nginx设定备忘

以下均以nginx的默认设定文件/etc/nginx/sites-available/default直接编辑为例。

1.定义CF的Ip范围

# Trust the CF-Connecting-IP header only when the connection arrives from a listed
# range. Any source listed here can set the client address nginx sees (and the
# address limit_req keys on below), so the list must contain only Cloudflare's
# published edge ranges. The memo shows a single IPv4 range; the full IPv4 and IPv6
# list at https://www.cloudflare.com/ips/ needs one set_real_ip_from line per range
# and changes over time.
set_real_ip_from 173.245.48.0/20;

CF 的 IP 范围：参考 https://www.cloudflare.com/ips/ ，每个网段各写一行 set_real_ip_from，该列表会变动。

# Take the client address from the CF-Connecting-IP header that Cloudflare adds,
# but only for connections coming from a set_real_ip_from range.
real_ip_header CF-Connecting-IP;

# CF-Connecting-IP carries a single address, so the recursive search has no
# practical effect here; it only matters for multi-hop headers such as X-Forwarded-For.
real_ip_recursive on;

2.定义流量控制,防止DDOS

# Shared rate-limit zone keyed by client address (the Cloudflare-restored address,
# given the real_ip settings above): 3 MB of state, steady rate 1 request/second
# per address. Used by "location /" and by the admin/login location below. Because
# "location /" also serves static files, 1r/s with burst=10 may return 503 to a
# client whose page load fetches many assets. A per-client limit mitigates abusive
# bursts; it is not a defense against volumetric DDoS.
limit_req_zone $binary_remote_addr zone=admin_limit:3m rate=1r/s;

3.http转https

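# Plain-HTTP listener: redirect every request to HTTPS.
server {
listen 80 default_server;
server_name acconf.com;
# $request_uri already starts with "/", so no slash is written before it; the
# original "https://acconf.com/$request_uri" redirected to "https://acconf.com//path".
return 301 https://acconf.com$request_uri;
}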

4.https的设定

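# HTTPS server. NOTE(review): the closing "}" of this block is not shown in the
# memo; it must follow the location blocks of sections 5 and 6.
server {
listen 443 ssl http2;
# Fixed the "erver" typo and the missing ";" after server_name; nginx rejects both.
server_name acconf.com;
charset utf-8;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and removed here.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/mysite-cert.pem;
ssl_certificate_key /etc/nginx/mysite-privatekey.pem;

# 403/404/500/503 become a 307 redirect to /error.html (the client sees 307, not
# the original status); 401 keeps its status and serves /auth.html.
error_page 403 404 500 503 =307 /error.html;
error_page 401 /auth.html;
root /var/www/html;
# Do not reveal the nginx version in headers and error pages.
server_tokens off;
# Refuse to follow symlinks when serving files under root.
disable_symlinks on;
# Request buffers. 1k header buffers are small: a logged-in WordPress session
# carries several cookies and may exceed them (nginx then answers 400
# "Request Header Or Cookie Too Large"). 64m is the site-wide body cap; the PHP
# location below lowers it to 1m for requests handled by PHP.
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 64m;
large_client_header_buffers 2 1k;

index index.php index.html index.htm;

# Security headers; "always" also attaches them to error responses. add_header
# lines are inherited by a location only if that location defines none of its own.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection is deprecated and ignored by current browsers; kept as in the memo.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# "no-cache" is sent on every response, static assets included; "always" is not set here.
add_header Cache-Control "no-cache";
add_header x-cache-enabled "true";
# 'unsafe-inline' and 'unsafe-eval' in script-src remove most of the XSS protection
# a CSP could give; tighten them if the site can run without inline scripts.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";

# NOTE: the CSP above breaks the WordPress block editor.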

# Default handler: try the file, then the directory, then hand the request to
# WordPress's front controller with the original query string.
location / {
# Rate limit from section 2; applies to every request reaching this location,
# including static files served by try_files.
limit_req zone=admin_limit burst=10 nodelay;
try_files $uri $uri/ /index.php?$args;
}

5.php的关联设定

# PHP handler. NOTE(review): nginx uses the FIRST matching regex location in file
# order, so with this block placed before section 6, requests for wp-config.php,
# wp-login.php, xmlrpc.php and wp-admin/*.php match here and never reach the
# deny / auth_basic blocks below. Move the section 6 locations above this block
# (and give the restricted location its own nested PHP handler) for them to apply.
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# "php8.x" is a placeholder; use the socket of the installed PHP-FPM version.
fastcgi_pass unix:/run/php/php8.x-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# Overrides the server-level 64m: request bodies handled by PHP are capped at 1m,
# which also caps uploads that go through PHP.
client_max_body_size 1m;
}

6.wordpress的安全设定（下面这些 location 需要放在第5节的 `location ~ \.php$` 之前，否则对 .php 请求不会生效，因为 nginx 使用文件中第一个匹配的正则 location）

# Deny sensitive files. The pattern is unanchored (~* without ^), so it matches
# these names anywhere in the URI path. NOTE(review): the wp-config.php entry is
# ineffective while this block sits after "location ~ \.php$" (first regex match
# wins); place it before that block.
location ~* /(wp-config\.php|readme\.html|license\.txt|\.htaccess|\.env|\.git) {
deny all;
}

# autoindex is off by default, so this block only matters if autoindex is enabled
# elsewhere. It does not restrict PHP under uploads: a ".php" URI here still
# matches "location ~ \.php$" first and is passed to PHP-FPM. Denying .php for
# this path, in a location placed before the PHP handler, is the usual hardening.
location ~* /wp-content/uploads/ {
autoindex off;
}

# Deny any path segment starting with "." (overlaps with .htaccess/.env/.git above)
# and leftover config backups. NOTE(review): "/\." also blocks /.well-known/,
# which breaks ACME HTTP-01 validation if certificates are renewed that way.
location ~* /(\.|wp-config\.bak|wp-config\.php\.bak) {
deny all;
}
# Rewrites in the server context (as placed here) run before location matching;
# "break" stops further rewrites and the location lookup uses the rewritten URI.
# Add a trailing slash to /wp-admin.
rewrite /wp-admin$ https://$host$uri/ permanent;
# Registration/activation endpoints are rewritten to a nonexistent path, which
# "location /" presumably hands to index.php (WordPress then answers 404).
rewrite ^/wp-signup\.php$ /404-siteguard break;
rewrite ^/wp-activate\.php$ /404-siteguard break;
# "login_12345" is a placeholder alias for wp-login.php; choose your own. Because
# the URI becomes /wp-login.php before locations are matched, the alias is only
# as protected as the wp-login.php location below.
rewrite ^/login_12345(.*)$ /wp-login.php$1 break;

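# Restricted admin/login area: the login alias, wp-login.php, xmlrpc.php and
# everything under /wp-admin/ except admin-ajax.php and images/. With the default
# "satisfy all", a request must pass BOTH the IP allow-list and basic auth.
# NOTE(review): this block only applies to .php URIs if it is placed before
# "location ~ \.php$" (first regex match wins). The nested PHP handler added below
# is required for that placement: without it a matched .php file would be served
# as a static file from root, i.e. its source disclosed, instead of executed.
location ~* /login_12345|/wp-login\.php|/xmlrpc\.php|/wp-admin/((?!(admin-ajax\.php|images/)).)*$ {
# "my_ipv4" is a placeholder for the administrator's address.
allow my_ipv4/32;
allow 127.0.0.1;
deny all;

auth_basic "AuthRestrict";
auth_basic_user_file "/etc/nginx/security/.htpasswd";
limit_req zone=admin_limit burst=10 nodelay;

# Nested PHP handler, same settings as section 5; the allow/deny, auth_basic and
# limit_req directives above are inherited by this nested location.
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.x-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}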