  * Plugin URI:  https://github.com/lynt-smitka/WP-nginx-config/blob/master/extras/mu-plugins/lynt-enhancer.php
 6 |  * Author:      Vladimir Smitka
 7 |  * Author URI:  https://lynt.cz/
 8 |  * License:     GNU General Public License v3 or later
 9 |  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
10 |  */
11 | 
12 | defined( 'ABSPATH' ) or die( 'nothing here' );
13 | 
14 | //Enable bcrypt - PHP 5.5+
15 | global $wp_hasher;
16 | 
17 | if ( empty($wp_hasher) ) {
18 |   require_once( ABSPATH . WPINC . '/class-phpass.php');
19 |   $wp_hasher = new PasswordHash(10, false);
20 | }
21 | 
22 | 
23 | // Remove sensitive data from REST API
24 | // User endpoint
25 | function lynt_remove_sensitive_data_from_rest_user( $response ) {
26 |    
27 |    if(!current_user_can('list_users')){
28 |    
29 |      //get WP_REST_Response
30 |      $data = $response->get_data();
31 |      //unset sensitive fields
32 |      if(preg_replace('/[\W]+/', '',$data['name']) == preg_replace('/[\W]+/', '',$data['slug'])) $data['name']="Author";
33 |      unset($data['link']);
34 |      unset($data['slug']);
35 |      unset($data['avatar_urls']);
36 |      //set data back
37 |      $response->set_data($data);
38 |    }
39 |    return $response;
40 | }
41 | 
42 | // Comment endpoint
43 | function lynt_remove_sensitive_data_from_rest_comment( $response ) {
44 | 
45 |    if(!current_user_can('list_users')){
46 | 
47 |      //get WP_REST_Response
48 |      $data = $response->get_data();
49 |      //unset sensitive fields
50 |      unset($data['author_avatar_urls']);
51 |      //set data back
52 |      $response->set_data($data);
53 |    }
54 |    return $response;
55 | }
56 | 
57 | 
58 | add_filter( 'rest_prepare_user', 'lynt_remove_sensitive_data_from_rest_user');
59 | add_filter( 'rest_prepare_comment', 'lynt_remove_sensitive_data_from_rest_comment');
60 | 
61 | // Return 401 code after failed login, useful for fail2ban
62 | function lynt_failed_login_401() {
63 |   status_header( 401 );
64 | }
65 | add_action( 'wp_login_failed', 'lynt_failed_login_401' );
66 | 
67 | 
68 | // Beta: Logs users out if they log in from a new IP - protection against leaking auth cookies.
69 | // With this approach, there will be only one user session bound to an IP address.
70 | function new_ip_invalidate_sessions() {
71 |     if (is_user_logged_in()) {
72 |         $user_id = get_current_user_id();
73 |         $current_ip = $_SERVER['REMOTE_ADDR'];
74 |         
75 |         $session_tokens = get_user_meta($user_id, 'session_tokens', true);
76 |         $sessions = maybe_unserialize($session_tokens);
77 |         
78 |         if (is_array($sessions)) {
79 |             foreach ($sessions as $token => $session) {
80 |                 if ($session['ip'] !== $current_ip) {
81 |                     WP_Session_Tokens::get_instance($user_id)->destroy_all();
82 |                     break;
83 |                 }
84 |             }
85 |         }
86 |     }
87 | }
88 | //add_action('init', 'new_ip_invalidate_sessions');
89 | 


--------------------------------------------------------------------------------
/extras/mu-plugins/lynt-mailfixer.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Plugin Name: Lynt mail fixer
 4 |  * Description: Lynt set up correct mail settings
 5 |  * Plugin URI:  https://github.com/lynt-smitka/WP-nginx-config/blob/master/extras/mu-plugins/lynt-mailfixer.php
 6 |  * Author:      Vladimir Smitka
 7 |  * Author URI:  https://lynt.cz/
 8 |  * License:     GNU General Public License v3 or later
 9 |  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
10 |  */
11 | 
12 | defined( 'ABSPATH' ) or die( 'nothing here' );
13 | 
14 | add_action('phpmailer_init', 'lynt_customize_mail_settings');
15 |    
16 | function lynt_customize_mail_settings($phpmailer) {
17 |    
18 |    //Set custom From address (it also mitigates CVE-2017-8295)  
19 |    //$phpmailer->From = "lynt@example.com";
20 |    //Set custom From Name
21 |    //$phpmailer->FromName = 'Vlada Smitka';
22 |    
23 |    //Set Sender (Return-Path) to From address 
24 |     $phpmailer->Sender = $phpmailer->From;
25 |     
26 |     //Setup your own SMTP server
27 |     /*
28 |     $phpmailer->Host = 'smpt.server';
29 |     $phpmailer->Port = 465;
30 |     $phpmailer->SMTPSecure = 'tls';
31 |     $phpmailer->Username = 'jmeno';
32 |     $phpmailer->Password = 'heslo';
33 |     $phpmailer->SMTPAuth = true;
34 |     $phpmailer->IsSMTP();
35 |     */
36 | }
37 | 


