Add config/nginx.conf

config/nginx.conf

@@ -0,0 +1,77 @@
+# /etc/nginx/nginx.conf
+
+user rocky;
+
+worker_processes 1;
+
+# The maximum number of simultaneous connections that can be opened
+events { worker_connections 1024; }
+
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    server_tokens off;
+    keepalive_timeout  65;
+    # ✅ Define the "main" log format
+    log_format blocked '$time_local: Blocked request from $http_x_real_ip $request';
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+                    
+    server {
+        listen 80;
+        server_name localhost www.rcosta.uk rcosta.uk;
+
+        root /var/www/html;
+        index index.php index.html;
+
+        location / {
+            try_files $uri $uri/ /index.php?$query_string;
+        }
+
+        location ~ \.php$ {
+            fastcgi_pass   127.0.0.1:9000;
+            fastcgi_index  index.php;
+            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include        fastcgi_params;
+        }
+
+        # Sets the path, format, and configuration for a buffered log write.
+        access_log /dev/stdout main;
+        error_log /dev/stderr warn;    
+
+        location ~ ^/(status|ping)$ {
+          allow 127.0.0.1;
+          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_index index.php;
+          include fastcgi_params;
+          #fastcgi_pass 127.0.0.1:9000;
+          fastcgi_pass  unix:/var/run/php82-fpm.sock;
+        }
+
+
+
+    ## Block common exploits
+    location ~* (<|%3C).*script.*(>|%3E) { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* base64_(en|de)code\(.*\) { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* (%24&x) { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* \.\.\/  { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* ~$ { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* proc/self/environ { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* /\.(htaccess|htpasswd|svn) { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /var/log/nginx/blocked.log blocked; deny all; }
+    location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
+
+
+   }
+
+
+}