Engintron for cPanel/WHM Configuration Example

This example includes a modified /utilities/https_vhosts.php file which will do the includes for you on any vhosts you create using Engintron.
Please use this example ONLY as a guide.
Mitchell Krog 2017-04-17 12:16:33 +02:00
parent 90644a87eb
commit 03d91fea48
26 changed files with 6747 additions and 0 deletions

View file

@ -0,0 +1,67 @@
### If this helps you [You can buy me a beer](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=BKF9XT6WHATLG):beer:
# Nginx Bad Bot and User-Agent Blocker, Spam Referrer Blocker, Anti DDOS, Bad IP Blocker and Wordpress Theme Detector Blocker
# Configuration Example for Engintron for cPanel/WHM
<table style="width:100%;margin:0;">
<tr>
<td align="left"><img src="https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/blob/master/nginx-ultimate-bad-bot-referrer-blocker.png" alt="Nginx Ultimate Bad Bot Spam Referrer Blocker - Nginx Block Bad Bots, Vulnerability Scanners, Malware and Adware, Malicious Sites, Spam Referrers, Bad Referrers, Spam Blocker with DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders"/></td>
<td align="right"><a href="https://travis-ci.org/mitchellkrogza/nginx-ultimate-bad-bot-blocker" target="_blank"><img src="https://travis-ci.org/mitchellkrogza/nginx-ultimate-bad-bot-blocker.svg?branch=master"/></a></td>
</tr>
</table>
- This is a copy of an entire /etc/nginx folder from an Engintron/cPanel/WHM configuration.
- This is merely an example of where to put the required includes into your hosts files.
- **Do not simply copy and paste this over your entire nginx folder**, use it as a guide only as it requires that you put the correct domain names into your hosts config's and also correct certificate locations.
- PLEASE Follow the main configuration instructions at https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/blob/master/CONFIGURATION.md
- If you follow the main configuration instructions all you need to to is make the changes required in your /etc/conf.d/default.conf and /etc/conf.d/default_https.conf files as per this example.
### Version 2.2017.05
##### Created by: https://github.com/mitchellkrogza
##### Copyright Mitchell Krog <mitchellkrog@gmail.com>
# MIT License
## Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com
## https://github.com/mitchellkrogza
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
##### Some other free projects
- https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker
- https://github.com/mitchellkrogza/Badd-Boyz-Hosts
- https://github.com/mitchellkrogza/fail2ban-useful-scripts
- https://github.com/mitchellkrogza/linux-server-administration-scripts
- https://github.com/mitchellkrogza/Travis-CI-Nginx-for-Testing-Nginx-Configuration
- https://github.com/mitchellkrogza/Travis-CI-for-Apache-For-Testing-Apache-and-PHP-Configurations
- https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
- https://github.com/mariusv/nginx-badbot-blocker
##### Into Photography?
Come drop by and visit me at https://mitchellkrog.com
### Coding makes me very thirsty [why not buy me a beer](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=BKF9XT6WHATLG):beer:
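Review bot: the paths in the last bullet, `/etc/conf.d/default.conf` and `/etc/conf.d/default_https.conf`, do not match the first bullet, which says this is a copy of an entire `/etc/nginx` folder; if the Engintron files live under `/etc/nginx/conf.d/` the bullet should say so, otherwise a reader editing the wrong path will see no effect and no error. Same bullet: "all you need to to is" should read "all you need to do is". The two example-specific lines ("Configuration Example for Engintron" and the five bullets) are wrapped in the full upstream project README (license, donation links, photography plug); a short README that only covers this example directory would be easier to follow.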

View file

@ -0,0 +1,6 @@
# Add One Entry Per Line - List all the extra bad User-Agents you want to permanently block
# This is for User-Agents that are not included in the main list of the bot blocker
# This allows you finer control of keeping certain bots blocked and automatic updates will
# Never be able to remove this custom list of yours
"~*mybaduseragentname" 3;
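Review bot: the placeholder `"~*mybaduseragentname" 3;` is live rather than commented out, so it ships as an active map entry; it is harmless because no real client sends that string, but the header should say it is a placeholder to replace, and that the value `3` is what `blockbots.conf` tests with `if ($bad_bot = '3')`, so an entry given any other value will never be blocked. Minor: "Never" in the last comment line is capitalised mid-sentence.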

View file

@ -0,0 +1,45 @@
#######################################################################
# Author: Mitchell Krog <mitchellkrog@gmail.com> - https://github.com/mitchellkrogza/
# Include this in a vhost file within a server {} block using and include statement like below
# server {
# #Config stuff here
# include /etc/nginx/bots.d/blockbots.conf
# include /etc/nginx/bots.d/ddos.conf
# #Other config stuff here
# }
#######################################################################
# BOTS
# ****
#limit_conn bot1_connlimit 100;
limit_conn bot2_connlimit 10;
#limit_req zone=bot1_reqlimitip burst=50;
limit_req zone=bot2_reqlimitip burst=10;
if ($bad_bot = '3') {
return 444;
}
# BAD REFER WORDS
# ***************
if ($bad_words) {
return 444;
}
# REFERERS
# ********
if ($bad_referer) {
return 444;
}
# IP BLOCKS
# *********
if ($validate_client) {
return 444;
}
#######################################################################

View file

@ -0,0 +1,17 @@
#######################################################################
# Author: Mitchell Krog <mitchellkrog@gmail.com> - https://github.com/mitchellkrogza/
# Include this in a vhost file within a server {} block using and include statement like below
# server {
# #Config stuff here
# include /etc/nginx/bots.d/blockbots.conf
# include /etc/nginx/bots.d/ddos.conf
# #Other config stuff here
# }
#######################################################################
limit_conn addr 200;
limit_req zone=flood burst=200 nodelay;
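Review bot: the header comment is copied verbatim from `blockbots.conf`, so it describes how to include that file rather than this one; adjust it to describe `ddos.conf`. On the values, `limit_conn addr 200;` and `limit_req zone=flood burst=200 nodelay;` (with the zone declared at `rate=90r/s`) let a single address hold 200 concurrent connections and fire bursts of 200 requests without any delay, which is lenient for a file named `ddos.conf`; if the numbers are deliberately permissive for shared cPanel hosting, a comment saying so and pointing at the zone definition would help whoever tunes them later.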

View file

@ -0,0 +1,2 @@
# Add One Entry Per Line - List all the domains of the web sites you run on your Nginx to spare them from referrer checking
"~*mydomain.com" 0;
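Review bot: the map entry `"~*mydomain.com" 0;` is an unanchored, case-insensitive regex with an unescaped dot, so once a real domain is substituted it whitelists any referer that merely contains the string, including `mydomainXcom` and lookalike hosts such as `notmydomain.com` or `mydomain.com.example`. For a whitelist that is the wrong direction to err in: escape the dot (`mydomain\.com`), anchor the pattern against the host portion of the referer, and say in the comment that each entry is a regex rather than a plain hostname.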

View file

@ -0,0 +1,2 @@
# Add One Entry Per Line - Can Include Ranges like 127.0.0.1/32
127.0.0.1 0;

View file

@ -0,0 +1,125 @@
# Common definitions for static content (HTTPS)
# TLS/SSL common
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites (2048 bits)
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Protocols & Ciphers
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# Initialize important variables
set $CACHE_BYPASS_FOR_DYNAMIC 0;
set $CACHE_BYPASS_FOR_STATIC 0;
set $PROXY_DOMAIN_OR_IP $host;
set $PROXY_TO_PORT 8443;
set $SITE_URI "$host$request_uri";
# Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content
if ($query_string ~* "nocache") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $CACHE_BYPASS_FOR_STATIC 1;
}
# Proxy requests to "localhost"
if ($host ~* "localhost") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
}
# Proxy cPanel specific subdomains
if ($host ~* "^webmail\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2096;
}
if ($host ~* "^cpanel\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2083;
}
if ($host ~* "^whm\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2087;
}
if ($host ~* "^webdisk\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2078;
}
if ($host ~* "^(cpcalendars|cpcontacts)\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2080;
}
# Set custom rules like domain/IP exclusions or redirects here
include custom_rules;
location / {
try_files $uri $uri/ @backend;
}
location @backend {
include proxy_params_common;
# === MICRO CACHING ===
# Comment the following line to disable 1 second micro-caching for dynamic HTML content
include proxy_params_dynamic;
}
# Enable browser cache for static content files (TTL is 1 hour)
location ~* \.(?:json|xml|rss|atom)$ {
include proxy_params_common;
include proxy_params_static;
expires 1h;
}
# Enable browser cache for CSS / JS (TTL is 30 days)
location ~* \.(?:css|js)$ {
include proxy_params_common;
include proxy_params_static;
expires 30d;
}
# Enable browser cache for images (TTL is 60 days)
location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ {
include proxy_params_common;
include proxy_params_static;
expires 60d;
}
# Enable browser cache for archives, documents & media files (TTL is 60 days)
location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ {
set $CACHE_BYPASS_FOR_STATIC 1;
include proxy_params_common;
include proxy_params_static;
expires 60d;
}
# Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days)
location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ {
include proxy_params_common;
include proxy_params_static;
expires 60d;
add_header Access-Control-Allow-Origin *;
}
# Prevent logging of favicon and robot request errors
location = /favicon.ico {
include proxy_params_common;
include proxy_params_static;
expires 60d;
log_not_found off;
}
location = /robots.txt {
include proxy_params_common;
include proxy_params_static;
expires 1d;
log_not_found off;
}
# Deny access to files like .htaccess or .htpasswd
location ~ /\.ht {
deny all;
}
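Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with the trailing 3DES suites in `ssl_ciphers` (`ECDHE-ECDSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) is the broad-compatibility profile; unless the hosted sites must serve clients that cannot negotiate TLS 1.2, restrict to `ssl_protocols TLSv1.2;`, drop the DES-CBC3 suites, and add a comment saying which profile was chosen and why. Two smaller points: `location ~ /\.ht { deny all; }` only covers `.htaccess`/`.htpasswd`, so other dotfiles under a docroot (`.git`, `.env`, editor backups) are still proxied through to Apache; a pattern over all dotfiles, with `/.well-known/` exempted so ACME validation keeps working, closes that. And `ssl_dhparam /etc/ssl/certs/dhparam.pem;` requires that file to exist on the target server, which the README should list as a prerequisite.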

View file

@ -0,0 +1,4 @@
server_names_hash_bucket_size 64;
server_names_hash_max_size 4096;
limit_req_zone $binary_remote_addr zone=flood:50m rate=90r/s;
limit_conn_zone $binary_remote_addr zone=addr:50m;
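Review bot: both zones key on `$binary_remote_addr`, so when a site is fronted by CloudFlare (which the `custom_rules` file in this same commit is written for) every request arrives from a CloudFlare edge address and the `flood` and `addr` limits are applied per edge node rather than per visitor; the limiter then either does nothing useful or throttles every visitor behind one edge at once. If CloudFlare is in use, restore the client address first (`set_real_ip_from` for CloudFlare's published ranges plus `real_ip_header CF-Connecting-IP;`), and mention that dependency in a comment next to these two lines.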

View file

@ -0,0 +1,150 @@
# /**
# * @version 1.8.3
# * @package Engintron for cPanel/WHM
# * @author Fotis Evangelou
# * @url https://engintron.com
# * @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
# * @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
# */
server {
listen 80 default_server;
#listen [::]:80 ipv6only=on;
server_name localhost;
# deny all; # DO NOT REMOVE OR CHANGE THIS LINE - Used when Engintron is disabled to block Nginx from becoming an open proxy
# Initialize important variables
set $CACHE_BYPASS_FOR_DYNAMIC 0;
set $CACHE_BYPASS_FOR_STATIC 0;
set $PROXY_DOMAIN_OR_IP $host;
set $PROXY_TO_PORT 8080;
set $SITE_URI "$host$request_uri";
# Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content
if ($query_string ~* "nocache") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $CACHE_BYPASS_FOR_STATIC 1;
}
# Proxy requests to "localhost"
if ($host ~* "localhost") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
}
# Proxy cPanel specific subdomains
if ($host ~* "^webmail\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2095;
}
if ($host ~* "^cpanel\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2082;
}
if ($host ~* "^whm\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2086;
}
if ($host ~* "^webdisk\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2077;
}
if ($host ~* "^(cpcalendars|cpcontacts)\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2079;
}
# Set custom rules like domain/IP exclusions or redirects here
include custom_rules;
# Includes for Nginx Bad Bot Blocker
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
location / {
try_files $uri $uri/ @backend;
}
location @backend {
include proxy_params_common;
# === MICRO CACHING ===
# Comment the following line to disable 1 second micro-caching for dynamic HTML content
include proxy_params_dynamic;
}
# Enable browser cache for static content files (TTL is 1 hour)
location ~* \.(?:json|xml|rss|atom)$ {
include proxy_params_common;
include proxy_params_static;
expires 1h;
}
# Enable browser cache for CSS / JS (TTL is 30 days)
location ~* \.(?:css|js)$ {
include proxy_params_common;
include proxy_params_static;
expires 30d;
}
# Enable browser cache for images (TTL is 60 days)
location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ {
include proxy_params_common;
include proxy_params_static;
expires 60d;
}
# Enable browser cache for archives, documents & media files (TTL is 60 days)
location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ {
set $CACHE_BYPASS_FOR_STATIC 1;
include proxy_params_common;
include proxy_params_static;
expires 60d;
}
# Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days)
location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ {
include proxy_params_common;
include proxy_params_static;
expires 60d;
add_header Access-Control-Allow-Origin *;
}
# Prevent logging of favicon and robot request errors
location = /favicon.ico {
include proxy_params_common;
include proxy_params_static;
expires 60d;
log_not_found off;
}
location = /robots.txt {
include proxy_params_common;
include proxy_params_static;
expires 1d;
log_not_found off;
}
location = /nginx_status {
stub_status;
access_log off;
log_not_found off;
# Uncomment the following 2 lines to make the Nginx status page private.
# If you do this and you have Munin installed, graphs for Nginx will stop working.
#allow 127.0.0.1;
#deny all;
}
location = /whm-server-status {
proxy_pass http://127.0.0.1:8080;
# Comment the following 2 lines to make the Apache status page public
allow 127.0.0.1;
deny all;
}
# Deny access to files like .htaccess or .htpasswd
location ~ /\.ht {
deny all;
}
}
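Review bot: `location = /nginx_status` serves `stub_status` to anyone who reaches the default server, because the `#allow 127.0.0.1;` / `#deny all;` pair is commented out; active connection and request counters are reconnaissance data, so ship the page restricted and, if Munin polls it from a non-local address, allow that address specifically rather than opening the page to everyone. Also `if ($host ~* "localhost")` is an unanchored substring match, so a host such as `notlocalhost.example` is routed to 127.0.0.1 as well; anchoring (`^localhost$`) is safer. The two bad-bot includes are positioned correctly: at server level before the `location` blocks, so their `if`/`return 444` rules run for every request.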

View file

@ -0,0 +1,53 @@
# Default definition block for HTTPS (Generated on 2017.04.15 23:47:42) #
server {
listen 443 ssl http2 default_server;
#listen [::]:443 ipv6only=on ssl http2 default_server;
server_name localhost;
# deny all; # DO NOT REMOVE OR CHANGE THIS LINE - Used when Engintron is disabled to block Nginx from becoming an open proxy
ssl_certificate /var/cpanel/ssl/cpanel/mycpanel.pem;
ssl_certificate_key /var/cpanel/ssl/cpanel/mycpanel.pem;
include common_https.conf;
# Includes for Nginx Bad Bot Blocker
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
location = /nginx_status {
stub_status;
access_log off;
log_not_found off;
# Uncomment the following 2 lines to make the Nginx status page private.
# If you do this and you have Munin installed, graphs for Nginx will stop working.
#allow 127.0.0.1;
#deny all;
}
location = /whm-server-status {
proxy_pass http://127.0.0.1:8080;
# Comment the following 2 lines to make the Apache status page public
allow 127.0.0.1;
deny all;
}
}
# Definition block for domain(s): yourwebsite.com www.yourwebsite.com #
server {
listen 443 ssl http2;
#listen [::]:443 ipv6only=on ssl http2;
server_name yourwebsite.com www.yourwebsite.com;
# deny all; # DO NOT REMOVE OR CHANGE THIS LINE - Used when Engintron is disabled to block Nginx from becoming an open proxy
ssl_certificate /etc/ssl/engintron/???.crt;
ssl_certificate_key /var/cpanel/ssl/installed/keys/???.key;
include common_https.conf;
# Includes for Nginx Bad Bot Blocker
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
}
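Review bot: the per-domain block leaves `ssl_certificate /etc/ssl/engintron/???.crt;` and `ssl_certificate_key /var/cpanel/ssl/installed/keys/???.key;` as `???` placeholders, so the file as committed does not pass `nginx -t` (the certificate files cannot be loaded); since the commit message says the modified `https_vhosts.php` generates these blocks, the "Generated on" header comment should state that this block is generator output and that the paths are filled in by it, not by hand. The `/nginx_status` location has the same exposure as in `default.conf`: restrict it in the HTTPS default server too.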

File diff suppressed because it is too large

View file

@ -0,0 +1,93 @@
#####################################################################
# === Place your custom rules for Nginx here ===
#
# Some examples:
# - Engintron & CloudFlare
# - HTTP to HTTPS redirects when using CloudFlare
# - Setting up domains with dedicated IPs on the system
# - Cache exclusions for domains, subdomains or even directories
# - Any other global or domain specific rule (redirect, process etc.)
#
# For up to date info check out the Engintron wiki at:
# https://github.com/engintron/engintron/wiki
#
# *** Updated for Engintron v1.8.3 ***
#
#####################################################################
# === FOR USE WITH CLOUDFLARE ===
#
# a) If your server has a single shared IP ONLY and you wish to use CloudFlare for any (or all) of your sites
# you will have to specify this shared IP address below otherwise you'll get errors from CloudFlare.
# This change will simply tell Nginx to skip DNS resolving and simply forward traffic to the shared IP.
# Uncomment the following line if all your sites on the shared (main) IP of your server are on CloudFlare:
#
# set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX"; # Use your cPanel's shared IP address here
#
# b) If you utilize CloudFlare on a cPanel server with BOTH a shared IP and dedicated IPs for domains, you will
# have to set the IP ONLY for each such domain at the "WHEN TO SPECIFY A DOMAIN IP" section lower in this file.
#
# c) It is possible to force-redirect all your domains on CloudFlare to HTTPS if you have TLS/SSL enabled
# in CloudFlare's "Crypto" settings page. Make sure you use "Flexible SSL" there so CloudFlare proxies
# traffic from HTTPS to Nginx's HTTP port (80). This way you'll also be able to serve sites over HTTPS with
# no actual TLS/SSL certificate installed on the server, as long as they exist in CloudFlare and have
# CloudFlare's shared TLS/SSL certificate enabled there. To redirect to HTTPS, simply specify a block similar
# to the one below and make sure you set the domains you DO NOT want to automatically redirect to HTTPS.
#
# # === Protocol redirect handling when using CloudFlare [start] ===
#
# set $redirToSSL "";
# if ($http_cf_visitor ~ '{"scheme":"http"}') {
# set $redirToSSL "on";
# }
#
# # Set each domain you DO NOT want to automatically redirect to HTTPS when using CloudFlare only below
# # and repeat the process with additional "if" blocks for more domains
#
# if ($host ~ 'domain-to-exclude-from-redirect.com') {
# set $redirToSSL "off";
# }
# if ($redirToSSL = "on") {
# return 301 https://$host$request_uri;
# }
#
# # === Protocol redirect handling when using CloudFlare [finish] ===
# === WHEN TO SPECIFY A DOMAIN IP ===
# By default, Nginx will redirect requests to the right domain IP by using DNS resolving.
# However there are cases where you want to specify an IP for use with Nginx:
# - When you use CloudFlare for certain domains only on your server,
# regardless of whether these domains use the server's shared IP or a dedicated IP.
# - When you are working on a domain which does not yet (DNS) resolve to your server,
# but you want to access it by modifying your computer's "hosts" file.
#
# To specify the domain IP in such cases, simply enter a domain or subdomain in an "if" block
# (as shown below) and inside that block set the appropriate shared or dedicated IP to point to.
#
# To specify the IP for a domain simply uncomment the following 3 lines and make sure you replace
# example.com with your actual domain or subdomain and also replace XXX.XXX.XXX.XXX with the actual
# IP assigned to that domain. To specify the IP for more domains, simply copy that "if" block
# (per domain) and change accordingly.
#
# if ($host ~ "example.com") {
# set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX";
# }
# === DOMAIN AND URL PATH EXCLUSIONS FROM CACHING ===
# If you wish to exclude certain domains, subdomains or even full URL paths from micro-caching and/or
# static file caching, simply specify them below and use a colon (|) character as a separator.
# Remember that if you specify a "naked" domain name, e.g. mynicedomain.com, every subdomain e.g.
# support.mynicedomain.com will also be excluded from caching. Decide wisely!
# If you wish to disable ONLY micro-caching, then comment the line "set $CACHE_BYPASS_FOR_STATIC".
# If you wish to disable ONLY static file caching, then comment the line "set $CACHE_BYPASS_FOR_DYNAMIC".
#
# Note: Don't include the "http(s)://" portion of a URL.
#
if ($SITE_URI ~* "nirmoladda.com|nirmoladda.com/login|nirmoladda.com/register|nirmoladda.com/logout|nirmoladda.com/admin.php") {
set $CACHE_BYPASS_FOR_DYNAMIC 1; # Disables micro-caching
# set $CACHE_BYPASS_FOR_STATIC 1; # Disables static file caching
}
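Review bot: the live exclusion at the bottom, `if ($SITE_URI ~* "nirmoladda.com|nirmoladda.com/login|nirmoladda.com/register|...")`, carries a specific real domain rather than the `example.com` placeholders used throughout the comments above it, so anyone following the README's "use as a guide" advice inherits a cache exclusion for a site that is not theirs; replace it with a placeholder or comment it out as the other copy of this file in this commit does. The rule is also redundant: `nirmoladda.com` alone already matches every `nirmoladda.com/...` path, so the four path alternatives add nothing. Doc fix: "use a colon (|) character as a separator" should say pipe.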

View file

@ -0,0 +1,93 @@
#####################################################################
# === Place your custom rules for Nginx here ===
#
# Some examples:
# - Engintron & CloudFlare
# - HTTP to HTTPS redirects when using CloudFlare
# - Setting up domains with dedicated IPs on the system
# - Cache exclusions for domains, subdomains or even directories
# - Any other global or domain specific rule (redirect, process etc.)
#
# For up to date info check out the Engintron wiki at:
# https://github.com/engintron/engintron/wiki
#
# *** Updated for Engintron v1.8.3 ***
#
#####################################################################
# === FOR USE WITH CLOUDFLARE ===
#
# a) If your server has a single shared IP ONLY and you wish to use CloudFlare for any (or all) of your sites
# you will have to specify this shared IP address below otherwise you'll get errors from CloudFlare.
# This change will simply tell Nginx to skip DNS resolving and simply forward traffic to the shared IP.
# Uncomment the following line if all your sites on the shared (main) IP of your server are on CloudFlare:
#
# set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX"; # Use your cPanel's shared IP address here
#
# b) If you utilize CloudFlare on a cPanel server with BOTH a shared IP and dedicated IPs for domains, you will
# have to set the IP ONLY for each such domain at the "WHEN TO SPECIFY A DOMAIN IP" section lower in this file.
#
# c) It is possible to force-redirect all your domains on CloudFlare to HTTPS if you have TLS/SSL enabled
# in CloudFlare's "Crypto" settings page. Make sure you use "Flexible SSL" there so CloudFlare proxies
# traffic from HTTPS to Nginx's HTTP port (80). This way you'll also be able to serve sites over HTTPS with
# no actual TLS/SSL certificate installed on the server, as long as they exist in CloudFlare and have
# CloudFlare's shared TLS/SSL certificate enabled there. To redirect to HTTPS, simply specify a block similar
# to the one below and make sure you set the domains you DO NOT want to automatically redirect to HTTPS.
#
# # === Protocol redirect handling when using CloudFlare [start] ===
#
# set $redirToSSL "";
# if ($http_cf_visitor ~ '{"scheme":"http"}') {
# set $redirToSSL "on";
# }
#
# # Set each domain you DO NOT want to automatically redirect to HTTPS when using CloudFlare only below
# # and repeat the process with additional "if" blocks for more domains
#
# if ($host ~ 'domain-to-exclude-from-redirect.com') {
# set $redirToSSL "off";
# }
# if ($redirToSSL = "on") {
# return 301 https://$host$request_uri;
# }
#
# # === Protocol redirect handling when using CloudFlare [finish] ===
# === WHEN TO SPECIFY A DOMAIN IP ===
# By default, Nginx will redirect requests to the right domain IP by using DNS resolving.
# However there are cases where you want to specify an IP for use with Nginx:
# - When you use CloudFlare for certain domains only on your server,
# regardless of whether these domains use the server's shared IP or a dedicated IP.
# - When you are working on a domain which does not yet (DNS) resolve to your server,
# but you want to access it by modifying your computer's "hosts" file.
#
# To specify the domain IP in such cases, simply enter a domain or subdomain in an "if" block
# (as shown below) and inside that block set the appropriate shared or dedicated IP to point to.
#
# To specify the IP for a domain simply uncomment the following 3 lines and make sure you replace
# example.com with your actual domain or subdomain and also replace XXX.XXX.XXX.XXX with the actual
# IP assigned to that domain. To specify the IP for more domains, simply copy that "if" block
# (per domain) and change accordingly.
#
# if ($host ~ "example.com") {
# set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX";
# }
# === DOMAIN AND URL PATH EXCLUSIONS FROM CACHING ===
# If you wish to exclude certain domains, subdomains or even full URL paths from micro-caching and/or
# static file caching, simply specify them below and use a colon (|) character as a separator.
# Remember that if you specify a "naked" domain name, e.g. mynicedomain.com, every subdomain e.g.
# support.mynicedomain.com will also be excluded from caching. Decide wisely!
# If you wish to disable ONLY micro-caching, then comment the line "set $CACHE_BYPASS_FOR_STATIC".
# If you wish to disable ONLY static file caching, then comment the line "set $CACHE_BYPASS_FOR_DYNAMIC".
#
# Note: Don't include the "http(s)://" portion of a URL.
#
# if ($SITE_URI ~* "example.com|example2.com/path|example3.com/some/other/path|subdomain.example4.com") {
# set $CACHE_BYPASS_FOR_DYNAMIC 1; # Disables micro-caching
# set $CACHE_BYPASS_FOR_STATIC 1; # Disables static file caching
# }
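Review bot: this file is identical to the preceding `custom_rules` except that the final exclusion block is commented out; if it is the default template that Engintron ships, a one-line comment saying "template, copy to custom_rules before editing" would stop readers editing the wrong one. The separator description "use a colon (|) character" is wrong here as well (that is a pipe).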

View file

@ -0,0 +1,25 @@
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
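Review bot: none of the server blocks in this commit use `fastcgi_pass` (every request is proxied to Apache on 8080/8443 via `proxy_params_common` and friends), so this stock `fastcgi_params` is dead configuration in the Engintron setup; keeping it is harmless, but a comment saying it is unused would save the next reader from looking for the location that includes it. If it is ever wired up, note that this variant intentionally omits `SCRIPT_FILENAME`, which the including location must then set.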

View file

@ -0,0 +1,109 @@
# This map is not a full koi8-r <> utf8 map: it does not contain
# box-drawing and some other characters. Besides this map contains
# several koi8-u and Byelorussian letters which are not in koi8-r.
# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
# map instead.
charset_map koi8-r utf-8 {
80 E282AC ; # euro
95 E280A2 ; # bullet
9A C2A0 ; # &nbsp;
9E C2B7 ; # &middot;
A3 D191 ; # small yo
A4 D194 ; # small Ukrainian ye
A6 D196 ; # small Ukrainian i
A7 D197 ; # small Ukrainian yi
AD D291 ; # small Ukrainian soft g
AE D19E ; # small Byelorussian short u
B0 C2B0 ; # &deg;
B3 D081 ; # capital YO
B4 D084 ; # capital Ukrainian YE
B6 D086 ; # capital Ukrainian I
B7 D087 ; # capital Ukrainian YI
B9 E28496 ; # numero sign
BD D290 ; # capital Ukrainian soft G
BE D18E ; # capital Byelorussian short U
BF C2A9 ; # (C)
C0 D18E ; # small yu
C1 D0B0 ; # small a
C2 D0B1 ; # small b
C3 D186 ; # small ts
C4 D0B4 ; # small d
C5 D0B5 ; # small ye
C6 D184 ; # small f
C7 D0B3 ; # small g
C8 D185 ; # small kh
C9 D0B8 ; # small i
CA D0B9 ; # small j
CB D0BA ; # small k
CC D0BB ; # small l
CD D0BC ; # small m
CE D0BD ; # small n
CF D0BE ; # small o
D0 D0BF ; # small p
D1 D18F ; # small ya
D2 D180 ; # small r
D3 D181 ; # small s
D4 D182 ; # small t
D5 D183 ; # small u
D6 D0B6 ; # small zh
D7 D0B2 ; # small v
D8 D18C ; # small soft sign
D9 D18B ; # small y
DA D0B7 ; # small z
DB D188 ; # small sh
DC D18D ; # small e
DD D189 ; # small shch
DE D187 ; # small ch
DF D18A ; # small hard sign
E0 D0AE ; # capital YU
E1 D090 ; # capital A
E2 D091 ; # capital B
E3 D0A6 ; # capital TS
E4 D094 ; # capital D
E5 D095 ; # capital YE
E6 D0A4 ; # capital F
E7 D093 ; # capital G
E8 D0A5 ; # capital KH
E9 D098 ; # capital I
EA D099 ; # capital J
EB D09A ; # capital K
EC D09B ; # capital L
ED D09C ; # capital M
EE D09D ; # capital N
EF D09E ; # capital O
F0 D09F ; # capital P
F1 D0AF ; # capital YA
F2 D0A0 ; # capital R
F3 D0A1 ; # capital S
F4 D0A2 ; # capital T
F5 D0A3 ; # capital U
F6 D096 ; # capital ZH
F7 D092 ; # capital V
F8 D0AC ; # capital soft sign
F9 D0AB ; # capital Y
FA D097 ; # capital Z
FB D0A8 ; # capital SH
FC D0AD ; # capital E
FD D0A9 ; # capital SHCH
FE D0A7 ; # capital CH
FF D0AA ; # capital hard sign
}

View file

@ -0,0 +1,103 @@
charset_map koi8-r windows-1251 {
80 88 ; # euro
95 95 ; # bullet
9A A0 ; # &nbsp;
9E B7 ; # &middot;
A3 B8 ; # small yo
A4 BA ; # small Ukrainian ye
A6 B3 ; # small Ukrainian i
A7 BF ; # small Ukrainian yi
AD B4 ; # small Ukrainian soft g
AE A2 ; # small Byelorussian short u
B0 B0 ; # &deg;
B3 A8 ; # capital YO
B4 AA ; # capital Ukrainian YE
B6 B2 ; # capital Ukrainian I
B7 AF ; # capital Ukrainian YI
B9 B9 ; # numero sign
BD A5 ; # capital Ukrainian soft G
BE A1 ; # capital Byelorussian short U
BF A9 ; # (C)
C0 FE ; # small yu
C1 E0 ; # small a
C2 E1 ; # small b
C3 F6 ; # small ts
C4 E4 ; # small d
C5 E5 ; # small ye
C6 F4 ; # small f
C7 E3 ; # small g
C8 F5 ; # small kh
C9 E8 ; # small i
CA E9 ; # small j
CB EA ; # small k
CC EB ; # small l
CD EC ; # small m
CE ED ; # small n
CF EE ; # small o
D0 EF ; # small p
D1 FF ; # small ya
D2 F0 ; # small r
D3 F1 ; # small s
D4 F2 ; # small t
D5 F3 ; # small u
D6 E6 ; # small zh
D7 E2 ; # small v
D8 FC ; # small soft sign
D9 FB ; # small y
DA E7 ; # small z
DB F8 ; # small sh
DC FD ; # small e
DD F9 ; # small shch
DE F7 ; # small ch
DF FA ; # small hard sign
E0 DE ; # capital YU
E1 C0 ; # capital A
E2 C1 ; # capital B
E3 D6 ; # capital TS
E4 C4 ; # capital D
E5 C5 ; # capital YE
E6 D4 ; # capital F
E7 C3 ; # capital G
E8 D5 ; # capital KH
E9 C8 ; # capital I
EA C9 ; # capital J
EB CA ; # capital K
EC CB ; # capital L
ED CC ; # capital M
EE CD ; # capital N
EF CE ; # capital O
F0 CF ; # capital P
F1 DF ; # capital YA
F2 D0 ; # capital R
F3 D1 ; # capital S
F4 D2 ; # capital T
F5 D3 ; # capital U
F6 C6 ; # capital ZH
F7 C2 ; # capital V
F8 DC ; # capital soft sign
F9 DB ; # capital Y
FA C7 ; # capital Z
FB D8 ; # capital SH
FC DD ; # capital E
FD D9 ; # capital SHCH
FE D7 ; # capital CH
FF DA ; # capital hard sign
}

View file

@ -0,0 +1,105 @@
# /**
# * @version 1.8.3
# * @package Engintron for cPanel/WHM
# * @author Fotis Evangelou
# * @url https://engintron.com
# * @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
# * @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
# */
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
# Fonts
#application/vnd.ms-fontobject eot;
application/x-font-ttf ttf;
font/opentype otf;
#font/x-woff woff woff2;
}
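Review bot: `application/font-woff woff woff2;` maps `.woff2` to the WOFF 1.0 media type; the registered types are `font/woff` for `.woff` and `font/woff2` for `.woff2` (RFC 8081), so split this into two lines and drop the now-redundant commented `#font/x-woff woff woff2;` under `# Fonts`. Serving `.woff2` under the wrong type is the kind of mismatch that shows up as browser console warnings and is hard to trace back to a proxy-level `types` block.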

View file

@ -0,0 +1,134 @@
# /**
# * @version 1.8.3
# * @package Engintron for cPanel/WHM
# * @author Fotis Evangelou
# * @url https://engintron.com
# * @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
# * @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
# */
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
## Basic Settings ##
client_body_buffer_size 128k;
client_body_timeout 30s; # Use 5s for high-traffic sites
client_header_timeout 30s; # Use 5s for high-traffic sites
client_max_body_size 1024m;
keepalive_timeout 20s;
port_in_redirect off;
sendfile on;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
## DNS Resolver ##
# If in China, enable the OpenDNS entry that matches your network connectivity (IPv4 only or IPv4 & IPv6)
# OpenDNS (IPv4 & IPv6)
#resolver 208.67.222.222 208.67.220.220 [2620:0:ccc::2] [2620:0:ccd::2];
# OpenDNS (IPv4 only)
#resolver 208.67.222.222 208.67.220.220;
# Google Public DNS (IPv4 & IPv6)
#resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844];
# Google Public DNS (IPv4 only) [default]
resolver 8.8.8.8 8.8.4.4;
## Real IP Forwarding ##
set_real_ip_from 127.0.0.1;
# CloudFlare IPs
# List from: https://www.cloudflare.com/ips-v4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
# List from: https://www.cloudflare.com/ips-v6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# Replace with correct visitor IP
real_ip_header X-Forwarded-For;
real_ip_recursive on;
## MIME ##
include /etc/nginx/mime.types;
default_type application/octet-stream;
## Logging Settings ##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
## Gzip Settings ##
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 5;
gzip_disable "msie6";
gzip_min_length 256;
gzip_proxied any;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/x-js
text/xml;
gzip_vary on;
# Proxy Settings
proxy_cache_path /tmp/engintron_dynamic levels=1:2 keys_zone=engintron_dynamic:20m inactive=10m max_size=500m;
proxy_cache_path /tmp/engintron_static levels=1:2 keys_zone=engintron_static:20m inactive=10m max_size=500m;
proxy_temp_path /tmp/engintron_temp;
## Virtual Host Configs ##
include /etc/nginx/conf.d/*.conf;
}
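Review bot: the Cloudflare ranges under `## Real IP Forwarding ##` are a hard-coded snapshot, and with `real_ip_header X-Forwarded-For` plus `real_ip_recursive on` every connection arriving from one of them gets `$remote_addr` replaced by the forwarded value, which is what the bad-bot blocker's IP deny rules, the access log and any Fail2Ban jail reading it see. Document that the list must be refreshed from the two URLs already given in the comments, and that a server not actually fronted by Cloudflare should remove these entries so that only `127.0.0.1` is trusted; otherwise anything that can originate a request from those ranges can choose the client address nginx records.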

View file

@ -0,0 +1,50 @@
# /**
# * @version 1.8.3
# * @package Engintron for cPanel/WHM
# * @author Fotis Evangelou
# * @url https://engintron.com
# * @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
# * @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
# */
# General Proxy Settings
proxy_pass $scheme://$PROXY_DOMAIN_OR_IP:$PROXY_TO_PORT;
proxy_http_version 1.1; # Always upgrade to HTTP/1.1
proxy_set_header Accept-Encoding ""; # Optimize encoding
proxy_set_header Connection ""; # Enable keepalives
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Referer $http_referer;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
proxy_set_header CF-Visitor $http_cf_visitor;
# Buffers
proxy_buffers 256 16k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
# Timeouts
proxy_connect_timeout 180s;
proxy_read_timeout 240s;
proxy_send_timeout 240s;
# Security Headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# The HSTS header below force-redirects HTTP to HTTPS traffic & uses the browser's cache
# to store the redirect. Comment out with caution. More info on HSTS here:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
#if ($scheme = 'https') {
# add_header Strict-Transport-Security "max-age=86400; includeSubDomains" always;
#}
# Info
add_header X-Nginx-Cache-Status $upstream_cache_status;
add_header X-Server-Powered-By "Engintron";
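Review bot: `add_header` is inherited only by a `location` that defines no `add_header` of its own, so `X-XSS-Protection` and `X-Content-Type-Options` from `# Security Headers` silently disappear from any location block that adds a header itself; document this, or repeat the security headers in those locations. `add_header X-Server-Powered-By "Engintron";` also undoes part of what `server_tokens off;` in nginx.conf hides by advertising the proxy stack on every response, so consider dropping it or making it opt-in.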

View file

@ -0,0 +1,79 @@
# /**
# * @version 1.8.3
# * @package Engintron for cPanel/WHM
# * @author Fotis Evangelou
# * @url https://engintron.com
# * @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
# * @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
# */
# === MICRO CACHING ===
# 1 second (1s) micro-caching enabled for all proxied dynamic HTML content
# If you wish to have longer cache times, change the "proxy_cache_valid"
# line from "1s" to whatever time you want (e.g. "30s" or "1m").
# This cache is turned off when certain criteria are met, e.g. when a site
# manager logs into WordPress' backend/admin section.
#############################################################################################
# ADVANCED USERS ONLY:
# This setting is for cPanel servers with only one to a few sites & NO user-generated content
# in the frontend (no forums, no e-commerce sites, no user logins!) - you have been warned!
# Use the time defined in "$EXPIRES_FOR_DYNAMIC" to force client-side caching on dynamic content
# (set to 1m by default). To enable, uncomment all lines located at the bottom of this file.
# You can also raise "proxy_cache_valid" to the same value (e.g. "1m") to force longer
# server-side caching.
# The combination of these settings will have Nginx serve all content without issuing requests
# to Apache except only when it's required to refresh its cache.
set $EXPIRES_FOR_DYNAMIC 1m;
#############################################################################################
# Allow separate cache entries for mobile devices (smartphones & tables)
set $MOBILE "";
if ($http_user_agent ~* "(iPhone|iPod|iPad|Android|Mobile|Tablet)") {
set $MOBILE "mobile_";
}
# CMS (& CMS extension) specific cookies (e.g. Joomla, K2 for Joomla, WordPress, WooCommerce)
if ($http_cookie ~* "(joomla_[a-zA-Z0-9_]+|userID|wordpress_[a-zA-Z0-9_]+|wp-postpass|comment_author_[a-zA-Z0-9_]+|woocommerce_[a-zA-Z0-9_]+|wp_woocommerce_[a-zA-Z0-9_]+)") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $EXPIRES_FOR_DYNAMIC 0;
}
# Invision Power Board (IPB)
if ($cookie_member_id ~ "^[1-9][0-9]*$") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $EXPIRES_FOR_DYNAMIC 0;
}
# Admin sections & generic entry point names for CMSs
if ($request_uri ~* "(/administrator|com_user|com_users|com_contact|com_mailto|/component/user|/component/users|/component/contact|/component/mailto|/wp-admin|/wp-login.php|/ucp.php|/login|/logout|/connect|/signin|/signup|/register)") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $EXPIRES_FOR_DYNAMIC 0;
}
# Disable caching when the "Cache-Control" header is set to "private"
if ($http_cache_control ~* "private") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $EXPIRES_FOR_DYNAMIC 0;
}
# Proxy cache settings
proxy_no_cache $CACHE_BYPASS_FOR_DYNAMIC;
proxy_cache_bypass $CACHE_BYPASS_FOR_DYNAMIC;
proxy_cache engintron_dynamic;
proxy_cache_key "$MOBILE$request_method$scheme$host$request_uri";
proxy_cache_lock on;
proxy_cache_methods GET HEAD;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; # Additional options: http_403 http_404
proxy_cache_valid 200 1s; # Adjust for longer server-side cache times (unfortunately, we cannot use a variable here)
proxy_ignore_headers Cache-Control Expires Set-Cookie Vary;
# Force client-side caching for dynamic content (commented by default)
# See explanation at the top of this file
#expires $EXPIRES_FOR_DYNAMIC;
#proxy_hide_header Cache-Control;
#proxy_hide_header Expires;
#proxy_hide_header Pragma;
#proxy_hide_header Set-Cookie;
#proxy_hide_header Vary;
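Review bot: `$CACHE_BYPASS_FOR_DYNAMIC` is only ever assigned inside the four `if` blocks, so any request matching none of them reaches `proxy_no_cache`/`proxy_cache_bypass` with an uninitialized variable and nginx logs a "using uninitialized variable" warning per request; add `set $CACHE_BYPASS_FOR_DYNAMIC 0;` next to `set $MOBILE "";`. Separately, `proxy_ignore_headers Cache-Control Expires Set-Cookie Vary;` combined with a `proxy_cache_key` that carries no cookie component means a response that sets a session cookie not covered by the cookie regex (anything outside the Joomla, WordPress, WooCommerce and IPB names listed) is stored for the `proxy_cache_valid` window, `Set-Cookie` header included, and handed to the next visitor of the same URL; state that limitation beside the `# CMS (& CMS extension) specific cookies` comment or extend the regex for the applications actually hosted.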

View file

@ -0,0 +1,51 @@
# /**
# * @version 1.8.3
# * @package Engintron for cPanel/WHM
# * @author Fotis Evangelou
# * @url https://engintron.com
# * @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
# * @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
# */
# === STATIC ASSET CACHING ===
# Proxy Cache Settings for static files ONLY.
# Nginx can cache static files and directly serve them without issuing calls
# to Apache on every static file request.
# By default Engintron will set a 1 minute (1m) cache time for static files.
# To increase, simply adjust the value for "proxy_cache_valid"
# Respects the different "Expires" header set per file type in "default.conf"
# for client-side caching.
# Every other header is ignored, stripped or reset from the request to
# maximize caching.
# This cache is turned off when certain criteria are met, e.g. when a site
# manager logs into WordPress' backend/admin section.
# Admin sections for CMSs
if ($request_uri ~* "(/administrator|/wp-admin|/wp-login.php)") {
set $CACHE_BYPASS_FOR_STATIC 1;
}
# Proxy cache settings
proxy_no_cache $CACHE_BYPASS_FOR_STATIC;
proxy_cache_bypass $CACHE_BYPASS_FOR_STATIC;
proxy_cache engintron_static;
proxy_cache_key "$request_method$scheme$host$request_uri";
proxy_cache_lock on;
proxy_cache_min_uses 1;
proxy_cache_revalidate on;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; # Additional options: http_403 http_404
proxy_cache_valid 200 301 302 1m; # Adjust for longer server-side cache times (unfortunately, we cannot use a variable here)
proxy_ignore_headers Cache-Control Expires Set-Cookie Vary;
proxy_hide_header Cache-Control;
proxy_hide_header Expires;
proxy_hide_header Pragma;
proxy_hide_header Set-Cookie;
proxy_hide_header Vary;
# Reset headers
add_header Pragma "public";
# Disable logging
access_log off;
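Review bot: `$CACHE_BYPASS_FOR_STATIC` is set only inside the single `if` block, so every other static request triggers the same "using uninitialized variable" warning as in proxy_params_dynamic; add `set $CACHE_BYPASS_FOR_STATIC 0;` before the `if`. `access_log off;` under `# Disable logging` also means requests for static paths never reach the access log that the bad-bot blocker's Fail2Ban jail reads, so probes aimed at static-looking URLs stay invisible; keep logging on, or at least make the opt-out explicit in the comment.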

View file

@ -0,0 +1,17 @@
scgi_param REQUEST_METHOD $request_method;
scgi_param REQUEST_URI $request_uri;
scgi_param QUERY_STRING $query_string;
scgi_param CONTENT_TYPE $content_type;
scgi_param DOCUMENT_URI $document_uri;
scgi_param DOCUMENT_ROOT $document_root;
scgi_param SCGI 1;
scgi_param SERVER_PROTOCOL $server_protocol;
scgi_param REQUEST_SCHEME $scheme;
scgi_param HTTPS $https if_not_empty;
scgi_param REMOTE_ADDR $remote_addr;
scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name;

View file

@ -0,0 +1,140 @@
#!/usr/bin/php
<?php
/**
* @version 1.8.3
* @package Engintron for cPanel/WHM
* @author Fotis Evangelou
* @url https://engintron.com
* @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
* @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
*/
define('HTTPD_CONF_LAST_CHANGED', 10); /* In seconds */
define('HTTPD_CONF', '/usr/local/apache/conf/httpd.conf'); /* For EA4 the path is /etc/httpd/conf/httpd.conf */
define('HTTPD_HTTPS_PORT', '8443');
define('NGINX_DEFAULT_HTTPS_VHOST', '/etc/nginx/conf.d/default_https.conf');
define('NGINX_HTTPS_PORT', '443');
//date_default_timezone_set('UTC');
//ini_set('display_errors', 0);
//error_reporting(0);
function generate_https_vhosts() {
$hostnamePemFile = '';
if (file_exists('/var/cpanel/ssl/cpanel/cpanel.pem') && is_readable('/var/cpanel/ssl/cpanel/cpanel.pem')) {
$hostnamePemFile = '/var/cpanel/ssl/cpanel/cpanel.pem';
}
if (file_exists('/var/cpanel/ssl/cpanel/mycpanel.pem') && is_readable('/var/cpanel/ssl/cpanel/mycpanel.pem')) {
$hostnamePemFile = '/var/cpanel/ssl/cpanel/mycpanel.pem';
}
// Initialize the output for default_https.conf
$output = '
# Default definition block for HTTPS (Generated on '.date('Y.m.d H:i:s').') #
server {
listen '.NGINX_HTTPS_PORT.' ssl http2 default_server;
#listen [::]:443 ipv6only=on ssl http2 default_server;
server_name localhost;
# deny all; # DO NOT REMOVE OR CHANGE THIS LINE - Used when Engintron is disabled to block Nginx from becoming an open proxy
ssl_certificate '.$hostnamePemFile.';
ssl_certificate_key '.$hostnamePemFile.';
# OCSP Stapling
#ssl_trusted_certificate '.$hostnamePemFile.';
#ssl_stapling on;
#ssl_stapling_verify on;
include common_https.conf;
# Includes for Nginx Bad Bot Blocker
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
location = /nginx_status {
stub_status;
access_log off;
log_not_found off;
# Uncomment the following 2 lines to make the Nginx status page private.
# If you do this and you have Munin installed, graphs for Nginx will stop working.
#allow 127.0.0.1;
#deny all;
}
location = /whm-server-status {
proxy_pass http://127.0.0.1:8080;
# Comment the following 2 lines to make the Apache status page public
allow 127.0.0.1;
deny all;
}
}
';
// Process Apache vhosts
if (file_exists(HTTPD_CONF) && is_readable(HTTPD_CONF)) {
$file = file_get_contents(HTTPD_CONF);
$regex = "#\<VirtualHost [0-9a-f\.\:\[\]\s]+\:".HTTPD_HTTPS_PORT."\>(.+?)\<\/VirtualHost\>#s";
preg_match_all($regex, $file, $matches, PREG_PATTERN_ORDER);
if(count($matches[1])) {
foreach ($matches[1] as $vhost) {
if($hostnamePemFile && strpos($vhost, $hostnamePemFile)!== false) continue; // Skip the main hostname entry
preg_match("#ServerName (.+?)\n#s", $vhost, $name);
preg_match("#ServerAlias (.+?)\n#s", $vhost, $aliases);
preg_match("#SSLCertificateFile (.+?)(\n|\r)#s", $vhost, $certfile);
preg_match("#SSLCertificateKeyFile (.+?)(\n|\r)#s", $vhost, $certkeyfile);
preg_match("#SSLCACertificateFile (.+?)(\n|\r)#s", $vhost, $certcafile);
if($aliases[1]){
$vhostAliases = $aliases[1];
} else {
$vhostAliases = '';
}
$vhostDomains = trim($name[1].' '.$vhostAliases);
$vhostCertFile = $certfile[1];
$vhostCertKeyFile = $certkeyfile[1];
$fullChainCertName = str_replace('/var/cpanel/ssl/installed/certs/', '/etc/ssl/engintron/', $vhostCertFile);
if($certcafile[1]){
$vhostCertCAFile = $certcafile[1];
$vhostFullChainCert = file_get_contents($vhostCertFile)."\n".file_get_contents($vhostCertCAFile);
$ocspStapling = '
# OCSP Stapling
#ssl_trusted_certificate '.$fullChainCertName.';
#ssl_stapling on;
#ssl_stapling_verify on;
';
} else {
$vhostFullChainCert = file_get_contents($vhostCertFile);
$ocspStapling = '';
}
file_put_contents($fullChainCertName, $vhostFullChainCert);
$output .= '
# Definition block for domain(s): '.$vhostDomains.' #
server {
listen '.NGINX_HTTPS_PORT.' ssl http2;
#listen [::]:443 ipv6only=on ssl http2;
server_name '.$vhostDomains.';
# deny all; # DO NOT REMOVE OR CHANGE THIS LINE - Used when Engintron is disabled to block Nginx from becoming an open proxy
ssl_certificate '.$fullChainCertName.';
ssl_certificate_key '.$vhostCertKeyFile.';
'.$ocspStapling.'
include common_https.conf;
}
';
}
}
}
file_put_contents(NGINX_DEFAULT_HTTPS_VHOST, $output);
}
// Run the check
if (!file_exists(NGINX_DEFAULT_HTTPS_VHOST) || (file_exists(HTTPD_CONF) && is_readable(HTTPD_CONF) && (filemtime(HTTPD_CONF) + HTTPD_CONF_LAST_CHANGED) > time())) {
generate_https_vhosts();
echo "HTTPS vhosts for Nginx re-created.\n";
exit(1);
} else {
echo "No changes in Apache's vhosts configuration. HTTPS vhosts for Nginx unchanged.\n";
exit(0);
}
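Review bot: `$name[1]`, `$aliases[1]` and `$certcafile[1]` are read without checking that the matching `preg_match` succeeded, so a vhost with no `ServerAlias` or `SSLCACertificateFile` line raises undefined-index notices, and with `error_reporting(0)` commented out those notices go to stdout, which https_vhosts.sh captures as its result; use `!empty($aliases[1])`-style checks. The `file_put_contents($fullChainCertName, $vhostFullChainCert)` return value is also unchecked, so if `/etc/ssl/engintron/` is missing or unwritable the emitted `ssl_certificate` line points at a file that does not exist and the subsequent reload fails for every site; test the write and skip the server block (with a logged message) when it fails. Finally, `exit(1)` on the "re-created" path inverts the usual convention of non-zero meaning failure and deserves a comment.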

View file

@ -0,0 +1,29 @@
#!/bin/bash
# /**
# * @version 1.8.3
# * @package Engintron for cPanel/WHM
# * @author Fotis Evangelou
# * @url https://engintron.com
# * @copyright Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
# * @license GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
# */
COUNTER="0"
function generate_https_vhosts {
if [ -f /etc/nginx/utilities/https_vhosts.php ]; then
RUN_CHECK=$(/usr/bin/php -c /dev/null /etc/nginx/utilities/https_vhosts.php)
if [[ $RUN_CHECK == 1 ]]; then
service nginx reload;
fi
fi
sleep 10
}
while [ $COUNTER -lt 5 ]; do
generate_https_vhosts
COUNTER=$[$COUNTER+1]
done
exit 0
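Review bot: `[[ $RUN_CHECK == 1 ]]` compares the PHP script's captured stdout, but https_vhosts.php prints "HTTPS vhosts for Nginx re-created." and signals the change only through `exit(1)`, so the condition never holds and nginx is never reloaded after default_https.conf is regenerated. Either test the exit status (run the script, then `if [ $? -eq 1 ]; then`) or have the PHP side echo `1`. While here, run `nginx -t` before `service nginx reload` so a regenerated file that references a missing certificate is caught before the reload is attempted, and replace the deprecated `$[$COUNTER+1]` with `$((COUNTER+1))`.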

View file

@ -0,0 +1,17 @@
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;

View file

@ -0,0 +1,126 @@
# This map is not a full windows-1251 <> utf8 map: it does not
# contain Serbian and Macedonian letters. If you need a full map,
# use contrib/unicode2nginx/win-utf map instead.
charset_map windows-1251 utf-8 {
82 E2809A ; # single low-9 quotation mark
84 E2809E ; # double low-9 quotation mark
85 E280A6 ; # ellipsis
86 E280A0 ; # dagger
87 E280A1 ; # double dagger
88 E282AC ; # euro
89 E280B0 ; # per mille
91 E28098 ; # left single quotation mark
92 E28099 ; # right single quotation mark
93 E2809C ; # left double quotation mark
94 E2809D ; # right double quotation mark
95 E280A2 ; # bullet
96 E28093 ; # en dash
97 E28094 ; # em dash
99 E284A2 ; # trade mark sign
A0 C2A0 ; # &nbsp;
A1 D18E ; # capital Byelorussian short U
A2 D19E ; # small Byelorussian short u
A4 C2A4 ; # currency sign
A5 D290 ; # capital Ukrainian soft G
A6 C2A6 ; # borken bar
A7 C2A7 ; # section sign
A8 D081 ; # capital YO
A9 C2A9 ; # (C)
AA D084 ; # capital Ukrainian YE
AB C2AB ; # left-pointing double angle quotation mark
AC C2AC ; # not sign
AD C2AD ; # soft hypen
AE C2AE ; # (R)
AF D087 ; # capital Ukrainian YI
B0 C2B0 ; # &deg;
B1 C2B1 ; # plus-minus sign
B2 D086 ; # capital Ukrainian I
B3 D196 ; # small Ukrainian i
B4 D291 ; # small Ukrainian soft g
B5 C2B5 ; # micro sign
B6 C2B6 ; # pilcrow sign
B7 C2B7 ; # &middot;
B8 D191 ; # small yo
B9 E28496 ; # numero sign
BA D194 ; # small Ukrainian ye
BB C2BB ; # right-pointing double angle quotation mark
BF D197 ; # small Ukrainian yi
C0 D090 ; # capital A
C1 D091 ; # capital B
C2 D092 ; # capital V
C3 D093 ; # capital G
C4 D094 ; # capital D
C5 D095 ; # capital YE
C6 D096 ; # capital ZH
C7 D097 ; # capital Z
C8 D098 ; # capital I
C9 D099 ; # capital J
CA D09A ; # capital K
CB D09B ; # capital L
CC D09C ; # capital M
CD D09D ; # capital N
CE D09E ; # capital O
CF D09F ; # capital P
D0 D0A0 ; # capital R
D1 D0A1 ; # capital S
D2 D0A2 ; # capital T
D3 D0A3 ; # capital U
D4 D0A4 ; # capital F
D5 D0A5 ; # capital KH
D6 D0A6 ; # capital TS
D7 D0A7 ; # capital CH
D8 D0A8 ; # capital SH
D9 D0A9 ; # capital SHCH
DA D0AA ; # capital hard sign
DB D0AB ; # capital Y
DC D0AC ; # capital soft sign
DD D0AD ; # capital E
DE D0AE ; # capital YU
DF D0AF ; # capital YA
E0 D0B0 ; # small a
E1 D0B1 ; # small b
E2 D0B2 ; # small v
E3 D0B3 ; # small g
E4 D0B4 ; # small d
E5 D0B5 ; # small ye
E6 D0B6 ; # small zh
E7 D0B7 ; # small z
E8 D0B8 ; # small i
E9 D0B9 ; # small j
EA D0BA ; # small k
EB D0BB ; # small l
EC D0BC ; # small m
ED D0BD ; # small n
EE D0BE ; # small o
EF D0BF ; # small p
F0 D180 ; # small r
F1 D181 ; # small s
F2 D182 ; # small t
F3 D183 ; # small u
F4 D184 ; # small f
F5 D185 ; # small kh
F6 D186 ; # small ts
F7 D187 ; # small ch
F8 D188 ; # small sh
F9 D189 ; # small shch
FA D18A ; # small hard sign
FB D18B ; # small y
FC D18C ; # small soft sign
FD D18D ; # small e
FE D18E ; # small yu
FF D18F ; # small ya
}