Memory issue
JohnCarne
nginx-forum at forum.nginx.org
Fri Apr 7 03:57:38 UTC 2017
Another attempt:
# configuration file /etc/nginx/nginx.conf:
#Core Functionality
# Worker processes run as this unprivileged user; only the master (which binds the listeners) keeps root.
user nobody;
worker_processes 8;
pid /var/run/nginx.pid;
pcre_jit on;
error_log /var/log/nginx/error_log;
#error_log /home/abackup/debug.log debug;
# Per-worker open-file limit; has to cover worker_connections plus the open_file_cache
# entries configured in the http context.
worker_rlimit_nofile 300000;
#Load Dynamic Modules
# Every *.load file in this directory is a load_module line, so anything dropped there is
# loaded into the master process at startup.
include /etc/nginx/modules.d/*.load;
events {
# Upper bound on concurrent connections per worker (8 workers x 8192 here). Each connection
# also reserves the header/output buffers sized in the http context, so this number times
# those buffer sizes is the worst-case request memory.
worker_connections 8192;
use epoll;
multi_accept on;
# With the accept mutex off every worker is woken for a new connection.
accept_mutex off;
}
#Settings For other core modules like for example the stream module
include /etc/nginx/conf.d/main_custom_include.conf;
#Settings for the http core module
# The whole http {} context lives in this include.
include /etc/nginx/conf.d/http_settings_custom.conf;
# configuration file /etc/nginx/modules.d/brotli.load:
# Brotli on-the-fly compression filter and static (pre-compressed .br) serving.
# Both are out-of-tree modules and must be rebuilt whenever the nginx binary is upgraded.
load_module "/etc/nginx/modules/ngx_http_brotli_filter_module.so";
load_module "/etc/nginx/modules/ngx_http_brotli_static_module.so";
# configuration file /etc/nginx/modules.d/geoip.load:
# Provides geoip_country/geoip_city and the $geoip_* variables used by the country map in maps-custom.conf.
load_module "/etc/nginx/modules/ngx_http_geoip_module.so";
# configuration file /etc/nginx/modules.d/headers_more_filter.load:
# Provides more_set_headers, used in http_settings_custom.conf to replace the Server header.
load_module "/etc/nginx/modules/ngx_http_headers_more_filter_module.so";
# configuration file /etc/nginx/modules.d/ndk.load:
# nginx development kit. No module visible in this configuration depends on it; it can likely
# be dropped unless a module loaded elsewhere requires it.
load_module "/etc/nginx/modules/ndk_http_module.so";
# configuration file /etc/nginx/conf.d/main_custom_include.conf:
# configuration file /etc/nginx/conf.d/http_settings_custom.conf:
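http {
# Replace the Server header (needs the headers_more module from modules.d);
# server_tokens off below still hides the version in generated error pages.
more_set_headers 'Server: YOORshop';
sendfile off;
sendfile_max_chunk 1M;
tcp_nodelay on;
#tcp_nopush on;
# Slowloris mitigation: short header/body timeouts and immediate teardown of timed-out connections.
client_body_timeout 10s;
client_header_timeout 10s;
keepalive_timeout 30s;
send_timeout 20s;
reset_timedout_connection on;
keepalive_requests 512;
keepalive_disable msie6 safari;
types_hash_max_size 2048;
# Sized for a cPanel host carrying many server_name entries; allocated once at startup.
server_names_hash_max_size 256000;
server_names_hash_bucket_size 4096;
server_tokens off;
client_max_body_size 32m;
client_body_buffer_size 256k;
map_hash_bucket_size 256;
map_hash_max_size 4096;
connection_pool_size 512;
# Per-request buffers. A client that sends an oversized header can have up to 4 x 256k of
# large header buffers allocated on top of the 32k initial buffer, and output_buffers adds
# another 4 x 256k per response, so these values (not worker_connections) dominate the
# per-connection memory footprint. NOTE(review): likely the first place to look for the
# memory growth discussed in this thread; the nginx defaults are far smaller.
client_header_buffer_size 32k;
large_client_header_buffers 4 256k;
request_pool_size 32k;
output_buffers 4 256k;
postpone_output 1460;
#FastCGI
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# the below options depend on theoretical maximum of your PHP script run-time
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# TLS 1.0 and 1.1 dropped: both are deprecated. The ssl listener's server block sets its
# own ssl_protocols, which overrides this default for that vhost.
ssl_protocols TLSv1.2;
# Open File Cache
open_file_cache max=10000 inactive=5m;
open_file_cache_valid 2m;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# Logging Settings
open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2;
# Only seconds and bytes are recorded (cPanel bandwidth accounting); the per-vhost access_log
# lines use this format and access_log is otherwise off, so in the visible configuration no
# client address, request line or user agent is logged anywhere.
# NOTE(review): that leaves nothing to investigate abuse with; a second access_log with the
# default combined format, even sampled, would close the gap.
log_format bytes_log "$sec $bytes_sent .";
log_not_found off;
access_log off;
#Default maps
include /etc/nginx/conf.d/maps.conf;
include /etc/nginx/conf.d/maps-custom.conf;
#Limit Request Zone conf
include /etc/nginx/conf.d/limit_request_custom.conf;
#Include File where you can add any custom settings
include /etc/nginx/conf.d/custom_include.conf;
#RealIP conf for CDN like CloudFlare,Incapsula etc
include /etc/nginx/conf.d/cdn_realip.conf;
# $remote_addr is rewritten from X-Forwarded-For only when the connection arrives from one of
# the set_real_ip_from ranges in cdn_realip.conf. real_ip_recursive is left at its default
# (off), so the last address in the header, i.e. the one appended by the CDN, is used.
# Every deny / limit_* / $denied rule below that keys on the client address depends on this.
real_ip_header X-Forwarded-For;
# FastCGI and PROXY cache config
include /etc/nginx/conf.d/nginx_cache_custom.conf;
# Uncomment following to enable DOS mitigation server wide
# include /etc/nginx/conf.d/dos_mitigate.conf;
# Include All config files in /etc/nginx/conf.auto/
include /etc/nginx/conf.auto/*.conf;
# Virtual Host Configs
#include /etc/nginx/conf.d/default_server.conf; # Auto Generated at nDeploy install time
#include /etc/nginx/sites-enabled/*.conf; # Auto Generated by nDeploy
}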
# configuration file /etc/nginx/mime.types:
# Extension -> Content-Type table used by default_type fallbacks and static serving.
# Note that .crt/.pem/.der are mapped here; that only affects the type of files actually
# served from a document root, not the TLS key material under /etc/nginx/ssl or /var/cpanel.
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
# The three entries below are line-wrapped by the mail client; a newline is whitespace to nginx.
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/maps.conf:
#Mapping upstream httpd ports
# The vhost locations proxy_pass to $scheme://<backend ip>:$cpport, so the client's scheme is
# carried through to the matching Apache listener (9999 plain, 4430 TLS).
map $scheme $cpport {
http 9999;
https 4430;
}
#Mapping $msec to $sec so that we dont break cPanel bandwidth calculator
# Captures everything before the first "." of $msec, i.e. whole seconds, for the bytes_log format.
map $msec $sec {
~^(?P<secres>.+)\. $secres;
}
#Maps to be used with various cache templates
####################################################################
# Non-empty for POST requests. The $...nocache variables are presumably fed to
# proxy_cache_bypass / proxy_no_cache in the cache templates, which are not part of this paste.
map $request_method $requestnocache {
default "";
POST 1;
}
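# Non-empty when the Cookie header carries a WordPress/PHP session or login marker, so
# personalised responses are not served from the shared cache.
map $http_cookie $wpcookienocache {
default "";
# A plain (non-regex) map key matches only when the whole Cookie header equals it, so the
# original bare entries (SESS, PHPSESSID, comment_author, ...) never fired against a real
# "name=value; name2=value2" header. Every marker is now a case-insensitive substring match,
# the same form $drupalcookienocache already uses. ~*SESS also covers PHPSESSID.
~*SESS 1;
~*PHPSESSID 1;
~*wordpress_[a-f0-9]+ 1;
~*comment_author 1;
~*wp-postpass 1;
~*wordpress_no_cache 1;
~*woocommerce_items_in_cart 1;
~*resetpass 1;
~*wordpress_logged_in 1;
}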
# Non-empty when the Cookie header contains a Drupal session cookie (SESS*/SSESS*), case-insensitive substring match.
map $http_cookie $drupalcookienocache {
default "";
~*SESS 1;
}
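# Non-empty for WordPress/WooCommerce URIs that must never be served from the cache
# (admin, feeds, account/cart pages, API, password reset).
map $request_uri $wpurinocache {
default "";
~*^\/wp-admin\/.* 1;
# $request_uri includes the query string, so a trailing "$" alone fails to match as soon as
# the request carries one (e.g. /index.php?p=1). The anchored entries therefore accept either
# end-of-string or the start of a query string.
~*^\/wp-[a-zA-Z0-9-]+\.php(\?|$) 1;
~*^\/feed\/.* 1;
~*^\/administrator\/.* 1;
~*^\/xmlrpc.php(\?|$) 1;
~*^\/index.php(\?|$) 1;
~*^\/wp-links-opml.php(\?|$) 1;
~*^\/wp-locations.php(\?|$) 1;
~*^\/sitemap(_index)?.xml 1;
~*^\/[a-z0-9_-]+-sitemap([0-9]+)?.xml 1;
~*^\/cart\/.* 1;
~*^\/my-account\/.* 1;
~*^\/wp-api\/.* 1;
~*^\/resetpass\/.* 1;
}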
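# Non-empty for Drupal URIs that must never be served from the cache (status/update scripts,
# admin and user pages, flag/ajax/ahah callbacks, backup export).
map $request_uri $drupalurinocache {
default "";
# $request_uri includes the query string, so the entries that used to end in "$" did not
# match /admin?foo or /user?destination=...; they now accept end-of-string or a "?".
~*\/status\.php(\?|$) 1;
~*\/update\.php(\?|$) 1;
~*\/admin(\?|$) 1;
~*\/admin\/.*$ 1;
~*\/user(\?|$) 1;
~*\/user\/.* 1;
~*\/flag\/.* 1;
~*.*\/ajax\/.* 1;
~*.*\/ahah\/.* 1;
~*\/admin\/content\/backup_migrate\/export 1;
}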
#Map for mobile user agent
# Classifies the client-supplied User-Agent as desktop / mobile / tablet (first matching
# regex wins, so a UA matching both patterns is "mobile"). The value is only a hint:
# User-Agent is chosen by the client. The trailing "/i" in both patterns is not a flag in
# nginx syntax — it is matched literally as part of the last alternative (xiino, silk);
# ~* already makes the match case-insensitive. The pattern is line-wrapped by the mail client.
map $http_user_agent $ua_device {
default 'desktop';
~*(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\
|maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\
os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\
ce|xda|xiino/i 'mobile';
~*android|ipad|playbook|silk/i 'tablet';
}
####################################################################
# configuration file /etc/nginx/conf.d/maps-custom.conf:
# 1 for any method other than GET/HEAD/POST; the vhost locations answer 405 or redirect on it.
# NOTE(review): this also rejects OPTIONS (CORS preflight), PUT, PATCH and DELETE, so any
# REST-style application behind this proxy will break — confirm that is intended.
map $request_method $not_allowed_method {
default 1;
GET 0;
HEAD 0;
POST 0;
}
# GeoIP
# Legacy GeoLite .dat databases; the country code is only as current as these files, so they
# need a refresh job or the map below silently drifts.
geoip_country /usr/share/GeoIP/GeoLiteCountry.dat;
geoip_city /usr/share/GeoIP/GeoLiteCity.dat;
# "no" for the listed countries; the vhost locations redirect or return 444 on it.
# Lookups use $remote_addr after real_ip processing, so traffic via the CDN is classified by
# the end client address, not the CDN's. Unknown/unresolvable addresses fall to "yes".
map $geoip_country_code $allowed_country {
default yes;
RU no;
CN no;
UA no;
}
# configuration file /etc/nginx/conf.d/limit_request_custom.conf:
# Shared-memory zones for request-rate and connection limits; each reserves its size at startup.
# Keys on $binary_remote_addr are per client address (after real_ip), keys on $server_name are per vhost.
# Of these, only "one", "two", PERIP, PERSERVER and PERSERVERLOGIN are referenced in the
# locations visible in this post; FLOODPROTECT, FLOODVHOST, "three" and PERSERVERSEARCH may be
# used by includes not shown.
limit_req_zone $binary_remote_addr zone=FLOODPROTECT:10m rate=10r/s;
limit_req_zone $server_name zone=FLOODVHOST:20m rate=10r/s;
# 1 request/minute: applied to /wp-login.php as brute-force throttling.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/m;
limit_req_zone $binary_remote_addr zone=two:10m rate=2r/s;
limit_req_zone $binary_remote_addr zone=three:10m rate=3r/s;
limit_conn_zone $binary_remote_addr zone=PERIP:10m;
limit_conn_zone $server_name zone=PERSERVER:10m;
limit_conn_zone $server_name zone=PERSERVERLOGIN:10m;
limit_conn_zone $server_name zone=PERSERVERSEARCH:10m;
# configuration file /etc/nginx/conf.d/custom_include.conf:
#Referrer Spam Map
# Defines the $bad_bot, $scanners, $bad_referer and $denied maps consumed by the vhost locations.
include /etc/nginx/conf.d/spam_protection.conf;
##
#IP blocks
# "deny" lines at http level apply to every vhost on this server.
include /etc/nginx/conf.d/ip_blocks.conf;
##
#IP blocks (second list, same effect)
include /etc/nginx/conf.d/ip_blocks_layer7.conf;
# Include netdata
include /etc/nginx/conf.d/netdata.conf;
# configuration file /etc/nginx/conf.d/spam_protection.conf:
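# 1 for User-Agent strings treated as unwanted bots. User-Agent is client-supplied, so this is
# a nuisance filter, not an access control. Regex entries are tried in order of appearance and
# the first match wins, so the allow entries (value 0) must stay above the block entries.
map $http_user_agent $bad_bot {
default 0;
~*^Lynx 0; # Let Lynx go through
~*UptimeRobot/2.0 0; # Let UptimeRobot
~*bingbot/2.0 0; # Let bingbot
~*checkgzipcompression.com 0; # Let check gzip
~*ocsp.comodoca.com 0; # SSL comodo
# Was a plain key, which only matches a User-Agent that is exactly "libwww-perl"; the library
# always appends a version, so it is now a case-insensitive substring match.
~*libwww-perl 1;
~*(?i)(\$x0E|\%0A|\%0D|\%27|\%3C|\%00|\@\$x|\!susie|\_irc|\_works|3gse|^4all|^4anything|^Buzzbot|a\_browser|^Yooplaabot|^ltx71|^python-requests|NerdyBot|^Vegi|^VegeBot) 1;
}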
# 1 for User-Agent substrings treated as scanners; quoted keys are still regexes because of the
# leading "~*". First matching regex wins, so the two 0 entries must precede the 1 entries.
map $http_user_agent $scanners {
default 0;
"~*LinkedInBot" 0;
"~*Discovery" 0;
"~*Bloglovin" 1;
"~*Jakarta" 1;
"~*toCrawl/UrlDispatcher" 1;
}
# 1 when the (client-supplied) Referer contains one of these substrings; the vhost answers 410
# or redirects. "torrent" is broad and will also hit legitimate pages whose URL contains the word.
map $http_referer $bad_referer {
default 0;
"~*pastebin.com" 1;
"~*torrent" 1;
"~*webxtrakt" 1;
}
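# 1 for individual client addresses (after real_ip processing) that the vhost locations
# refuse with 444 or redirect. Keys are exact string matches against the textual IP.
map $remote_addr $denied {
default 0;
# $remote_addr is always an IP address, so a hostname key can never match; the entry is kept
# here only as a record of intent. Block the provider's address ranges with "deny" in
# ip_blocks.conf instead.
#poneytelecom.eu 1;
185.62.189.113 1;
155.94.172.27 1;
1.54.43.166 1;
104.144.28.20 1;
}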
# configuration file /etc/nginx/conf.d/ip_blocks.conf:
# http-level deny list: applies to every vhost, evaluated in the access phase against
# $remote_addr (after real_ip processing). Requests from these addresses get 403.
deny 123.125.71.56/29;
deny 1.233.43.75;
deny 104.194.26.1;
deny 104.194.26.128/26;
# configuration file /etc/nginx/conf.d/ip_blocks_layer7.conf:
# Second http-level deny list; the three prefixes together cover 103.194.193.1 - 103.194.193.7.
deny 103.194.193.1/32;
deny 103.194.193.2/31;
deny 103.194.193.4/30;
# configuration file /etc/nginx/conf.d/cdn_realip.conf:
# Addresses trusted to supply the real client address via the real_ip_header set in the http
# context. Any host inside these ranges can set $remote_addr for its requests, so the list must
# contain only the CDN's own egress ranges and must be kept in sync with the CDN's published
# list — these are a snapshot from when the file was written. Connections that bypass the CDN
# and hit 11.0.5.21 directly are not affected and keep their true source address.
#CloudFlare
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
#Incapsula
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 198.143.32.0/19;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 45.64.64.0/22;
set_real_ip_from 185.11.124.0/22;
set_real_ip_from 192.230.64.0/18;
set_real_ip_from 107.154.126.0/24;
set_real_ip_from 2a02:e980::/29;
# configuration file /etc/nginx/conf.d/nginx_cache_custom.conf:
# PROXY Micro-caching
# keys_zone is shared memory reserved at startup for cache keys (nginx documents roughly 8000
# keys per megabyte), so 300m here is a large fixed allocation relative to a 5000m on-disk cache.
# NOTE(review): worth revisiting together with the other memory settings in this thread.
# The path is at the filesystem root — confirm it exists and is writable by "nobody".
proxy_cache_path /tmpcachenginx levels=1:2 keys_zone=micro:300m
inactive=240m max_size=5000m;
#PROXY CACHE
proxy_cache_path /var/cache/nginx/proxycache levels=1:2
keys_zone=PROXYCACHE:32m inactive=360m max_size=1000m;
# Key has no cookie or Accept-Encoding component: personalised responses rely entirely on the
# $...nocache maps being wired into proxy_cache_bypass/proxy_no_cache, and the one location in
# this post that enables "proxy_cache micro" clears Accept-Encoding so compressed and plain
# variants do not collide under one key.
proxy_cache_key "$scheme$request_method$host$request_uri";
#################################
#FASTCGICACHE
fastcgi_cache_path /var/cache/nginx/fastcgicache levels=1:2
keys_zone=FASTCGICACHE:32m inactive=60m max_size=512m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# configuration file /etc/nginx/conf.auto/geoip.conf:
# GeoIP
# Add the following to /etc/nginx/conf.d/custom_include.conf to preserve it across an rpm upgrade.
#geoip_country /usr/share/GeoIP/GeoLiteCountry.dat;
#geoip_city /usr/share/GeoIP/GeoLiteCity.dat;
One vhost as an example:
# Redirects if any
# The server blocks
# Plain-HTTP listener. NOTE(review): it serves the same application as the TLS vhost below
# (same includes) rather than redirecting to https; cookies and logins sent here travel in clear.
server {
listen 11.0.5.21:80 ;
server_name 22b-pit.com mail.22b-pit.com www.22b-pit.com;
# cPanel bandwidth accounting only ($sec $bytes_sent); no request details are logged.
access_log /usr/local/apache/domlogs/22b-pit.com-bytes_log bytes_log
buffer=32k flush=5m;
# Inherited by a location only if that location declares no add_header of its own.
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
include /etc/nginx/conf.d/gzip.conf;
# Allow "Well-Known URIs" as per RFC 5785
# No proxy_pass here, so these paths are served from the document root. Regex locations are
# tried in order, so this one wins over the later deny-list regex in the .include file
# (assuming that include is loaded after this point, as the layout below suggests).
# The "." is unescaped and matches any character.
location ~* ^/.well-known/ {
allow all;
}
# Allow "Well-Known URIs" as per RFC 5785
# Include NAXSI settings
# Only reachable if a naxsi module routes denied requests here; no naxsi load_module appears
# in the modules.d listing above, so this may be inert unless naxsi is compiled in statically.
location ^~ /NaxsiRequestDenied {
return 418;
}
# End Include NAXSI settings
# Include any applications in subdirectory
# End Include any applications in subdirectory
# Per-vhost overrides, then the shared root/location/filter set pasted after the server blocks.
include /etc/nginx/sites-enabled/22b-pit.com.manualconfig*;
include /etc/nginx/sites-enabled/22b-pit.com.include;
}
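# TLS listener for the vhost; shares the root/location/filter include with the :80 server.
server {
listen 11.0.5.21:443 ssl http2 ;
ssl_certificate /etc/nginx/ssl/22b-pit.com.crt;
ssl_certificate_key
/var/cpanel/ssl/installed/keys/cbb12_c8e7d_dd90f364f8f3c643df9fc97d3413d866.key;
# TLS 1.0 and 1.1 removed: both are deprecated, and this line overrides the http-level
# ssl_protocols for this listener. Clients unable to negotiate TLS 1.2 will fail the handshake.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# Forward-secret suites only (ECDHE/DHE), AES-GCM first; no static RSA key exchange.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_timeout 5m;
# OCSP stapling; responder lookups go through the resolver below, and the stapled response is
# verified against the trusted CA bundle.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate
/var/cpanel/ssl/installed/cabundles/cPanel_Inc__681917bfb43af6b642178607e0b36ccc_1747526399.cabundle;
resolver 213.186.33.99 80.20.9.50 8.8.4.4 valid=300s;
resolver_timeout 5s;
server_name 22b-pit.com mail.22b-pit.com www.22b-pit.com;
# cPanel bandwidth accounting only ($sec $bytes_sent); no request details are logged.
access_log /usr/local/apache/domlogs/22b-pit.com-bytes_log bytes_log
buffer=32k flush=5m;
# Inherited by a location only if that location declares no add_header of its own.
# NOTE(review): no Strict-Transport-Security or X-Content-Type-Options header is sent; HSTS
# should be added once every name in server_name (including mail.) is reachable over TLS only.
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
include /etc/nginx/conf.d/brotli.conf;
# Allow "Well-Known URIs" as per RFC 5785
# Served from the document root (no proxy_pass); first regex location wins, so this takes
# precedence over the deny-list regex in the .include file. The "." is unescaped.
location ~* ^/.well-known/ {
allow all;
}
# Allow "Well-Known URIs" as per RFC 5785
# Include NAXSI settings
# Only reachable if a naxsi module routes denied requests here; none is loaded in modules.d above.
location ^~ /NaxsiRequestDenied {
return 418;
}
# End Include NAXSI settings
# Include any applications in subdirectory
# End Include any applications in subdirectory
# Per-vhost overrides, then the shared root/location/filter set pasted after the server blocks.
include /etc/nginx/sites-enabled/22b-pit.com.manualconfig*;
include /etc/nginx/sites-enabled/22b-pit.com.include;
}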
#Proxy to cPanel Apache httpd service
# Contents of the per-vhost .include file (assumed: included at the end of each server block above).
# Document root is only used by locations without proxy_pass, i.e. /.well-known/.
root /home/fit3b/public_html;
# NOTE(review): "access_log off" cancels every access_log directive on the same level, so once
# this file is included into the server block the bytes_log line there (cPanel bandwidth
# accounting) is switched off as well — verify that is intended.
access_log off;
# Default location: reputation checks, connection caps, then proxy to the cPanel Apache backend.
# The checks redirect with "permanent" (301). NOTE(review): browsers cache 301s, so a client
# misclassified once (GeoIP drift, shared address) keeps being sent to the filter page even
# after the rule changes; "redirect" (302) would be the safer choice for conditional rules.
location / {
if ($bad_referer = 1) {
rewrite ^(.*) https://www.filters.com/banspam/spam_traffic.html
permanent;
}
if ($bad_bot = 1) {
rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
}
if ($denied) {
rewrite ^(.*) https://www.filters.com/banspam/denied.html permanent;
}
if ($scanners = 1) {
rewrite ^(.*) https://www.filters.com/banspam/scanners.html permanent;
}
if ($allowed_country = no) {
rewrite ^(.*) https://www.filters.com/banspam/country.html permanent;
}
if ($not_allowed_method) {
rewrite ^(.*) https://www.filters.com/banspam/not_allowed.html
permanent;
}
# Connection caps per client address and per vhost (zones from limit_request_custom.conf).
limit_conn PERIP 250;
limit_conn PERSERVER 1000;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 300s;
# Same scheme as the client used; $cpport selects the matching Apache port (maps.conf).
proxy_pass $scheme://11.0.5.21:$cpport;
# proxy_ssl_* only apply on the https leg. proxy_ssl_verify is left at its default (off), so the
# backend certificate is not checked — acceptable only because the hop stays on this host.
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
# Client address as seen after real_ip processing; the backend must trust only this hop for it.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Scheme $scheme;
# Clears any client-sent "Proxy" header so a CGI backend cannot see it as HTTP_PROXY (httpoxy).
proxy_set_header Proxy "";
proxy_redirect off;
}
# Deny list for sensitive files and admin tools (pattern is line-wrapped by the mail client). Notes:
# - "\.?!well-known" is a literal "!well-known" with an optional leading dot, not a negative
#   look-ahead; /.well-known/ is already claimed by the earlier "location ~* ^/.well-known/"
#   in the server block (first matching regex wins), so this alternative is inert.
# - There is no trailing anchor, so "sql" also matches /sql-docs, "msd" matches /msdn, etc.
# - "~" is case-sensitive, which is why several spellings of sqlite are listed; "~*" would cover them all.
# - "return 444" runs in the rewrite phase, before "deny all" (access phase) is reached, so the
#   deny is redundant and 444 (drop connection) is what clients actually get.
location ~
^/(\.?!well-known|error_log|up\.php|CONTRIBUTING\.md|README\.md|LICENSES|readme\.html|readme\.txt|license\.txt|license\.html|wp-config\.php|xmlrpc\.php|config\.php|configure\.php|configuration\.php|testproxy\.php|sql|mySqlDumper|msd|jmx-console|jenkins|sys_cpanel|phpMyAdmin|sqlite|mysql|SQlite|sqlitemanager|SQLiteManager)
{
deny all;
return 444;
}
# WordPress login: same reputation checks as "/", but answered with 444/410/405 instead of a
# redirect, plus a 1 request/minute rate limit and tight connection caps as brute-force throttling.
location = /wp-login.php {
if ($denied) {
return 444;
}
if ($bad_referer = 1) {
return 410;
}
if ($bad_bot = 1) {
return 444;
}
if ($scanners = 1) {
return 444;
}
if ($allowed_country = no) {
return 444;
}
# Empty User-Agent is redirected (301) rather than dropped; see the note on "permanent" in "/".
if ($http_user_agent = "") {
rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
}
if ($not_allowed_method) {
return 405;
}
# zone "one" is 1r/m per client address; burst=1 nodelay lets one extra request through immediately.
limit_req zone=one burst=1 nodelay;
limit_req_status 429;
limit_conn PERIP 3;
limit_conn PERSERVER 5;
limit_conn_status 444;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 300s;
proxy_pass $scheme://11.0.5.21:$cpport;
# Backend TLS leg is not verified (proxy_ssl_verify default off); same-host hop.
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Scheme $scheme;
# httpoxy mitigation: strip any client-sent Proxy header.
proxy_set_header Proxy "";
proxy_redirect off;
}
# robots.txt / sitemap.xml: public, crawler-heavy paths, so responses are micro-cached for 5
# minutes and shared between clients. No trailing anchor: /sitemap.xml.gz or /robots.txt2 also match.
location ~ ^/(robots\.txt|sitemap\.xml) {
if ($denied) {
return 444;
}
if ($bad_referer = 1) {
return 410;
}
if ($bad_bot = 1) {
return 444;
}
if ($scanners = 1) {
return 444;
}
if ($allowed_country = no) {
return 444;
}
if ($not_allowed_method) {
return 405;
}
limit_req zone=two burst=2;
limit_conn PERIP 4;
limit_conn PERSERVER 100;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 300s;
proxy_pass $scheme://11.0.5.21:$cpport;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Scheme $scheme;
proxy_redirect off;
# "micro" zone from nginx_cache_custom.conf; only 200 responses are stored, after the 2nd hit,
# and a stale copy is served while a refresh is in flight.
proxy_cache micro;
proxy_cache_lock on;
proxy_cache_min_uses 2;
proxy_cache_valid 200 5m;
proxy_cache_use_stale updating;
proxy_set_header Proxy "";
# The cache key does not include Accept-Encoding, so the backend is asked for an uncompressed
# body to keep one cached variant; compression is applied by the brotli/gzip filters on the way out.
proxy_set_header Accept-Encoding "";
}
# Prefix match: blocks the PrestaShop "send to a friend" module and everything below it.
# "return 444" (rewrite phase) fires before "deny all" (access phase) would, so the deny is redundant.
location /modules/sendtoafriend/ {
deny all;
return 444;
}
# Search endpoint: reputation checks and a per-address connection cap, no rate limit.
# No trailing anchor, so any path starting with /search matches.
location ~ ^/(search) {
if ($denied) {
return 444;
}
if ($bad_referer = 1) {
return 410;
}
if ($bad_bot = 1) {
return 444;
}
if ($scanners = 1) {
return 444;
}
if ($allowed_country = no) {
return 444;
}
# Empty User-Agent is redirected (301); see the note on "permanent" in "/".
if ($http_user_agent = "") {
rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
}
if ($not_allowed_method) {
return 405;
}
limit_conn PERIP 35;
limit_conn PERSERVER 100;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 300s;
proxy_pass $scheme://11.0.5.21:$cpport;
# Backend TLS leg is not verified (proxy_ssl_verify default off); same-host hop.
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Scheme $scheme;
# httpoxy mitigation: strip any client-sent Proxy header.
proxy_set_header Proxy "";
proxy_redirect off;
}
# Shop login and checkout: reputation checks plus 2r/s rate limit (burst 5) and the dedicated
# PERSERVERLOGIN connection zone. No trailing anchor, so /login-help and /orders also match.
location ~ ^/(login|order) {
if ($denied) {
return 444;
}
if ($bad_referer = 1) {
return 410;
}
if ($bad_bot = 1) {
return 444;
}
if ($scanners = 1) {
return 444;
}
if ($allowed_country = no) {
return 444;
}
# Empty User-Agent is redirected (301); see the note on "permanent" in "/".
if ($http_user_agent = "") {
rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
}
if ($not_allowed_method) {
return 405;
}
# Excess requests get the default 503 here (no limit_req_status in this location).
limit_req zone=two burst=5;
limit_conn PERIP 12;
limit_conn PERSERVERLOGIN 25;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 300s;
proxy_pass $scheme://11.0.5.21:$cpport;
# Backend TLS leg is not verified (proxy_ssl_verify default off); same-host hop.
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Scheme $scheme;
# httpoxy mitigation: strip any client-sent Proxy header.
proxy_set_header Proxy "";
proxy_redirect off;
}
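## Block SQL injections
# Heuristic query-string filters (assumed to sit in the server context via the sites-enabled
# include). They are a coarse pre-filter in front of the application, not a substitute for
# parameterised queries and input validation in the application itself.
# Matching is now case-insensitive ("~*"): the original "~" operator is case-sensitive, so
# the filters only fired on lower-case keywords. $query_string is the raw, still
# percent-encoded query, which is why some patterns list both literal and %XX forms.
# 520 is not a standard HTTP status; confirm whatever sits in front of this server (CDN,
# monitoring) handles it, or use 403.
set $block_sql_injections 0;
if ($query_string ~* "union.*select.*\(") {
set $block_sql_injections 1;
}
if ($query_string ~* "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~* "concat.*\(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 520;
}
## Block file injections
# Parameters whose value looks like a relative ("..//") or absolute path traversal.
set $block_file_injections 0;
if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
set $block_file_injections 1;
}
if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 520;
}
## Block common exploits
# Script tags, PHP superglobal / Mambo config overrides and base64 helper calls in the query string.
set $block_common_exploits 0;
if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~* "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 520;
}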
###############################################
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273469#msg-273469