# 5q12-indexer secure nginx config
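server {
    listen 5012;
    server_name 5q12-indexer;

    # Document root ({WEB_PATH} is substituted at install time) and the
    # single PHP entry point.
    root {WEB_PATH};
    index index.php;

    # Do not advertise the nginx version in the Server header / error pages.
    server_tokens off;

    # Security headers; "always" attaches them to error responses too.
    # NOTE: add_header is inherited only by locations that declare no
    # add_header of their own -- the static-asset locations below set
    # their own headers and therefore do NOT inherit these three.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header for old browsers; a Content-Security-Policy is the
    # current mechanism and X-XSS-Protection is commonly set to "0" now.
    add_header X-XSS-Protection "1; mode=block" always;

    # Main indexer entry point - allow direct access
    location = / {
        try_files $uri /index.php$is_args$args;
    }

    # Only /index.php is ever handed to PHP-FPM.  `try_files $uri =404`
    # makes sure the script exists on disk before fastcgi_pass, which is
    # the standard guard against script-path spoofing via PATH_INFO.
    location = /index.php {
        try_files $uri =404;
        # Exact-match location: only /index.php itself reaches here, so
        # the path_info split is a harmless no-op; kept in case the match
        # is ever widened.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Regex locations are tested in the order written: the two allow
    # rules for .indexer_files must stay ABOVE every deny rule below.

    # Allow CSS and font files from local_api/style directory only.
    location ~ ^/\.indexer_files/local_api/style/.*\.(css|woff2)$ {
        # nginx derives Content-Type from the `types` map; the previous
        # `add_header Content-Type` emitted a second, duplicate header,
        # and the nested locations it lived in dropped every other
        # header (Cache-Control, nosniff) for matching responses.  A
        # per-location `types` map replaces the inherited one entirely,
        # so both types served here are listed.
        types {
            text/css   css;
            font/woff2 woff2;
        }
        # Cache static assets
        expires 1d;
        add_header Cache-Control "public, immutable";
        # Security headers for static content (server-level headers are
        # not inherited once add_header is used here)
        add_header X-Content-Type-Options "nosniff" always;
        try_files $uri =404;
    }

    # Allow PNG files from icons directory only
    location ~ ^/\.indexer_files/icons/.*\.png$ {
        # Proper MIME type via the types map (see note above)
        types {
            image/png png;
        }
        # Cache icons
        expires 7d;
        add_header Cache-Control "public, immutable";
        # Security headers for images (not inherited, see above)
        add_header X-Content-Type-Options "nosniff" always;
        try_files $uri =404;
    }

    # Everything else under .indexer_files is hidden.  `return` runs in
    # the rewrite phase, before `deny` would ever be evaluated, so a bare
    # `return 404` is the whole rule; the `deny all` that used to precede
    # it never executed.  Same applies to every deny rule below.
    location ~ ^/\.indexer_files/(?!local_api/style/|icons/) {
        return 404;
    }

    # The files directory is never served directly - everything must go
    # through index.php.  Matching /files with or without a trailing
    # slash also avoids the directory redirect a bare /files request can
    # otherwise trigger, which would confirm the directory exists.
    location ~ ^/files(/|$) {
        return 404;
    }

    # No PHP file other than index.php (matched exactly above) is reachable.
    location ~ \.php$ {
        return 404;
    }

    # Dot-files and dot-directories.  The old `$` anchor only matched the
    # bare name (e.g. a file literally called ".git" or ".ht") and left
    # /.git/config, /.htaccess or /.env.local servable through the
    # fallback location; the unanchored form hides everything beneath
    # these prefixes.  Note this matches names that START with the dot
    # (/.log, /.json), not files with those extensions.
    location ~ /\.(ht|git|env|log|sqlite|json) {
        return 404;
    }

    # Backup and editor temp files (foo.bak, foo.swp, foo~).  The tilde
    # is a bare suffix, not an extension, so it is matched separately.
    location ~ (\.(bak|backup|old|tmp|temp|swp|swo)|~)$ {
        return 404;
    }

    # Common sensitive top-level names.  Note this also hides
    # /.well-known/, which blocks ACME HTTP-01 challenges if this host is
    # ever placed behind automated TLS issuance.
    location ~ ^/(config|configuration|settings|private|admin|api|\.well-known) {
        return 404;
    }

    # Scanner noise.  These words are matched anywhere in the path, so a
    # legitimately named file such as /mysql-notes.txt is hidden too.
    # This is log/noise reduction, not a security boundary.
    location ~ /(wp-|wordpress|admin|phpmyadmin|mysql|database) {
        return 404;
    }

    # Fallback (not a deny): serve an existing file under the web root,
    # otherwise route the request to index.php.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # Request size limits: bound per-connection memory and reject
    # oversized bodies and headers.  These limit resource abuse; they are
    # not an "overflow" defence.
    client_max_body_size 10M;
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    # Rate limiting (optional).  limit_req_zone is only valid in the
    # http{} context and must be defined there; only limit_req belongs
    # in this server block.
    # limit_req_zone $binary_remote_addr zone=indexer:10m rate=10r/s;
    # limit_req zone=indexer burst=20 nodelay;
}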