2025-11-04
This commit is contained in:
parent
e4eaf6404a
commit
66397de267
101 changed files with 2573 additions and 58 deletions
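--- a/containers/conf/angie/snippets/security.conf-example
+++ b/containers/conf/angie/snippets/security.conf-example
@@ -0,0 +1,129 @@
+# Remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
+ignore_invalid_headers on;
+
+location ~ /robots.txt { allow all; }
+location ~ /sitemap*xml { allow all; }
+
+# Disallow scripts
+location ~* \.(pl|cgi|py|sh|lua)$ { return 404; }
+
+# Skip .git, .htpasswd etc and all dirs starting with .
+location ~ (^|/)\. { return 404; }
+
+#hide all dirs with synology diskstation stuff
+location ~ /DS_Store/ { return 404; }
+
+# Help guard against SQL injection
+location ~* .(\;|'|\"|%22).*(request|insert|union|declare|drop)$ { return 404; }
+
+#Disallow access to sensitive files
+location ~ /(\.|wp-config.php|readme.html|license.txt|nginx.conf|wp-config-sample.php|readme.txt|dbconfig.php) {
+deny all;
+}
+
+location ~ ^/([^/])+\.(orig$|conf$|git$) { return 404; }
+location ~ /db.(conf|php|inc)|config.(xml|php|inc|ini)/ { return 404; }
+
+# Disallow common hacks
+location ~* .(display_errors|set_time_limit|allow_url_include.*disable_functions.*open_basedir|set_magic_quotes_runtime|webconfig.txt.php|file_put_contentssever_root|wlwmanifest) {
+deny all;
+}
+
+location ~* .(env|globals|encode|localhost|loopback|xmlrpc|revslider) {
+deny all;
+}
+
+# Forbidden file extensions.
+# Guards against unintended exposure of development/configuration files.
+# stolen from modsecurity-crs
+
+location ~ ^/([^/])+\.(asa$|asax$|ascx$|axd$|backup$|bak$|bat$|cdx$|cer$|cfg$|cmd$|com$|config$|conf$|cs$|csproj$|csr$|dat$|db$/.dbf$|dll$|dos$|htr$|htw$|ida$|idc|idq$|inc$|ini$|key|licx$|lnk$|log$|mdb$|old$|pass$|pdb$|pol$|printer$|pwd$|resources$|resx$|sql$|sys$|vb$|vbs$|vbproj$|vsdisco$|webinfo$|xsd$|xsx$) {
+return 404;
+}
+
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+return 404;
+}
+
+# Wordpress, remove any php handler
+location ~ ^/wp-content/uploads/([^/])+\.php { return 404; }
+location ~ ^/wp\-includes(/.*\.php(|[\/].*)|(|\/))$ { return 404; }
+location ~ ^/wp-content(/.*\.txt(|[\/].*)|(|\/))$ { return 404; }
+location ~ ^/wp-admin/(?:install|includes) { return 404; }
+location ~ ^/(?:readme|license)\. { return 404; }
+location ~ ^/wp-admin/(load\-styles|load\-scripts)\.php.*load\[\]\=([^&,]*,){20,} { return 404; }
+location ~ ^(/wp-json/wp/v[0-9]+/users) { return 404; }
+
+#
+# MAGENTO 1
+#
+# Denied locations require a "^~" to prevent regexes (such as the PHP handler below) from matching
+# http://nginx.org/en/docs/http/ngx_http_core_module.html#location
+location /shell/ { deny all; }
+location /cgi-bin/ { deny all; }
+location /install.(php|txt) { deny all; }
+location /license.(php|txt) { deny all; }
+location ^~ /app/ { return 404; }
+location ^~ /includes/ { return 404; }
+location ^~ /media/downloadable/ { return 404; }
+location ^~ /pkginfo/ { return 404; }
+location ^~ /report/config.xml { return 404; }
+location ^~ /var/ { return 404; }
+location ^~ /lib/ { return 404; }
+location ^~ /dev/ { return 404; }
+location ^~ /RELEASE_NOTES.txt { return 404; }
+location ^~ /downloader/pearlib { return 404; }
+location ^~ /downloader/template { return 404; }
+location ^~ /downloader/Maged { return 404; }
+location ~* ^/errors/.+\.xml { return 404; }
+
+location ~* /rss/order/new { return 403; }
+location ~* /rss/catalog/notifystock { return 403; }
+location ~* /rss/catalog/review { return 403; }
+
+# Disallow PHP scripts in /media/ etc
+# Also render static 404 pages for missing media
+location ~ ^/(tmp|lib|media|shell|skin)/ {
+location ~ \.php$ {
+return 404;
+}
+try_files $uri $uri/ =404;
+}
+
+# Don't skip .thumbs, this is a default directory where Magento places thumbnails
+# Nginx cannot "not" match something, instead the target is matched with an empty block
+# http://stackoverflow.com/a/16304073
+location ~ /\.thumbs { }
+
+#location ~ /var/export {
+# satisfy all;
+# allow 1.2.3.4;
+# deny all;
+# auth_basic "Restricted";
+# auth_basic_user_file .htpasswd;
+# autoindex off;
+# }
+
+
+#taken from logfiles
+location ~* /(magento_version|util\/login.aspx|/install.php) { return 404; }
+
+
+#be carefull with ifs!!
+
+#only allow the standard methods.
+if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 404; }
+
+# Note the .+ at the start: We want to allow url's like
+# order=create_date, which would otherwise match.
+#if ($arg_order ~* .+(select|create|insert|update|drop|delete|concat|alter|load)) { return 404; }
+
+# CVE-2015-3428 / AW_Blog vulnerability
+# Note the .+ at the start: We want to allow url's like
+# order=create_date, which would otherwise match.
+#if ($arg_order ~* .+(select|create|insert|update|drop|delete|concat|alter|load)) { return 404; }
+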
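Review bot: The `([^/])+` prefix in the new WordPress-uploads rule and in the forbidden-extension rule only matches files directly under the directory, so `/wp-content/uploads/2025/11/x.php` (the default year/month upload layout) and `/any/subdir/dump.sql` fall through, and in the extension list the alternative `db$/.dbf$` can never match because nothing can follow `$`, leaving `.db` and `.dbf` unblocked; both rules are also case-sensitive (`~`), so `.BAK` or `.SQL` bypasses them. I would change the two lines to `location ~* ^/wp-content/uploads/.+\.php { return 404; }` and `location ~* ^/.+\.(asa|asax|ascx|axd|backup|bak|bat|cdx|cer|cfg|cmd|com|config|conf|cs|csproj|csr|dat|db|dbf|dll|dos|htr|htw|ida|idc|idq|inc|ini|key|licx|lnk|log|mdb|old|pass|pdb|pol|printer|pwd|resources|resx|sql|sys|vb|vbs|vbproj|vsdisco|webinfo|xsd|xsx)$ { return 404; }` — one `$` after the group instead of one per alternative, `db|dbf` in place of `db$/.dbf$`, which also gives `idc` and `key` the anchor the other entries have. Note that regex locations are first-match in configuration order, so these denials presumably only take effect if this snippet is included before whatever `\.php$` handler executes PHP; the `^~` remark in the Magento section covers the prefix locations only, and a comment stating that include-order requirement at the top of the snippet would save the next maintainer from silently losing every regex rule here.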