#####
# Quick comment about this file.
# Some of the configuration depends on the type of servers being deployed.
# Check the include section at the end of the file and its comment for more information.
# Also check the CHECKLIST.md file; it documents the differences between the types of servers being deployed.
#
# When deployed on an ipxtender server, some configuration must be tweaked. Check the comments in this file.
# It's mainly : #lua_code_cache, user, worker_processes, worker_cpu_affinity, error_log, limit_rate, limit_req*, ssl_certificate*, ssl_session*, lua_shared_dict, ssl_session_cache
#
# Also check lua/lib/o2switch_common.lua, which also depends on the type of server being deployed
####
# Main (core) context: process identity, worker count and the global error log.
user nobody; # Worker processes run as this unprivileged user (the master keeps the identity it was started with)
worker_processes 6; # Auto on an ipxtender, X on a shared hosting. Most of the time X = 3
worker_rlimit_nofile 65535; # Per-worker open-file limit; keep it above worker_connections (events block below)
# worker_cpu_affinity auto; # Un-comment this on an ipxtender server
pcre_jit on; # JIT-compile the regexes used by map/location/gzip_disable below
error_log /var/log/openrestyerror.log crit; # Make sure this is on 'crit' on a production server
# NOTE(review): at 'crit' everything logged at error/warn is dropped, including limit_req / limit_conn
# rejections (limit_req_log_level and limit_conn_log_level default to error), so rate-limit events are
# only visible through the 429 status in the access log.
# Connection-handling settings shared by every worker process.
events {
worker_connections 16192; # Max simultaneous connections per worker (client connections and upstream connections both count)
multi_accept on; # Accept all pending connections on each wake-up instead of one at a time
accept_mutex off; # All workers are notified of new connections; no serialized accept
use epoll; # Linux event notification method
}
# HTTP context: everything below applies to all vhosts included at the end of this block.
http {
###
# Raw server config & optimization (must be before the map_* to avoid warning at start)
###
server_tokens off; # Hide the nginx version in the Server header and error pages
more_set_headers 'Server: o2switch-PowerBoost-v3'; # headers-more module: replace the Server header entirely
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 10;
types_hash_max_size 2048;
aio threads;
server_names_hash_bucket_size 512;
proxy_ignore_client_abort on; # Keep the upstream request running even if the client disconnects
postpone_output 1460;
request_pool_size 32k;
reset_timedout_connection on; # Free sockets of timed-out clients immediately (RST instead of lingering)
connection_pool_size 256;
map_hash_max_size 4096;
map_hash_bucket_size 256;
variables_hash_max_size 2048;
variables_hash_bucket_size 128;
###
# RealIP stuff
###
# Only connections coming from the addresses below are allowed to rewrite $remote_addr via
# X-Forwarded-For; the header is ignored for every other source. The original peer address stays
# available as $realip_remote_addr (used by the $cloudflare_ip geo block below).
# real_ip_recursive is not set, so the LAST address of the header is used, i.e. the one appended by
# the trusted proxy, not a client-supplied value at the front of the list.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
# NOTE(review): this list has no IPv6 range and lacks 131.0.72.0/22, while the $cloudflare_ip geo
# block further down lists both. Connections from those edges keep the edge address as $remote_addr,
# so per-IP rate limits and the IP blacklists would apply to the edge, not the client — confirm
# whether that is intended (e.g. no IPv6 listener) or whether the two lists should be kept in sync.
real_ip_header X-Forwarded-For;
###
# Load the MaxMind DB
###
geoip2 /etc/nginx/openresty/geoip_db/GeoIP2-Country.mmdb {
auto_reload 30m;
$geoip2_data_country_code default=FR source=$remote_addr country iso_code; # Country of the (real-ip rewritten) client, FR when unknown
}
geoip2 /etc/nginx/openresty/geoip_db/GeoIP2-ISP.mmdb {
auto_reload 30m;
$geoip2_data_asn default=0 source=$remote_addr autonomous_system_number; # Client ASN, 0 when unknown
}
###
# Maps
###
# Scheme as seen by the client when a TLS-terminating proxy sits in front of us.
map $http_x_forwarded_proto $thescheme {
default $scheme;
https https;
