I am running Nginx with Nginx Amplify. In my Amplify>Analyzer>Static Analysis Section I am gettin the following errors:
Regex location has no anchors in regex pattern Regex location has a regex pattern without ^ or $. This is a configuration style that is prone to errors. It may also lead to a situation when requests partially matching the regex pattern are incorrectly routed to this location. Always use ^ or $ achor in a regex pattern.
Check the following files: /etc/nginx/conf.d/01-mail.example.com, line 27 /etc/nginx/conf.d/01-mail.example.com, line 89 /etc/nginx/sites-enabled/03-example2.com.conf, line 176 /etc/nginx/sites-enabled/03-example2.com.conf, line 199 /etc/nginx/sites-enabled/03-example2.com.conf, line 265
My 01-mail.example.com virtual host file looks like this:
server {
# Restrict access to LAN & Work IP & Apartment IP's
allow xxx.xxx.xx.x/24; # LAN IP Address
allow xxx.xx.xxx.xxx/32; # Work IP address
allow xxx.xx.xxx.xxx/32; # Apt. IP Address
deny all;
#error_page 403 =444;
# Begin Server Directives
server_name mail.example.com;
root /var/www/roundcube/;
index index.php index.html index.htm;
# Logs
error_log /var/log/nginx/mail.example.com.error.log;
access_log /var/log/nginx/mail.example.com.access.log;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
location ~ /.well-known/acme-challenge {
allow all;
}
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
# A long browser cache lifetime can speed up repeat visits to your page
location ~ \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 360d;
}
listen *:443 ssl;
http2 on;
ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by admin
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/mail.example.com/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = mail.example.com) {
return 301 https://$host$request_uri;
}
# managed by Certbot
# Restrict access to LAN & Work IP & Apartment IP's
allow xxx.xxx.xx.x/24; # LAN IP Address
allow xxx.xx.xxx.xxx/32; # Work IP address
allow xxx.xx.xxx.xxx/32; # Apt. IP Address
deny all;
#error_page 403 =444;
# Begin Server Directives
listen *:80;
server_name mail.example.com;
root /var/www/roundcube/;
index index.php index.html index.htm;
error_log /var/log/nginx/mail.example.com.error.log;
access_log /var/log/nginx/mail.example.com.error.log;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
#try_files $uri =404;
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
location ~ /.well-known/acme-challenge {
allow all;
}
location = ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
# LINUXBABE + Extra Extensions
# A long browser cache lifetime can speed up repeat visits to your page
location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|jpeg|webp|svg|woff|woff2|ttf|css|js|ico|xml|otf|woff|woff2)$ {
access_log off;
log_not_found off;
expires 1y;
}
}
It seems the lines Amplify is referencing is:
location ~ /.well-known/acme-challenge {
on line 27, and …
location ~ /.well-known/acme-challenge {
on line 89.
My 03-example2.com.conf virtual host file looks like this:
server {
listen 80;
server_name example2.com www.example2.com;
return 301 https://$host$request_uri;
}
server {
listen *:443 ssl;
http2 on;
server_name example2.com www.example2.com;
root /var/www/example2.com/;
##
# SECURITY HEADERS
##
# Strict Transport Security Response Header
# Use "always" Paramater to help prevent MITM attacks.
# ADMIN Note: Including the Preload Paramerter will cause web browsers to cache this header
# permanently in their browser code for about two months. Use only if you want to permanently
# commit this header to your site. If you change it, it will take a long time for changes to
# be reflected in the web browsers.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Content Security Policy (CSP)
#add_header Content-Security-Policy "frame-ancestors 'self';";
# https://gabriel.nu/tutorials/Ubuntu-20.04-NGINX-LEMP-secure-web-server-for-WordPress-DIY.html
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
#add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'";
# https://walterebert.com/blog/using-csp-wordpress/
#add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;" always;
# https://nowherelan.com/2018/12/27/secure-your-wordpress-site-with-the-content-security-policy-csp-http-header-in-apache/
#add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com *.wp.com *.wordpress.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: *.wp.com *.wordpress.com; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com *.wp.com *.wordpress.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com *.wp.com *.wordpress.com; frame-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: *.wp.com *.wordpress.com"
