-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathdrop.conf
39 lines (30 loc) · 2.03 KB
/
drop.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
#### nginx-globals - https://github.com/philcryer/nginx-globals
#### Only allow GET, HEAD and POST methods, Do not accept DELETE, SEARCH ideas
#### from http://nginx.2469901.n2.nabble.com/Nginx-Security-Hardening-and-Rules-td7591811.html
if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }
#### Necessary for Let's Encrypt Domain Name ownership validation
#### from https://github.com/letsencrypt/acme-spec/issues/221#issuecomment-212489139
#location /.well-known/acme-challenge/ { try_files $uri /dev/null =404; }
location ~ ^/.well-known/acme-challenge/* { allow all; }
#### Necessary for LEDN ownership validation, other .well-known use (MORE COMPLETE?)
#### from https://stackoverflow.com/a/49324172
#### "I would go with an optimised code: So that all dots are denied except .well-known folder
#location ~ /\.(?!well-known).* {
# deny all;
#}
#### Turn off logging for basic traffic, giving syslog a little relief
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\. { access_log off; log_not_found off; deny all; }
location ~ ~$ { access_log off; log_not_found off; deny all; }
#### favicon - return 200; suggested by Károly Nagy on a nginx LinkedIn Group discussion
#### https://www.linkedin.com/groups/nginxglobals-2000893.S.5963371829870546947
location = /favicon.ico { access_log off; log_not_found off; return 200; }
#### Block some common attack probes, but don't worry about logging them (garbage traffic)
location ~ ^/(xampp|phpmyadmin|licenses|webalizer|server-status|server-info|cpanel|configuration.php|htaccess) { access_log off; log_not_found off; deny all; }
#### Deny scripts inside writable directories
#### http://www.nginxtips.com/nginx-security-guide/
location ~* /(images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ { return 403; }
#### Do not allow access to files giving away WordPress version
location ~ /(\.|wp-config.php|readme.html|licence.txt) { return 404; }
#### General things you probably don't want exposed
location ~ /(app|i18n|log|test|tmp|tools)/ { deny all; }