Memory issue

JohnCarne nginx-forum at forum.nginx.org
Fri Apr 7 03:57:38 UTC 2017


Another attempt:

# configuration file /etc/nginx/nginx.conf:
#Core Functionality

# Worker processes run unprivileged.
user  nobody;
# 8 workers x 8192 worker_connections (events block below) = 65536 concurrent
# connections; the per-connection buffer sizes live in http_settings_custom.conf.
worker_processes  8;
pid        /var/run/nginx.pid;
# JIT-compile the PCRE patterns used by the map and location regexes.
pcre_jit on;
error_log /var/log/nginx/error_log;
#error_log /home/abackup/debug.log debug;
# Per-worker open-file limit; has to cover worker_connections plus the
# open_file_cache (max=10000) and open_log_file_cache (max=1000) handles.
worker_rlimit_nofile 300000;

#Load Dynamic Modules
# Must come before the http include: more_set_headers and geoip_* used there
# are provided by these modules.
include /etc/nginx/modules.d/*.load;

events {
worker_connections 8192;
use epoll;
multi_accept on;
# With accept_mutex off every worker is woken for a new connection.
accept_mutex off;
}

#Settings For other core modules like for example the stream module
include /etc/nginx/conf.d/main_custom_include.conf;

#Settings for the http core module
include /etc/nginx/conf.d/http_settings_custom.conf;


# configuration file /etc/nginx/modules.d/brotli.load:
# Brotli compression filter and static (pre-compressed file) module;
# brotli.conf is included by the :443 server of the example vhost.
load_module "/etc/nginx/modules/ngx_http_brotli_filter_module.so";
load_module "/etc/nginx/modules/ngx_http_brotli_static_module.so";

# configuration file /etc/nginx/modules.d/geoip.load:
# Provides geoip_country/geoip_city and $geoip_country_code (maps-custom.conf).
load_module "/etc/nginx/modules/ngx_http_geoip_module.so";

# configuration file /etc/nginx/modules.d/headers_more_filter.load:
# Provides more_set_headers, used in the http block to replace the Server header.
load_module "/etc/nginx/modules/ngx_http_headers_more_filter_module.so";

# configuration file /etc/nginx/modules.d/ndk.load:
# Nginx Development Kit; no directive in this listing uses it directly, so it is
# presumably a dependency of another module — confirm before removing.
load_module "/etc/nginx/modules/ndk_http_module.so";

# configuration file /etc/nginx/conf.d/main_custom_include.conf:

# configuration file /etc/nginx/conf.d/http_settings_custom.conf:
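http {

# Replace the Server response header (ngx_http_headers_more_filter_module,
# loaded from modules.d/). server_tokens off below only hides the version;
# this overrides the whole value.
more_set_headers 'Server: YOORshop';

sendfile             off;
sendfile_max_chunk   1M;
tcp_nodelay          on;
#tcp_nopush           on;

# Slowloris mitigation: short header/body/send timeouts, and free the socket
# as soon as a timed-out connection is dropped.
client_body_timeout             10s;
client_header_timeout           10s;
keepalive_timeout               30s;
send_timeout                    20s;
reset_timedout_connection       on;

keepalive_requests              512;
keepalive_disable               msie6 safari;
types_hash_max_size             2048;
server_names_hash_max_size      256000;
server_names_hash_bucket_size   4096;

server_tokens                   off;
client_max_body_size            32m;
client_body_buffer_size         256k;
map_hash_bucket_size            256;
map_hash_max_size               4096;

# Per-connection / per-request allocations. These multiply with the
# 8 x 8192 connections configured in nginx.conf, so they are the first thing
# to revisit when nginx memory use is the concern; large_client_header_buffers
# (4 x 256k) is the biggest single item.
connection_pool_size            512;
client_header_buffer_size       32k;
large_client_header_buffers     4 256k;
request_pool_size               32k;
output_buffers                  4 256k;
postpone_output                 1460;

#FastCGI
fastcgi_buffers                 16 16k;
fastcgi_buffer_size             32k;
# the below options depend on theoretical maximum of your PHP script run-time
# (the original listing had "run-time" wrapped onto its own line, where nginx
# would read it as an unknown directive).
fastcgi_read_timeout         300;
fastcgi_send_timeout         300;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Client-facing TLS default. TLS 1.0 and 1.1 are no longer offered; a server
# block may still override this with its own ssl_protocols (the example vhost
# does), so keep the two in step.
ssl_protocols TLSv1.2;

# Open File Cache
open_file_cache          max=10000 inactive=5m;
open_file_cache_valid    2m;
open_file_cache_min_uses 2;
open_file_cache_errors   on;

# Logging Settings
open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2;
# $sec comes from the map in maps.conf (included further down); log format
# variables are resolved per request, so the order does not matter.
log_format bytes_log "$sec $bytes_sent .";
log_not_found off;
# No http-level access log: only what a server block enables is written.
access_log off;

#Default maps
include /etc/nginx/conf.d/maps.conf;
include /etc/nginx/conf.d/maps-custom.conf;

#Limit Request Zone conf
include /etc/nginx/conf.d/limit_request_custom.conf;

#Include File where you can add any custom settings
include /etc/nginx/conf.d/custom_include.conf;

#RealIP conf for CDN like CloudFlare,Incapsula etc
include /etc/nginx/conf.d/cdn_realip.conf;
# Only connections from the set_real_ip_from ranges in cdn_realip.conf get
# $remote_addr replaced from this header; the header from any other peer is
# ignored for that purpose. Everything keyed on the client address (limit_*
# zones, $denied, geoip) depends on that list being accurate.
real_ip_header     X-Forwarded-For;

# FastCGI and PROXY cache config
include /etc/nginx/conf.d/nginx_cache_custom.conf;

# Uncomment following to enable DOS mitigation server wide
# include /etc/nginx/conf.d/dos_mitigate.conf;

# Include All config files in /etc/nginx/conf.auto/
include /etc/nginx/conf.auto/*.conf;

# Virtual Host Configs
#include /etc/nginx/conf.d/default_server.conf; # Auto Generated at nDeploy install time
#include /etc/nginx/sites-enabled/*.conf; # Auto Generated by nDeploy

}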

# configuration file /etc/nginx/mime.types:

types {
    # Extension -> MIME type table, included from the http block. Tokens are
    # whitespace-separated, so the three OpenXML entries whose extension was
    # wrapped onto the following line still parse. Anything not listed falls
    # back to default_type (application/octet-stream).
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document 
  docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet       
  xlsx;
   
application/vnd.openxmlformats-officedocument.presentationml.presentation 
pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/maps.conf:
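#Mapping upstream httpd ports
# Backend cPanel httpd port by scheme; consumed by proxy_pass in the vhost.
map $scheme $cpport {
    http  9999;
    https 4430;
}

#Mapping $msec to $sec so that we dont break cPanel bandwidth calculator
# $msec is "seconds.milliseconds"; keep the integer part only.
map $msec $sec {
    ~^(?P<secres>.+)\. $secres;
}

#Maps to be used with various cache templates
####################################################################
map $request_method $requestnocache {
    default "";
    POST    1;
}

# Cookie names that must bypass the cache. $http_cookie is the whole Cookie
# header, so every entry is a case-insensitive regex (~*): a bare name is an
# exact match against the full header and would only fire when the header
# consisted of exactly that name — which is what the previous version did for
# everything except the wordpress_ pattern.
map $http_cookie $wpcookienocache {
    default                     "";
    ~*SESS                      1;
    ~*PHPSESSID                 1;
    ~*wordpress_[a-f0-9]+       1;
    ~*comment_author            1;
    ~*wp-postpass               1;
    ~*wordpress_no_cache        1;
    ~*woocommerce_items_in_cart 1;
    ~*resetpass                 1;
    ~*wordpress_logged_in       1;
}

map $http_cookie $drupalcookienocache {
    default                     "";
    ~*SESS                      1;
}

# Request URIs that must bypass the cache (admin, feeds, cart/account pages).
# Regexes are tested in order; first match wins.
map $request_uri $wpurinocache {
    default                                      "";
    ~*^\/wp-admin\/.*                            1;
    ~*^\/wp-[a-zA-Z0-9-]+\.php$                  1;
    ~*^\/feed\/.*                                1;
    ~*^\/administrator\/.*                       1;
    ~*^\/xmlrpc.php$                             1;
    ~*^\/index.php$                              1;
    ~*^\/wp-links-opml.php$                      1;
    ~*^\/wp-locations.php$                       1;
    ~*^\/sitemap(_index)?.xml                    1;
    ~*^\/[a-z0-9_-]+-sitemap([0-9]+)?.xml        1;
    ~*^\/cart\/.*                                1;
    ~*^\/my-account\/.*                          1;
    ~*^\/wp-api\/.*                              1;
    ~*^\/resetpass\/.*                           1;
}

map $request_uri $drupalurinocache {
    default                 "";
    ~*\/status\.php$         1;
    ~*\/update\.php$         1;
    ~*\/admin$              1;
    ~*\/admin\/.*$          1;
    ~*\/user$               1;
    ~*\/user\/.*            1;
    ~*\/flag\/.*            1;
    ~*.*\/ajax\/.*          1;
    ~*.*\/ahah\/.*          1;
    ~*\/admin\/content\/backup_migrate\/export  1;
}

#Map for mobile user agent
# The patterns are quoted so the embedded spaces no longer need backslash
# escapes (the unquoted originals were wrapped mid-pattern in the listing).
# ~* already makes the match case-insensitive; the JavaScript-style "/i"
# suffix the originals ended with was literal text that only the last
# alternative (xiino, silk) had to match, so it is dropped.
map $http_user_agent $ua_device {
    default 'desktop';
    "~*(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino" 'mobile';
    "~*android|ipad|playbook|silk" 'tablet';
}
####################################################################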
####################################################################

# configuration file /etc/nginx/conf.d/maps-custom.conf:
# Any method other than GET, HEAD and POST yields 1; the example vhost then
# answers 405 (or, in location /, redirects to the block page).
map $request_method $not_allowed_method {
    default 1;
    GET 0;
    HEAD 0;
    POST 0;
    }
	
# GeoIP
# Legacy GeoLite .dat databases. conf.auto/geoip.conf keeps its copies of
# these two lines commented out so they are not declared twice.
geoip_country         /usr/share/GeoIP/GeoLiteCountry.dat;
geoip_city            /usr/share/GeoIP/GeoLiteCity.dat;

# Country block-list, consumed as "$allowed_country = no" in the example
# vhost. NOTE(review): the lookup should see the real_ip-corrected client
# address (cdn_realip.conf), so a stale set_real_ip_from list also skews this
# check — confirm against the nginx version in use.
map $geoip_country_code $allowed_country {
        default yes;
		RU no;
		CN no;
		UA no;
    }

# configuration file /etc/nginx/conf.d/limit_request_custom.conf:
# Rate-limit zones keyed on the client address. $binary_remote_addr is the
# address after real_ip substitution (cdn_realip.conf), so clients behind the
# listed CDNs are counted individually rather than as the CDN node.
limit_req_zone $binary_remote_addr zone=FLOODPROTECT:10m rate=10r/s;
limit_req_zone $server_name zone=FLOODVHOST:20m rate=10r/s;
# 1 request/minute per address: the wp-login.php throttle in the example vhost.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/m;
# 2 r/s per address: robots/sitemap and login|order locations.
limit_req_zone $binary_remote_addr zone=two:10m rate=2r/s;
limit_req_zone $binary_remote_addr zone=three:10m rate=3r/s;
# Concurrent-connection zones, per address and per vhost name.
limit_conn_zone $binary_remote_addr zone=PERIP:10m;
limit_conn_zone $server_name zone=PERSERVER:10m;
limit_conn_zone $server_name zone=PERSERVERLOGIN:10m;
limit_conn_zone $server_name zone=PERSERVERSEARCH:10m;
# Shared memory for a zone is reserved whether or not it is referenced;
# FLOODPROTECT, FLOODVHOST, three and PERSERVERSEARCH are not used by the
# example vhost shown in this listing.
# configuration file /etc/nginx/conf.d/custom_include.conf:
#Referrer Spam Map
# $bad_bot, $scanners, $bad_referer and $denied; all used by the example vhost.
include /etc/nginx/conf.d/spam_protection.conf;
##
#IP blocks
# deny directives at http level: they apply to every server (403, access phase).
include /etc/nginx/conf.d/ip_blocks.conf;
##
#Layer-7 IP blocks (same mechanism, kept in a separate file)
include /etc/nginx/conf.d/ip_blocks_layer7.conf;
# Include netdata (file not shown in this listing)
include /etc/nginx/conf.d/netdata.conf;

# configuration file /etc/nginx/conf.d/spam_protection.conf:
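# User agents that are refused. A key without the ~* prefix is an exact
# comparison against the whole User-Agent value, so every substring test
# below must carry ~*. The first matching regex wins, which is why the
# allow-listed agents come first and return 0. Note these allow entries
# match any UA containing the string, and the UA is client-supplied.
map $http_user_agent $bad_bot {
    default 0;
    ~*^Lynx 0; # Let Lynx go through
    ~*UptimeRobot/2.0 0; # Let UptimeRobot
    ~*bingbot/2.0 0; # Let bingbot
    ~*checkgzipcompression.com 0; # Let check gzip
    ~*ocsp.comodoca.com 0; # SSL comodo
    # Was a plain string key, which only matched a UA of exactly "libwww-perl".
    ~*libwww-perl 1;
    # "(?i)" dropped: ~* already makes the pattern case-insensitive.
    ~*(\$x0E|\%0A|\%0D|\%27|\%3C|\%00|\@\$x|\!susie|\_irc|\_works|3gse|^4all|^4anything|^Buzzbot|a\_browser|^Yooplaabot|^ltx71|^python-requests|NerdyBot|^Vegi|^VegeBot) 1;
}

map $http_user_agent $scanners {
    default 0;
    "~*LinkedInBot" 0;
    "~*Discovery" 0;
    "~*Bloglovin" 1;
    "~*Jakarta" 1;
    "~*toCrawl/UrlDispatcher" 1;
}

map $http_referer $bad_referer {
    default 0;
    "~*pastebin.com" 1;
    "~*torrent" 1;
    "~*webxtrakt" 1;
}

# Client addresses refused outright. geo (rather than map) compares
# $remote_addr as an address, so CIDR entries are accepted and the lookup is
# not a string comparison. A hostname can never match $remote_addr: the
# former "poneytelecom.eu 1;" entry was dead and is kept only as a reminder
# to express it as that operator's address ranges.
geo $remote_addr $denied {
    default 0;
    # poneytelecom.eu — replace with the operator's published prefixes (addresses, not a name)
    185.62.189.113 1;
    155.94.172.27 1;
    1.54.43.166 1;
    104.144.28.20 1;
}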
# configuration file /etc/nginx/conf.d/ip_blocks.conf:
# http-level deny: refused with 403 in the access phase for every server.
# The $denied list in spam_protection.conf covers the same ground per
# address but in the rewrite phase (redirect or 444 depending on location).
# 123.125.71.56/29 covers .56-.63; 104.194.26.128/26 covers .128-.191.
deny 123.125.71.56/29;
deny 1.233.43.75;
deny 104.194.26.1;
deny 104.194.26.128/26;

# configuration file /etc/nginx/conf.d/ip_blocks_layer7.conf:
# Three entries that together cover 103.194.193.1-.7 (a /32, a /31 and a /30).
deny 103.194.193.1/32;
deny 103.194.193.2/31;
deny 103.194.193.4/30;

# configuration file /etc/nginx/conf.d/cdn_realip.conf:

#CloudFlare
# set_real_ip_from lists the only peers whose X-Forwarded-For (real_ip_header
# in http_settings_custom.conf) is believed. Everything keyed on the client
# address — the limit_req/limit_conn zones, the $denied list and the http-level
# deny entries, the geoip country check — therefore trusts this list, so it
# must match the providers' currently published ranges exactly: an entry the
# provider no longer owns lets whoever holds it pick the client address, and a
# missing one makes all traffic through it look like a single CDN address.
# NOTE(review): ranges are as of the post date; verify against the providers'
# published lists.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;

set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

#Incapsula
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 198.143.32.0/19;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 45.64.64.0/22;
set_real_ip_from 185.11.124.0/22;
set_real_ip_from 192.230.64.0/18;
set_real_ip_from 107.154.126.0/24;

set_real_ip_from 2a02:e980::/29;

# configuration file /etc/nginx/conf.d/nginx_cache_custom.conf:
# PROXY Micro-caching
# Short-lived zone used by the robots/sitemap location in the example vhost.
# NOTE(review): /tmpcachenginx sits directly under / rather than under
# /var/cache/nginx like the other two zones — confirm it exists and is
# writable by the worker user (nobody).
proxy_cache_path /tmpcachenginx levels=1:2 keys_zone=micro:300m
inactive=240m max_size=5000m;
#PROXY CACHE
proxy_cache_path /var/cache/nginx/proxycache levels=1:2
keys_zone=PROXYCACHE:32m inactive=360m max_size=1000m;

# $request_uri includes the query string, so ?a=1 and ?a=2 are distinct
# entries. Cookies are not part of the key; the nocache maps in maps.conf are
# presumably what keeps personalised responses out of the cache — verify in
# the cache templates that use them.
proxy_cache_key "$scheme$request_method$host$request_uri";

#################################
#FASTCGICACHE
fastcgi_cache_path /var/cache/nginx/fastcgicache levels=1:2
keys_zone=FASTCGICACHE:32m inactive=60m max_size=512m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

# configuration file /etc/nginx/conf.auto/geoip.conf:
# GeoIP
# Add the following to /etc/nginx/conf.d/custom_include.conf to preserve it across an rpm upgrade.

#geoip_country         /usr/share/GeoIP/GeoLiteCountry.dat;
#geoip_city            /usr/share/GeoIP/GeoLiteCity.dat;


One vhost as an example:

# Redirects if any







# The server blocks

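server {
listen    11.0.5.21:80 ;

server_name  22b-pit.com mail.22b-pit.com www.22b-pit.com;

# cPanel bandwidth log (format bytes_log from http_settings_custom.conf).
access_log /usr/local/apache/domlogs/22b-pit.com-bytes_log bytes_log buffer=32k flush=5m;

# Response hardening headers. add_header is inherited by a location only
# when that location sets no add_header of its own. nosniff added so
# browsers do not guess a type for mislabelled responses from the backend.
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

include /etc/nginx/conf.d/gzip.conf;

# NOTE(review): plain HTTP is proxied here rather than redirected to the
# :443 server below; if the site is meant to be HTTPS-only, replace the
# body of this server with a 301 to https://$host$request_uri.

# Allow "Well-Known URIs" as per RFC 5785 (e.g. ACME challenges). The dot is
# now escaped so only /.well-known/ matches, not /Xwell-known/. Declared
# before the included deny locations, so this regex is tested first.
location ~* ^/\.well-known/ {
allow all;
}
# Include NAXSI settings
location ^~ /NaxsiRequestDenied {
return 418;
}
# End Include NAXSI settings
# Include any applications in subdirectory

# End Include any applications in subdirectory
include /etc/nginx/sites-enabled/22b-pit.com.manualconfig*;
include /etc/nginx/sites-enabled/22b-pit.com.include;

}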


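server {
listen    11.0.5.21:443 ssl http2 ;

ssl_certificate /etc/nginx/ssl/22b-pit.com.crt;
ssl_certificate_key /var/cpanel/ssl/installed/keys/cbb12_c8e7d_dd90f364f8f3c643df9fc97d3413d866.key;
# TLS 1.0 and 1.1 are no longer offered. This overrides the http-level
# ssl_protocols, so keep the two in step.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_timeout  5m;

# OCSP stapling; the resolver is what fetches the responder address.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /var/cpanel/ssl/installed/cabundles/cPanel_Inc__681917bfb43af6b642178607e0b36ccc_1747526399.cabundle;
resolver 213.186.33.99 80.20.9.50 8.8.4.4 valid=300s;
resolver_timeout 5s;

server_name  22b-pit.com mail.22b-pit.com www.22b-pit.com;

# cPanel bandwidth log (format bytes_log from http_settings_custom.conf).
access_log /usr/local/apache/domlogs/22b-pit.com-bytes_log bytes_log buffer=32k flush=5m;

# Response hardening headers. add_header is inherited by a location only
# when that location sets no add_header of its own. nosniff added so
# browsers do not guess a type for mislabelled responses from the backend.
# NOTE(review): no Strict-Transport-Security header is sent; add one once
# every name in server_name (including mail.) is reachable over TLS.
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

include /etc/nginx/conf.d/brotli.conf;

# Allow "Well-Known URIs" as per RFC 5785 (e.g. ACME challenges). The dot is
# now escaped so only /.well-known/ matches, not /Xwell-known/. Declared
# before the included deny locations, so this regex is tested first.
location ~* ^/\.well-known/ {
allow all;
}
# Include NAXSI settings
location ^~ /NaxsiRequestDenied {
return 418;
}
# End Include NAXSI settings
# Include any applications in subdirectory

# End Include any applications in subdirectory
include /etc/nginx/sites-enabled/22b-pit.com.manualconfig*;
include /etc/nginx/sites-enabled/22b-pit.com.include;

}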


#Proxy to cPanel Apache httpd service
root /home/fit3b/public_html;
# NOTE(review): this file is included at server level, and "access_log off"
# on a level cancels every access_log declared on that level — here the
# bytes_log line in the enclosing server block. Net effect: no access log for
# this vhost and nothing for the cPanel bandwidth calculator that bytes_log
# ($sec, maps.conf) exists to feed. Confirm that is intended; if not, delete
# this line (the server's own access_log already overrides the http-level
# "access_log off").
access_log off;

location / {
    # Rewrite-phase filters, evaluated in this order; the first match sends
    # a 301 to the external block page and ends processing.
    if ($bad_referer = 1) {
        rewrite ^(.*) https://www.filters.com/banspam/spam_traffic.html permanent;
    }
    if ($bad_bot = 1) {
        rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
    }
    if ($denied) {
        rewrite ^(.*) https://www.filters.com/banspam/denied.html permanent;
    }
    if ($scanners = 1) {
        rewrite ^(.*) https://www.filters.com/banspam/scanners.html permanent;
    }
    if ($allowed_country = no) {
        rewrite ^(.*) https://www.filters.com/banspam/country.html permanent;
    }
    if ($not_allowed_method) {
        rewrite ^(.*) https://www.filters.com/banspam/not_allowed.html permanent;
    }

    # Connection caps (zones declared in limit_request_custom.conf).
    limit_conn PERIP     250;
    limit_conn PERSERVER 1000;

    # Upstream is the cPanel httpd on this host; the port follows the scheme
    # via the $cpport map. Timeouts and buffers are shared with the other
    # proxied locations in this file.
    proxy_send_timeout         900;
    proxy_read_timeout         900;
    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;
    proxy_temp_file_write_size 256k;
    proxy_connect_timeout      300s;

    proxy_pass              $scheme://11.0.5.21:$cpport;
    # Upstream TLS; this list is independent of the client-facing ssl_protocols.
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols     TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers       HIGH:!aNULL:!MD5;

    proxy_http_version 1.1;
    proxy_set_header Connection        "";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme          $scheme;
    # Empty value: a client-supplied Proxy header is not passed to the backend.
    proxy_set_header Proxy             "";
    proxy_redirect off;
}

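# Paths that must never be served or proxied: dot-files and dot-directories
# (except .well-known, which the server's earlier ~* ^/.well-known/ location
# already claims and which the lookahead excludes again here), log/config/
# readme files and common admin-tool paths. The original first alternative,
# "\.?!well-known", matched a literal "!well-known" and so never covered
# hidden paths such as /.git; "\.(?!well-known)" is the intended form.
# ~* makes the list case-insensitive (the former ~ list tried to cover
# this by hand with sqlite/SQlite and sqlitemanager/SQLiteManager, now
# folded together). The entries are prefixes: /sql also blocks /sqlX, as before.
location ~* ^/(\.(?!well-known)|error_log|up\.php|CONTRIBUTING\.md|README\.md|LICENSES|readme\.html|readme\.txt|license\.txt|license\.html|wp-config\.php|xmlrpc\.php|config\.php|configure\.php|configuration\.php|testproxy\.php|sql|mySqlDumper|msd|jmx-console|jenkins|sys_cpanel|phpMyAdmin|sqlite|mysql|sqlitemanager) {
    # return runs in the rewrite phase, before deny is consulted, so 444
    # (connection closed without a response) is what clients actually get.
    deny all;
    return 444;
}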

location = /wp-login.php {
    # Rewrite-phase filters, first match wins. Most answer 444 (connection
    # closed, no response); a bad referer gets 410, a disallowed method 405,
    # and an empty User-Agent is redirected to the block page.
    if ($denied) {
        return 444;
    }
    if ($bad_referer = 1) {
        return 410;
    }
    if ($bad_bot = 1) {
        return 444;
    }
    if ($scanners = 1) {
        return 444;
    }
    if ($allowed_country = no) {
        return 444;
    }
    if ($http_user_agent = "") {
        rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
    }
    if ($not_allowed_method) {
        return 405;
    }

    # Login throttle: zone "one" is 1 r/m per client address
    # (limit_request_custom.conf); one extra request is admitted without
    # delay, anything beyond that gets 429. Connection caps answer 444.
    limit_req         zone=one burst=1 nodelay;
    limit_req_status  429;
    limit_conn        PERIP 3;
    limit_conn        PERSERVER 5;
    limit_conn_status 444;

    # Upstream: cPanel httpd on this host, port by scheme ($cpport map).
    proxy_send_timeout         900;
    proxy_read_timeout         900;
    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;
    proxy_temp_file_write_size 256k;
    proxy_connect_timeout      300s;

    proxy_pass              $scheme://11.0.5.21:$cpport;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols     TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers       HIGH:!aNULL:!MD5;

    proxy_http_version 1.1;
    proxy_set_header Connection        "";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme          $scheme;
    # Empty value: a client-supplied Proxy header is not passed to the backend.
    proxy_set_header Proxy             "";
    proxy_redirect off;
}
	
location ~ ^/(robots\.txt|sitemap\.xml) {
    # Rewrite-phase filters, first match wins: 444 closes the connection,
    # a bad referer gets 410, a disallowed method 405.
    if ($denied) {
        return 444;
    }
    if ($bad_referer = 1) {
        return 410;
    }
    if ($bad_bot = 1) {
        return 444;
    }
    if ($scanners = 1) {
        return 444;
    }
    if ($allowed_country = no) {
        return 444;
    }
    if ($not_allowed_method) {
        return 405;
    }

    # Zone "two" is 2 r/s per address (limit_request_custom.conf); up to two
    # excess requests are queued rather than rejected.
    limit_req  zone=two burst=2;
    limit_conn PERIP 4;
    limit_conn PERSERVER 100;

    # Upstream: cPanel httpd on this host, port by scheme ($cpport map).
    proxy_send_timeout         900;
    proxy_read_timeout         900;
    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;
    proxy_temp_file_write_size 256k;
    proxy_connect_timeout      300s;

    proxy_pass              $scheme://11.0.5.21:$cpport;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols     TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers       HIGH:!aNULL:!MD5;

    proxy_http_version 1.1;
    proxy_set_header Connection        "";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme          $scheme;
    proxy_redirect off;

    # Served from the "micro" zone (nginx_cache_custom.conf): a 200 is kept
    # for 5 minutes once it has been requested twice, a stale copy is served
    # while it is being refreshed, and concurrent misses for one key are
    # collapsed into a single upstream fetch. Accept-Encoding is cleared so
    # the upstream presumably returns one uncompressed representation to cache.
    proxy_cache           micro;
    proxy_cache_lock      on;
    proxy_cache_min_uses  2;
    proxy_cache_valid     200 5m;
    proxy_cache_use_stale updating;
    # Empty value: a client-supplied Proxy header is not passed to the backend.
    proxy_set_header Proxy           "";
    proxy_set_header Accept-Encoding "";
}
  
# Presumably a shop module endpoint; closed outright. return runs in the
# rewrite phase before deny is consulted, so 444 (connection closed without
# a response) is the observed behaviour.
location /modules/sendtoafriend/ {
    deny   all;
    return 444;
}
	
location ~ ^/(search) {
    # Rewrite-phase filters, first match wins: 444 closes the connection,
    # a bad referer gets 410, a disallowed method 405, and an empty
    # User-Agent is redirected to the block page.
    if ($denied) {
        return 444;
    }
    if ($bad_referer = 1) {
        return 410;
    }
    if ($bad_bot = 1) {
        return 444;
    }
    if ($scanners = 1) {
        return 444;
    }
    if ($allowed_country = no) {
        return 444;
    }
    if ($http_user_agent = "") {
        rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
    }
    if ($not_allowed_method) {
        return 405;
    }

    # Connection caps only; no request-rate limit on search.
    limit_conn PERIP 35;
    limit_conn PERSERVER 100;

    # Upstream: cPanel httpd on this host, port by scheme ($cpport map).
    proxy_send_timeout         900;
    proxy_read_timeout         900;
    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;
    proxy_temp_file_write_size 256k;
    proxy_connect_timeout      300s;

    proxy_pass              $scheme://11.0.5.21:$cpport;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols     TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers       HIGH:!aNULL:!MD5;

    proxy_http_version 1.1;
    proxy_set_header Connection        "";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme          $scheme;
    # Empty value: a client-supplied Proxy header is not passed to the backend.
    proxy_set_header Proxy             "";
    proxy_redirect off;
}
	
location ~ ^/(login|order) {
    # Rewrite-phase filters, first match wins: 444 closes the connection,
    # a bad referer gets 410, a disallowed method 405, and an empty
    # User-Agent is redirected to the block page.
    if ($denied) {
        return 444;
    }
    if ($bad_referer = 1) {
        return 410;
    }
    if ($bad_bot = 1) {
        return 444;
    }
    if ($scanners = 1) {
        return 444;
    }
    if ($allowed_country = no) {
        return 444;
    }
    if ($http_user_agent = "") {
        rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
    }
    if ($not_allowed_method) {
        return 405;
    }

    # Zone "two" is 2 r/s per address (limit_request_custom.conf); up to five
    # excess requests are queued. PERSERVERLOGIN caps concurrent logins per vhost.
    limit_req  zone=two burst=5;
    limit_conn PERIP 12;
    limit_conn PERSERVERLOGIN 25;

    # Upstream: cPanel httpd on this host, port by scheme ($cpport map).
    proxy_send_timeout         900;
    proxy_read_timeout         900;
    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;
    proxy_temp_file_write_size 256k;
    proxy_connect_timeout      300s;

    proxy_pass              $scheme://11.0.5.21:$cpport;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols     TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers       HIGH:!aNULL:!MD5;

    proxy_http_version 1.1;
    proxy_set_header Connection        "";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme          $scheme;
    # Empty value: a client-supplied Proxy header is not passed to the backend.
    proxy_set_header Proxy             "";
    proxy_redirect off;
}
	
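## Query-string filters (server context, rewrite phase). These are coarse
## pattern checks, not a WAF — NAXSI (see the server blocks) is the request
## inspection layer; these only stop the most obvious cases and answer 520.
## All tests now use ~*: nginx's ~ is case-sensitive, so the original tests
## matched only one spelling of keywords that are not case-sensitive in the
## languages they target. The query string is matched as received
## (percent-encoded), which is why both "<" and "%3C" forms appear below.

## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~* "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 520;
    }

    ## Block file injections (path traversal in a parameter value)
    set $block_file_injections 0;
    if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 520;
    }

    ## Block common exploits (script tags, PHP superglobal / mosConfig
    ## overrides, base64 helper calls in parameters)
    set $block_common_exploits 0;
    if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 520;
    }
###############################################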
###############################################

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273469#msg-273469


