From e9ae09f963b91505183647cbb0581f21123be3b4 Mon Sep 17 00:00:00 2001
From: Adrian
Date: Thu, 17 Mar 2016 00:41:34 +0100
Subject: [PATCH 1/3] Update Nginx config
* Make only Let's Encrypt path available on port 80
* Protect WordPress admin URLs
* Seperate logs for hosts
* Update example PHP config
* Update README
---
 conf/nginx/README.md | 17 ++++++++---------
 conf/nginx/inc/allow-local | 4 ++++
 conf/nginx/inc/cgi-bin | 2 --
 conf/nginx/inc/letsencrypt | 2 --
 conf/nginx/inc/redirect-ssl | 5 +++--
 conf/nginx/inc/restrict-wp-access | 9 +++++++++
 conf/nginx/inc/server-log | 2 ++
 conf/nginx/sites-available/example | 14 +++++++++-----
 conf/nginx/sites-available/gogs | 2 ++
 conf/nginx/sites-available/gollum | 2 ++
 conf/nginx/sites-available/redirect-ssl-all | 6 +++++-
 conf/nginx/sites-available/seafile | 2 ++
 conf/nginx/sites-available/trac | 2 ++
 conf/nginx/sites-enabled/.empty | 0
 conf/nginx/sites-enabled/example | 1 -
 15 files changed, 48 insertions(+), 22 deletions(-)
 create mode 100644 conf/nginx/inc/allow-local
 create mode 100644 conf/nginx/inc/restrict-wp-access
 create mode 100644 conf/nginx/inc/server-log
 create mode 100644 conf/nginx/sites-enabled/.empty
 delete mode 120000 conf/nginx/sites-enabled/example
diff --git a/conf/nginx/README.md b/conf/nginx/README.md
index bcd2bbc..9ea5441 100644
--- a/conf/nginx/README.md
+++ b/conf/nginx/README.md 
@@ -1,15 +1,14 @@
-Nginx Config Files
-==================
+# Nginx Config Files
 These are carefully crafted Nginx config files.
-Do not forget the following:
+## Installation
- sudo chown -R wwwrun.www /var/lib/nginx # if on openSUSE
- cd /etc/nginx/sites-conf
- sudo ln -s example.ssl default.ssl
+ sed -i 's/example.com/your-host.org/' *
+ sudo cp -r * /etc/nginx
+ sudo ln -s example.ssl /etc/nginx/sites-conf/default.ssl
+ sudo mkdir -p /data/log/nginx
-You can configure your host simply by doing:
+If on openSUSE:
- cd /etc/nginx/sites-available
- sudo sed -i 's/example.com/your-host.org/' *
+ sudo chown -R wwwrun.www /var/lib/nginx
diff --git a/conf/nginx/inc/allow-local b/conf/nginx/inc/allow-local
new file mode 100644
index 0000000..4866d91
--- /dev/null
+++ b/conf/nginx/inc/allow-local
@@ -0,0 +1,4 @@
+allow 10.0.0.0/8;
+allow 172.16.0.0/12;
+allow 192.168.0.0/16;
+deny all;
diff --git a/conf/nginx/inc/cgi-bin b/conf/nginx/inc/cgi-bin
index af56659..17797e2 100644
--- a/conf/nginx/inc/cgi-bin
+++ b/conf/nginx/inc/cgi-bin
@@ -1,6 +1,4 @@
 fastcgi_pass unix:/run/php5-fpm.sock;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME /etc/nginx/cgi-bin.php;
-fastcgi_param SCRIPT_NAME "";
 fastcgi_param X_SCRIPT_FILENAME $request_filename;
-fastcgi_param X_SCRIPT_NAME "";
diff --git a/conf/nginx/inc/letsencrypt b/conf/nginx/inc/letsencrypt
index e7a4db0..cf5fae4 100644
--- a/conf/nginx/inc/letsencrypt
+++ b/conf/nginx/inc/letsencrypt
@@ -1,5 +1,3 @@
-listen 80;
-
 location /.well-known/acme-challenge {
 alias /data/letsencrypt;
 }
diff --git a/conf/nginx/inc/redirect-ssl b/conf/nginx/inc/redirect-ssl
index 6b5f3d7..385fb49 100644
--- a/conf/nginx/inc/redirect-ssl
+++ b/conf/nginx/inc/redirect-ssl
@@ -1,2 +1,3 @@
-listen 80;
-return 301 https://$host$request_uri;
+location / {
+ return 301 https://$host$request_uri;
+}
diff --git a/conf/nginx/inc/restrict-wp-access b/conf/nginx/inc/restrict-wp-access
new file mode 100644
index 0000000..80ff763
--- /dev/null 
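Review bot: The `allow` lines in inc/allow-local test `$remote_addr`, so the RFC 1918 ranges only identify "local" clients when nginx terminates the client connection itself; if a reverse proxy or load balancer on the LAN ever sits in front of it, every request arrives from a private source address, `deny all` never fires, and the /wp-admin and /awstats restrictions that include this file are silently open to everyone. If that deployment is possible, pair the list with `set_real_ip_from <proxy address>` and `real_ip_header X-Forwarded-For`, trusting only the proxy, and either way record the assumption in the file, e.g. `# Assumes nginx sees the real client address (no proxy in front); allow/deny test $remote_addr`. The same file is added unchanged in the third patch.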
+++ b/conf/nginx/inc/restrict-wp-access
@@ -0,0 +1,9 @@
+location /wp-admin {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
+
+location ~ /wp-login.php {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
diff --git a/conf/nginx/inc/server-log b/conf/nginx/inc/server-log
new file mode 100644
index 0000000..310de01
--- /dev/null
+++ b/conf/nginx/inc/server-log
@@ -0,0 +1,2 @@
+access_log /data/log/nginx/$server_name-access.log;
+error_log /data/log/nginx/$server_name-error.log;
diff --git a/conf/nginx/sites-available/example b/conf/nginx/sites-available/example
index 85d57f2..c3cf23f 100644
--- a/conf/nginx/sites-available/example
+++ b/conf/nginx/sites-available/example
@@ -1,14 +1,16 @@
 server {
- server_name localhost *.local;
+ server_name test.example.com;
- listen 80;
 listen 443 ssl;
 root /usr/share/nginx/html;
+ index index.php index.html index.htm;
- # redirect server error pages to the static page /50x.html
+ include inc/server-log;
- error_page 500 502 503 504 /50x.html;
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
 # PHP processing
@@ -18,13 +20,15 @@ server {
 fastcgi_intercept_errors on;
 }
+ include inc/restrict-wp-access;
+
 # AWstats
 location /awstats {
- # You may want to secure this location by appending a random string
 alias /usr/local/awstats/wwwroot/cgi-bin;
 access_log off;
 include inc/cgi-bin;
+ include inc/allow-local;
 }
 location /awstatsicons {
diff --git a/conf/nginx/sites-available/gogs b/conf/nginx/sites-available/gogs
index b0af6b5..ef2acfe 100644
--- a/conf/nginx/sites-available/gogs
+++ b/conf/nginx/sites-available/gogs
@@ -3,6 +3,8 @@ server {
 listen 443 ssl;
+ include inc/server-log;
+
 location / {
 proxy_pass http://localhost:3000;
 include proxy_params;
diff --git a/conf/nginx/sites-available/gollum b/conf/nginx/sites-available/gollum
index db94154..28141f5 100644
--- a/conf/nginx/sites-available/gollum
+++ b/conf/nginx/sites-available/gollum 
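Review bot: Neither block in this file gates the WordPress admin once it is included the way sites-available/example does, after the PHP-processing location: nginx prefers a matching regex location over the plain `location /wp-admin` prefix, and among regex locations it takes the first match in file order, so — assuming the PHP block is the usual `location ~ \.php$` — `/wp-admin/*.php` and `/wp-login.php` are both served by the PHP location with no `allow-local` check, and only the static assets under /wp-admin are actually restricted. Binding the prefix with `^~` and nesting the PHP handler inside it closes the /wp-admin gap; the wp-login.php block additionally has to precede the generic PHP location, and its pattern should be anchored with the dot escaped, `location ~ ^/wp-login\.php$`. The `include inc/restrict-wp-access;` placement in the example hunk below and the identical file in the third patch are affected the same way.
```nginx
location ^~ /wp-admin {
    include inc/allow-local;
    error_page 403 $scheme://$host/404;
    location ~ \.php$ {
        # … the site's fastcgi directives, as in its PHP-processing location …
    }
}

location ~ ^/wp-login\.php$ {
    include inc/allow-local;
    error_page 403 $scheme://$host/404;
    # … fastcgi directives as above; this block must appear before the generic \.php$ location …
}
```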
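Review bot: `error_log /data/log/nginx/$server_name-error.log;` in inc/server-log does not produce per-host error logs, because `error_log` does not expand variables — nginx opens one file literally named `$server_name-error.log` and every vhost writes there. Only `access_log` interpolates its path, and doing so reopens the file on each request unless `open_log_file_cache` is configured. Keep the access_log line but replace the second one with a fixed path, e.g. `error_log /data/log/nginx/error.log;`, or set `error_log` in each site file with the host name spelled out. The same file is created again in the third patch.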
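Review bot: In the `location /awstats` block of sites-available/example the existing `access_log off;` now also swallows the 403s produced by the newly added `include inc/allow-local;`, so rejected requests to the statistics endpoint never reach the per-host log that `include inc/server-log;` introduces at the top of the file. Either drop `access_log off;` so denials are logged like any other request, or send them to a dedicated file, e.g. `access_log /data/log/nginx/$server_name-awstats.log;`. The hunk is repeated verbatim in the third patch.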
@@ -1,6 +1,8 @@
 server {
 server_name www.example.com;
+ include inc/server-log;
+
 location / {
 proxy_pass http://localhost:4567/;
 include proxy_params;
diff --git a/conf/nginx/sites-available/redirect-ssl-all b/conf/nginx/sites-available/redirect-ssl-all
index 8896042..c386be2 100644
--- a/conf/nginx/sites-available/redirect-ssl-all
+++ b/conf/nginx/sites-available/redirect-ssl-all
@@ -1,4 +1,8 @@
 server {
- include inc/redirect-ssl;
 server_name *.example.com;
+
+ listen 80;
+
+ include inc/redirect-ssl;
+ include inc/letsencrypt;
 }
diff --git a/conf/nginx/sites-available/seafile b/conf/nginx/sites-available/seafile
index 496cf9c..525158d 100644
--- a/conf/nginx/sites-available/seafile
+++ b/conf/nginx/sites-available/seafile
@@ -3,6 +3,8 @@ server {
 listen 443 ssl;
+ include inc/server-log;
+
 location / {
 proxy_pass http://localhost:8000;
 include proxy_params;
diff --git a/conf/nginx/sites-available/trac b/conf/nginx/sites-available/trac
index 24492fe..525b488 100644
--- a/conf/nginx/sites-available/trac
+++ b/conf/nginx/sites-available/trac
@@ -1,6 +1,8 @@
 server {
 server_name trac.example.com;
+ include inc/server-log;
+
 client_max_body_size 20M;
 location / {
diff --git a/conf/nginx/sites-enabled/.empty b/conf/nginx/sites-enabled/.empty
new file mode 100644
index 0000000..e69de29
diff --git a/conf/nginx/sites-enabled/example b/conf/nginx/sites-enabled/example
deleted file mode 120000
index 2fa0a13..0000000
--- a/conf/nginx/sites-enabled/example
+++ /dev/null
@@ -1 +0,0 @@
-../sites-available/example
\ No newline at end of file
From a8cbac271f439d9464a48dbafd6a82572f4fd721 Mon Sep 17 00:00:00 2001
From: Adrian
Date: Thu, 17 Mar 2016 00:48:44 +0100
Subject: [PATCH 2/3] Small fix in Nginx config
---
 conf/nginx/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/nginx/README.md b/conf/nginx/README.md
index 9ea5441..cb23b7c 100644
--- a/conf/nginx/README.md
+++ b/conf/nginx/README.md 
@@ -4,7 +4,7 @@ These are carefully crafted Nginx config files.
 ## Installation
- sed -i 's/example.com/your-host.org/' *
+ sed -i 's/example.com/your-host.org/' sites-available/*
 sudo cp -r * /etc/nginx
 sudo ln -s example.ssl /etc/nginx/sites-conf/default.ssl
 sudo mkdir -p /data/log/nginx
From 5e482a7f08bd34a65e9dec4486e4a1bc2c46b372 Mon Sep 17 00:00:00 2001
From: Adrian
Date: Thu, 17 Mar 2016 00:41:34 +0100
Subject: [PATCH 3/3] Update Nginx config
* Make only Let's Encrypt path available on port 80
* Protect WordPress admin URLs
* Seperate logs for hosts
* Update example PHP config
* Update README
---
 conf/nginx/README.md | 17 ++++++++---------
 conf/nginx/inc/allow-local | 4 ++++
 conf/nginx/inc/cgi-bin | 2 --
 conf/nginx/inc/letsencrypt | 4 +---
 conf/nginx/inc/redirect-ssl | 5 +++--
 conf/nginx/inc/restrict-wp-access | 9 +++++++++
 conf/nginx/inc/server-log | 2 ++
 conf/nginx/sites-available/example | 14 +++++++++-----
 conf/nginx/sites-available/gogs | 2 ++
 conf/nginx/sites-available/gollum | 2 ++
 conf/nginx/sites-available/redirect-ssl-all | 6 +++++-
 conf/nginx/sites-available/seafile | 2 ++
 conf/nginx/sites-available/trac | 2 ++
 conf/nginx/sites-enabled/.empty | 0
 conf/nginx/sites-enabled/example | 1 -
 15 files changed, 49 insertions(+), 23 deletions(-)
 create mode 100644 conf/nginx/inc/allow-local
 create mode 100644 conf/nginx/inc/restrict-wp-access
 create mode 100644 conf/nginx/inc/server-log
 create mode 100644 conf/nginx/sites-enabled/.empty
 delete mode 120000 conf/nginx/sites-enabled/example
diff --git a/conf/nginx/README.md b/conf/nginx/README.md
index bcd2bbc..cb23b7c 100644
--- a/conf/nginx/README.md
+++ b/conf/nginx/README.md 
@@ -1,15 +1,14 @@
-Nginx Config Files
-==================
+# Nginx Config Files
 These are carefully crafted Nginx config files.
-Do not forget the following:
+## Installation
- sudo chown -R wwwrun.www /var/lib/nginx # if on openSUSE
- cd /etc/nginx/sites-conf
- sudo ln -s example.ssl default.ssl
+ sed -i 's/example.com/your-host.org/' sites-available/*
+ sudo cp -r * /etc/nginx
+ sudo ln -s example.ssl /etc/nginx/sites-conf/default.ssl
+ sudo mkdir -p /data/log/nginx
-You can configure your host simply by doing:
+If on openSUSE:
- cd /etc/nginx/sites-available
- sudo sed -i 's/example.com/your-host.org/' *
+ sudo chown -R wwwrun.www /var/lib/nginx
diff --git a/conf/nginx/inc/allow-local b/conf/nginx/inc/allow-local
new file mode 100644
index 0000000..4866d91
--- /dev/null
+++ b/conf/nginx/inc/allow-local
@@ -0,0 +1,4 @@
+allow 10.0.0.0/8;
+allow 172.16.0.0/12;
+allow 192.168.0.0/16;
+deny all;
diff --git a/conf/nginx/inc/cgi-bin b/conf/nginx/inc/cgi-bin
index af56659..17797e2 100644
--- a/conf/nginx/inc/cgi-bin
+++ b/conf/nginx/inc/cgi-bin
@@ -1,6 +1,4 @@
 fastcgi_pass unix:/run/php5-fpm.sock;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME /etc/nginx/cgi-bin.php;
-fastcgi_param SCRIPT_NAME "";
 fastcgi_param X_SCRIPT_FILENAME $request_filename;
-fastcgi_param X_SCRIPT_NAME "";
diff --git a/conf/nginx/inc/letsencrypt b/conf/nginx/inc/letsencrypt
index e7a4db0..4406625 100644
--- a/conf/nginx/inc/letsencrypt
+++ b/conf/nginx/inc/letsencrypt
@@ -1,5 +1,3 @@
-listen 80;
-
 location /.well-known/acme-challenge {
- alias /data/letsencrypt;
+ alias /data/letsencrypt/challenge;
 }
diff --git a/conf/nginx/inc/redirect-ssl b/conf/nginx/inc/redirect-ssl
index 6b5f3d7..385fb49 100644
--- a/conf/nginx/inc/redirect-ssl
+++ b/conf/nginx/inc/redirect-ssl
@@ -1,2 +1,3 @@
-listen 80;
-return 301 https://$host$request_uri;
+location / {
+ return 301 https://$host$request_uri;
+} 
diff --git a/conf/nginx/inc/restrict-wp-access b/conf/nginx/inc/restrict-wp-access
new file mode 100644
index 0000000..80ff763
--- /dev/null
+++ b/conf/nginx/inc/restrict-wp-access
@@ -0,0 +1,9 @@
+location /wp-admin {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
+
+location ~ /wp-login.php {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
diff --git a/conf/nginx/inc/server-log b/conf/nginx/inc/server-log
new file mode 100644
index 0000000..310de01
--- /dev/null
+++ b/conf/nginx/inc/server-log
@@ -0,0 +1,2 @@
+access_log /data/log/nginx/$server_name-access.log;
+error_log /data/log/nginx/$server_name-error.log;
diff --git a/conf/nginx/sites-available/example b/conf/nginx/sites-available/example
index 85d57f2..c3cf23f 100644
--- a/conf/nginx/sites-available/example
+++ b/conf/nginx/sites-available/example
@@ -1,14 +1,16 @@
 server {
- server_name localhost *.local;
+ server_name test.example.com;
- listen 80;
 listen 443 ssl;
 root /usr/share/nginx/html;
+ index index.php index.html index.htm;
- # redirect server error pages to the static page /50x.html
+ include inc/server-log;
- error_page 500 502 503 504 /50x.html;
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
 # PHP processing
@@ -18,13 +20,15 @@ server {
 fastcgi_intercept_errors on;
 }
+ include inc/restrict-wp-access;
+
 # AWstats
 location /awstats {
- # You may want to secure this location by appending a random string
 alias /usr/local/awstats/wwwroot/cgi-bin;
 access_log off;
 include inc/cgi-bin;
+ include inc/allow-local;
 }
 location /awstatsicons {
diff --git a/conf/nginx/sites-available/gogs b/conf/nginx/sites-available/gogs
index b0af6b5..ef2acfe 100644
--- a/conf/nginx/sites-available/gogs
+++ b/conf/nginx/sites-available/gogs
@@ -3,6 +3,8 @@ server {
 listen 443 ssl;
+ include inc/server-log;
+
 location / {
 proxy_pass http://localhost:3000;
 include proxy_params; 
diff --git a/conf/nginx/sites-available/gollum b/conf/nginx/sites-available/gollum
index db94154..28141f5 100644
--- a/conf/nginx/sites-available/gollum
+++ b/conf/nginx/sites-available/gollum
@@ -1,6 +1,8 @@
 server {
 server_name www.example.com;
+ include inc/server-log;
+
 location / {
 proxy_pass http://localhost:4567/;
 include proxy_params;
diff --git a/conf/nginx/sites-available/redirect-ssl-all b/conf/nginx/sites-available/redirect-ssl-all
index 8896042..c386be2 100644
--- a/conf/nginx/sites-available/redirect-ssl-all
+++ b/conf/nginx/sites-available/redirect-ssl-all
@@ -1,4 +1,8 @@
 server {
- include inc/redirect-ssl;
 server_name *.example.com;
+
+ listen 80;
+
+ include inc/redirect-ssl;
+ include inc/letsencrypt;
 }
diff --git a/conf/nginx/sites-available/seafile b/conf/nginx/sites-available/seafile
index 496cf9c..525158d 100644
--- a/conf/nginx/sites-available/seafile
+++ b/conf/nginx/sites-available/seafile
@@ -3,6 +3,8 @@ server {
 listen 443 ssl;
+ include inc/server-log;
+
 location / {
 proxy_pass http://localhost:8000;
 include proxy_params;
diff --git a/conf/nginx/sites-available/trac b/conf/nginx/sites-available/trac
index 24492fe..525b488 100644
--- a/conf/nginx/sites-available/trac
+++ b/conf/nginx/sites-available/trac
@@ -1,6 +1,8 @@
 server {
 server_name trac.example.com;
+ include inc/server-log;
+
 client_max_body_size 20M;
 location / {
diff --git a/conf/nginx/sites-enabled/.empty b/conf/nginx/sites-enabled/.empty
new file mode 100644
index 0000000..e69de29
diff --git a/conf/nginx/sites-enabled/example b/conf/nginx/sites-enabled/example
deleted file mode 120000
index 2fa0a13..0000000
--- a/conf/nginx/sites-enabled/example
+++ /dev/null
@@ -1 +0,0 @@
-../sites-available/example
\ No newline at end of file