add default.conf to block ip access, add subdomain block as comment in sample_nginx.conf, sample_nginx_https.conf.

Author: bluebamus

config/web-server/nginx/gunicorn/conf.d/default.conf

@@ -0,0 +1,5 @@
+# ip access drop
+server {
+    listen 80 default_server;
+    return 444;
+}

config/web-server/nginx/gunicorn/sample_nginx.conf

@@ -1,10 +1,14 @@
 server {
     listen       portnumber;
     server_name  domain www.domain;
-    
+
     access_log /log/nginx/filename.com.gunicorn_access.log main;
     error_log  /log/nginx/filename.com.gunicorn_error.log warn;
- 
+
+    # if ($host !~* ^(domain\.com|www\.domain\.com)$) {
+    #     return 444;
+    # }
+
     # Django media
     location /media  {
         autoindex off;
@@ -20,7 +24,7 @@ server {
         gzip_static on;
         expires max;
         #alias /www/django_sample/static;
-        # normally static folder is named as /static 
+        # normally static folder is named as /static
         alias /www/webroot/static;  # your Django project's static files - amend as required
         #include /etc/nginx/mime.types;
     }
@@ -31,37 +35,37 @@ server {
         # proxy_redirect http:// https://;
 
     }
- 
+
     # Allow Lets Encrypt Domain Validation Program
     location ^~ /.well-known/acme-challenge/ {
         allow all;
         root /www/webroot;
     }
- 
+
     # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
     location ~ /\. {
         deny all;
     }
- 
+
     # Block (log file, binary, certificate, shell script, sql dump file) access.
     location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
         deny all;
     }
- 
+
     # Block access
     location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
         deny all;
     }
- 
+
     location = /favicon.ico {
         log_not_found off;
         access_log off;
     }
- 
+
     location = /robots.txt {
         log_not_found off;
         access_log off;
-    }  
+    }
 
     if ($bad_bot) {
         return 403;

config/web-server/nginx/gunicorn/sample_nginx_https.conf

@@ -3,6 +3,10 @@ server {
     server_name  domain www.domain;
 
     rewrite ^ https://$host$request_uri permanent;
+
+    # if ($host !~* ^(domain\.com|www\.domain\.com)$) {
+    #     return 444;
+    # }
 }
 
 server {
@@ -59,33 +63,33 @@ server {
         proxy_set_header Host $host;
         # proxy_redirect http:// https://;
     }
- 
+
     # Allow Lets Encrypt Domain Validation Program
     location ^~ /.well-known/acme-challenge/ {
         allow all;
         root /www/webroot;
     }
- 
+
     # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
     location ~ /\. {
         deny all;
     }
- 
+
     # Block (log file, binary, certificate, shell script, sql dump file) access.
     location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
         deny all;
     }
- 
+
     # Block access
     location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
         deny all;
     }
- 
+
     location = /favicon.ico {
         log_not_found off;
         access_log off;
     }
- 
+
     location = /robots.txt {
         log_not_found off;
         access_log off;

config/web-server/nginx/php/conf.d/default.conf

@@ -0,0 +1,5 @@
+# ip access drop
+server {
+    listen 80 default_server;
+    return 444;
+}

config/web-server/nginx/php/sample_nginx.conf

@@ -5,37 +5,42 @@ server {
 
     access_log /log/nginx/filename.com.php_access.log main;
     error_log  /log/nginx/filename.com.php_error.log warn;
- 
+
+    # if ($host !~* ^(domain\.com|www\.domain\.com)$) {
+    #     return 444;
+    # }
+
+
     location / {
         index  index.php index.html;
     }
- 
+
     # Allow Lets Encrypt Domain Validation Program
     location ^~ /.well-known/acme-challenge/ {
         allow all;
         root /www/webroot;
     }
- 
+
     # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
     location ~ /\. {
         deny all;
     }
- 
+
     # Block (log file, binary, certificate, shell script, sql dump file) access.
     location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
         deny all;
     }
- 
+
     # Block access
     location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
         deny all;
     }
- 
+
     location = /favicon.ico {
         log_not_found off;
         access_log off;
     }
- 
+
     location = /robots.txt {
         log_not_found off;
         access_log off;
@@ -44,12 +49,12 @@ server {
     location ~* \.(js|css|png|jpg|jpeg|gif|ico) {
         access_log off;
     }
- 
+
     # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
     location ~* /(?:uploads|default/files|data)/.*\.php$ {
         deny all;
     }
- 
+
     # Add PHP handler
     location ~ [^/]\.php(/|$) {
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;

config/web-server/nginx/php/sample_nginx_https.conf

@@ -2,6 +2,10 @@ server {
     listen       portnumber;
     server_name  domain www.domain;
 
