nginx: added some security related configs

webserver-configs/nginx.conf

@@ -16,7 +16,22 @@ server {
  }
  ## End - Index
 
+ ## Begin - ACME (LetsEncrypt) 
+ # adapt the alias folder to where your certification job (e.g. CertBot)
+ # puts the domain verification challenges
+ # location ^~ /.well-known/acme-challenge/ {
+ # alias /srv/http/acme;
+ # }
+ ## End - ACME (LetsEncrypt) 
+
  ## Begin - Security
+ # safety stuff adopted from .htaccess
+ if ($request_uri ~ "{{|}}|{%|%}") { return 403; }
+ if ($query_string ~ "{{|}}|{%25|%25}") { return 403; }
+ if ($query_string ~ "base64_encode[^(]*\([^)]*\)") { return 403; }
+ if ($query_string ~* "(<|%3C)([^s]*s)+cript.*(>|%3E)") { return 403; }
+ if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
+ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
  # deny all direct access for these folders
  location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
  # deny running scripts inside core system folders
@@ -25,6 +40,8 @@ server {
  location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
  # deny access to specific files in the root folder
  location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+ # deny all files and folder beginning with a dot (hidden files & folders)
+ location ~ (^|/)\. { return 403; }
  ## End - Security
 
  ## Begin - PHP
@@ -39,6 +56,18 @@ server {
  include fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
  }
+ # or alternatively if you use uwsgi
+ # location ~ \.php$ {
+ # include uwsgi_params;
+ # uwsgi_modifier1 14;
+ # uwsgi_pass unix:/run/uwsgi/grav.sock;
+ # }
  ## End - PHP
-}
 
+ ## Begin - Static content
+ location ~ \.(?:css|js|svg|gif|jpe?g|png|woff2?)$ {
+ expires 7d;
+ access_log off;
+ }
+ ## End - Static content
+}