Nginx Directive Snippets causing error

Discussion in 'Installation/Configuration' started by skysky, Nov 21, 2020.

  1. skysky

    skysky Member

    Hi
    I created below Nginx Directive Snippets, and assigned to my site option setting. but somehow I got error, and it can not run. This is the codes from Joomla admin tools.
    https://www.akeeba.com/documentation/admin-tools/nginx-maker.html

    ### ===========================================================================
    ### Security Enhanced & Highly Optimized NginX Configuration File for Joomla!
    ### automatically generated by Admin Tools 5.1.3 on 2020-11-21 16:22:17 CST
    ### ===========================================================================
    ###
    ### Admin Tools is Free Software, distributed under the terms of the GNU
    ### General Public License version 3 or, at your option, any later version
    ### published by the Free Software Foundation.
    ###
    ### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ### !! !!
    ### !! If you get an Internal Server Error 500 or a blank page when trying !!
    ### !! to access your site, remove this file and try tweaking its settings !!
    ### !! in the back-end of the Admin Tools component. !!
    ### !! !!
    ### !! Remember to include this file in your site's configuration file. !!
    ### !! Also remember to reload or restart NginX after making any change to !!
    ### !! this file. !!
    ### !! !!
    ### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ###

    ### Prevent access to this file
    location = /nginx.conf {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /nginx.conf.admintools {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }
    ######################################################################
    ## Protect against common file injection attacks
    ######################################################################
    set $file_injection 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
    set $file_injection 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
    set $file_injection 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
    set $file_injection 1;
    }
    if ($file_injection = 1) {
    return 403;
    break;
    }
    ######################################################################
    ## Disable PHP Easter Eggs
    ######################################################################
    if ($query_string ~ "\=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}") {
    return 403;
    break;
    }
    ######################################################################
    ## Block access to configuration.php-dist and htaccess.txt
    ######################################################################
    location = /configuration.php-dist {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /htaccess.txt {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /web.config {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /configuration.php {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /CONTRIBUTING.md {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /joomla.xml {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /LICENSE.txt {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /phpunit.xml {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /README.txt {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }

    location = /web.config.txt {
    log_not_found off;
    access_log off;
    return 404;
    break;
    }
    ## Protect against clickjacking
    add_header X-Frame-Options SAMEORIGIN;
    ######################################################################
    ## Directory indices and no automatic directory listings
    ## Forces index.php to be read before the index.htm(l) files
    ## Also disables showing files in a directory automatically
    ######################################################################
    index index.php index.html index.htm;
    ######################################################################
    ## Automatic compression of static resources
    ## Compress text, html, javascript, css, xml and other static resources
    ## May kill access to your site for old versions of Internet Explorer
    ######################################################################
    # The following is the actual automatic compression setup
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied expired no-cache no-store private auth;
    gzip_min_length 1000;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/xhtml+xml application/xml+rss application/rss+xml application/x-javascript application/javascript text/javascript application/json text/xml application/xml image/svg+xml;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    ## Referrer-policy
    add_header Referrer-Policy "unsafe-url";
    ## Reduce MIME type security risks
    add_header X-Content-Type-Options "nosniff";
    ## Reflected XSS prevention
    add_header X-XSS-Protection "1; mode=block";
    ## Prevent content transformation
    add_header Cache-Control "no-transform";
    # -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
    charset utf-8;
    source_charset utf-8;
    # -- Security options, see http://wiki.nginx.org/HttpCoreModule
    server_name_in_redirect off;
    server_tokens off;
    ignore_invalid_headers on;
    # -- Maximum client body size set to 1 Gigabyte
    client_max_body_size 1G;
    set $common_exploit 0;
    if ($query_string ~ "proc/self/environ") {
    set $common_exploit 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
    set $common_exploit 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
    set $common_exploit 1;
    }
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
    set $common_exploit 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
    set $common_exploit 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
    set $common_exploit 1;
    }
    if ($common_exploit = 1) {
    return 403;
    }
    ## Enable SEF URLs
    location / {
    try_files $uri $uri/ /index.php?$args;
    }
    location ~* /index.php$ {
    fastcgi_pass 127.0.0.1:9000;
    break;
    }
    ######################################################################
    ## Advanced server protection rules exceptions
    ######################################################################
    location = /administrator/components/com_akeeba/restore.php {
    fastcgi_pass 127.0.0.1:9000;
    break;
    }
    location = /administrator/components/com_admintools/restore.php {
    fastcgi_pass 127.0.0.1:9000;
    break;
    }
    location = /administrator/components/com_joomlaupdate/restore.php {
    fastcgi_pass 127.0.0.1:9000;
    break;
    }
    location ~* ^/\.well\-known/.*\.php$
    {
    break;
    }
    location ~* ^/\.well\-known/.*$
    {
    break;
    }
    location ~* ^/templates\/your_template_name_here/.*$
    {
    break;
    }
    ######################################################################
    ## Advanced server protection
    ######################################################################
    # Allow media files in select back-end directories
    location ~* ^/administrator/(components|modules|templates|images|plugins)/.*.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|mpg|mp3|mpeg|mp4|avi|wav|ogg|ogv|xls|xlsx|doc|docx|ppt|pptx|zip|rar|pdf|xps|txt|7z|svg|odt|ods|odp|flv|mov|htm|ttf|woff|woff2|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|WOFF2|EOT)$ {
    break;
    }

    # Allow access to the back-end index.php file
    location = /administrator/index.php {
    fastcgi_pass 127.0.0.1:9000;
    break;
    }
    location ~* ^/administrator$ {
    return 301 /administrator/index.php;
    }
    location ~* ^/administrator/$ {
    return 301 /administrator/index.php;
    }

    # Disable access to everything else.
    location ~* /administrator.*$ {
    # If it is a file, directory or symlink and I haven't deliberately
    # enabled access to it, forbid any access to it!
    if (-e $request_filename) {
    return 403;
    }
    # In any other case, just treat as a SEF URL
    try_files $uri $uri/ /administrator/index.php?$args;
    }
    # Allow media files in select front-end directories
    location ~* ^/(components|modules|templates|images|plugins|media|libraries|media/jui/fonts)/.*.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|mpg|mp3|mpeg|mp4|avi|wav|ogg|ogv|xls|xlsx|doc|docx|ppt|pptx|zip|rar|pdf|xps|txt|7z|svg|odt|ods|odp|flv|mov|ico|htm|ttf|woff|woff2|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|WOFF2|EOT)$ {
    break;
    }

    ## Disallow front-end access for certain Joomla! system directories (unless access to their files is allowed above)
    location ~* ^/includes/js/ {
    return 403;
    }
    location ~* ^/(cache|includes|language|logs|log|tmp)/ {
    return 403;
    }
    # Allow access to /
    location ~* ^/$ {
    return 301 /index.php;
    }

    # Disable access to everything else.
    location ~* ^/.*$ {
    # If it is a file, directory or symlink and I haven't deliberately
    # enabled access to it, forbid any access to it!
    if (-e $request_filename) {
    return 403;
    }
    # In any other case, just treat as a SEF URL
    try_files $uri $uri/ /index.php?$args;
    }
    ##### Advanced server protection -- END
     
    skysky, Nov 21, 2020
    #1

Share This Page