+    # if ($host !~* ^(domain\.com|www\.domain\.com)$) {
+    #     return 444;
+    # }
+
     return       301 https://$host$request_uri;
 }
 

config/web-server/nginx/uwsgi/conf.d/default.conf

@@ -0,0 +1,5 @@
+# ip access drop
+server {
+    listen 80 default_server;
+    return 444;
+}

config/web-server/nginx/uwsgi/sample_nginx.conf

@@ -1,10 +1,14 @@
 server {
     listen       portnumber;
     server_name  domain www.domain;
-    
+
     access_log /log/nginx/filename.com.uwsgi_access.log main;
     error_log  /log/nginx/filename.com.uwsgi_error.log warn;
- 
+
+    # if ($host !~* ^(domain\.com|www\.domain\.com)$) {
+    #     return 444;
+    # }
+
     # Django media
     location /media  {
         gzip_static on;
@@ -18,61 +22,61 @@ server {
         gzip_static on;
         expires max;
         #alias /www/django_sample/static;
-        # normally static folder is named as /static 
+        # normally static folder is named as /static
         alias /www/webroot/static;  # your Django project's static files - amend as required
         #include /etc/nginx/mime.types;
     }
 
     location / {
         uwsgi_pass appname:serviceport;
 
-        uwsgi_max_temp_file_size 20480m; 
-        uwsgi_buffering off; 
-        uwsgi_ignore_client_abort on; 
-        uwsgi_buffers 2560 160k; 
-        uwsgi_buffer_size 2560k; 
-        uwsgi_connect_timeout 30s; 
-        uwsgi_send_timeout 30s; 
-        uwsgi_read_timeout 30s; 
-        uwsgi_busy_buffers_size 2560k; 
-        uwsgi_temp_file_write_size 2560k; 
-        proxy_read_timeout 30s; 
-    	proxy_connect_timeout 75s; 
+        uwsgi_max_temp_file_size 20480m;
+        uwsgi_buffering off;
+        uwsgi_ignore_client_abort on;
+        uwsgi_buffers 2560 160k;
+        uwsgi_buffer_size 2560k;
+        uwsgi_connect_timeout 30s;
+        uwsgi_send_timeout 30s;
+        uwsgi_read_timeout 30s;
+        uwsgi_busy_buffers_size 2560k;
+        uwsgi_temp_file_write_size 2560k;
+        proxy_read_timeout 30s;
+        proxy_connect_timeout 75s;
 
         # proxy_redirect http:// https://;
 
     }
- 
+
     # Allow Lets Encrypt Domain Validation Program
     location ^~ /.well-known/acme-challenge/ {
         allow all;
         root /www/webroot;
     }
- 
+
     # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
     location ~ /\. {
         deny all;
     }
- 
+
     # Block (log file, binary, certificate, shell script, sql dump file) access.
     location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
         deny all;
     }
- 
+
     # Block access
     location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
         deny all;
     }
- 
+
     location = /favicon.ico {
         log_not_found off;
         access_log off;
     }
- 
+
     location = /robots.txt {
         log_not_found off;
         access_log off;
-    }  
+    }
 
     if ($bad_bot) {
         return 403;

config/web-server/nginx/uwsgi/sample_nginx_https.conf

@@ -3,6 +3,10 @@ server {
     server_name  domain www.domain;
 
     rewrite ^ https://$host$request_uri permanent;
+
+    # if ($host !~* ^(domain\.com|www\.domain\.com)$) {
+    #     return 444;
+    # }
 }
 
 server {