--------------------------------------------------------------------------------
/extras/mu-plugins/lynt-mo-cache-igb.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Plugin Name: Lynt MO Cache
 4 |  * Description: Lynt translations performance booster - igbinary version EXPERIMENTAL
 5 |  * Plugin URI:  https://github.com/lynt-smitka/WP-nginx-config/blob/master/extras/mu-plugins/lynt-mo-cache-igb.php
 6 |  * Author:      Vladimir Smitka
 7 |  * Author URI:  https://lynt.cz/
 8 |  * License:     GNU General Public License v3 or later
 9 |  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
10 |  */
11 | defined('ABSPATH') or die('nothing here');
12 | 
13 | function lynt_load_textdomain($retval, $domain, $mofile)
14 | {
15 |   global $l10n;
16 |   if (!is_readable($mofile))
17 |     return false;
18 | 
19 |   if (!function_exists('igbinary_serialize'))
20 |     return false;
21 | 
22 | 
23 |   $cache_path = WP_CONTENT_DIR . "/cache/lynt";
24 |   if (!file_exists($cache_path)) {
25 |     mkdir($cache_path, 0770, true);
26 |   }
27 |   $cache_file = sprintf('%s/mo-%s.igb',$cache_path, md5($mofile));
28 | 
29 | 
30 |   if (file_exists($cache_file)) {
31 |     $data = igbinary_unserialize(file_get_contents($cache_file));
32 |   } else {
33 |     $data = false;
34 |   }
35 | 
36 |   $mtime = filemtime($mofile);
37 | 
38 |   $mo = new MO();
39 |   if (!$data || !isset($data['mtime']) || $mtime > $data['mtime']) {
40 |     if (!$mo->import_from_file($mofile)) return false;
41 |     // prepare structure
42 |     $data = array(
43 |       'mtime' => $mtime,
44 |       'file' => $mofile,
45 |       'entries' => $mo->entries,
46 |       'headers' => $mo->headers
47 |     );
48 | 
49 |     // export mo object
50 |     file_put_contents($cache_file, igbinary_serialize($data), LOCK_EX);
51 |   } else {
52 |     $mo->entries = $data['entries'];
53 |     $mo->headers = $data['headers'];
54 |   }
55 |   if (isset($l10n[$domain])) {
56 |     $mo->merge_with($l10n[$domain]);
57 |   }
58 |   $l10n[$domain] = &$mo;
59 |   return true;
60 | }
61 | 
62 | add_filter('override_load_textdomain', 'lynt_load_textdomain', 0, 3);
63 | 
64 | 