}
# Port as seen by the client; the doubled values cover a header that went through two proxies.
map $http_x_forwarded_proto $theport {
default '';
https 443;
http 80;
https,https 443;
http,http 443; # NOTE(review): looks like a copy of the line above; 80 would be consistent with the single 'http' entry — confirm
}
# Whitelist for the classic rate-limit
geo $whitelist {
default 0;
82.64.127.72 1; # Hard-coded whitelist entry, in addition to the included file
include whitelist_wl.conf;
}
# Keys for the limit_req / limit_conn zones below. An empty key means the request is not accounted
# at all (documented nginx behaviour), so a whitelisted address bypasses every zone keyed on these.
map $whitelist $map_perip {
0 $binary_remote_addr;
1 "";
}
map $whitelist $map_host {
0 $host;
1 "";
}
# Keyed on the original peer address (before real_ip rewriting), so it answers "did this connection
# come from a Cloudflare edge". The IPv4 ranges are commented out: only IPv6 edges currently match.
geo $realip_remote_addr $cloudflare_ip {
default 0;
#103.21.244.0/22 1;
#103.22.200.0/22 1;
#103.31.4.0/22 1;
#104.16.0.0/12 1;
#108.162.192.0/18 1;
#131.0.72.0/22 1;
#141.101.64.0/18 1;
#162.158.0.0/15 1;
#172.64.0.0/13 1;
#173.245.48.0/20 1;
#188.114.96.0/20 1;
#190.93.240.0/20 1;
#197.234.240.0/22 1;
#198.41.128.0/17 1;
#199.27.128.0/21 1;
2400:cb00::/32 1;
2405:8100::/32 1;
2405:b500::/32 1;
2606:4700::/32 1;
2803:f800::/32 1;
2c0f:f248::/32 1;
2a06:98c0::/29 1;
}
# Potentially malicious IP addresses (lists maintained in the included files)
geo $jabatus {
default 0;
include jabatus.conf;
}
geo $blackpost {
default 0;
include blackpost.conf;
}
geo $jsget {
default 0;
include jsget.conf;
}
# Whitelist for the potentially malicious IP address lists above
geo $jabatuswl {
default 0;
include jabatus_wl_lua.conf;
}
include restrict.inc;
include jabatus_wl_custom.inc;
# Country list / country exceptions: 1 = allowed by default, the zone files override per country
geo $tcallow {
default 1;
include zone.fr.allow;
include zone.be.allow;
include zone.ch.allow;
include zone.de.allow;
}
# Maps used by the custom security rules that a customer can activate
include custom_security/998-exceptions.conf;
include custom_security/999-badbots.conf;
include custom_security/999-seobots.conf;
include custom_security/999-adminuri.conf;
include custom_security/999-tor.conf;
include custom_security/999-badips.conf;
include custom_security/999-blockwpphp.conf;
include custom_security/999-blockdevfiles.conf;
include custom_security/999-underattack-wl.conf;
###
# Rate limits and bandwidth limits
###
# limit_rate 5M; # Only on ipxtender. Maybe on the forwarder being the caches servers
limit_conn_zone $map_host zone=max_conn_to_server:6m; # Total number of connections to one vhost
limit_conn_zone $map_perip zone=perip:6m; # Number of simultaneous connections per IP
limit_req_zone $map_perip zone=globalddos:10m rate=50r/s; # Rate-limit of the global number of requests per IP
limit_req_zone $map_perip zone=o2sapi:4m rate=40r/m; # Rate limit ^/o2s-cgi/api.cgi
# Moved to the main_vhosts location, can't have multiple limit_req, the first one is the only one executed
# limit_req zone=globalddos burst=160;
# These variables define per-context request limits (empty user-agent, login page, etc.).
# $limit_empty, $limit_speedbot and $limit_urirate are not defined in this file — presumably set in the included maps or in Lua; verify.