# Secure MIME Types with X-Content-Type-Options. Below line adds the X-Frame-Options header in Nginx.
add_header X-Content-Type-Options "nosniff" always;
# Referrer Policy
#add_header Referrer-Policy "strict-origin";
# https://gabriel.nu/tutorials/Ubuntu-20.04-NGINX-LEMP-secure-web-server-for-WordPress-DIY.html
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Permissions Policy
add_header Permissions-Policy "geolocation=(), autoplay=(), encrypted-media=(), midi=(), usb=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=(self)";
# X-FastCGI-Cache
# This line adds the X-FastCGI-Cache header in the HTTP response. It can be used to validate whether
# the request has been served from the FastCGI cache or not.
# ADMIN Note: Linuxbabe originally had this directive in "location ~ \.php$ {", however, we don't use it
# there because it invalidates any other currently used headers and only implements itself.
add_header X-FastCGI-Cache $upstream_cache_status always;
# Clear Site Data
# When we use a webpage, we can leave various pieces of data in the browser that we’d like to clear
# out if the user logs out or deletes their account. Clear Site Data gives us a reliable way to do
# that.
# ADMIN Note: We decided to enable it globally on all pages via:
add_header Clear-Site-Data "*";
# X-Frame Options
# Prevent click jacking by adding an X-Frame-Options header
add_header x-frame-options "SAMEORIGIN" always;
# X-SSS Protections
# Enable X-XSS-Protection header in Nginx
add_header X-XSS-Protection "1; mode=block" always;
# LINUXBABE
# If you allow people to upload files, or are concerned about intruders using a different flaw to get
# files onto your server AND the content on your domain should not be accessed via other websites
# possibly trying to impersonate you, then yes X-Permitted-Cross-Domain-Policies "none" will provide a
# security benefit. The attack is less relevant these days, as any user of modern software first
# needs to be tricked into allowing Flash or active PDF content.
# If your website is just a regular website with nothing that requires a login to access, then you don't need it.
# https://www.linuxbabe.com/ubuntu/install-wordpress-ubuntu-20-04-nginx-mariadb-php7-4-lemp
# https://security.stackexchange.com/questions/166024/does-the-x-permitted-cross-domain-policies-header-have-any-benefit-for-my-websit
add_header X-Permitted-Cross-Domain-Policies none;
# LINUXBABE (User recommendation)
# Ignore Cache Control
# Keep fastcgi working if it's not getting hits
# ADMIN Note: Only use this if fastcgi cache status is not getting hits
#fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
##
# SSL
##
# Certificate Path (signed)
ssl_certificate /etc/letsencrypt/live/example2.com/fullchain.pem; # Managed by ADMIN
# Certificate Path (intermediate)
ssl_certificate_key /etc/letsencrypt/live/example2.com/privkey.pem; # Managed by ADMIN
# Certificate Path (Chain of trust of OCSP response using Root CA and intermediate certificates)
ssl_trusted_certificate /etc/letsencrypt/live/example2.com/chain.pem; # Managed by ADMIN
# Perfect Forward Secrecy (Diffie Hellman 4096) Path
ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by ADMIN
# Mozilla Modern Compatibilty
# Strict Settings with OCSP stapling turned on for A+ Rating at ssllabs.com
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLERequires nginx >= 1.13.0 else use TLSv1.2 # Dropping TLSv1.1 for modern compatability.