--------------------------------------------------------------------------------
/extras/mu-plugins/lynt-mo-cache.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Plugin Name: Lynt MO Cache
 4 |  * Description: Lynt translations performance booster EXPERIMENTAL
 5 |  * Plugin URI:  https://github.com/lynt-smitka/WP-nginx-config/blob/master/extras/mu-plugins/lynt-mo-cache.php
 6 |  * Author:      Vladimir Smitka
 7 |  * Author URI:  https://lynt.cz/
 8 |  * License:     GNU General Public License v3 or later
 9 |  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
10 |  */
11 | defined('ABSPATH') or die('nothing here');
12 | 
13 | //reconstruction fake class
14 | class Lynt_Translation_Entry extends Translation_Entry
15 | {
16 |   public static function __set_state($args)
17 |   {
18 |     return new Translation_Entry($args);
19 |   }
20 | }
21 | 
22 | function lynt_load_textdomain($retval, $domain, $mofile)
23 | {
24 |   global $l10n;
25 |   if (!is_readable($mofile))
26 |     return false;
27 |   
28 |   $cache_path = WP_CONTENT_DIR . "/cache/lynt";
29 |   if (!file_exists($cache_path)) {
30 |     mkdir($cache_path, 0770, true);
31 |   }
32 |   $cache_file = sprintf('%s/mo-%s.php',$cache_path, md5($mofile));
33 |   
34 |  
35 |   if (file_exists($cache_file)) {
36 |     include $cache_file;
37 |     $data = isset($val) ? $val : false;
38 |   } else {
39 |     $data = false;
40 |   }
41 |   
42 |   $mtime = filemtime($mofile);
43 |   
44 |   $mo = new MO();
45 |   
46 |   if (!$data || !isset($data['mtime']) || $mtime > $data['mtime']) {
47 |     if (!$mo->import_from_file($mofile)) return false;
48 |     // prepare structure
49 |     $data = array(
50 |       'mtime' => $mtime,
51 |       'file' => $mofile,
52 |       'entries' => $mo->entries,
53 |       'headers' => $mo->headers
54 |     );
55 |     
56 |     // export mo object
57 |     $val = var_export($data, true);
58 |     // replace the original class with reconstruction fake class
59 |     $val = str_replace('Translation_Entry::', 'Lynt_Translation_Entry::', $val);
60 |     // save to file
61 |     file_put_contents($cache_file, '<?php $val = ' . $val . ';', LOCK_EX);
62 |     
63 |   } else {
64 |     $mo->entries = $data['entries'];
65 |     $mo->headers = $data['headers'];
66 |   }
67 |   if (isset($l10n[$domain])) {
68 |     $mo->merge_with($l10n[$domain]);
69 |   }
70 |   $l10n[$domain] = &$mo;
71 |   return true;
72 | }
73 | 
74 | add_filter('override_load_textdomain', 'lynt_load_textdomain', 0, 3);
75 | 


--------------------------------------------------------------------------------
/extras/mu-plugins/lynt-team-cookie.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Plugin Name: Lynt Team Cookie
 4 |  * Description: Set cookie lynt_team after open the administration - useful for excluding users from analytics
 5 |  * Plugin URI:  https://github.com/lynt-smitka/WP-nginx-config/blob/master/extras/mu-plugins/lynt-team-cookie.php
 6 |  * Author:      Vladimir Smitka
 7 |  * Author URI:  https://lynt.cz/
 8 |  * License:     GNU General Public License v3 or later
 9 |  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
10 |  */
11 | defined( 'ABSPATH' ) or die( 'nothing here' );
12 | 
13 | function lynt_team_cookie() {
14 |   setcookie('lynt_team', 1, time() + (86400 * 365 * 3), "/");
15 | }
16 | add_action('admin_menu', 'lynt_team_cookie');
17 | 


--------------------------------------------------------------------------------
/extras/php-fpm/www.conf:
--------------------------------------------------------------------------------
 1 | [www]
 2 | 
 3 | listen = /var/run/php7-fpm-www
 4 | listen.allowed_clients = 127.0.0.1
 5 | 
 6 | listen.owner = nginx
 7 | listen.group = nginx
 8 | listen.mode = 0660
 9 | 
10 | user = www
11 | group = www
12 | 
13 | pm = ondemand
14 | pm.max_children = 20
15 | pm.process_idle_timeout = 10
16 | 
17 | ;pm = dynamic
18 | ;pm.max_children = 50
19 | ;pm.start_servers = 20
20 | ;pm.min_spare_servers = 10
21 | ;pm.max_spare_servers = 20
22 | 
23 | pm.max_requests = 1000
24 | 
25 | ;pm.status_path = /status-php
26 | ;ping.path = /ping
27 | ;ping.response = pong
28 | ;request_terminate_timeout = 0
29 | ;request_slowlog_timeout = 0
30 | ;slowlog = /var/log/php-fpm.log.slow
31 | ;rlimit_files = 1024
32 | ;rlimit_core = 0
33 | ;chroot = /var/www
34 | ;chdir = /
35 | ;catch_workers_output = yes
36 | 
37 | php_admin_value[error_log] = /var/log/nginx/php-errors.log
38 | php_admin_value[memory_limit] = 128M
39 | php_admin_value[open_basedir] = /var/www:/tmp
40 | php_admin_value[session.save_path] = /tmp/sessions
41 | php_admin_value[upload_tmp_dir] = /tmp
42 | php_admin_value[sys_temp_dir] = /tmp
43 | php_admin_value[disable_functions] = "define_syslog_variables,highlight_file,exec,openlog,passthru,pcntl_exec,pcntl_fork,popen,posix_kill,posix_mkfifo,posix_mknod,posix_setpgid,posix_setsid,posix_setuid,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,putenv,shell_exec,show_shource,symlink,syslog,system"
44 | php_admin_value[mail.log] = /var/log/nginx/mail.log
45 | php_admin_flag[mail.add_x_header] = off
46 | 
47 | 