limit_req_zone $limit_empty zone=emptyua:2m rate=2r/m;
limit_req_zone $limit_speedbot zone=speedbots:2m rate=2r/m;
limit_req_zone $limit_urirate zone=login:2m rate=60r/m;
# The 3 levels rate limits used by the custom waf rules that a customer can activate
limit_req_zone $rateLimitedOrigin zone=rateLimitedOrigin5:2m rate=5r/m;
limit_req_zone $rateLimitedOrigin zone=rateLimitedOrigin20:2m rate=20r/m;
limit_req_zone $rateLimitedOrigin zone=rateLimitedOrigin40:2m rate=40r/m;
limit_req_status 429; # Rejected requests get 429 Too Many Requests instead of the default 503
###
# Logging
###
# Extract the o2s-chl challenge cookie value (if any) so it can be written to the access log.
map $http_cookie $logCookieChallenge{
default "";
~o2s-chl=(?<mc>[^\;]+) $mc;
}
# $map_underattack_wl is expected to come from custom_security/999-underattack-wl.conf above — verify.
log_format custom_server_time '$host - $server_name - $remote_addr - $remote_port - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent $request_length $bytes_sent $server_port '
'"$http_referer" "$http_user_agent" req_time=$request_time upstr=$upstream_addr '
'up_co_time=$upstream_connect_time up_resp_time=$upstream_response_time o2s-chl=$logCookieChallenge wl=$map_underattack_wl';
access_log /eacc/web custom_server_time;
# access_log off; # Turning the access log off may be necessary on an ipxtender server or forwarder with high traffic
###
# Buffers & Max-Size & Files caches
###
client_max_body_size 512M;
client_body_buffer_size 512M;
# NOTE(review): the body buffer equals the max body size. A request announcing a large Content-Length can make
# a worker allocate a buffer of this size per request before anything is written to disk — confirm this fits
# the memory budget with worker_processes 6 and the per-IP limit_conn zone.
proxy_buffering on;
proxy_request_buffering off; # Stream request bodies to the upstream instead of spooling them first
output_buffers 4 32k;
client_header_buffer_size 64k;
large_client_header_buffers 4 256k; # Up to 1M of header buffers per connection; needed for very long cookies/URIs
proxy_buffers 256 16k;
proxy_buffer_size 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 1m;
open_file_cache max=2000 inactive=5m;
open_file_cache_valid 2m;
open_file_cache_min_uses 2;
open_file_cache_errors on;
###
# Micro-Cache
###
proxy_temp_path /eacc/nginx_proxy/;
proxy_cache_path /eacc/nginx levels=1:2 keys_zone=microcache:2m max_size=4m inactive=3600m;
###
# Timeouts
###
proxy_connect_timeout 40s;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
# Keep it small to avoid slow-loris like attacks (HTTP 408)
# It's not the total time but the time between two operations, so it's not normal if a client waits more than XX seconds.
client_header_timeout 30s;
client_body_timeout 30s;
send_timeout 30s;
###
# Compression
###
# NOTE(review): compression is also applied to TLS responses (BREACH-style risks for dynamic pages that
# reflect attacker input next to secrets); the types below are mostly static assets, but text/plain and
# application/javascript can carry generated content — confirm the vhosts disable it where that matters.
gzip on;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
gzip_proxied any;
gzip_http_version 1.0;
gzip_min_length 1000;
gzip_comp_level 7; # Don't change this; it isn't worth it and uses a LOT more CPU on the server side.
gzip_buffers 16 8k;
gzip_types text/plain text/xml text/css application/x-javascript application/xml application/javascript application/xml+rss text/javascript application/atom+xml application/xhtml+xml image/svg+xml application/x-font-woff application/font-woff2;
brotli on;
brotli_static on; # Serve pre-compressed .br files when present
brotli_types text/plain text/xml text/css application/x-javascript application/xml application/javascript application/xml+rss text/javascript application/atom+xml application/xhtml+xml image/svg+xml application/x-font-woff application/font-woff2;
brotli_comp_level 7; # Don't change this; it isn't worth it and uses a LOT more CPU on the server side.
