server {
    listen 80 default_server; # add "http2" after ssl
    listen [::]:80 default_server; # add "http2" after ssl

    set $base /var/www/REPLACEMEPROJECTDIRECTORY;

    root $base;

    index index.php index.html index.htm index.nginx-debian.html;

    server_name _ REPLACEMEIPADDRESS;

    client_max_body_size 8M;

    # security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;

    # cors headers
    add_header Content-Security-Policy "default-src data: blob: 'self' https://www.instagram.com https://vod-progressive.akamaized.net https://player.vimeo.com https://www.google-analytics.com https://stats.g.doubleclick.net; script-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com/ https://stats.g.doubleclick.net https://maps.googleapis.com https://www.googletagmanager.com https://platform.twitter.com https://ajax.googleapis.com https://www.google-analytics.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' data: https://www.paypalobjects.com https://www.facebook.com https://maps.gstatic.com https://maps.googleapis.com https://www.google-analytics.com https://ssl.google-analytics.com https://s-static.ak.facebook.com https://gravatar.com http://0.gravatar.com http://1.gravatar.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://themes.googleusercontent.com; frame-src https://maps.googleapis.com https://www.google.com https://player.vimeo.com https://assets.zendesk.com https://embed.podcasts.apple.com https://platform.twitter.com https://www.instagram.com http://www.youtube.com https://www.youtube.com https://open.spotify.com https://www.facebook.com https://s-static.ak.facebook.com https://gravatar.com http://0.gravatar.com http://1.gravatar.com https://tautt.zendesk.com; object-src 'none'; worker-src data: 'self' blob:";

    # assets, media
    location ~ \.(js|css|png|jpg|jpeg|gif|ico|html|woff|woff2|ttf|svg|eot|otf|xls|xsl)$ {
        add_header "Access-Control-Allow-Origin" "*";
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

    # default
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;

        # Bad IPS
        deny 45.40.254.224;
        deny 46.246.58.10;
        deny 88.208.236.239;
        deny 108.162.229.0/24; # alaafood.us, bstbikerepair.us
        deny 128.199.141.0/24;
        deny 119.29.64.0/24; # "-"
        deny 141.101.69.0/24; # cleanfoodd.us
        deny 141.101.88.0/24; # lolrental.us, walkerrentals.us, allnaturalfood.us
        deny 141.101.96.0/24; # villarental.us, batteryrepair.us, "-"
        deny 159.65.32.0/24; # walkerrentals.us, bot hitting cron
        deny 162.158.79.191; # "http://www.google.com.hk"
        deny 162.158.134.0/24;
        deny 162.158.142.0/24; # textbookrentalstender.us, alaafood.us
        deny 172.68.59.0/24; # walkerrentals.us
        deny 172.68.211.0/24; # feelfood.us
        deny 172.68.246.0/24; # textbookrentalstender.us
    }

    # fastcgi
    location ~ \.php$ {
        # fastcgi
        fastcgi_pass                unix:/run/php/php8.0-fpm.sock;
        fastcgi_split_path_info     ^(.+\.php)(/.+)$;
        fastcgi_param               SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param               PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
        fastcgi_intercept_errors    off;

        fastcgi_buffer_size             128k;
        fastcgi_buffers                 256 16k;
        fastcgi_busy_buffers_size       256k;
        fastcgi_temp_file_write_size    256k;

        # default fastcgi_params
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
    }

    # apache
    location ~ /\.ht {
        deny all;
    }

    # xmlrpc
    location = /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
    }

    # favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # robots
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # no php in uploads
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # no scripts
    location ~* .(pl|cgi|py|sh|lua)$ {
        return 444;
    }

    # sensitive files
    # location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_ {
    #     return 444;
    # }

    # no executable code in uploads
    location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
        deny all;
    }

    # no executable code in uploads
    location ~* /(?:uploads|files)/.*.php$ {
        deny all;
    }

    # includes execution
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # deny wp-content, wp-includes php files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # deny wp-content/uploads nasty stuff
    location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
        deny all;
    }

    # deny wp-content/plugins (except earlier rules)
    location ~ ^/wp-content/plugins {
        deny all;
    }

    # deny scripts and styles concat
    location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
        deny all;
    }

    # deny general stuff
    location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
        deny all;
    }

    # assets, media
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 7d;
        access_log off;
    }

    # . files
    location ~ /\. {
        deny all;
    }

    # yoast
    location ~ ([^/]*)sitemap(.*).x(m|s)l$ {
        ## this rewrites sitemap.xml to /sitemap_index.xml
        rewrite ^/sitemap.xml$ /sitemap_index.xml permanent;
        ## this makes the XML sitemaps work
        rewrite ^/([a-z]+)?-?sitemap.xsl$ /index.php?yoast-sitemap-xsl=$1 last;
        rewrite ^/sitemap_index.xml$ /index.php?sitemap=1 last;
        rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
        ## The following lines are optional for the premium extensions
        ## News SEO
        rewrite ^/news-sitemap.xml$ /index.php?sitemap=wpseo_news last;
        ## Local SEO
        rewrite ^/locations.kml$ /index.php?sitemap=wpseo_local_kml last;
        rewrite ^/geo-sitemap.xml$ /index.php?sitemap=wpseo_local last;
        ## Video SEO
        rewrite ^/video-sitemap.xsl$ /index.php?yoast-sitemap-xsl=video last;
    }

}