haiku-atelier-2024/containers/conf/angie/snippets/security.conf-example
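# Remove X-Powered-By, which is an information leak (stack/version disclosure from PHP).
fastcgi_hide_header X-Powered-By;
# Reject requests carrying malformed header names instead of passing them upstream
# (this is the default; stated explicitly so it survives a changed global setting).
ignore_invalid_headers on;
# Crawler files stay reachable even when later rules deny by default.
# Dot escaped so that e.g. "/robotsXtxt" is not matched by accident.
location ~ /robots\.txt { allow all; }
# Was "/sitemap*xml": the "*" quantified only the "p", so the pattern matched
# "sitemapxml" but never "/sitemap.xml" or "/sitemap_index.xml". ".*\.xml$"
# covers the real sitemap file names.
location ~ /sitemap.*\.xml$ { allow all; }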
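# Disallow scripts (interpreter extensions that should never be served from here)
location ~* \.(pl|cgi|py|sh|lua)$ { return 404; }
# Magento 1 keeps thumbnails under ".thumbs". Regex locations are tried in file
# order and the first match wins, so this empty (pass-through) block has to come
# BEFORE the dot rule below; placed after it, the dot rule answers 404 first.
location ~ /\.thumbs { }
# Skip .git, .htpasswd etc and all dirs starting with .
# NOTE: this also covers /.well-known/ (ACME http-01 challenge files). Serving those
# requires a higher-precedence "^~ /.well-known/acme-challenge/" location elsewhere.
location ~ (^|/)\. { return 404; }
# Hide path segments named DS_Store.
# NOTE(review): macOS writes ".DS_Store" *files*, which the dot rule above already
# catches; this only matches a "DS_Store" directory segment -- confirm what it is for.
location ~ /DS_Store/ { return 404; }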
# Help guard against SQL injection
# NOTE: a location regex is matched against the normalized, percent-decoded path
# ($uri) only -- never the query string -- so "?id=1' union select" is not seen
# here, and the "%22" alternative can never match (it is decoded to '"' first).
# The keyword also has to be the very last thing in the path ("$"). Treat this as
# a noise filter; parameterized queries in the application are the actual control.
location ~* .(\;|'|\"|%22).*(request|insert|union|declare|drop)$ { return 404; }
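#Disallow access to sensitive files (matched anywhere in the path, case-sensitive)
# Dots escaped so "wp-configXphp" is not matched; the "\." alternative duplicates
# the dot rule above and is kept for readers who include only this block.
location ~ /(\.|wp-config\.php|readme\.html|license\.txt|nginx\.conf|wp-config-sample\.php|readme\.txt|dbconfig\.php) {
deny all;
}
# Top-level files only ("([^/])+" admits no further slash) with backup/config extensions.
location ~ ^/([^/])+\.(orig$|conf$|git$) { return 404; }
# Was "/db.(conf|php|inc)|config.(xml|php|inc|ini)/": the "|" split the whole
# expression, so the second half only matched "config.php/" with a trailing slash,
# and the unescaped dots matched any character. Both halves are now grouped and
# the dots escaped; note that "config.php" is denied in every directory.
location ~ /(db\.(conf|php|inc)|config\.(xml|php|inc|ini)) { return 404; }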
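# Disallow common hacks (probe strings seen in exploit scanners, matched anywhere in the path)
# Was "allow_url_include.*disable_functions.*open_basedir", which required all three
# names in that order in one URI, and "file_put_contentssever_root", apparently
# "file_put_contents" and "server_root" run together -- so those alternatives never
# matched. The leading "." was dropped: every URI starts with "/", so it always held.
location ~* (display_errors|set_time_limit|allow_url_include|disable_functions|open_basedir|set_magic_quotes_runtime|webconfig\.txt\.php|file_put_contents|server_root|wlwmanifest) {
deny all;
}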
# NOTE: "~*" with an unescaped leading "." makes this a case-insensitive substring
# match: any URI containing "env", "globals", "encode", "localhost", "loopback",
# "xmlrpc" or "revslider" anywhere is denied (e.g. /environment, /denver, /encoded).
# Anchor the terms (e.g. "\.env", "xmlrpc\.php") if legitimate paths are caught.
location ~* .(env|globals|encode|localhost|loopback|xmlrpc|revslider) {
deny all;
}
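# Forbidden file extensions.
# Guards against unintended exposure of development/configuration files.
# Adapted from modsecurity-crs.
# Fixes vs. the previous list: "db$/.dbf$" was one unmatchable alternative (a "$"
# followed by more text), so neither .db nor .dbf was blocked; "idc" and "key"
# lacked "$" and therefore also caught e.g. ".keyboard".
# NOTE: "^/([^/])+\." admits no further slash, so only files in the web root are
# covered -- "/somedir/backup.sql" is not. Widen deliberately if that is wanted.
location ~ ^/([^/])+\.(asa$|asax$|ascx$|axd$|backup$|bak$|bat$|cdx$|cer$|cfg$|cmd$|com$|config$|conf$|cs$|csproj$|csr$|dat$|db$|dbf$|dll$|dos$|htr$|htw$|ida$|idc$|idq$|inc$|ini$|key$|licx$|lnk$|log$|mdb$|old$|pass$|pdb$|pol$|printer$|pwd$|resources$|resx$|sql$|sys$|vb$|vbs$|vbproj$|vsdisco$|webinfo$|xsd$|xsx$) {
return 404;
}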
# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
# NOTE: "=" matches exactly this one URI (the directory itself). Challenge files such
# as /.well-known/acme-challenge/<token> are NOT covered by it; they fall to the
# "(^|/)\." dot rule above and get 404 unless a prefix location
# "^~ /.well-known/acme-challenge/" (with a root for the challenge files) is defined
# elsewhere with higher precedence. Check that before relying on http-01 renewals.
location = /.well-known/acme-challenge/ {
return 404;
}
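# Wordpress, remove any php handler
# Any .php anywhere below uploads (WordPress nests uploads by year/month). Was
# "uploads/([^/])+\.php", which only covered files directly inside uploads/.
location ~ ^/wp-content/uploads/.*\.php { return 404; }
# /wp-includes itself, any .php below it, and .php followed by path info.
location ~ ^/wp\-includes(/.*\.php(|[\/].*)|(|\/))$ { return 404; }
# Plain-text files below /wp-content (plugin/theme readme.txt version leaks).
location ~ ^/wp-content(/.*\.txt(|[\/].*)|(|\/))$ { return 404; }
location ~ ^/wp-admin/(?:install|includes) { return 404; }
location ~ ^/(?:readme|license)\. { return 404; }
# load-styles/load-scripts with 20+ "load[]=" entries (the admin bundling endpoint
# is a CPU/bandwidth amplifier). A "location" regex is matched against $uri only
# and never sees the query string, so the previous location-based form of this rule
# could not fire; $request_uri (raw path + query) is checked instead, where "[]"
# may also arrive as %5B%5D. Quoted because "{20,}" contains braces that the config
# parser would otherwise read as a block delimiter.
if ($request_uri ~* "^/wp-admin/(load\-styles|load\-scripts)\.php\?.*load(\[\]|%5B%5D)=([^&,]*,){20,}") { return 404; }
# REST API user enumeration (/wp-json/wp/v2/users).
location ~ ^(/wp-json/wp/v[0-9]+/users) { return 404; }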
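#
# MAGENTO 1
#
# Denied locations require a "^~" to prevent regexes (such as the PHP handler below) from matching
# http://nginx.org/en/docs/http/ngx_http_core_module.html#location
# The previous lines lacked the "^~" they describe: "location /shell/" lost to any
# later "~ \.php$" handler, and "location /install.(php|txt)" was a plain prefix
# match on that literal text (no "~"), so it could never match a real URL. The two
# file rules are regexes now and, being listed here, are tried before a PHP handler
# that follows them in the server block.
location ^~ /shell/ { deny all; }
location ^~ /cgi-bin/ { deny all; }
location ~ ^/install\.(php|txt)(/|$) { deny all; }
location ~ ^/license\.(php|txt)(/|$) { deny all; }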
# Prefix locations with "^~": once one is the longest matching prefix, no regex
# location is consulted for the request, so a PHP handler cannot pick these up.
location ^~ /app/ { return 404; }
location ^~ /includes/ { return 404; }
location ^~ /media/downloadable/ { return 404; }
location ^~ /pkginfo/ { return 404; }
location ^~ /report/config.xml { return 404; }
location ^~ /var/ { return 404; }
location ^~ /lib/ { return 404; }
location ^~ /dev/ { return 404; }
location ^~ /RELEASE_NOTES.txt { return 404; }
# Magento Connect downloader internals (only these subpaths, not /downloader/ itself).
location ^~ /downloader/pearlib { return 404; }
location ^~ /downloader/template { return 404; }
location ^~ /downloader/Maged { return 404; }
# Error-page configuration files under /errors/ (case-insensitive).
location ~* ^/errors/.+\.xml { return 404; }
# Admin RSS feeds exposing orders, stock levels and reviews. These answer 403
# rather than the 404 used everywhere else -- presumably intentional; verify.
location ~* /rss/order/new { return 403; }
location ~* /rss/catalog/notifystock { return 403; }
location ~* /rss/catalog/review { return 403; }
# Disallow PHP scripts in /media/ etc
# Also render static 404 pages for missing media
# NOTE: /lib/ and /shell/ are listed here as well, but "^~ /lib/" above already
# answers those requests before any regex is tried. The nested regex only catches
# paths ENDING in .php; "/media/x.php/y" instead reaches try_files, which serves
# only an existing file or directory and otherwise returns 404.
location ~ ^/(tmp|lib|media|shell|skin)/ {
# Any *.php below these directories: 404 instead of handing it to the PHP handler.
location ~ \.php$ {
return 404;
}
# Serve the file or directory if present, else a plain 404 without involving PHP.
try_files $uri $uri/ =404;
}
# Don't skip .thumbs, this is a default directory where Magento places thumbnails
# Nginx cannot "not" match something, instead the target is matched with an empty block
# http://stackoverflow.com/a/16304073
# (PCRE negative lookahead, e.g. "(^|/)\.(?!thumbs)", is the other way to express it.)
# NOTE: regex locations are tried in file order and the first match wins. Any
# "(^|/)\." rule that appears earlier in the server block already answers 404 for
# /.thumbs/..., so this exception only takes effect when placed before such a rule.
location ~ /\.thumbs { }
# Optional: restrict Magento data exports under /var/export to listed IPs plus
# basic auth (both conditions must hold because of "satisfy all").
#location ~ /var/export {
# satisfy all;
# allow 1.2.3.4;
# deny all;
# auth_basic "Restricted";
# auth_basic_user_file .htpasswd;
# autoindex off;
# }
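#taken from logfiles (paths probed by scanners; matched anywhere in the path, case-insensitive)
# Was "/(magento_version|util\/login.aspx|/install.php)": the last alternative
# spelled "//install.php", which a normalized $uri (adjacent slashes merged by
# merge_slashes, on by default) never contains, so it was dead. Dots escaped too.
location ~* /(magento_version|util/login\.aspx|install\.php) { return 404; }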
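#be careful with ifs!! ("if ... { return ...; }" is one of the safe uses)
#only allow the standard methods.
# NOTE: this also rejects OPTIONS, PUT, PATCH and DELETE, which REST clients
# (e.g. writes against WordPress' /wp-json) may use. 404 rather than 405 is a
# deliberate choice to hide that filtering takes place.
if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 404; }
# CVE-2015-3428 / AW_Blog vulnerability
# Note the .+ at the start: We want to allow url's like
# order=create_date, which would otherwise match.
# Left disabled. If enabled, keep in mind that ".+" only spares a keyword at the
# very start of the value: "order=name,created_at" would still be rejected.
# (A duplicated copy of this comment block was removed.)
#if ($arg_order ~* .+(select|create|insert|update|drop|delete|concat|alter|load)) { return 404; }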