MaxGMG
не пашет реврайт именно
конфиг дефолтный самого nginx
работают идельно любые скрипты к примеру dle и wp
допустим вот конфиг для wp
############ WordPress ####################
# Disable logging for favicon and robots.txt
location = /favicon.ico {
try_files /favicon.ico @empty;
access_log off;
log_not_found off;
expires max;
}
location @empty {
empty_gif;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
try_files $uri /index.php?$args;
}
# Limit access to avoid brute force attack
# if you getting error please add this (limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;) to your /etc/nginx/nginx.conf
#location = /wp-login.php {
# limit_req zone=one burst=1 nodelay;
# include fastcgi_params;
# fastcgi_pass 127.0.0.1:9000;
#}
#Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {
deny all;
}
location ~ ^/wp-content/uploads/sucuri {
deny all;
}
location ~ ^/wp-content/updraft {
deny all;
}
#Disable execution of scripts other than PHP from your document root
location ~* .(pl|cgi|py|sh|lua|asp)$ {
return 444;
}
#Disable access to your configuration files and other files that you don’t want to users are able to see
location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
deny all;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
# webp rewrite rules
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri $uri =404;
}
}
# nginx block xmlrpc.php requests
location /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}
# nginx block wpscann on plugins folder
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}
# block access to install.php and upgrade.php
location ^~ /wp-admin/install.php {
deny all;
error_page 403 =404 / ;
}
location ^~ /wp-admin/upgrade.php {
deny all;
error_page 403 =404 / ;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Stop scann for the follow files on plugins folder
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}
# Stop scann for the follow files on themes folder
location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}
#This module will allow us to pattern match certain key files and inject random text in the files that
# is non-destructive / non-invasive and will most importantly alter the md5sum calculated on such files. All transparent to WPScan.
location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
sub_filter_types text/css text/javascript text/plain;
sub_filter_once on;
sub_filter ';' '; /* $msec */ ';
}
#Direct PHP File Access
#If somehow, a hacker successfully sneaks in a PHP file onto your site,
#they’ll be able to run this file by loading file which effectively becomes a backdoor to infiltrate your site.
#We should disable direct access to any PHP files by adding the following rules:
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
#Dotfiles
#Similar to PHP file, a dotfile like .htaccess, .user.ini, and .git may contain sensitive information.
#To be on the safer side, it’s better to disable direct access to these files.
location ~ /\.(svn|git)/* {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.user.ini {
deny all;
access_log off;
log_not_found off;
}
# Deny access to uploads that aren’t images, videos, music, etc.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
deny all;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}
#WordFence
location ~ \.user\.ini$ {
deny all;
}
# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}
# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
deny all;
}
# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
deny all;
}
# NGINX RESTRICTIONS
# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\.(curl|heic|swf|tiff|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off;
log_not_found off;
expires max;
}
# Web fonts send expires headers
location ~* \.(?:eot|otf|ttf|woff|woff2)$ {
expires max;
access_log off;
add_header Cache-Control "public";
}
# SVGs & MP4 WEBM send expires headers - this rule is set specific to ns site
location ~* \.(?:svg|svgz|mp4|webm)$ {
expires max;
access_log off;
add_header Cache-Control "public";
}
# Media: images, icons, video, audio send expires headers.
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|aac|m4a|mp3|ogg|ogv|webp)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
# Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# CSS and Javascript send expires headers.
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# HTML send expires headers.
