kartoteka/docker/app.conf

# Blocklist flag: $blocked_ip is 0 for every client unless the included
# map file assigns another value to that client's $remote_addr.
# The include names a literal file, so nginx will refuse to load this
# configuration if /etc/nginx/blocked_ips.map is missing.
# NOTE(review): $remote_addr is the address of the directly connected peer.
# If this container sits behind a proxy or load balancer, the blocklist
# sees the proxy address unless the real client IP is restored upstream
# of this map - confirm against the deployment.
map $remote_addr $blocked_ip {
    default 0;
    include /etc/nginx/blocked_ips.map;
}
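# Catch-all HTTP virtual host serving /var/www/public and handing *.php
# to a FastCGI backend on 127.0.0.1:9000.
#
# nginx tests regex locations in the order they appear and stops at the
# first match. The deny rules are therefore declared BEFORE the PHP
# handler; declared after it, any URI ending in ".php" (for example a
# script inside a dot-directory or one named phpinfo.php) would be
# matched by the PHP location first and never reach the deny rules.
server {
    listen 80;
    server_name _;
    root /var/www/public;
    index index.php index.html;

    # ========== BASIC SECURITY SETTINGS ==========
    # Response hardening headers. "always" attaches them to error responses too.
    # These are inherited by the locations below only while no location
    # declares an add_header of its own.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # NOTE(review): X-XSS-Protection is deprecated and ignored by current
    # mainstream browsers; a Content-Security-Policy is the modern control
    # and none is set in this file.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # ========== PRELIMINARY CHECKS ==========
    # Blocklisted client: 444 makes nginx close the connection without
    # sending any response.
    if ($blocked_ip) {
        return 444;
    }

    # ========== GLOBAL LIMITS ==========
    # The zones conn_limit_per_ip and req_limit_per_ip are not declared in
    # this file; they have to exist in the http context or nginx will not start.
    limit_conn conn_limit_per_ip 25;
    limit_req zone=req_limit_per_ip burst=30 delay=15;

    # ========== FILESYSTEM PROTECTION ==========
    # Any path segment that starts with a dot. "return" runs in the rewrite
    # phase, so the client receives 404 and "deny all" is only a fallback.
    # NOTE(review): access_log off means probes for hidden files leave no
    # log entry; consider keeping them logged if scanner activity should be
    # detectable. This pattern also covers /.well-known/ - confirm that no
    # HTTP-based certificate validation relies on it.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }

    # Environment files, VCS metadata and Composer manifests, matched
    # case-insensitively anywhere in the path.
    location ~* (\.env|\.git|\.svn|\.htaccess|composer\.json|composer\.lock) {
        deny all;
        return 404;
    }

    # Keyword filter on the request path.
    # NOTE(review): a location regex is matched against the URI path only,
    # never the query string or the request body, so this gives no
    # protection for parameters. It is also an unanchored, case-insensitive
    # substring match: ordinary paths containing "exec" or "eval"
    # (e.g. /execute, /retrieval) are dropped with 444 as well. Confirm
    # that no application route is affected.
    location ~* (eval|base64_encode|system\(|shell_exec|passthru|exec|phpinfo) {
        deny all;
        return 444;
    }

    # ========== PHP HANDLING ==========
    location ~ \.php$ {
        # Limits for PHP requests. Declaring limit_req/limit_conn here
        # replaces the server-level values for this location.
        # NOTE(review): the connection limit here (30) is higher than the
        # server-level one (25) - confirm that is intended.
        limit_req zone=req_limit_per_ip burst=30 delay=15;
        limit_conn conn_limit_per_ip 30;

        # Answer 404 from nginx when the requested path is not an existing
        # file, so only real files under the root are handed to the backend.
        # NOTE(review): every existing *.php file under /var/www/public is
        # executable through this location; if the application has a single
        # front controller, restricting this to that script would narrow
        # the exposure.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;

        # Buffer tuning carried over from the main configuration.
        fastcgi_buffers 64 64k;
        fastcgi_buffer_size 128k;
        fastcgi_busy_buffers_size 512k;
        fastcgi_temp_file_write_size 612k;

        # Timeouts.
        # NOTE(review): 600s lets a slow request occupy a backend worker
        # for ten minutes; combined with up to 30 connections per address
        # this is worth confirming against the backend's worker count.
        fastcgi_connect_timeout 600s;
        fastcgi_send_timeout 600s;
        fastcgi_read_timeout 600s;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # ========== MAIN LOCATION ==========
    # Serve an existing file or directory, otherwise fall back to the
    # front controller with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        gzip_static on;
        gzip_vary on;
    }
}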