--------------------------------------------------------------------------------
/fastcgi_params:
--------------------------------------------------------------------------------
 1 | fastcgi_param  QUERY_STRING       $query_string;
 2 | fastcgi_param  REQUEST_METHOD     $request_method;
 3 | fastcgi_param  CONTENT_TYPE       $content_type;
 4 | fastcgi_param  CONTENT_LENGTH     $content_length;
 5 | 
 6 | fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
 7 | fastcgi_param  REQUEST_URI        $request_uri;
 8 | fastcgi_param  DOCUMENT_URI       $document_uri;
 9 | fastcgi_param  DOCUMENT_ROOT      $document_root;
10 | fastcgi_param  SERVER_PROTOCOL    $server_protocol;
11 | fastcgi_param  REQUEST_SCHEME     $scheme;
12 | fastcgi_param  HTTPS              $https if_not_empty;
13 | 
14 | fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
15 | fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
16 | 
17 | fastcgi_param  REMOTE_ADDR        $remote_addr;
18 | fastcgi_param  REMOTE_PORT        $remote_port;
19 | fastcgi_param  SERVER_ADDR        $server_addr;
20 | fastcgi_param  SERVER_PORT        $server_port;
21 | fastcgi_param  SERVER_NAME        $server_name;
22 | 
23 | # PHP only, required if PHP was built with --enable-force-cgi-redirect
24 | fastcgi_param  REDIRECT_STATUS    200;
25 | 
26 | fastcgi_param GEOIP_COUNTRY_CODE  $geoip_country_code;
27 | 
28 | # Disable HTTP proxy: https://httpoxy.org/#fix-now
29 | fastcgi_param HTTP_PROXY "";
30 | 


--------------------------------------------------------------------------------
/fbclid-redir:
--------------------------------------------------------------------------------
1 | if ( $redirect_fbclid ) {
2 |   return 301 $redirect_fbclid;
3 | }
4 | 


--------------------------------------------------------------------------------
/limit:
--------------------------------------------------------------------------------
1 |     allow 127.0.0.1; # Localhost
2 |     allow 1.2.3.4; # Povolena adresa
3 |     deny all;
4 | 


--------------------------------------------------------------------------------
/limit-pass:
--------------------------------------------------------------------------------
1 | satisfy any;
2 | include limit;
3 | auth_basic           "closed site";
4 | auth_basic_user_file .htpasswd;
5 | 


--------------------------------------------------------------------------------
/microcache:
--------------------------------------------------------------------------------
 1 | set $no_cache "";
 2 |     if ($request_method !~ ^(GET|HEAD)$) {
 3 |         set $no_cache "1";
 4 |     }
 5 |     if ($http_cookie ~* "nocache") {
 6 |                 set $no_cache "1";
 7 |     }
 8 | 
 9 |     if ($http_cookie ~* "wordpress_logged_in") {
10 |                 set $no_cache "1";
11 |     }
12 | 
13 | 
14 | fastcgi_cache microcache;
15 | fastcgi_cache_key $request_method|$host|$request_uri;
16 | fastcgi_cache_valid 404 30s;
17 | fastcgi_cache_valid any 3m;
18 | fastcgi_no_cache $no_cache;
19 | fastcgi_cache_bypass $no_cache;
20 | 


