server { listen 80 default_server; # add "http2" after ssl listen [::]:80 default_server; # add "http2" after ssl set $base /var/www/REPLACEMEPROJECTDIRECTORY; root $base; index index.php index.html index.htm index.nginx-debian.html; server_name _ REPLACEMEIPADDRESS; client_max_body_size 8M; # security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml; # cors headers add_header Content-Security-Policy "default-src data: blob: 'self' https://www.instagram.com https://vod-progressive.akamaized.net https://player.vimeo.com https://www.google-analytics.com https://stats.g.doubleclick.net; script-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com/ https://stats.g.doubleclick.net https://maps.googleapis.com https://www.googletagmanager.com https://platform.twitter.com https://ajax.googleapis.com https://www.google-analytics.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' data: https://www.paypalobjects.com https://www.facebook.com https://maps.gstatic.com https://maps.googleapis.com https://www.google-analytics.com https://ssl.google-analytics.com https://s-static.ak.facebook.com https://gravatar.com http://0.gravatar.com http://1.gravatar.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://themes.googleusercontent.com; frame-src https://maps.googleapis.com https://www.google.com https://player.vimeo.com https://assets.zendesk.com https://embed.podcasts.apple.com https://platform.twitter.com https://www.instagram.com http://www.youtube.com https://www.youtube.com https://open.spotify.com https://www.facebook.com https://s-static.ak.facebook.com https://gravatar.com http://0.gravatar.com http://1.gravatar.com https://tautt.zendesk.com; object-src 'none'; worker-src data: 'self' blob:"; # assets, media location ~ \.(js|css|png|jpg|jpeg|gif|ico|html|woff|woff2|ttf|svg|eot|otf|xls|xsl)$ { add_header "Access-Control-Allow-Origin" "*"; expires 1M; access_log off; add_header Cache-Control "public"; } # default location / { try_files $uri $uri/ /index.php?q=$uri&$args; # Bad IPS deny 45.40.254.224; deny 46.246.58.10; deny 88.208.236.239; deny 108.162.229.0/24; # alaafood.us, bstbikerepair.us deny 128.199.141.0/24; deny 119.29.64.0/24; # "-" deny 141.101.69.0/24; # cleanfoodd.us deny 141.101.88.0/24; # lolrental.us, walkerrentals.us, allnaturalfood.us deny 141.101.96.0/24; # villarental.us, batteryrepair.us, "-" deny 159.65.32.0/24; # walkerrentals.us, bot hitting cron deny 162.158.79.191; # "http://www.google.com.hk" deny 162.158.134.0/24; deny 162.158.142.0/24; # textbookrentalstender.us, alaafood.us deny 172.68.59.0/24; # walkerrentals.us deny 172.68.211.0/24; # feelfood.us deny 172.68.246.0/24; # textbookrentalstender.us } # fastcgi location ~ \.php$ { # fastcgi fastcgi_pass unix:/run/php/php8.0-fpm.sock; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/; fastcgi_intercept_errors off; fastcgi_buffer_size 128k; fastcgi_buffers 256 16k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; # default fastcgi_params include fastcgi_params; include snippets/fastcgi-php.conf; } # apache location ~ /\.ht { deny all; } # xmlrpc location = /xmlrpc.php { deny all; access_log off; log_not_found off; } # favicon location = /favicon.ico { log_not_found off; access_log off; } # robots location = /robots.txt { allow all; log_not_found off; access_log off; } # no php in uploads location ~* /(?:uploads|files)/.*\.php$ { deny all; } # no scripts location ~* .(pl|cgi|py|sh|lua)$ { return 444; } # sensitive files # location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_ { # return 444; # } # no executable code in uploads location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ { deny all; } # no executable code in uploads location ~* /(?:uploads|files)/.*.php$ { deny all; } # includes execution location ~* ^/(?:wp-content|wp-includes)/.*\.php$ { deny all; } # deny wp-content, wp-includes php files location ~* ^/(?:wp-content|wp-includes)/.*\.php$ { deny all; } # deny wp-content/uploads nasty stuff location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ { deny all; } # deny wp-content/plugins (except earlier rules) location ~ ^/wp-content/plugins { deny all; } # deny scripts and styles concat location ~* \/wp-admin\/load-(?:scripts|styles)\.php { deny all; } # deny general stuff location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ { deny all; } # assets, media location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires max; log_not_found off; } # assets, media location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { expires 7d; access_log off; } # . files location ~ /\. { deny all; } # yoast location ~ ([^/]*)sitemap(.*).x(m|s)l$ { ## this rewrites sitemap.xml to /sitemap_index.xml rewrite ^/sitemap.xml$ /sitemap_index.xml permanent; ## this makes the XML sitemaps work rewrite ^/([a-z]+)?-?sitemap.xsl$ /index.php?yoast-sitemap-xsl=$1 last; rewrite ^/sitemap_index.xml$ /index.php?sitemap=1 last; rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last; ## The following lines are optional for the premium extensions ## News SEO rewrite ^/news-sitemap.xml$ /index.php?sitemap=wpseo_news last; ## Local SEO rewrite ^/locations.kml$ /index.php?sitemap=wpseo_local_kml last; rewrite ^/geo-sitemap.xml$ /index.php?sitemap=wpseo_local last; ## Video SEO rewrite ^/video-sitemap.xsl$ /index.php?yoast-sitemap-xsl=video last; } }