Nginx-1.11_vhost.conf

#-----------------------------------------------#
# Íà÷àëî áëîêà êîíôèãóðàöèè õîñòà
#-----------------------------------------------#

server {
    listen                    %ip%:%httpport%;
    listen                    %ip%:%httpsport% ssl http2;
    server_name               %host% %aliases%;
    root                      "%hostdir%/web";
    index                     index.php index.html index.htm;
    autoindex                 on;  # Âûâîäèòü ëèñòèíã êàòàëîãà åñëè íå íàéäåí èíäåêñíûé ôàéë
    limit_conn                perip 64; # Îãðàíè÷åíèå êîë-âà ñîåäèíåíèé ñ îäíîãî IP

    # Ñîçäàíèå ñåðòèôèêàòîâ íà ïðèìåðå ôàéëîâ îò COMODO
    # copy /b domain.crt+COMODORSADomainValidationSecureServerCA.crt+COMODORSAAddTrustCA.crt server.crt
    # copy /b COMODORSADomainValidationSecureServerCA.crt+COMODORSAAddTrustCA.crt trusted.crt
    # openssl.exe dhparam -out dhparam.pem 2048

    ssl_certificate           "%sprogdir%/userdata/config/cert_files/server.crt";
    ssl_certificate_key       "%sprogdir%/userdata/config/cert_files/server.key";
    ssl_dhparam               "%sprogdir%/userdata/config/cert_files/dhparam.pem";
    # ssl_trusted_certificate "%sprogdir%/userdata/config/cert_files/trusted.crt";

    # Îòñåêàåì èçâåñòíûõ áîòîâ (ñïèñîê ìîæíî äîïîëíèòü ÷åðåç ðàçäåëèòåëü "|")
    if ($http_user_agent ~* (MJ12bot|Solomono|Ahrefs|SISTRIX|LinkpadBot|nmap|nikto|wikto|sqlmap|bsqlbf|w3af|acunetix|havij|appscan)) {
        return 444;
    }

    # Çàïðåùàåì ÷òåíèå ñêðûòûõ ôàéëîâ (íà÷èíàþùèõñÿ ñ òî÷êè)
    # Äîñòóï ê êàòàëîãàì /.well/ è /.known/ áóäåò ðàçðåø¸í (ñïèñîê ìîæíî äîïîëíèòü ÷åðåç ðàçäåëèòåëü "|")
    location ~* /\.(?!(well|known)\/) {
        deny all;
    }

    # Çàïðåùàåì áðàóçåðàì ñàìèì îïðåäåëÿòü òèï äîêóìåíòà (îïðåäåëÿåò ñåðâåð)
    more_set_headers "X-Content-Type-Options: nosniff";

    # Âêëþ÷àåì Content-Security-Policy (ðàçðåøåíèÿ: +Google Ànalytics +Google Fonts +ßíäåêñ Ìåòðèêà)
    # more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://mc.yandex.ru https://yastatic.net; img-src 'self' https://ssl.google-analytics.com https://mc.yandex.ru; connect-src https://mc.yandex.ru; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src 'self'; object-src 'none'";

    # Îãðàíè÷èâàåì ìåòîäû îáðàùåíèÿ ê ñåðâåðó (ñïèñîê ìîæíî äîïîëíèòü ÷åðåç ðàçäåëèòåëü "|")
    # if ($request_method !~* ^(GET|HEAD|POST)$){return 405;}

    # NEW! Îãðàíè÷èâàåì ñêîðîñòü íåçàâèñèìî îò ÷èñëà ñîåäèíåíèé
    # limit_traffic_rate rate_ip 1024k; # Îãðàíè÷èâàåì ñêîðîñòü ïî IP àäðåñó
    # limit_traffic_rate rate_uri 1024k; # Îãðàíè÷èâàåì ñêîðîñòü ïî URL àäðåñó

    # Ïðèíóäèòåëüíîå èñïîëüçîâàíèå HTTPS íà ñàéòå
    # more_set_headers "Strict-Transport-Security: max-age=15768000";
    # more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubdomains;"; # (âêëþ÷àÿ ïîääîìåíû)
    # set $do_redirect  1;
    # if ($scheme ~* ^https$) {
    #     set $do_redirect 0;
    # }
    # if ($request_uri ~* ^/robots\.txt$) {
    #     set $do_redirect 0;
    # }
    # if ($do_redirect = 1) {
    #     return 301 https://$host$request_uri;
    # }

    # Çàïðåò èñïîëüçîâàíèÿ www ïðåôèêñà (www.xxx.com => xxx.com)
    # if ($host ~* ^www\.(.+)$) {
    #     set $host_without_www $1;
    #     return 301 $scheme://$1$request_uri;
    # }

    # Ïåðåíàïðàâëåíèå àáñîëþòíî âñåõ çàïðîñîâ ê PHP îáðàáîò÷èêó
    # location / {
    #     rewrite ^/(.*)$ /index.php last;
    # }