--------------------------------------------------------------------------------
/nginx.conf:
--------------------------------------------------------------------------------
 1 | user  nginx;
 2 | # number of CPU cores
 3 | worker_processes  2;
 4 | 
 5 | error_log  /var/log/nginx/error.log warn;
 6 | pid        /var/run/nginx.pid;
 7 | 
 8 | load_module "modules/ngx_http_geoip_module.so";
 9 | 
10 | events {
11 |     worker_connections  1024;
12 | }
13 | 
14 | http {
15 |     include       /etc/nginx/mime.types;
16 |     default_type  application/octet-stream;
17 |     
18 |     # extended log with IP before proxy and request time for the performance monitoring
19 |     # goaccess --log-format='%h %^ %^ [%d:%t] "%r" %s %b "%R" "%u" %^ "%T"' --time-format='%H:%M:%S %z' --date-format='%d/%b/%Y'
20 |     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
21 |                       '$status $body_bytes_sent "$http_referer" '
22 |                       '"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
23 | 
24 |     # log full request body for debugging - WARINING, log may contain sensitive information
25 |     log_format  debug  '$remote_addr - $remote_user [$time_local] "$request" '
26 |                       '$status $body_bytes_sent "$http_referer" '
27 |                       '"$http_user_agent" "$http_x_forwarded_for" "$request_body"';
28 | 
29 |     # logstach json format
30 |     log_format logstash_json '{ "@timestamp": "$time_iso8601", '
31 |                          '"@fields": { '
32 |                          '"remote_addr": "$remote_addr", '
33 |                          '"remote_user": "$remote_user", '
34 |                          '"request_method": "$request_method", '
35 |                          '"request": "$request", '
36 |                          '"status": "$status", '
37 |                          '"body_bytes_sent": "$body_bytes_sent", '
38 |                          '"http_referrer": "$http_referer", '
39 |                          '"http_user_agent": "$http_user_agent", '
40 |                          '"http_x_forwarded_for": "$http_x_forwarded_for", '
41 |                          '"request_time": "$request_time", } }';
42 |             
43 | 
44 |     access_log  /var/log/nginx/access.log  main;
45 | 
46 |     sendfile            on;
47 |     tcp_nopush          on;
48 |     tcp_nodelay         on;
49 |     server_tokens       off;
50 | 
51 |     keepalive_timeout  20 15;
52 |     client_body_timeout 15;
53 |     client_header_timeout 15;
54 |     send_timeout 10;
55 | 
56 |     gzip                on;
57 |     gzip_static         on;
58 |     gzip_comp_level     3;
59 |     gzip_min_length     1024;
60 |     gzip_vary on;
61 | 
62 |     # Client setings
63 |     client_max_body_size        50M;
64 |     fastcgi_buffers             256 4k;
65 |     client_body_buffer_size 10K;
66 |     client_header_buffer_size 2k;
67 |     large_client_header_buffers 2 2k;
68 | 
69 |     # Slow Loris protection
70 |     #client_body_timeout 10s;
71 |     #client_header_timeout 10s;
72 | 
73 |     ssl_session_cache shared:ssl_session_cache:30m;
74 |     ssl_session_timeout 1d;
75 | 
76 |     # Microcache
77 |     fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:20m inactive=1d max_size=512M;
78 | 
79 |     # fbclid mapper
80 |     map $request_uri $redirect_fbclid {
81 |       "~^(.*?)([?&]fbclid=[a-zA-Z0-9_-]+)$" $1;
82 |     }
83 | 
84 |     # GeoIP
85 |     geoip_country         /etc/nginx/GeoIP.dat;
86 | 
87 |     # another server settings
88 |     include /etc/nginx/conf.d/*.conf;
89 | 
90 |     # virtual hosts settings in vhosts.d:
91 |     include /etc/nginx/vhosts.d/*.conf;
92 | 
93 | }
94 | 


--------------------------------------------------------------------------------
/php5:
--------------------------------------------------------------------------------
1 | index index.php index.html index.htm;
2 | 
3 | location ~ \.php$ {
4 |     include        php5.load;
5 | }
6 | 


--------------------------------------------------------------------------------
/php5.load:
--------------------------------------------------------------------------------
1 |     #cesta k unix socketu PHP 5
2 |     fastcgi_pass   unix:/var/run/php5-fpm-www;
3 |     fastcgi_index  index.php;
4 |     fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
5 |     fastcgi_param  ENVIRONMENT LYNT;
6 |     include        fastcgi_params;
7 | 


