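# Plain-HTTP front: every request on port 80 is redirected to the canonical
# HTTPS host. `default_server` makes this block answer for any Host header
# that no other port-80 server block claims, so unknown hosts are redirected
# too rather than served.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ele.com www.ele.com;
    #return 301 https://$host$request_uri;
    #rewrite 301 https://www.ele.com$request_uri? permanent;
    return 301 https://www.ele.com$request_uri;
}

# TLS front that terminates HTTPS and reverse-proxies to the backend on
# 127.0.0.1:8080. Request filtering (query-string and User-Agent deny rules)
# is evaluated at server level before the proxied location is reached.
server {
    # `ssl on;` is deprecated (since nginx 1.15.0) and removed in newer
    # releases; the `ssl` parameter on `listen` is the supported form.
    # NOTE(review): only IPv4 is bound here, while the port-80 block above also
    # listens on [::]:80 and redirects to https — IPv6 clients will fail unless
    # another server block listens on [::]:443 elsewhere; confirm before adding
    # `listen [::]:443 ssl;`.
    listen 443 ssl;
    # Hide the nginx version in the Server header and error pages.
    server_tokens off;
    server_name ele.com www.ele.com;
    #allow 59.177.8.31;
    #allow 2405:204:138b:977c:3442:cecc:cdea:621c;
    #allow 2402:3a80:90e:cc9d:3442:cecc:cdea:621c;
    #deny all;
    # Long timeouts (20 min) for slow backend operations; the location below
    # overrides proxy_read_timeout to 900s.
    proxy_connect_timeout 1200;
    proxy_send_timeout 1200;
    proxy_read_timeout 1200;
    send_timeout 1200;
    # HSTS is left disabled here. It should be enabled once every subdomain is
    # served over HTTPS, since `includeSubDomains` with a one-year max-age
    # cannot be rolled back quickly for browsers that have already cached it.
    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
    ssl_certificate /etc/letsencrypt/live/ele.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ele.com/privkey.pem; # managed by Certbot
    # Canonicalise the bare apex to www on HTTPS as well.
    if ($host = ele.com) {
        return 301 https://www.ele.com$request_uri;
    }
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # resolver 8.8.8.8 8.8.4.4 valid=300s;
    # resolver_timeout 5s;
    # ssl_trusted_certificate /usr/local/src/ssl/2017.crt;
    # Shared cache only: nginx documents the `builtin` cache as a source of
    # memory fragmentation and recommends the shared cache on its own.
    ssl_session_cache shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
    # offered set; this matches the intent of the previously commented line.
    # TLSv1.3 can be appended once the nginx/OpenSSL build supports it
    # (nginx 1.13.0+ with OpenSSL 1.1.1+).
    # ssl_protocols TLSv1.2;
    ssl_protocols TLSv1.2;
    # Cipher policy: ECDHE/DHE with AES-256 only, anonymous suites excluded.
    # This still permits CBC suites; the GCM-first list kept below is the
    # stricter alternative if client compatibility allows.
    # Without ssl_dhparam the EDH half of this list may be unused (nginx 1.11.0+
    # sets no DH parameters by default) — confirm with a TLS scan.
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    # ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    #ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
    #ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_prefer_server_ciphers on;
    #ssl_dhparam /usr/local/src/ssl/dhparam.pem;
    #proxy_read_timeout 1200;
    # `audit` must be a log_format declared in the http context (not shown here).
    access_log /var/log/nginx/ele.access.log audit;
    # Requests whose path starts with /var/ are refused before reaching the proxy.
    location ^~ /var/ {
        return 403;
    }
    #error_log /var/log/nginx/ele.error.log;
    location / {
        # Larger buffers for the backend's big response headers/bodies.
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        # Hard-coded to https: this server block only ever terminates TLS, so
        # $scheme would be identical here; the literal avoids the backend's
        # "reverse proxy set up is broken" check misfiring.
        proxy_set_header X-Forwarded-Proto https; # Fix the “It appears that your reverse proxy set up is broken" error.
        proxy_pass http://127.0.0.1:8080;
        # Overrides the server-level 1200s read timeout for proxied requests.
        proxy_read_timeout 900;
        # proxy_redirect http://localhost:8080 https://jenkins.domain.com;
    }
    #security
    #add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://v2.zopim.com https://www.google-analytics.com https://js.braintreegateway.com https://d1n7u6d5707h07.cloudfront.net https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js https://cdn.raptorsupplies.com https://www.googletagmanager.com";
    #add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://v2.zopim.com https://www.google-analytics.com https://js.braintreegateway.com https://d1a9lcvhivouno.cloudfront.net";

    # --- Request filtering -------------------------------------------------
    # The rules below are coarse signature matches on the raw (still
    # percent-encoded) $query_string. `~` is a CASE-SENSITIVE match in nginx,
    # so e.g. upper-case variants of these tokens pass through; `~*` would make
    # them case-insensitive. Treat these as a noise filter in front of the
    # backend's own input validation, not as the control that prevents
    # injection. Each `set`/`return` inside a server-level `if` is one of the
    # forms nginx documents as safe to use there.

    ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

    ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }

    ## Block spam
    # Word-list match; note that ordinary words in these lists (e.g. "libido",
    # "erectile") will also reject legitimate searches containing them.
    set $block_spam 0;
    if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 403;
    }

    ## Block user agents
    # User-Agent is client-supplied and trivially changed, so this only stops
    # tools that identify themselves honestly.
    set $block_user_agents 0;
    # Don't disable wget if you need it to run cron jobs!
    #if ($http_user_agent ~ "Wget") {
    #    set $block_user_agents 1;
    #}
    # Disable Akeeba Remote Control 2.5 and earlier
    if ($http_user_agent ~ "Indy Library") {
        set $block_user_agents 1;
    }
    # Common bandwidth hoggers and hacking tools.
    if ($http_user_agent ~ "libwww-perl") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetRight") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetWeb!") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go!Zilla") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Download Demon") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go-Ahead-Got-It") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "TurnitinBot") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GrabNet") {
        set $block_user_agents 1;
    }
    if ($block_user_agents = 1) {
        # Enable the dedicated log if blocked agents need to be reviewed.
        #access_log /var/log/nginx/bot_block.log audit;
        return 403;
    }
}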