openec2 Article Description

Scripts – Part 1 – Nginx Configuration Files

Optional .conf files for Nginx

cd /etc/nginx

[Replace XXX.XXX.XXX.XXX with your own PC’s broadband static IP address, or remove the stanza]

vi inc.conf

location ~ ^/(wp-admin|wp-login\.php)$ {
allow XXX.XXX.XXX.XXX;
deny all;
}

# Refer to https://gist.github.com/nfsarmento/57db5abba08b315b67f174cd178bea88
# Disable logging for favicon

location = /favicon.ico {
try_files /favicon.ico @empty;
access_log off;
log_not_found off;
expires max;
}

location @empty {
empty_gif;
}

# Enable Rewrite Rules for Yoast SEO SiteMap
rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

location ~* \.(sh)$ {
return 444;
}
location ~* /(wp-config\.php|readme\.html|license\.txt|nginx\.conf) {
deny all;
}
# Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# nginx block xmlrpc.php requests
location /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}

# block access to install.php and upgrade.php
# allow must come before deny all: nginx applies the first rule that matches the client
location ^~ /wp-admin/install.php {
allow 144.6.125.35;
deny all;
error_page 403 =404 / ;
}

location ^~ /wp-admin/upgrade.php {
allow 144.6.125.35;
deny all;
error_page 403 =404 / ;
}

#Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ {
deny all;
}

# Stop scanning for the following files in the plugins folder
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}

# Stop scanning for the following files in the themes folder
location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}
# Deny access to uploads that aren’t images, videos, music, etc. (js is still needed in Avada)
location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|swf)$ {
deny all;
}

# This block pattern-matches certain key files and injects a short comment into them. The change is
# non-destructive and non-invasive, but it alters the md5sum calculated on those files, which is what WPScan relies on.
location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
sub_filter_types text/css text/javascript text/plain;
sub_filter_once on;
sub_filter ';' '; /* $msec */ ';
}

# Direct PHP file access
# If an attacker manages to sneak a PHP file onto your site, they can run it just by requesting it,
# which effectively gives them a backdoor into your site.
location ~* /(?:uploads|wp-content|wp-includes)/.*\.php$ {
deny all;
access_log off;
log_not_found off;
}
# Similar to PHP file, a dotfile like .htaccess, .user.ini, and .git may contain sensitive information.
# To be on the safer side, it’s better to disable direct access to these files.
location ~ /\.(svn|git)/* {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.user\.ini {
deny all;
access_log off;
log_not_found off;
}

# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}

#WordFence
location ~ \.user\.ini$ {
deny all;
}
# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}

# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
deny all;
}

# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\.(curl|heic|swf|tiff|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off;
log_not_found off;
expires 30d;
}

# Web fonts send expires headers
location ~* \.(?:eot|otf|ttf|woff|woff2)$ {
expires 30d;
access_log off;
add_header Cache-Control "public";
}

# SVGs & MP4 WEBM send expires headers – this rule is set specific to ns site
location ~* \.(?:svg|svgz|mp4|webm)$ {
expires 30d;
access_log off;
add_header Cache-Control "public";
}
# Media: images, icons, video, audio send expires headers.
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|aac|m4a|mp3|ogg|ogv|webp)$ {
expires 30d;
access_log off;
add_header Cache-Control "public";
}

# Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}

# CSS and Javascript send expires headers.
location ~* \.(?:css|js)$ {
expires 30d;
access_log off;
add_header Cache-Control "public";
}

# HTML send expires headers.
location ~* \.(html)$ {
expires 7d;
access_log off;
add_header Cache-Control "public";
}

# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all;
}

# Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}

[save and exit]
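As an added example (not from the page), here is a small Python simulation of how nginx evaluates allow/deny rules: the first rule that matches the client address decides, so `deny all` must come after the `allow` lines as in the install.php and upgrade.php stanzas above. The address 144.6.125.35 is the one those stanzas allow; 203.0.113.9 is a constructed outside client.

```python
"""Simulate nginx's allow/deny evaluation order.

Added example, not from the page. ngx_http_access_module checks the
rules of a location in the order written and the first rule that matches
the client address decides, so `deny all;` placed before an `allow` line
makes that allow unreachable. The address 144.6.125.35 is the one the
install.php stanza allows; 203.0.113.9 is a constructed outside client.
"""
import ipaddress


def parse_rules(block):
    """Pull allow/deny directives out of a location block body, in order."""
    rules = []
    for line in block.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules


def access_decision(rules, client_ip):
    """rules: [(action, 'all' | ip | cidr), ...]. Returns 'allow' or 'deny'.
    As in nginx, a request that matches no rule is allowed."""
    client = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network == "all":
            return action
        net = ipaddress.ip_network(network, strict=False)
        if client.version == net.version and client in net:
            return action
    return "allow"


# Constructed stanzas: deny listed first (a common mistake) and the correct order.
DENY_FIRST = """
location ^~ /wp-admin/install.php {
    deny all;
    allow 144.6.125.35;
    error_page 403 =404 / ;
}
"""
ALLOW_FIRST = """
location ^~ /wp-admin/install.php {
    allow 144.6.125.35;
    deny all;
    error_page 403 =404 / ;
}
"""


def compare(client_ip):
    """(decision with deny first, decision with allow first) for one client."""
    return (access_decision(parse_rules(DENY_FIRST), client_ip),
            access_decision(parse_rules(ALLOW_FIRST), client_ip))


if __name__ == "__main__":
    for ip in ("144.6.125.35", "203.0.113.9"):
        print(ip, compare(ip))   # ('deny', 'allow') then ('deny', 'deny')
```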
It is better to have gzip on; in the top part of nginx.conf for all domains, and to use gzip.conf as the include file.

The use of w3tc.conf below is not quite correct. W3TC will add a .conf file, or ask you to add one, in the WordPress directory, and that file already includes gzip entries.

As a result, the gzip.conf file has a couple of entries missing. You will see a duplicate warning in the nginx log file.

cd /etc/nginx

vi gzip.conf

gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/xhtml+xml
  application/xml
  application/octet-stream
  font/eot
  font/otf
  font/ttf
  font/woff2
  font/woff
  font/svg
  image/svg+xml
  image/png
  image/jpg
  image/jpeg
  image/webp
  text/css
  text/javascript
  text/plain
  text/xml;

[save and exit - note the semicolon at the end of the gzip_types list, which is the last line of the file.]

cd /etc/nginx

vi db.conf

# common nginx configuration to block SQL injection and other attacks
# DISABLE THIS INCLUDE FILE WHILE UPDATING PHPMYADMIN CONTENT
location ~* "(eval\()" {
deny all;
}
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}

location ~* "(base64_encode)(.*)(\()" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}

location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
deny all;
}

[save and exit]
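Added example, not from the page: a Python dry run of the db.conf patterns against sample request paths, so you can see which rules fire on ordinary WordPress traffic before enabling the include. It reproduces two nginx behaviours: a location regex is tested against the normalized path (percent-decoded, query string removed), so a payload carried only in the query string is never seen by these rules; and nginx collapses \\ to \ and \" or \' to the bare quote inside a config token before the regex reaches PCRE, which changes what some of the patterns above actually match. Sample URIs are constructed; urllib.parse.unquote stands in for nginx's own URI normalization.

```python
r"""Dry-run the db.conf location patterns against sample request paths.

Added example, not from the page. It reproduces two nginx behaviours:
(1) a `location ~` / `~*` regex is tested against the normalized request
path, percent-decoded and with the query string removed, and (2) inside a
config token nginx collapses \\ to \ and \" or \' to the bare quote before
the regex reaches PCRE, so a pattern written as \\|\s is compiled as \|\s.
urllib.parse.unquote stands in for nginx's own URI normalization.
"""
import re
from urllib.parse import unquote


def nginx_unquote(token):
    r"""Strip the one level of escaping nginx applies to \\, \" and \' in a token."""
    out, i = [], 0
    while i < len(token):
        if token[i] == "\\" and i + 1 < len(token) and token[i + 1] in "\"'\\":
            out.append(token[i + 1])
            i += 2
        else:
            out.append(token[i])
            i += 1
    return "".join(out)


# (case_sensitive, pattern) as written between the quotes in db.conf, in order.
DB_CONF_RULES = [
    (False, r"(eval\()"),
    (False, r"(127\.0\.0\.1)"),
    (False, r"([a-z0-9]{2000})"),
    (False, r"(javascript\:)(.*)(\;)"),
    (False, r"(base64_encode)(.*)(\()"),
    (False, r"(GLOBALS|REQUEST)(=|\[|%)"),
    (False, r"(<|%3C).*script.*(>|%3)"),
    (True, r"(\\|\.\.\.|\.\./|~|`|<|>|\|)"),
    (False, r"(boot\.ini|etc/passwd|self/environ)"),
    (False, r"(thumbs?(_editor|open)?|tim(thumb)?)\.php"),
    (False, r"(\'|\")(.*)(drop|insert|md5|select|union)"),
    (False, r"(https?|ftp|php):/"),
    (False, r"(=\\\'|=\\%27|/\\\'/?)\."),
    (True, r"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")"),
    (True, r"(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)"),
    (False, r"/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)"),
    (False, r"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)"),
    (False, r"/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php"),
]
COMPILED = [(n, re.compile(nginx_unquote(p), 0 if cs else re.IGNORECASE))
            for n, (cs, p) in enumerate(DB_CONF_RULES, start=1)]


def normalized_path(request_uri):
    """What a location regex sees: the decoded path without the query string."""
    return unquote(request_uri.split("?", 1)[0])


def matching_rules(request_uri):
    """1-based positions (order in db.conf) of the rules that would deny the request."""
    path = normalized_path(request_uri)
    return [n for n, rx in COMPILED if rx.search(path)]


# Constructed sample requests: ordinary WordPress traffic plus two probes.
SAMPLE_REQUESTS = [
    "/wp-admin/admin-ajax.php",
    "/wp-content/uploads/2024/05/photo.jpg",
    "/downloads/my%20report.pdf",            # decoded space passes: \s is lost after unescaping \\
    "/~alice/",                               # tilde is denied by rules 8 and 15
    "/wp-content/plugins/example/thumb.php",  # legitimate plugin file hit by rules 10 and 18
    "/wp-config.php",
    "/wp-content/uploads/shell.php",
    "/index.php?s=%27+union+select",          # payload only in the query string: unseen
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        hits = matching_rules(uri)
        print(f"{uri:42} -> {'deny by rule(s) %s' % hits if hits else 'passes'}")
```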
cd /etc/nginx

vi w3tc.conf

# BEGIN W3TC Minify cache
location ~ /wp-content/cache/minify/.*js_gzip$ {
gzip off;
types {}
default_type application/x-javascript;
add_header Content-Encoding gzip;
expires 31536000s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "public";
add_header X-Powered-By "W3 Total Cache/2.7.1";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Vary "Accept-Encoding";
}
location ~ /wp-content/cache/minify/.*css_gzip$ {
gzip off;
types {}
default_type text/css;
add_header Content-Encoding gzip;
expires 31536000s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "public";
add_header X-Powered-By "W3 Total Cache/2.7.1";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Vary "Accept-Encoding";
}
# END W3TC Minify cache
# BEGIN W3TC Page Cache cache
location ~ /wp-content/cache/page_enhanced.*gzip$ {
gzip off;
types {}
default_type text/html;
add_header Content-Encoding gzip;
expires 3600s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "public";
add_header X-Powered-By "W3 Total Cache/2.7.1";
add_header Referrer-Policy "no-referrer-when-downgrade";
}
# END W3TC Page Cache cache
# BEGIN W3TC Browser Cache
gzip on;
gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext text/plain text/xsd text/xsl text/xml image/bmp application/java application/msword application/vnd.ms-fontobject application/x-msdownload image/x-icon application/json application/vnd.ms-access video/webm application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text audio/ogg application/pdf application/vnd.ms-powerpoint image/svg+xml application/x-shockwave-flash image/tiff application/x-font-ttf audio/wav application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel;
location ~ \.(css|htc|less|js|js2|js3|js4)$ {
expires 31536000s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "public";
add_header X-Powered-By "W3 Total Cache/2.7.1";
add_header Referrer-Policy "no-referrer-when-downgrade";
try_files $uri $uri/ /index.php?$args;
}
location ~ \.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$ {
expires 3600s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "public";
add_header X-Powered-By "W3 Total Cache/2.7.1";
add_header Referrer-Policy "no-referrer-when-downgrade";
try_files $uri $uri/ /index.php?$args;
}
location ~ \.(asf|asx|wax|wmv|wmx|avi|avif|avifs|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|webp|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|webm|mpp|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|_ttf|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
expires 31536000s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "public";
add_header X-Powered-By "W3 Total Cache/2.7.1";
add_header Referrer-Policy "no-referrer-when-downgrade";
try_files $uri $uri/ /index.php?$args;
}
add_header Referrer-Policy "no-referrer-when-downgrade";
# END W3TC Browser Cache
# BEGIN W3TC Minify core
set $w3tc_enc "";
if ($http_accept_encoding ~ gzip) {
set $w3tc_enc _gzip;
}
if (-f $request_filename$w3tc_enc) {
rewrite (.*) $1$w3tc_enc break;
}
rewrite ^/wp-content/cache/minify/ /index.php last;
# END W3TC Minify core
# BEGIN W3TC Page Cache core
set $w3tc_query_string $query_string;
if ($w3tc_query_string ~* "^(.*?&|)_branch_match_id(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)_bta_c(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)_bta_tid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)_ga(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)_gl(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)_ke(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)adgroupid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)adid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)age\-verified(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)ao_noptimize(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)campaignid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)campid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)cn\-reloaded(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)customid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)dm_i(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)ef_id(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)epik(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)fb_action_ids(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)fb_action_types(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)fb_source(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)fbclid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)gclid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)gclsrc(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)gdffi(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)gdfms(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)gdftrk(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_acc(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_ad(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_cam(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_grp(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_kw(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_mt(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_net(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_src(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_tgt(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)hsa_ver(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)igshid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_campaign(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_cid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_content(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_group(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_keyword(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_medium(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_placement(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)matomo_source(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mc_cid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mc_eid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mkcid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mkevt(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mkrid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mkwid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)msclkid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_campaign(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_cid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_content(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_group(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_keyword(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_medium(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_placement(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)mtm_source(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pcrid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)piwik_campaign(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)piwik_keyword(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)piwik_kwd(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pk_campaign(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pk_cid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pk_content(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pk_keyword(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pk_kwd(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pk_medium(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pk_source(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)pp(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)redirect_log_mongo_id(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)redirect_mongo_id(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)ref(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)s_kwcid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)sb_referer_host(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)si(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)sscid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)toolid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)trk_contact(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)trk_module(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)trk_msg(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)trk_sid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)usqp(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)utm_campaign(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)utm_content(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)utm_expid(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)utm_id(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)utm_medium(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)utm_source(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~* "^(.*?&|)utm_term(=[^&]*)?(&.*|)$") {
set $w3tc_query_string $1$3;
}
if ($w3tc_query_string ~ ^[?&]+$) {
set $w3tc_query_string "";
}
set $w3tc_request_uri $request_uri;
if ($w3tc_request_uri ~* "^([^?]+)\?") {
set $w3tc_request_uri $1;
}
set $w3tc_rewrite 1;
if ($request_method = POST) {
set $w3tc_rewrite 0;
}
if ($w3tc_query_string != "") {
set $w3tc_rewrite 0;
}
set $w3tc_slash "";
if ($w3tc_request_uri ~ \/$) {
set $w3tc_slash _slash;
}
if ($http_cookie ~* "(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle)") {
set $w3tc_rewrite 0;
}
set $w3tc_preview "";
if ($http_cookie ~* "(w3tc_preview)") {
set $w3tc_preview _preview;
}
set $w3tc_ssl "";
if ($scheme = https) {
set $w3tc_ssl _ssl;
}
if ($http_x_forwarded_proto = 'https') {
set $w3tc_ssl _ssl;
}
set $w3tc_enc "";
if ($http_accept_encoding ~ gzip) {
set $w3tc_enc _gzip;
}
if (!-f "$document_root/wp-content/cache/page_enhanced/$http_host/$w3tc_request_uri/_index$w3tc_slash$w3tc_ssl$w3tc_preview.html$w3tc_enc") {
set $w3tc_rewrite 0;
}
if ($w3tc_rewrite = 1) {
rewrite .* "/wp-content/cache/page_enhanced/$http_host/$w3tc_request_uri/_index$w3tc_slash$w3tc_ssl$w3tc_preview.html$w3tc_enc" last;
}
# END W3TC Page Cache core

[save and exit]
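Added example, not W3TC's own code and not from the page: a Python reproduction of the Page Cache core decision chain above, useful for checking which requests the cache can serve and which must reach PHP (POST, leftover query strings, logged-in and commenter cookies). The tracking-parameter list is cut down to a few names from the file, the host example.com and cookie values are constructed, and a constructed set of file names stands in for nginx's -f test.

```python
r"""Reproduce the W3TC "Page Cache core" decision chain from w3tc.conf.

Added example, not W3TC's own code. It mirrors the set/if/rewrite chain
above: strip tracking parameters from the query string, refuse the cache
for POST, for any remaining query string and for logged-in or commenter
cookies, then build the page_enhanced file name that nginx tests with -f.
The tracking-parameter list is cut down to a few names from the page, and
a constructed set of file names stands in for the filesystem.
"""
import re

# Subset of the query parameters w3tc.conf removes before deciding.
TRACKING_PARAMS = ["fbclid", "gclid", "utm_campaign", "utm_medium", "utm_source", "utm_term"]
# Cookies that force a cache bypass (same pattern as the $http_cookie test above).
BYPASS_COOKIES = re.compile(
    r"(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle)", re.I)


def strip_tracking(query_string):
    """Apply `if ($w3tc_query_string ~* "^(.*?&|)NAME(=[^&]*)?(&.*|)$") { set ... $1$3; }`
    once per NAME, then blank a leftover made only of '?' and '&'."""
    qs = query_string
    for name in TRACKING_PARAMS:
        m = re.match(r"^(.*?&|)" + re.escape(name) + r"(=[^&]*)?(&.*|)$", qs, re.I)
        if m:
            qs = m.group(1) + m.group(3)
    if re.match(r"^[?&]+$", qs):
        qs = ""
    return qs


def page_cache_target(method, request_uri, host, cookies="", scheme="http",
                      x_forwarded_proto="", accept_encoding="", existing_files=()):
    """Return the cache file nginx would rewrite to, or None to fall through to PHP."""
    path, _, query = request_uri.partition("?")
    if method == "POST" or strip_tracking(query) != "":
        return None
    if BYPASS_COOKIES.search(cookies):
        return None
    slash = "_slash" if path.endswith("/") else ""
    preview = "_preview" if re.search(r"w3tc_preview", cookies, re.I) else ""
    ssl = "_ssl" if scheme == "https" or x_forwarded_proto == "https" else ""
    enc = "_gzip" if re.search(r"gzip", accept_encoding) else ""
    # Same concatenation as the rewrite target in w3tc.conf; the doubled
    # slashes around $w3tc_request_uri do not bother the -f test.
    target = (f"/wp-content/cache/page_enhanced/{host}/{path}/"
              f"_index{slash}{ssl}{preview}.html{enc}")
    return target if target in existing_files else None


# Constructed sample: one cached page for example.com, plain and gzip variants.
CACHE_FILES = {
    "/wp-content/cache/page_enhanced/example.com//about//_index_slash_ssl.html",
    "/wp-content/cache/page_enhanced/example.com//about//_index_slash_ssl.html_gzip",
}

if __name__ == "__main__":
    cases = [
        ("GET", "/about/?utm_source=newsletter&utm_medium=email", "", "gzip, br"),
        ("GET", "/about/?s=term", "", "gzip"),
        ("GET", "/about/", "wordpress_logged_in_abc=1", "gzip"),
        ("POST", "/about/", "", "gzip"),
    ]
    for method, uri, cookie, ae in cases:
        print(method, uri, "->", page_cache_target(method, uri, "example.com", cookies=cookie,
                                                    scheme="https", accept_encoding=ae,
                                                    existing_files=CACHE_FILES))
```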
cd /etc/nginx

vi wpsuper.conf

# WP Super Cache rules.
# Designed to be included from a 'wordpress-ms-…' configuration file.

set $cache_uri $request_uri;

# POST requests and URLs with a query string should always go to PHP
if ($request_method = POST) {
set $cache_uri 'null cache';
}

if ($query_string != "") {
set $cache_uri 'null cache';
}

# Don't cache URIs containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}

# Don't use the cache for logged-in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
set $cache_uri 'null cache';
}

# START MOBILE
# Mobile browsers section, to serve them the non-cached version. COMMENTED by default, as most modern WordPress themes, including Twenty Eleven, are responsive. Uncomment the config lines in this section if you want to use a plugin like WPtouch.
#if ($http_x_wap_profile) {
# set $cache_uri 'null cache';
#}

#if ($http_profile) {
# set $cache_uri 'null cache';
#}

#if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800)) {
# set $cache_uri 'null cache';
#}

#if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-)) {
# set $cache_uri 'null cache';
#}
#END MOBILE

# Use the cached or actual file if it exists, otherwise pass the request to WordPress
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args ;
}

[save and exit]
AFTER the Port 80 section's line   index index.php index.html index.htm;   add these lines to stop use of the IP address instead of the domain name. USE YOUR OWN DOMAIN.

set $test 0;
if ( $host != "DOMAIN.COM" ){
    set $test 1;
}
if ( $host != "www.DOMAIN.COM" ){
    set $test 1$test;
}
# $test ends up as 11 only when the Host header matched neither name
if ( $test = 11 ){
    return 444; #CONNECTION CLOSED WITHOUT RESPONSE
}


BEFORE the stanza's 404 section add these lines to stop people downloading "feed" files, which contain a lot of information. You can put in an allow for your own static IP address if you have one:

# Note: these patterns match any URI containing "feed" or "rss" anywhere in the path
location ~ ^(.*)(.*)(feed)(.*)$ {
    allow xxx.xxx.xxx.xxx;
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
}

location ~ ^(.*)(.*)(rss)(.*)$ {
    allow xxx.xxx.xxx.xxx;
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
}




IN the Port 443 SSL section...

after:
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        index index.php index.html index.htm;

ADD these lines (with your own domain; again, to stop use of the IP address):

    if ( $host != "DOMAIN.COM" ){
        return 444; #CONNECTION CLOSED WITHOUT RESPONSE
    }

After the robots section you can include the gzip file. gzip on is already in the first section of our nginx.conf file.

include /etc/nginx/gzip.conf;

If you do not use W3TC, have a look at tools.pingdom.com: it lets you examine which content types are missing from your gzip.conf file.

As already mentioned, I added these lines before the gzip on line:

proxy_buffer_size 16K;
proxy_buffers 4 16K;
proxy_max_temp_file_size 0;
client_body_buffer_size 2480K;

Just after the location / section in your Port 443 server block, add these lines for expires headers:

location ~* \.(?:ico|css|js|gif|jpe?g|png|jpg|woff2|eot|ttf|svg|woff)$ {
    expires 30d;
    add_header Pragma "public";
    add_header Cache-Control "public";
}
Every article I read on blocking phpMyAdmin except from your static IP address has not worked.

You can insert this into nginx.conf alongside the stanzas shown above that block feed or rss attempts:

Place this before your first location / stanza.

You cannot access https://domain.com/phpMyAdmin, but you CAN access https://domain.com/phpMyAdmin/index.php

# THIS DOES NOT WORK: USE THE BLOCK BELOW INSTEAD, with https://domain.com/phpMyAdmin/index.php
# location ~ ^(.*)(.*)(phpMyAdmin)(.*)$ {
location /phpMyAdmin {
    root /usr/share;
    allow xxx.xxx.xxx.xxx;
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    include fastcgi_params;
}


You will already have /var/www/html/phpMyAdmin as a soft link to /usr/share.

If you are archiving website content that no longer has a domain name, you won't be able to access all the permalinks, as far as I can tell.

In that case you have to edit your WordPress menus to point to the page ID numbers instead.