nginx.conf
user nginx;
pid /var/run/nginx.pid;
# One worker per CPU core. The nofile limit should be at least worker_connections,
# since every accepted connection consumes a descriptor.
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    use epoll;
    multi_accept on;
    worker_connections 65535;
}

http {
    # Flood defence: shared zones keyed on the client address. Declaring a zone
    # limits nothing by itself; a limit_conn / limit_req directive in a server
    # or location has to reference it (the per-site config does so for PHP).
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
    # Throttled clients get 429 instead of nginx's default 503.
    limit_conn_status 429;
    limit_req_status 429;

    # Request buffers.
    # NOTE(review): a 3m header buffer is allocated per connection while the
    # request header is read; with 4x256k large buffers on top this is generous
    # for a flood-resistance profile. Confirm the application needs it.
    client_body_buffer_size 128k;
    client_header_buffer_size 3m;
    large_client_header_buffers 4 256k;

    # Short timeouts so slow or idle clients release a worker quickly;
    # reset_timedout_connection frees the socket state immediately on timeout.
    client_body_timeout 5;
    client_header_timeout 5;
    reset_timedout_connection on;
    send_timeout 5;
    keepalive_timeout 5 5;
    keepalive_requests 100000;

    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Omit the nginx version from the Server header and error pages.
    server_tokens off;
    # Do not log "file not found" errors (log noise from scanners and bots).
    log_not_found off;
    types_hash_max_size 2048;
    # Upper bound on request bodies; larger uploads are rejected with 413.
    client_max_body_size 100M;

    # MIME
    include mime.types;
    default_type application/octet-stream;

    # logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    # load configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
default.conf
# Catch-all virtual host on port 80. Requests whose Host header matches no
# other server block land here because of default_server; "_" is just a
# placeholder name that matches nothing. Status 444 makes nginx close the
# connection without sending any response, so requests by raw IP or for
# unknown hostnames get nothing back.
server {
    listen 80 default_server;
    server_name _;
    return 444; # Nginx: no response
}
general.conf
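# Security headers, included at server level.
# nginx inherits add_header directives into a location only if that location
# declares no add_header of its own, so any location that adds a header must
# repeat the whole set. "always" emits them on error responses as well.

# Only same-origin pages may frame this site (clickjacking defence).
add_header X-Frame-Options "SAMEORIGIN" always;
# The legacy browser XSS auditor is switched off instead of "1; mode=block":
# current browsers have removed it, and blocking mode could be abused as a
# cross-site information leak in those that still honour it. CSP is the
# modern replacement.
add_header X-XSS-Protection "0" always;
# Browsers must respect the declared Content-Type instead of sniffing.
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# NOTE(review): this policy permits every source plus inline scripts and
# eval, so it restricts nothing; treat it as a placeholder to be tightened
# per site (e.g. 'self' and the specific hosts the pages actually load from).
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# HSTS is only honoured by browsers on responses received over HTTPS; with
# this server listening on port 80 it presumably relies on TLS being
# terminated in front of nginx — confirm. "preload" additionally commits the
# domain to the browser preload lists.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Deny access to dotfiles and dot-directories (VCS metadata, env files, ...),
# except the /.well-known/ tree used by ACME and similar protocols.
location ~ /\.(?!well-known) {
    deny all;
}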
nginx/sites-available/your_domain_name.conf
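# Redirect the www host to the canonical bare domain over HTTPS.
server {
    listen 80;
    server_name www.domain.com;
    return 301 https://domain.com$request_uri;
}

# Main virtual host. It listens on plain HTTP and inspects X-Forwarded-Proto,
# so TLS is presumably terminated by a proxy or load balancer in front of
# nginx — confirm. If nginx is reachable directly, a client that omits the
# header is served over plain HTTP.
server {
    listen 80;
    server_name domain.com;
    root /var/www/html/domain/public;

    # Force HTTPS when the upstream proxy reports a plain-HTTP client.
    # $server_name (not $host) is used as the redirect target so a
    # client-supplied Host header cannot steer the redirect.
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$server_name$request_uri;
    }

    index index.html index.htm index.php;

    # Front-controller routing: serve the file or directory if it exists,
    # otherwise hand the request to index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP-FPM handoff.
    location ~ \.php$ {
        # "=404" must be written without a space: "= 404" makes nginx look
        # for a file literally named "=" and then internally redirect to the
        # URI "404". Rejecting requests whose script file does not exist
        # before they reach PHP-FPM also matters when PHP's cgi.fix_pathinfo
        # is enabled, which would otherwise resolve the script from PATH_INFO.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        # NOTE(review): fastcgi_params is included after SCRIPT_FILENAME is
        # set. Confirm the distribution's copy does not also define
        # SCRIPT_FILENAME; a duplicate definition is ambiguous.
        include fastcgi_params;
        # Per-client throttling using the zones declared in nginx.conf.
        # These limits apply only to PHP requests; static files served by
        # "location /" are not limited.
        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;
    }

    include general.conf;
}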