91 lines
2.5 KiB
Plaintext
91 lines
2.5 KiB
Plaintext
# Определяем переменную для блокировки
|
|
map $remote_addr $blocked_ip {
|
|
default 0;
|
|
include /etc/nginx/blocked_ips.map;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
root /var/www/public;
|
|
index index.php index.html;
|
|
|
|
# ========== ОСНОВНЫЕ НАСТРОЙКИ БЕЗОПАСНОСТИ ==========
|
|
|
|
# Защитные заголовки
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
# ========== ПРЕДВАРИТЕЛЬНЫЕ ПРОВЕРКИ ==========
|
|
|
|
# Если IP в черном списке
|
|
if ($blocked_ip) {
|
|
return 444;
|
|
}
|
|
|
|
# ========== ГЛОБАЛЬНЫЕ ОГРАНИЧЕНИЯ ==========
|
|
|
|
limit_conn conn_limit_per_ip 25;
|
|
limit_req zone=req_limit_per_ip burst=30 delay=15;
|
|
|
|
# ========== ОБРАБОТКА PHP ==========
|
|
|
|
location ~ \.php$ {
|
|
# Дефолтные лимиты для всех PHP запросов
|
|
limit_req zone=req_limit_per_ip burst=30 delay=15;
|
|
limit_conn conn_limit_per_ip 30;
|
|
|
|
try_files $uri =404;
|
|
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass 127.0.0.1:9000;
|
|
fastcgi_index index.php;
|
|
|
|
# Оптимизация из основного конфига
|
|
fastcgi_buffers 16 16k;
|
|
fastcgi_buffer_size 32k;
|
|
fastcgi_busy_buffers_size 240k;
|
|
fastcgi_temp_file_write_size 256k;
|
|
|
|
# Таймауты
|
|
fastcgi_connect_timeout 60s;
|
|
fastcgi_send_timeout 600s;
|
|
fastcgi_read_timeout 600s;
|
|
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
}
|
|
|
|
# ========== ОСНОВНОЙ LOCATION ==========
|
|
|
|
location / {
|
|
try_files $uri $uri/ /index.php?$query_string;
|
|
|
|
gzip_static on;
|
|
gzip_vary on;
|
|
}
|
|
|
|
# ========== ЗАЩИТА ФАЙЛОВОЙ СИСТЕМЫ ==========
|
|
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
return 404;
|
|
}
|
|
|
|
location ~* (\.env|\.git|\.svn|\.htaccess|composer\.json|composer\.lock) {
|
|
deny all;
|
|
return 404;
|
|
}
|
|
|
|
location ~* (eval|base64_encode|system\(|shell_exec|passthru|exec|phpinfo) {
|
|
deny all;
|
|
return 444;
|
|
}
|
|
}
|