Ee engine & plugin nginx.conf location


#1

Hello,

First, thank you for such a great set of tools. I’m using the iThemes Security plugin and I notice it wants to write rules and settings to /var/www/[site name]/htdocs/nginx.conf - the plugin is nginx aware.

As a newcomer to ee engine and nginx, am I correct that this location, per an ee install, is NOT picked up or referenced in the site’s virtual config?

Note, this is an ee engine --wpfc install. The sites-enabled file has no directive for /var/www/[site name]/htdocs/nginx.conf

Thank you!


#2

@David Edwards
Please post the contents of the /var/www/[site name]/htdocs/nginx.conf file.


#3

Hi Harshad Yeola,

Here’s the contents. Note, I understand the W3TC section is probably not per the recommended set-up or pre-installed W3TC, but as I’m using Genesis Framework I have W3TC Pro to also enable transient / fragment cache and am using memcached for that.

    # BEGIN iThemes Security

    # BEGIN Ban Users  
            # Begin HackRepair.com Blacklist  
            if ($http_user_agent ~* "^[Ww]eb[Bb]andit"){ return 403; }  
            if ($http_user_agent ~* "^binlar"){ return 403; }  
            if ($http_user_agent ~* "^BlackWidow"){ return 403; }  
            if ($http_user_agent ~ "^Bolt"){ return 403; }  
            if ($http_user_agent ~* "^casper"){ return 403; }  
            if ($http_user_agent ~* "^ChinaClaw"){ return 403; }  
            if ($http_user_agent ~* "^cmsworldmap"){ return 403; }  
            if ($http_user_agent ~* "^comodo"){ return 403; }  
            if ($http_user_agent ~* "^Custo"){ return 403; }  
            if ($http_user_agent ~ "^Default"){ return 403; }  
            if ($http_user_agent ~* "^diavol"){ return 403; }  
            if ($http_user_agent ~* "^DIIbot"){ return 403; }  
            if ($http_user_agent ~* "^DISCo"){ return 403; }  
            if ($http_user_agent ~* "^dotbot"){ return 403; }  
            if ($http_user_agent ~* "^eCatch"){ return 403; }  
            if ($http_user_agent ~* "^EirGrabber"){ return 403; }  
            if ($http_user_agent ~* "^EmailCollector"){ return 403; }  
            if ($http_user_agent ~* "^EmailSiphon"){ return 403; }  
            if ($http_user_agent ~* "^EmailWolf"){ return 403; }  
            if ($http_user_agent ~* "^ExtractorPro"){ return 403; }  
            if ($http_user_agent ~* "^EyeNetIE"){ return 403; }  
            if ($http_user_agent ~* "^feedfinder"){ return 403; }  
            if ($http_user_agent ~* "^FlashGet"){ return 403; }  
            if ($http_user_agent ~* "^flicky"){ return 403; }  
            if ($http_user_agent ~* "^GetRight"){ return 403; }  
            if ($http_user_agent ~* "^GetWeb!"){ return 403; }  
            if ($http_user_agent ~* "^Go-Ahead-Got-It"){ return 403; }  
            if ($http_user_agent ~* "^Go!Zilla"){ return 403; }  
            if ($http_user_agent ~* "^GrabNet"){ return 403; }  
            if ($http_user_agent ~* "^Grafula"){ return 403; }  
            if ($http_user_agent ~* "^HMView"){ return 403; }  
            if ($http_user_agent ~* "^ia_archiver"){ return 403; }  
            if ($http_user_agent ~* "^InterGET"){ return 403; }  
            if ($http_user_agent ~* "^InternetSeer.com"){ return 403; }  
            if ($http_user_agent ~* "^jakarta"){ return 403; }  
            if ($http_user_agent ~* "^Java"){ return 403; }  
            if ($http_user_agent ~* "^JetCar"){ return 403; }  
            if ($http_user_agent ~* "^kmccrew"){ return 403; }  
            if ($http_user_agent ~* "^larbin"){ return 403; }  
            if ($http_user_agent ~* "^LeechFTP"){ return 403; }  
            if ($http_user_agent ~* "^Maxthon$"){ return 403; }  
            if ($http_user_agent ~* "^microsoft.url"){ return 403; }  
            if ($http_user_agent ~* "^Mozilla.*Indy"){ return 403; }  
            if ($http_user_agent ~* "^Mozilla.*NEWT"){ return 403; }  
            if ($http_user_agent ~* "^MSFrontPage"){ return 403; }  
            if ($http_user_agent ~* "^Navroad"){ return 403; }  
            if ($http_user_agent ~* "^NearSite"){ return 403; }  
            if ($http_user_agent ~* "^NetAnts"){ return 403; }  
            if ($http_user_agent ~* "^NetSpider"){ return 403; }  
            if ($http_user_agent ~* "^NetZIP"){ return 403; }  
            if ($http_user_agent ~* "^nutch"){ return 403; }  
            if ($http_user_agent ~* "^Octopus"){ return 403; }  
            if ($http_user_agent ~* "^PageGrabber"){ return 403; }  
            if ($http_user_agent ~* "^pavuk"){ return 403; }  
            if ($http_user_agent ~* "^pcBrowser"){ return 403; }  
            if ($http_user_agent ~* "^PeoplePal"){ return 403; }  
            if ($http_user_agent ~* "^planetwork"){ return 403; }  
            if ($http_user_agent ~* "^psbot"){ return 403; }  
            if ($http_user_agent ~* "^purebot"){ return 403; }  
            if ($http_user_agent ~* "^pycurl"){ return 403; }  
            if ($http_user_agent ~* "^RealDownload"){ return 403; }  
            if ($http_user_agent ~* "^ReGet"){ return 403; }  
            if ($http_user_agent ~* "^Rippers"){ return 403; }  
            if ($http_user_agent ~* "^SeaMonkey$"){ return 403; }  
            if ($http_user_agent ~* "^sitecheck.internetseer.com"){ return 403; }  
            if ($http_user_agent ~* "^SiteSnagger"){ return 403; }  
            if ($http_user_agent ~* "^skygrid"){ return 403; }  
            if ($http_user_agent ~* "^SmartDownload"){ return 403; }  
            if ($http_user_agent ~* "^sucker"){ return 403; }  
            if ($http_user_agent ~* "^SuperBot"){ return 403; }  
            if ($http_user_agent ~* "^SuperHTTP"){ return 403; }  
            if ($http_user_agent ~* "^Surfbot"){ return 403; }  
            if ($http_user_agent ~* "^tAkeOut"){ return 403; }  
            if ($http_user_agent ~* "^Teleport"){ return 403; }  
            if ($http_user_agent ~* "^Toata"){ return 403; }  
            if ($http_user_agent ~* "^turnit"){ return 403; }  
            if ($http_user_agent ~* "^vikspider"){ return 403; }  
            if ($http_user_agent ~* "^VoidEYE"){ return 403; }  
            if ($http_user_agent ~* "^WebAuto"){ return 403; }  
            if ($http_user_agent ~* "^WebCopier"){ return 403; }  
            if ($http_user_agent ~* "^WebFetch"){ return 403; }  
            if ($http_user_agent ~* "^WebLeacher"){ return 403; }  
            if ($http_user_agent ~* "^WebReaper"){ return 403; }  
            if ($http_user_agent ~* "^WebSauger"){ return 403; }  
            if ($http_user_agent ~* "^WPScan"){ return 403; }  
            if ($http_user_agent ~* "^WebStripper"){ return 403; }  
            if ($http_user_agent ~* "^WebWhacker"){ return 403; }  
            if ($http_user_agent ~* "^WebZIP"){ return 403; }  
            if ($http_user_agent ~* "^Wget"){ return 403; }  
            if ($http_user_agent ~* "^Widow"){ return 403; }  
            if ($http_user_agent ~* "^WWW-Mechanize"){ return 403; }  
            if ($http_user_agent ~* "^WWWOFFLE"){ return 403; }  
            if ($http_user_agent ~* "^Zeus"){ return 403; }  
            if ($http_user_agent ~* "^zmeu"){ return 403; }  
            if ($http_user_agent ~* "CazoodleBot"){ return 403; }  
            if ($http_user_agent ~* "discobot"){ return 403; }  
            if ($http_user_agent ~* "ecxi"){ return 403; }  
            if ($http_user_agent ~* "GT::WWW"){ return 403; }  
            if ($http_user_agent ~* "heritrix"){ return 403; }  
            if ($http_user_agent ~* "HTTP::Lite"){ return 403; }  
            if ($http_user_agent ~* "HTTrack"){ return 403; }  
            if ($http_user_agent ~* "ia_archiver"){ return 403; }  
            if ($http_user_agent ~* "id-search"){ return 403; }  
            if ($http_user_agent ~* "id-search.org"){ return 403; }  
            if ($http_user_agent ~* "IDBot"){ return 403; }  
            if ($http_user_agent ~* "IRLbot"){ return 403; }  
            if ($http_user_agent ~* "LinksManager.com_bot"){ return 403; }  
            if ($http_user_agent ~* "linkwalker"){ return 403; }  
            if ($http_user_agent ~* "lwp-trivial"){ return 403; }  
            if ($http_user_agent ~* "MFC_Tear_Sample"){ return 403; }  
            if ($http_user_agent ~* "panscient.com"){ return 403; }  
            if ($http_user_agent ~* "PECL::HTTP"){ return 403; }  
            if ($http_user_agent ~* "PHPCrawl"){ return 403; }  
            if ($http_user_agent ~* "PleaseCrawl"){ return 403; }  
            if ($http_user_agent ~* "SBIder"){ return 403; }  
            if ($http_user_agent ~* "Snoopy"){ return 403; }  
            if ($http_user_agent ~* "Steeler"){ return 403; }  
            if ($http_user_agent ~* "URI::Fetch"){ return 403; }  
            if ($http_user_agent ~* "urllib"){ return 403; }  
            if ($http_user_agent ~* "User-Agent"){ return 403; }  
            if ($http_user_agent ~* "webalta"){ return 403; }  
            if ($http_user_agent ~* "WebCollage"){ return 403; }  
            if ($http_user_agent ~* "zermelo"){ return 403; }  
            if ($http_user_agent ~* "ZyBorg"){ return 403; }  


    # END Ban Users  
    # BEGIN Tweaks  
                    # Rules to block access to WordPress specific files and wp-includes  
                    location ~ /\.ht { deny all; }  
                    location ~ wp-config.php { deny all; }  
                    location ~ readme.html { deny all; }  
                    location ~ readme.txt { deny all; }  
                    location ~ /install.php { deny all; }  
                    location ^wp-includes/(.*).php { deny all; }  
                    location ^/wp-admin/includes(.*)$ { deny all; }  

            # Rules to disable XML-RPC  
                    location ~ xmlrpc.php { deny all; }  


                    # Rules to prevent php execution in uploads  
                    location ^(.*)/uploads/(.*).php(.?){ deny all; }  

                    # Rules to block unneeded HTTP methods  
                    if ($request_method ~* "^(TRACE|DELETE|TRACK)"){ return 403; }  

                    # Rules to help reduce spam  
                    location /wp-comments-post.php {  
                            valid_referers jetpack.wordpress.com/jetpack-comment/ *.coralseait.com;  
                            set $rule_0 0;  
                            if ($request_method ~ "POST"){ set $rule_0 1$rule_0; }  
                            if ($invalid_referer) { set $rule_0 2$rule_0; }  
                            if ($http_user_agent ~ "^$"){ set $rule_0 3$rule_0; }  
                            if ($rule_0 = "3210") { return 403; }  
                    }  
    # END Tweaks  

    # END iThemes Security

    # BEGIN W3TC Minify cache
    location ~ /wp-content/cache/minify.*.js$ {
        types {}
        default_type application/x-javascript;
        expires modified 31536000s;
        add_header X-Powered-By "W3 Total Cache/0.9.4";
        add_header Vary "Accept-Encoding";
        add_header Pragma "public";
        add_header Cache-Control "max-age=31536000, public";
    }
    location ~ /wp-content/cache/minify.*.css$ {
        types {}
        default_type text/css;
        expires modified 31536000s;
        add_header X-Powered-By "W3 Total Cache/0.9.4";
        add_header Vary "Accept-Encoding";
        add_header Pragma "public";
        add_header Cache-Control "max-age=31536000, public";
    }
    location ~ /wp-content/cache/minify.*js.gzip$ {
        gzip off;
        types {}
        default_type application/x-javascript;
        expires modified 31536000s;
        add_header X-Powered-By "W3 Total Cache/0.9.4";
        add_header Vary "Accept-Encoding";
        add_header Pragma "public";
        add_header Cache-Control "max-age=31536000, public";
        add_header Content-Encoding gzip;
    }
    location ~ /wp-content/cache/minify.*css.gzip$ {
        gzip off;
        types {}
        default_type text/css;
        expires modified 31536000s;
        add_header X-Powered-By "W3 Total Cache/0.9.4";
        add_header Vary "Accept-Encoding";
        add_header Pragma "public";
        add_header Cache-Control "max-age=31536000, public";
        add_header Content-Encoding gzip;
    }
    # END W3TC Minify cache

    # BEGIN W3TC Browser Cache
    gzip on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    location ~ .(css|htc|less|js|js2|js3|js4)$ {
        expires 31536000s;
        add_header Pragma "public";
        add_header Cache-Control "max-age=31536000, public";
        add_header X-Powered-By "W3 Total Cache/0.9.4";
    }
    location ~ .(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|s$
        expires 31536000s;
        add_header Pragma "public";
        add_header Cache-Control "max-age=31536000, public";
        add_header Link "<$scheme://$host$uri>; rel=\"canonical\"";
        add_header X-Powered-By "W3 Total Cache/0.9.4";
    }
    # END W3TC Browser Cache

    # BEGIN W3TC CDN
    location ~ .(ttf|ttc|otf|eot|woff|font.css)$ {
        add_header Access-Control-Allow-Origin "*";
    }
    # END W3TC CDN

    # BEGIN W3TC Minify core
    rewrite ^/wp-content/cache/minify.*/w3tc_rewrite_test$ /wp-content/plugins/w3-total-cache/pub/minify.php?w3tc_rewrite_test=1 last;
    set $w3tc_enc "";
    if ($http_accept_encoding ~ gzip) {
        set $w3tc_enc .gzip;
    }
    if (-f $request_filename$w3tc_enc) {
        rewrite (.*) $1$w3tc_enc break;
    }
    rewrite ^/wp-content/cache/minify/(.+/[X]+.css)$ /wp-content/plugins/w3-total-cache/pub/minify.php?test_file=$1 last;
    rewrite ^/wp-content/cache/minify/(.+.(css|js))$ /wp-content/plugins/w3-total-cache/pub/minify.php?file=$1 last;
    # END W3TC Minify core

    # BEGIN W3TC Skip 404 error handling by WordPress for static files
    if (-f $request_filename) {
        break;
    }
    if (-d $request_filename) {
        break;
    }
    if ($request_uri ~ "(robots.txt|sitemap(index)?.xml(.gz)?|[a-z0-9-]+-sitemap([0-9]+)?.xml(.gz)?|geo_sitemap.xml(.gz))") {
        break;
    }
    if ($request_uri ~* .(css|htc|less|js|js2|js3|js4|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mp$
        return 404;
    }
    # END W3TC Skip 404 error handling by WordPress for static files


#4

@David Edwards
Perform these steps:

    ee site edit [site name]

and append

    include /var/www/[site name]/htdocs/nginx.conf;

This will reload nginx and your security rules get added.


#5

Thank you very much Harshad!

Is that the preferred ‘ee engine’ way of supporting the plugins that use this going forward (for the road map)? I have to imagine many of us will be using various additional plugins, so I want to follow the intended best practice or planned best practice in the road map.

Cheers!


#6

@David
Yes, it is the preferred way of adding rules to an nginx site. You can add rules to the nginx conf of a particular website, but make sure that the rules are correct.
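
Following on from the advice in #6 to make sure the rules are correct, here is an added example (not part of the thread, and not EasyEngine or iThemes code): a shell lint for the plugin-written include that flags `location` lines written as regexes without the `~`/`~*` modifier, which nginx matches as literal URI prefixes, so their `deny all` never applies. The sample input is a subset of the rules posted in #3; the names `lint_locations` and `sample_conf` are made up for this example.

```shell
#!/bin/sh
# Added example: lint an nginx include written by a plugin before adding
#   include /var/www/[site name]/htdocs/nginx.conf;
# to the vhost. nginx treats a location pattern as a regex only when it is
# preceded by ~ or ~*. Without a modifier the pattern is a literal prefix,
# so "^(.*)/uploads/(.*).php" matches no real request URI.

# Print "line:text" for each location that has no modifier but whose
# pattern contains regex metacharacters. Reads the file in $1, or stdin.
lint_locations() {
    awk '
        $1 == "location" {
            mod = $2
            # Known modifiers: = exact, ~ and ~* regex, ^~ prefix
            if (mod == "=" || mod == "~" || mod == "~*" || mod == "^~") next
            # No modifier, so field 2 is the pattern itself
            if (mod ~ /[$()*?|^]/) printf "%d:%s\n", NR, $0
        }
    ' "${1:--}"
}

# Sample input: rules taken from the "Tweaks" block posted in #3,
# trimmed to the location lines (constructed subset).
sample_conf() {
    cat <<'EOF'
location ~ /\.ht { deny all; }
location ~ wp-config.php { deny all; }
location ^wp-includes/(.*).php { deny all; }
location ^/wp-admin/includes(.*)$ { deny all; }
location ~ xmlrpc.php { deny all; }
location ^(.*)/uploads/(.*).php(.?){ deny all; }
location /wp-comments-post.php {
}
EOF
}

# Lint the file named on the command line, or the sample when none is given.
# Follow up with "nginx -t", which checks syntax only.
if [ -n "${1:-}" ]; then
    lint_locations "$1"
else
    sample_conf | lint_locations
fi
```

On the sample, the flagged lines are the wp-includes, wp-admin/includes and uploads rules, which are the ones meant to block direct PHP access.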


#7

Hello @davidedwards,

I hope your query is resolved. I am closing this support ticket for now.

Feel free to create a new support ticket if you have any further queries.