location ~* \.(html)$ {
expires 7d;
access_log off;
add_header Cache-Control "public";
}
# Security settings for better privacy
# Deny hidden files
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
}
# Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
# #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# #
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all;
}
# Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
# common nginx configuration to block sql injection and other attacks
location ~* "(eval\()" {
deny all;
}
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\
(.*)(\;)" {
deny all;
}
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|
;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
deny all;
}
а вот этот для dle
rewrite ^/page/(.*)$ /index.php?cstart=$1 last;
location / {
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})(/?)+$" /index.php?year=$1&month=$2&day=$3 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page/([0-9]+)(/?)+$" /index.php?year=$1&month=$2&day=$3&cstart=$4 last;
rewrite "^/([0-9]{4})/([0-9]{2})(/?)+$" /index.php?year=$1&month=$2 last;
rewrite "^/([0-9]{4})/([0-9]{2})/page/([0-9]+)(/?)+$" /index.php?year=$1&month=$2&cstart=$3 last;
rewrite "^/([0-9]{4})(/?)+$" /index.php?year=$1 last;
rewrite "^/([0-9]{4})/page/([0-9]+)(/?)+$" /index.php?year=$1&cstart=$2 last;
rewrite "^/([^.]+)/page/([0-9]+)(/?)+$" /index.php?do=cat&category=$1&cstart=$2 last;
rewrite "^/([^.]+)(/?)+$" /index.php?do=cat&category=$1 last;
index index.php index.html index.htm;
}
location /tags/ {
rewrite ^/tags/([^/]*)(/?)+$ /index.php?do=tags&tag=$1 last;
rewrite ^/tags/([^/]*)/page/([0-9]+)(/?)+$ /index.php?do=tags&tag=$1&cstart=$2 last;
}
location /user/ {
rewrite ^/user/([^/]*)/rss.xml$ /engine/rss.php?subaction=allnews&user=$1 last;
rewrite ^/user/([^/]*)(/?)+$ /index.php?subaction=userinfo&user=$1 last;
rewrite ^/user/([^/]*)/page/([0-9]+)(/?)+$ /index.php?subaction=userinfo&user=$1&cstart=$2 last;
rewrite ^/user/([^/]*)/news(/?)+$ /index.php?subaction=allnews&user=$1 last;
rewrite ^/user/([^/]*)/news/page/([0-9]+)(/?)+$ /index.php?subaction=allnews&user=$1&cstart=$2 last;
rewrite ^/user/([^/]*)/news/rss.xml(/?)+$ /engine/rss.php?subaction=allnews&user=$1 last;
}
location /lastnews/ {
rewrite ^/lastnews/(/?)+$ index.php?do=lastnews last;
rewrite ^/lastnews/page/([0-9]+)(/?)+$ /index.php?do=lastnews&cstart=$1 last;
}
location /catalog/ {
rewrite ^/catalog/([^/]*)/rss.xml$ /engine/rss.php?catalog=$1 last;
rewrite ^/catalog/([^/]*)(/?)+$ /index.php?catalog=$1 last;
rewrite ^/catalog/([^/]*)/page/([0-9]+)(/?)+$ /index.php?catalog=$1&cstart=$2 last;
}
location /newposts {
rewrite ^/newposts(/?)+$ /index.php?subaction=newposts last;
rewrite ^/newposts/page/([0-9]+)(/?)+$ /index.php?subaction=newposts&cstart=$1 last;
}
location /favorites {
rewrite ^/favorites(/?)+$ /index.php?do=favorites last;
rewrite ^/favorites/page/([0-9]+)(/?)+$ /index.php?do=favorites&cstart=$1 last;
}
location ~ \.(html|xml) {
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),([0-9]+),(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&cstart=$5&news_name=$6 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/print:page,([0-9]+),(.*).html(/?)+$" /engine/print.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_name=$4 last;
rewrite "^/([^.]+)/page,([0-9]+),([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$4&news_page=$2&cstart=$3 last;
rewrite "^/([^.]+)/page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$3&news_page=$2 last;
rewrite "^/([^.]+)/print:page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /engine/print.php?news_page=$2&newsid=$3 last;
rewrite "^/([^.]+)/([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$2 last;
rewrite "^/page,([0-9]+),([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$3&news_page=$1&cstart=$2 last;
rewrite "^/page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$2&news_page=$1 last;
rewrite "^/print:page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /engine/print.php?news_page=$1&newsid=$2 last;
rewrite "^/([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$1 last;
rewrite "^/static/(.*).html(/?)+$" /index.php?do=static&page=$1 last;
rewrite ^/rules.html$ /index.php?do=rules last;
rewrite ^/statistics.html$ /index.php?do=stats last;
rewrite ^/addnews.html$ /index.php?do=addnews last;
rewrite ^/([^.]+)/rss.xml$ /engine/rss.php?do=cat&category=$1 last;
rewrite ^/page,([0-9]+),([^/]+).html$ /index.php?do=static&page=$2&news_page=$1 last;
rewrite ^/print:([^/]+).html$ /engine/print.php?do=static&page=$1 last;
rewrite ^/rss.xml$ /engine/rss.php last;
rewrite ^/sitemap.xml$ /uploads/sitemap.xml last;
rewrite ^/([^/]+).html$ /index.php?do=static&page=$1 last;
}
## Что-бы закрыть папки, которые были закрыты через .htaccess, используем подобные конструкции
location ~* (uploads|uploads/fotos|templates|language)/.+\.php {
deny all;
}
location ~* /templates/.+\.tpl {
deny all;
}
location ~* (engine/cache) {
deny all;
}
location ~ /\.ht {
deny all;
}
location ~* \.(jpg|jpeg|gif|png|ico|swf|css|js)$ {
expires 30d;
add_header Cache-Control public;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
где намного больше правил, все идеально работает
любые скрпиты вообще
панелька
https://www.aapanel.com (пушка вообще) если это важно.
я подозреваю что может быть такое что скрипт мой запускается на под-домене ? т.е. script.domain.com
но вроде не должно это вызывать проблем особых
уже сутки ломаю голову что блин может быть не так с конфигом.
на апаче стартует без проблем вообще.
готов заплатить за помощь (в битках)
телега @cr33p