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # About 40000 sessions
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
##
# LOGS
##
# ADMIN Note: Adding "if=$log_ip" to the end of access log lines will exclude your own ip address from access logs to prevent skewing data
# Access Log (Netdata)
access_log /var/log/nginx/example2.com.access.log netdata if=$log_ip;
# Access Log (Amplify)
access_log /var/log/nginx/example2.com.access.log apm if=$log_ip;
# Error Log
error_log /var/log/nginx/example2.com.error.log warn;
##
# PAGESPEED
##
# ADMIN Note: Pagespeed is broken on Nginx v1.25.1 and up, so we should comment all of it out here and in the "nginx.conf" file
# Settings per this virtual host
# Enable Pagespeed module
#pagespeed on;
#pagespeed Domain http*://*.example2.com;
# Settings per all virtual hosts
#include /etc/nginx/pagespeed.conf;
##
# LOCATION DIRECTIVES 1
##
index index.php index.html index.htm index.nginx-debian.html;
# ADMIN
# https://serverfault.com/questions/1137324/difference-between-3-similar-nginx-location-directives-provided-in-three-separat/1137342#1137342
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
### BEGIN: "Converter for Media" Wordpress Plugin
set $ext_avif ".avif";
if ($http_accept !~* "image/avif") {
set $ext_avif "";
}
set $ext_webp ".webp";
if ($http_accept !~* "image/webp") {
set $ext_webp "";
}
location ~ /wp-content/(?<path>.+)\.(?<ext>jpe?g|png|gif|webp)$ {
add_header Vary Accept;
expires 365d;
try_files
/wp-content/uploads-webpc/$path.$ext$ext_avif
/wp-content/uploads-webpc/$path.$ext$ext_webp
$uri =404;
}
### END: "Converter for Media" Wordpress Plugin
# ADMIN
# https://serverfault.com/questions/755662/nginx-disable-htaccess-and-hidden-files-but-allow-well-known-directory
# location ~ /.well-known {
location ~ /\.well-known {
allow all;
}
# ADMIN
location = /favicon.ico {
log_not_found off;
access_log off;
}
# ADMIN
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# LINUXBABE
location ~ ^/wp-json/ {
rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last;
}
# LINUXBABE
location ~ /wp-sitemap.*\.xml {
try_files $uri $uri/ /index.php$is_args$args;
}
# LINUXBABE
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
# LINUXBABE
location = /50x.html {
root /var/www/html;
}
# ADMIN
# DISALLOW ACCESS of /xmlrpc.php
# EXCEPT FROM internal IP's and Home & Apartment IP's.
#location ^~ /xmlrpc.php$ {
#allow xxx.xxx.xx.x/24; # LAN IP Address
#allow xxx.xxx.xx.x/32; # Home IP address
#allow xxx.xxx.xx.x/32; # Apt. IP Address
#deny all;
# Pass FastCGI to PHP7.4 with included settings in the snippet
#include snippets/fastcgi-php.conf;
#}
# ADMIN
# DISALLOW ACCESS of /admin
# EXCEPT FROM internal IP's and Home & Apartment IP's
location ^~ /admin/ {
#satify all;
allow xxx.xxx.xx.x/24; # LAN IP Address
allow xxx.xxx.xx.x/32; # Home IP address
allow xxx.xxx.xx.x/32; # Apt. IP Address
deny all;
# Require basic auth login for allowed IP's
auth_basic "You Don't belong here. Get out!";
auth_basic_user_file /etc/nginx/basic_auth/auth.admin;
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
# ADMIN
# DISALLOW ACCESS of /wp-login.php
# EXCEPT FROM internal IP's and Home & Apartment IP's.
#location ^~ /wp-login.php {
#allow xxx.xxx.xx.x/24; # LAN IP Address
#allow xxx.xxx.xx.x; # Home IP address
#allow xxx.xxx.xx.x; # Apt. IP Address
#deny all;
# Require basic auth login for allowed IP's
#auth_basic "You Don't belong here. Get out!";
#auth_basic_user_file /etc/nginx/basic_auth/auth.wp-login;
# Pass FastCGI to PHP7.4 with included settings in the snippet
#include snippets/fastcgi-php.conf;
#}
# ADMIN
# DISALLOW ACCESS of PHP In Upload Folder
location /wp-content/uploads/ {
location ~ \.php$ {
deny all;
}
}
# ADMIN
# DISALLOW ACCESS of hidden files
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
##
# BEGIN: CACHE / SKIP CACHE
##
# LINUXBABE
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# Don't Skip Cache by Default
set $skip_cache 0;
# LINUXBABE
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# POST requests should always go to PHP
if ($request_method = POST) {
set $skip_cache 1;
}
# LINUXBABE
# URLs containing query strings should always go to PHP
# ADMIN Note: You might want to be sure to turn off query strings in H-code wordpress theme, and other themes
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
if ($query_string != "") {
set $skip_cache 1;
}
# LINUXBABE
# Don't cache uris containing the following segments
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# https://easyengine.io/wordpress-nginx/tutorials/plugins/woocommerce/
# https://docs.cleavr.io/guides/woocommerce/
if ($request_uri ~* "/wp-admin/|/wp-json/|/login/|/register/|/shopping-cart.*|.*add-to-cart.*|.*empty-cart.*|/cart.*|/checkout.*|/addons.*|/my-account.*|/wishlist.*|/xmlrpc.php|wp-.*.php|^/feed/*|/tag/.*/feed/*|index.php|/.*sitemap.*\.(xml|xsl)") {
set $skip_cache 1;
