
Block Exploits, SQL Injections & attacks with Nginx

Block Exploits, Sql Injections & Attacks With Nginx


    Create a folder and the configuration file /etc/nginx/common/protect.conf

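    # -p creates missing parent directories and is a no-op if the directory already exists
    # (the original line passed -p twice; the duplicate was redundant)
    mkdir -p /etc/nginx/common && nano /etc/nginx/common/protect.conf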
    

    Then paste the following content into protect.conf:

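    # Shared deny rules for request paths.
    # Each regex `location` below is matched against the normalized $uri: %XX
    # sequences are already decoded, "." and ".." are resolved and repeated
    # slashes are collapsed before matching. The query string ($args) is NOT
    # part of $uri, so none of these rules inspect query-string payloads; the
    # eval()/base64/SQL-keyword rules only catch such text in the path itself.
    # Among regex locations nginx uses the first match in configuration order,
    # so this file must be included before any other regex `location`
    # (e.g. a `location ~ \.php$` handler), otherwise that handler wins.
    # `deny all` answers 403 Forbidden.

    # Deny access to readme.(txt|html) or license.(txt|html) or example.(txt|html) and other common git related files.
    # (The former "^$" alternative could never match after the leading "/" and was dropped.)
    location ~* "/(readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
        deny all;
    }
    # Deny access to backup extensions & log files.
    # "bak" was "bak?", which also denied the unrelated ".ba" extension.
    # The git|hg|svn entries only catch files named *.git etc.; the VCS
    # directories themselves (/.git/ ...) are covered by the hidden-file rule below.
    location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
        deny all;
    }
    # Deny access to hidden files and directories (anything starting with a dot),
    # except /.well-known/ which the negative lookahead keeps reachable
    # (needed e.g. for ACME challenge files).
    location ~ /\.(?!well-known\/) {
        deny all;
    }
    # Deny paths containing a base64_encode( call
    location ~* "(base64_encode)(.*)(\()" {
        deny all;
    }
    # Deny paths containing an eval( call
    location ~* "(eval\()" {
        deny all;
    }
    # Deny paths which include "127.0.0.1"
    location ~* "(127\.0\.0\.1)" {
        deny all;
    }
    # Deny attempts to reference PHP superglobals in the path
    location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
        deny all;
    }
    # Deny <script ...> tags in the path, plain or percent-encoded.
    # The closing alternative was "%3" (a truncated "%3E", the encoding of ">").
    location ~* "(<|%3C).*script.*(>|%3E)" {
        deny all;
    }
    # Deny backslashes, "...", "../", and shell/HTML metacharacters in the path.
    # Note: "../" is already resolved during URI normalization (an escape above
    # the root is answered 400 before any location is matched), so that
    # alternative is defence in depth rather than the primary control.
    location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
        deny all;
    }
    # Deny a quote followed by a common SQL keyword in the path
    location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
        deny all;
    }
    # Deny URL schemes embedded in the path (remote-include style requests)
    location ~* "(https?|ftp|php):/" {
        deny all;
    }
    # Deny escaped-quote patterns in the path
    location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
        deny all;
    }
    # Deny format-string style and repeated-punctuation patterns
    location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
        deny all;
    }
    # Broad metacharacter deny list. Because matching happens after
    # percent-decoding, "\s" also matches a request for "/My%20Report.pdf"
    # and ":" matches paths such as "/items:search"; check this rule against
    # the site's own URL scheme before deploying, as it is the most likely
    # source of false 403s.
    location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
        deny all;
    }
    # Known probe strings. "(wp-)?config\." also matches any path containing
    # "config." (e.g. /assets/config.js) and "cgi-" matches /cgi-bin/; relax
    # these if the site legitimately serves such paths.
    location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)" {
        deny all;
    }
    # PHP basenames that are commonly probed and should never be served.
    # (The former "^$" alternative could never match after the leading "/" and was dropped.)
    location ~* "/(mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
        deny all;
    }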
    

    Include it inside the `server { }` block of your vhost configuration with:

    # `location` directives are only valid inside a server { } context, so this
    # include belongs in the vhost's server block. Among regex locations nginx
    # picks the first match in configuration order, so place this include
    # before any other regex location (e.g. `location ~ \.php$`); otherwise a
    # path such as /shell.php is passed to the PHP handler instead of denied.
    include /etc/nginx/common/protect.conf;
    

