# Request limit zone to help mitigate attacks limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s; # Cleartext listener for LetsEncrypt and HTTPS redirects. server { listen 80; server_name ponepaste.org; location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt/; } location / { return 301 https://ponepaste.org$request_uri; } } server { listen 443 ssl; listen [::]:443 ssl; # SSL Configuration ssl_certificate /etc/letsencrypt/live/ponepaste.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ponepaste.org/privkey.pem; add_header Strict-Transport-Security "max-age=63072000" always; # ModSecurity config; optional, but recommended. modsecurity on; modsecurity_rules_file /etc/modsecurity/modsecurity.conf; root /srv/http/ponepaste.org; index index.html index.php; server_name ponepaste.org; rewrite ^/$ /index.php last; rewrite ^/([0-9]+)$ /paste.php?id=$1 last; rewrite ^/page/([a-zA-Z0-9]+)/?$ /pages.php?page=$1 last; # simple routes that just map to $1.php rewrite ^/(archive|discover|profile|contact|report|event|captcha|login|logout)/?$ /$1.php last; # routes for users rewrite ^/user/([^/]+)/?$ /user.php?user=$1 last; rewrite ^/user/([^/]+)/([^/]+)/?$ /user.php?user=$1&q=$2 last; # routes for pastes rewrite ^/(download|raw|embed)/(.+)$ /paste.php?$1&id=$2 last; # weird registration routes that use a URL parameter rather than a different page (FIXME) rewrite ^/register$ /login.php last; rewrite ^/forgot$ /login.php last; location ~* \.(jpg|jpeg|png|gif|ico|css|js) { add_header "Cache-Control" "public"; expires 1h; } location / { try_files $uri $uri/ =404; } location ~ \.php$ { limit_req zone=ip burst=10 delay=8; include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php-fpm.sock; } # Deny directories that should not be publicly accessible. location ~ (/doc|/tmp|/includes|/config|/.git|/.ht|/js|/node_modules|/composer).* { deny all; } location ~ /\.ht { deny all; } }