This example includes a modified /utilities/https_vhosts.php file that adds the includes for you to any vhosts you create with Engintron. Please use this example ONLY as a guide.
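# Common definitions for static content (HTTPS)

# TLS/SSL common
# Resumption is served from the shared server-side cache only. Tickets stay
# off because nginx does not rotate the ticket key by default, and a static
# ticket key lets anyone who later obtains it decrypt recorded sessions,
# which defeats the forward secrecy the ECDHE/DHE suites below provide.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites (2048 bits)
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# Protocols & Ciphers
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no longer negotiable by
# current browsers, so they are dropped. TLSv1.3 needs nginx >= 1.13.0 built
# against OpenSSL >= 1.1.1; remove it from this list on an older build.
ssl_protocols TLSv1.2 TLSv1.3;
# Same ordering as before minus the four 3DES (DES-CBC3) suites: a 64-bit
# block cipher is exposed to birthday-bound attacks on long-lived
# connections, and no TLSv1.2-capable client still needs 3DES. The non-PFS
# plain AES* suites at the tail are kept for legacy compatibility; delete
# them to require ECDHE/DHE key exchange for every connection.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
# Server picks from its own ordered list rather than honouring the client's
# preference, so the AEAD/ChaCha suites listed first win when supported.
ssl_prefer_server_ciphers on;
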
# Initialize important variables
# Cache-bypass flags default to 0 (cache allowed); later blocks flip them to 1.
set $CACHE_BYPASS_FOR_DYNAMIC 0;
set $CACHE_BYPASS_FOR_STATIC 0;
# Upstream target defaults to the client-supplied Host header and port 8443;
# the if-blocks below rewrite both for localhost and the cPanel service
# subdomains. NOTE(review): $host comes straight from the request, so if
# proxy_params_common (not visible here) builds the proxy_pass target from
# $PROXY_DOMAIN_OR_IP, the enclosing server block must use an exact
# server_name rather than a catch-all, otherwise a crafted Host header can
# point the proxy at an arbitrary destination on port 8443 — confirm against
# proxy_params_common.
set $PROXY_DOMAIN_OR_IP $host;
set $PROXY_TO_PORT 8443;
# Host plus full request URI, presumably used as a cache key downstream.
set $SITE_URI "$host$request_uri";

# Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content
# Substring match: any query string containing "nocache" (any case) qualifies,
# e.g. "?nocache=1" or "?x=nocache". This is unauthenticated, so every client
# can force a cache miss; a burst of such requests lands directly on the
# backend. Keep that in mind if the origin is slow or easily overloaded.
if ($query_string ~* "nocache") {
    set $CACHE_BYPASS_FOR_DYNAMIC 1;
    set $CACHE_BYPASS_FOR_STATIC 1;
}

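# Proxy requests to "localhost"
# Anchored so only "localhost" itself, or a host ending in ".localhost", is
# sent to the loopback address. The previous unanchored pattern matched the
# substring anywhere in the Host header (e.g. "mylocalhost.example.com").
# Port stays at the default set above; only the destination host changes.
if ($host ~* "^(?:.*\.)?localhost$") {
    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
}
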
# Proxy cPanel specific subdomains
# Each rule is anchored at the start of the Host header, so only the leading
# label is tested. All of them route to loopback; they differ only in the
# port of the cPanel service that owns that subdomain.
if ($host ~* "^webmail\.") {
    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    set $PROXY_TO_PORT 2096;
}

if ($host ~* "^cpanel\.") {
    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    set $PROXY_TO_PORT 2083;
}

if ($host ~* "^whm\.") {
    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    set $PROXY_TO_PORT 2087;
}

if ($host ~* "^webdisk\.") {
    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    set $PROXY_TO_PORT 2078;
}

if ($host ~* "^(cpcalendars|cpcontacts)\.") {
    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    set $PROXY_TO_PORT 2080;
}

# Set custom rules like domain/IP exclusions or redirects here
# Site-specific overrides live in a separate file so this shared template can
# be regenerated without losing them. The file is resolved relative to the
# nginx prefix/conf directory and must exist, or the configuration fails to load.
include custom_rules;

# Default handler: serve a matching static file or directory from the local
# root first, and only fall through to the proxied backend when neither exists.
location / {
    try_files $uri $uri/ @backend;
}

# Named location reached from try_files above; proxies the request to the
# upstream selected by $PROXY_DOMAIN_OR_IP/$PROXY_TO_PORT (the proxy_pass
# itself presumably lives in proxy_params_common, which is not shown here).
location @backend {
    include proxy_params_common;
    # === MICRO CACHING ===
    # Comment the following line to disable 1 second micro-caching for dynamic HTML content
    include proxy_params_dynamic;
}

# Enable browser cache for static content files (TTL is 1 hour)
# Case-insensitive match on the URI extension. "expires" emits matching
# Expires and Cache-Control: max-age headers for the client.
location ~* \.(?:json|xml|rss|atom)$ {
    include proxy_params_common;
    include proxy_params_static;
    expires 1h;
}

# Enable browser cache for CSS / JS (TTL is 30 days)
# Long client TTL: assets under this rule should carry a version or hash in
# the filename, otherwise browsers keep a stale copy for up to 30 days.
location ~* \.(?:css|js)$ {
    include proxy_params_common;
    include proxy_params_static;
    expires 30d;
}

# Enable browser cache for images (TTL is 60 days)
# Note that svg/svgz are handled by the fonts rule further down, not here.
location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ {
    include proxy_params_common;
    include proxy_params_static;
    expires 60d;
}

# Enable browser cache for archives, documents & media files (TTL is 60 days)
# Unlike the other static rules this one sets the bypass flag, presumably so
# large downloads are streamed from the backend rather than stored in the
# proxy cache (how the flag is consumed lives in proxy_params_static).
# The client-side TTL is still 60 days.
location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ {
    set $CACHE_BYPASS_FOR_STATIC 1;
    include proxy_params_common;
    include proxy_params_static;
    expires 60d;
}

# Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days)
# The wildcard CORS header is the usual fix for browsers refusing cross-origin
# @font-face loads. Because add_header is only inherited from the enclosing
# level when a location defines none of its own, any security headers (e.g.
# Strict-Transport-Security) set at server level are NOT emitted for responses
# from this location unless they are repeated here.
location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ {
    include proxy_params_common;
    include proxy_params_static;
    expires 60d;
    add_header Access-Control-Allow-Origin *;
}

# Prevent logging of favicon and robot request errors
# Exact-match location (takes precedence over the regex rules above);
# log_not_found off keeps a missing favicon from filling the error log.
location = /favicon.ico {
    include proxy_params_common;
    include proxy_params_static;
    expires 60d;
    log_not_found off;
}

# robots.txt gets a shorter client TTL (1 day) than other static files so
# crawler policy changes propagate quickly; 404s are likewise not logged.
location = /robots.txt {
    include proxy_params_common;
    include proxy_params_static;
    expires 1d;
    log_not_found off;
}

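# Deny access to files like .htaccess or .htpasswd
# Broadened from "/\.ht" to every dot-prefixed path segment so that other
# hidden files and directories under the document root (.git, .svn, .env,
# editor backups) are not served by try_files either. "/.well-known/" is
# exempted because ACME HTTP-01 challenges and similar discovery files must
# stay reachable. Regex locations are tried in order of appearance, so move
# this block above the static-asset locations if those must never win for
# a path such as "/.hidden/file.css".
location ~ /\.(?!well-known/) {
    deny all;
}
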