}
# LINUXBABE
# Don't use the cache for logged in users or recent commenters
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
# LINUXBABE
# Cache Bypass for specified IP's
# Test the upstream (PHP-FPM and MariaDB) response time. By adding the following
# lines we tell Nginx to bypass the FastCGI cache for our own public and local IP addresses.
# Skip the fastCGI Cache for "Apartment Public IP|Work Public IP|Apartment LAN Subdomain".
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
#if ($remote_addr ~* "xxx.xxx.xx.x|108.231.125.254|xxx.xxx.xx.x|192.168.25..*") {
# set $skip_cache 1;
#}
##
# END: CACHE / SKIP CACHE
##
# LINUXBABE
# Google Sitemaps / Yoast SEO Rules:
# If you use the Yoast SEO or Google XML Sitemap plugins to generate sitemap, then
# you need to move the Yoast/Google XML rewrite rules here, below the skip cache rules (below this line).
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# Rules:
##
# LOCATION DIRECTIVES 2
##
# LINUXBABE
# Pass Fastcgi to PHP
location ~ \.php$ {
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
# FastCGI Cache
#fastcgi_cache off;
fastcgi_cache example2.com;
fastcgi_cache_valid 200 301 302 12h;
fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
fastcgi_cache_min_uses 1;
fastcgi_cache_lock on;
# Tell Nginx to send requests to upstream PHP-FPM server, instead of trying to find files in the
# cache. If the value of $skip_cache is 1, then the first directive tells Nginx to send request
# to upstream PHP-FPM server, instead of trying to find files in the cache.
# ADMIN Note: fastcgi_cache_bypass $skip_cache and fastcgi_no_cache $skip_cache should be
# uncommented if using google XML sitemap plugin, or Yoast SEO Plugin, or if you want to
# enable the skip cache rules above.
fastcgi_cache_bypass $skip_cache;
# This directive tells Nginx not to cache the response.
fastcgi_no_cache $skip_cache;
}
##
# NGINX CACHE PURGING in WORDPRESS with Nginx_Cache_Purge MODULE
##
# Cache Purge
# This enables the ngx_http_cache_purge_module.so module to work with Nginx Helper in Wordpress.
# Cache Purging should be restricted to allowed IP addresses.
# If not set, an attacker may be able to wipe your nginx fastcgi cache using simple GET requests. # (Linuxbabe User Comment).
# This location block enables cache purge but restricts it to your ip address and to your loopback address.
# Note: This is broken and we haven't tried to fix it. So, we are using wordpress Nginx Helper cache purge instead. Comment this out.
#location ~ /purge(/.*) {
#allow 127.0.0.1; # Server Loopback Address
#allow xxx.xxx.xx.x; # Server IPv4 address
#deny all;
# Enable http-cache-purge module in nginx for above IP addresses
#fastcgi_cache_purge example2.com "$scheme$request_method$host$1";
#}
# LINUXBABE (+ ADMIN Extra Extensions)
# Speed up repeat visits to your page with a long browser cache lifetime
location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|jpeg|webp|svg|woff|woff2|ttf|css|js|ico|xml|otf|woff|woff2)$ {
access_log off;
log_not_found off;
expires 1y;
}
}
It seems the lines Amplify is referencing is:
location ~ /\.well-known {
on line 176,
location ~ /wp-sitemap.*\.xml {
on line 199, and
location ~ /\. {
on line 265.
What should I find and replace in each of the corresponding lines to satisfy Amplify’s recommended suggestions?