    # Ïåðåíàïðàâëåíèå âñåõ çàïðîñîâ ê PHP îáðàáîò÷èêó
    # (åñëè òàêîé ôàéë èëè ïàïêà íå ñóùåñòâóþò)
    # location / {
    #     try_files $uri $uri/ /index.php?$query_string;
    # }

    # Çàïðåùàåì äîñòóï ê êîíôèãàì/áýêàïàì/ëîãàì (ñïèñîê ìîæíî äîïîëíèòü ÷åðåç ðàçäåëèòåëü "|")
    # location ~* ^.+\.(bak|conf|log|ini|sql|tar|tgz|gz)$ {
    #     deny all;
    # }

    location ~* ^.+\.(css|htc|js|bmp|gif|jpe?g|tiff?|png|cur|ico|woff2?|eot|ttc|ttf|otf|svg|swf)$ {
        expires 1d; # Êýøèðóåì ñòàòè÷åñêîå ñîäåðæèìîå
        # Ðàçðåøàåì êðîññ-äîìåííûå çàïðîñû
        # more_set_headers "Access-Control-Allow-Origin: *";
    }

    location ~* ^.+\.php$ {
        limit_conn perip 32; # Îãðàíè÷åíèå êîë-âà ñîåäèíåíèé ñ îäíîãî IP
        limit_req zone=dynamic burst=32 nodelay; # Îãðàíè÷åíèå ÷àñòîòû çàïðîñîâ ê PHP
        more_set_headers "X-Frame-Options: SAMEORIGIN"; # Çàïðåùàåì ôðåéìû íà ÷óæèõ ñàéòàõ
        more_set_headers "Cache-Control: max-age=0, no-cache, no-store, must-revalidate, no-transform"; # Çàïðåùàåì êýøèðîâàíèå îòâåòîâ
        try_files                         $uri =404;
        fastcgi_pass                      backend;
        fastcgi_param  TMP                "%sprogdir%/userdata/temp";
        fastcgi_param  TMPDIR             "%sprogdir%/userdata/temp";
        fastcgi_param  TEMP               "%sprogdir%/userdata/temp";
        include                           "%sprogdir%/modules/http/%httpdriver%/conf/fastcgi_params";
    }

    #-----------------------------------------------#
    # Ïîäêëþ÷åíèå âåá-èíñòðóìåíòîâ
    # Íå èçìåíÿéòå ýòîò áëîê êîíôèãóðàöèè
    #-----------------------------------------------#

    location /openserver/ {
        root            "%sprogdir%/modules/system/html";
        index           index.php;

        %allow%allow    all;
        allow           127.0.0.0/8;
        allow           ::1/128;
        allow           %ips%;
        deny            all;

        location /openserver/server-status {
            stub_status on;
            access_log  off;
        }

        location ~* ^.+\.(css|htc|js|bmp|gif|jpe?g|tiff?|png|cur|ico|woff2?|eot|ttc|ttf|otf|svg|swf)$ {
            expires 1d; # Êýøèðóåì ñòàòè÷åñêîå ñîäåðæèìîå
        }

        location ~* ^/openserver/.+\.php$ {
            limit_conn perip 32; # Îãðàíè÷åíèå êîë-âà ñîåäèíåíèé ñ îäíîãî IP
            limit_req zone=dynamic burst=32 nodelay; # Îãðàíè÷åíèå ÷àñòîòû çàïðîñîâ ê PHP
            more_set_headers "X-Frame-Options: SAMEORIGIN"; # Çàïðåùàåì ôðåéìû íà ÷óæèõ ñàéòàõ
            # more_set_headers "Cache-Control: max-age=0, no-cache, no-store, must-revalidate, no-transform"; # Çàïðåùàåì êýøèðîâàíèå îòâåòîâ
            try_files                         $uri =404;
            fastcgi_pass                      backend;
            fastcgi_param  TMP                "%sprogdir%/userdata/temp";
            fastcgi_param  TMPDIR             "%sprogdir%/userdata/temp";
            fastcgi_param  TEMP               "%sprogdir%/userdata/temp";
            include                           "%sprogdir%/modules/http/%httpdriver%/conf/fastcgi_params";
        }
    }

    #-----------------------------------------------#
    # Êîíôèãóðàöèÿ ñîîáùåíèé îá îøèáêàõ
    #-----------------------------------------------#

    error_page 500 /500.html;
    error_page 501 /501.html;
    error_page 502 504 /502.html;
    error_page 503 /503.html;
    error_page 404 /404.html;
    error_page 405 /405.html;

    location ~* ^/(500|501|502|503|404|405).html$ {
        root             "%sprogdir%/userdata/config/error_pages";
        expires          -1;
        more_set_headers "Content-Type: text/html; charset=utf-8";
        internal;
    }
}

#-----------------------------------------------#
# Êîíåö áëîêà êîíôèãóðàöèè õîñòà
#-----------------------------------------------#