brotli_min_length 1000;
###
# Header optimization
###
etag off;
if_modified_since off;
###
# SSL / TLS & Optimisations
###
# Default certificate used when no vhost matches (SNI miss); the same PEM must hold both the key and the chain.
ssl_certificate_key "/var/cpanel/ssl/cpanel/mycpanel.pem"; # Careful about the paths, it's not the same on a shared hosting vs. ipxtender
ssl_certificate "/var/cpanel/ssl/cpanel/mycpanel.pem"; # Same comment as above
#ssl_session_cache off;
ssl_session_cache shared:SSLCACHE:10m; # On ipxtender, change the size of this cache to allow more cache on SSL
ssl_session_timeout 1h;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Old config, 0-RTT doesn't work because of secp384r1
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
#ssl_ecdh_curve secp384r1;
# New config, with 0-RTT + better browser compatibility
# All suites are ECDHE (forward secrecy); the two trailing *-AES256-SHA entries are CBC/SHA-1 and are presumably
# kept only for old clients — verify they are still needed.
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384; # TLS 1.3 suites (OpenSSL 1.1.1+ syntax)
ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Only used by DHE suites; none remain in ssl_ciphers above, so this looks like a leftover of the old config
ssl_buffer_size 4k; # Small TLS records: lower time-to-first-byte at the cost of more record overhead
ssl_early_data on; # Enable the 0-RTT TLS
# NOTE(review): 0-RTT data is replayable by design. nginx exposes $ssl_early_data so the application layer
# can refuse non-idempotent requests sent as early data (typically by forwarding it as an Early-Data header
# and returning 425 from the backend) — confirm the vhosts / Lua code do this.
resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off; # Public resolvers, plain DNS; used for proxy_pass hostnames and OCSP lookups
resolver_timeout 5s;
# Note : Specific to MAIN ipxtender (to test, not sure it's useful yet)
# ssl_session_tickets on;
# ssl_session_ticket_key ssl_session_tickets.key;
include mime.types;
default_type application/octet-stream;
###
# LUA init + define the lua cache
###
# ! Debug only, remove this on PROD !
#lua_code_cache off;
# Level 2 cache size, should be enough to contain all SSL files for all the Vhosts (at least)
# + all the proxyPass etc... conf for vhosts
lua_shared_dict cache_dict 25m; # Please tweak the size on ipxtender server, at least 256M
lua_shared_dict domain_req_counter_dict 10m; # Dict for the counter of requests on domain name
lua_shared_dict ip_req_counter_dict 20m; # Dict for the counter of requests for IP address
lua_shared_dict ip_blacklist_dict 10m; # Dict for the IP blacklist
lua_shared_dict sync_dict 1m; # Worker sync dict for the lru-cache
lua_shared_dict timer_shm 1m; # Timer sync dict
lua_shared_dict misc_dict 1m; # Miscellaneous dict
lua_package_path "/etc/nginx/openresty/lua/lua_modules/share/lua/5.1/?.lua;/etc/nginx/openresty/lua/?.lua;/usr/local/openresty/nginx/nginx/conf/lua/?.lua;/usr/local/openresty/nginx/conf/lua/?.lua;./lua/?.lua;;";
init_by_lua_file conf/lua/init.lua; # Runs once in the master at startup (before the fork)
init_worker_by_lua_file conf/lua/init_worker.lua; # Runs in every worker after the fork
#####
# Note 1 : About the files to include, it depends on the context and the type of server being deployed
# It's different if it's an Openresty server on a shared hosting or an Ipxtender front server
# Please read the comments below and comment/uncomment the right line
#
# Note 2 : When deployed on a cache server, remove limit_req* lines otherwise the configuration will fail and openresty will not start
#####
# include internal_vhosts/backends.conf; # Include this on an ipxtender server (Cache backends definitions). Edit this file with the correct IP in the backend too.
include internal_vhosts/api_vhost_mutu.conf; # Include this if it's an openresty on shared hosting (Openresty Internal API)
# include internal_vhosts/api_vhost_edge.conf; # Include this on an ipxtender server or a cache server (PHP API + Openresty Internal API)
# include internal_vhosts/api_vhost_lslb.conf; # Include this on a cache server with Litespeed (PHP API)
# include internal_vhosts/api_vhost_varnish.conf; # Include this on a cache server with Varnish (PHP API)
include main_vhost.conf; # Include this on a ipxtender server or a shared hosting server (main vhost proxy pass). On Mutu, check/remove the fallback in the Vhost.
# include internal_vhosts/forwarder_vhost.conf; # Include this on a cache server (forwarder Vhost, change the vhost port to :80) or an ipxtender server (fallback, change vhost port to :8888)
# include internal_vhosts/monit_vhost.conf; # Include this if monit + netdata is installed. Allow access to {ip}:9999
}