--------------------------------------------------------------------------------
/php7:
--------------------------------------------------------------------------------
1 | index index.php index.html index.htm;
2 | 
3 | location ~ \.php$ {
4 |     include        php7.load;
5 | }
6 | 


--------------------------------------------------------------------------------
/php7.load:
--------------------------------------------------------------------------------
1 |     #cesta k unix socketu PHP 7
2 |     fastcgi_pass   unix:/var/run/php7-fpm-www;
3 |     fastcgi_index  index.php;
4 |     fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
5 |     fastcgi_param  ENVIRONMENT LYNT;
6 |     include        fastcgi_params;
7 | 


--------------------------------------------------------------------------------
/production:
--------------------------------------------------------------------------------
 1 | gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
 2 | 
 3 | gzip_disable "msie6";
 4 | 
 5 | location ~* ^.+\.(js|css|jpg|jpeg|gif|png|pdf|zip|rar|svg|ico)$ {
 6 |             expires      31d;
 7 |             access_log              off;
 8 |             add_header    Cache-Control  public;
 9 |             open_file_cache max=3000 inactive=120s;
10 |             open_file_cache_valid 45s;
11 |             open_file_cache_min_uses 2;
12 |             open_file_cache_errors off;
13 | }
14 | 


--------------------------------------------------------------------------------
/ssl-config:
--------------------------------------------------------------------------------
 1 | ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
 2 | ssl_prefer_server_ciphers on;
 3 | #openssl dhparam -out /etc/nginx/dhparams.pem 2048
 4 | ssl_dhparam /etc/nginx/dhparams.pem;
 5 | 
 6 | #Ciphers acording to https://mozilla.github.io/server-side-tls/ssl-config-generator/
 7 | ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 8 | ssl_stapling on;
 9 | ssl_stapling_verify on;
10 | 
11 | resolver 8.8.4.4;
12 | 


--------------------------------------------------------------------------------
/vhosts.d/example.conf:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen 80 deferred;
 3 | 
 4 |     server_name example.com;
 5 |     root /data/htdocs/example/www;
 6 | 
 7 |     access_log /data/htdocs/example/log/access.log main buffer=32k;
 8 |     error_log /data/htdocs/example/log/error.log;
 9 | 
10 |     include common;
11 |     include production;
12 |     include fbclid-redir;
13 |     include wordpress;
14 |     include php7;
15 | 
16 | }
17 | 
18 | 
19 | server {
20 |     listen 80;
21 |     server_name www.example.com;
22 | 
23 |     location / {
24 |         rewrite ^ https://example.com$request_uri permanent;
25 |     }
26 | }
27 | 


--------------------------------------------------------------------------------
/vhosts.d/sslexample.conf:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen 443 ssl http2 deferred;
 3 | 
 4 |     server_name sslexample.com;
 5 |     root /data/htdocs/sslexample/www;
 6 | 
 7 |     access_log /data/htdocs/sslexample/log/access.log main buffer=32k;
 8 |     error_log /data/htdocs/sslexample/log/error.log;
 9 | 
10 |     include cert/ssl-example;
11 | 
12 |     include common;
13 |     include production;
14 |     include fbclid-redir;
15 |     include wordpress;
16 |     include php7;
17 | }
18 | 
19 | 
20 | 
21 | server {
22 |     listen 443 ssl http2;
23 |     server_name  www.sslexample.com;
24 |     include cert/ssl-example;
25 |     rewrite ^(.*) https://www.sslexample.com$request_uri? permanent;
26 | }
27 | 
28 | server {
29 |     listen 80;
30 |     server_name www.sslexample.com sslexample.com;
31 | 
32 |     location /.well-known/ {
33 |         root /data/htdocs/sslexample/www;
34 |     }
35 | 
36 |     location / {
37 |         rewrite ^ https://www.sslexample.com$request_uri? permanent;
38 |     }
39 | }
40 | 
41 | 


