user www www; worker_processes auto; worker_cpu_affinity auto; error_log /home/wwwlogs/error_nginx.log warn;#debug | info | notice | warn | error | crit ] pid /var/run/nginx.pid; worker_rlimit_nofile 51200; events { use epoll; worker_connections 51200; multi_accept on; } http { log_format realip '$realip_remote_addr - $remote_user $time_local ' '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ' ; include mime.types; default_type application/octet-stream; server_names_hash_bucket_size 128; client_header_buffer_size 32k; large_client_header_buffers 4 32k; client_max_body_size 1024m; client_body_buffer_size 10m; sendfile on; tcp_nopush on; keepalive_timeout 120; server_tokens off; tcp_nodelay on; fastcgi_connect_timeout 300; fastcgi_send_timeout 300; fastcgi_read_timeout 300; fastcgi_buffer_size 64k; fastcgi_buffers 4 64k; fastcgi_busy_buffers_size 128k; fastcgi_temp_file_write_size 128k; #Gzip Compression gzip on; gzip_buffers 16 8k; gzip_comp_level 6; gzip_http_version 1.1; gzip_min_length 256; gzip_proxied any; gzip_vary on; gzip_types text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml text/javascript application/javascript application/x-javascript text/x-json application/json application/x-web-app-manifest+json text/css text/plain text/x-component font/opentype application/x-font-ttf application/vnd.ms-fontobject image/x-icon; gzip_disable "MSIE [1-6]\.(?!.*SV1)"; #If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency. open_file_cache max=1000 inactive=20s; open_file_cache_valid 30s; open_file_cache_min_uses 5; open_file_cache_errors on; ######################## default ############################ server { listen 80 default_server; return 444; } server { if ($http_user_agent ~* (ApacheBench|webbench|HttpClient|Scrapy)) { return 444; } if ($http_user_agent ~ "FeedDemon|Indy Library|WinHttp|Alexa Toolbar|AskTbFXTV|AhrefsBot|Python-urllib|Jullo|Feedly|jaunty|Java|ZmEu|CrawlDaddy|Microsoft URL Control|^$" ) { return 444; } if ($request_uri ~* (.*)\.(bak|mdb|db|sql|conf|ini|cnf)$){ return 444; } if ($request_method !~ ^(GET|HEAD|POST)$) { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 444; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 444; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 444; } if ($request_uri ~* "[+|(%20)]select[+|(%20)]") { return 444; } if ($request_uri ~* "[+|(%20)]delete[+|(%20)]") { return 444; } if ($request_uri ~* "[+|(%20)]update[+|(%20)]") { return 444; } if ($request_uri ~* "[+|(%20)]insert[+|(%20)]") { return 444; } if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 444; } #Nginx HTTP 2.0 will only be used for https listen 8080; server_name _; access_log /home/wwwlogs/access_nginx.log realip; root /home/wwwroot/web; index index.html index.htm index.php; location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } location /ftp/{ autoindex on; autoindex_exact_size off; autoindex_localtime on; autoindex_format html; gunzip on; } location /video/ { mp4; mp4_buffer_size 4m; aio on; directio 4m; } location ~ \.php$ { fastcgi_pass unix:/dev/shm/php-cgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~(tweentyfourteen|twentyeleven|twentyfifteen|twentyten|twentytwelve)/(.*)\.php {return 400;} location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ { expires 30d; access_log off; } location ~ .*\.(js|css)?$ { expires 7d; access_log off; } location = /favicon.ico { log_not_found off; access_log off; } # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). location ~ /\. { deny all; } # Deny access to any files with a .php extension in the uploads directory location ~* /(?:uploads|files)/.*\.php$ { deny all; } } ########################## vhost ############################# include vhost/*.conf; }