--------------------------------------------------------------------------------
/wordpress:
--------------------------------------------------------------------------------
 1 | try_files $uri $uri/ /index.php?$args; 
 2 | 
 3 | #block common hacking tools used by script kiddies 
 4 | if ($http_user_agent ~* (WPScan|havij|nmap|nessus|w3af|Jorgee|sqlmap|dirbuster|nikto|<script) ) {
 5 |     return 403;
 6 | }
 7 | 
 8 | #block basic user names enumerations - for REST API used mu-plugin in extras
 9 | if ($args ~* "(?<!_)author="){ return 404; }
10 | 
11 | #block files with sensitive info, VCSs and xmlrpc.php (be careful, some plugins need it)
12 | location ~ license\.txt|wp-config-sample\.php|.*readme\.html|.*readme\.txt|.*rss-functions\.php|\.htaccess|wp-config\.php|xmlrpc\.php|/\.(svn|git|hg|bzr|cvs) {
13 |     return 404;
14 | }
15 | 
16 | #block direct access to .php files in uploads
17 | location ~* wp-content/uploads/.*\.php$ {
18 |     deny all;
19 | }
20 | 
21 | #allow only basic HTTP methods
22 | #REST API usually needs more method - PATCH, PUT, DELETE - you can allow them for REST-API enpoint
23 | #or you can use override by HTTP_X_HTTP_METHOD_OVERRIDE header or _method GET param
24 | if ($request_method !~ ^(GET|HEAD|POST)$ ){
25 |     return 403;
26 | }
27 | 
28 | #allow virtual robots.txt
29 | location = /robots.txt {
30 |     try_files $uri /index.php?$args;
31 |     log_not_found off;
32 | }
33 | 
34 | #block empty referers for login, ajax and comments
35 | if ($uri ~* "(wp-comments-posts|wp-login|admin-ajax)\.php$") {
36 |   set $ref_block A;
37 | }
38 | if ($request_method = POST ) {
39 |   set $ref_block  "${ref_block}B";
40 | }
41 | if ($http_referer = "") {
42 |   set $ref_block  "${ref_block}C";
43 | }
44 | if ($ref_block = ABC) {
45 |   return 403;
46 | }
47 | 
48 | #CVE-2018-6389 - load-scripts.php/load-styles.php - block lonq queries
49 | if ($request_uri ~* "^/wp-admin/load-(scripts|styles)\.php\?.{1024,}$"){
50 |     return 403;
51 | }
52 | 
53 | #block susspicious queries (based on iThemes Security blacklist)
54 | set $susquery 0;
55 | if ($args ~* "\.\./") { set $susquery 1; }
56 | if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
57 | if ($args ~* "wp-config.php") { set $susquery 1; }
58 | if ($args ~* "etc/passwd") { set $susquery 1; }
59 | if ($args ~* "boot.ini") { set $susquery 1; }
60 | if ($args ~* "ftp:") { set $susquery 1; }
61 | if ($args ~* "http:") { set $susquery 1; }
62 | if ($args ~* "https:") { set $susquery 1; }
63 | if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
64 | if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
65 | if ($args ~* "base64_encode") { set $susquery 1; }
66 | if ($args ~* "eval\(") { set $susquery 1; }
67 | if ($args ~* "file_put_contents") { set $susquery 1; }
68 | if ($args ~* "(%24&x)") { set $susquery 1; }
69 | if ($args ~* "(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;|%24&x)"){ set $susquery 1; }
70 | if ($args ~* "(127.0)") { set $susquery 1; }
71 | if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
72 | if ($args ~* "(insert|concat|union|declare)") { set $susquery 1; }
73 | if ($args ~* "^loggedout=true"){ set $susquery 0; }
74 | if ($args ~* "^action=jetpack-sso"){ set $susquery 0; }
75 | if ($args ~* "^action=rp"){ set $susquery 0; }
76 | if ($http_cookie ~* "^.*wordpress_logged_in_.*$"){ set $susquery 0; }
77 | if ($http_referer ~* "^http://maps.googleapis.com(.*)$"){ set $susquery 0; }
78 | if ($susquery = 1) { return 403; }
79 | 
80 | ##allow login page only from Czech Republic
81 | #location ~ ^/(wp-login\.php) {
82 | #    include country-cz;
83 | #}
84 | 
85 | #basic HTTP header for security
86 | add_header X-Frame-Options SAMEORIGIN;
87 | add_header X-XSS-Protection "1; mode=block";
88 | add_header X-Content-Type-Options nosniff;
89 | 


--------------------------------------------------------------------------------