I am running Nginx with Nginx Amplify. In my Amplify>Analyzer>Static Analysis section I am getting the following errors:
Regex location has no regex pattern
Regex location has a valid modifier, but does not have a regex pattern.
Performance-wise it is more efficient to configure exact or prefix matching for locations that do not require regex matching. It is also less prone to errors. Please refer to the documentation describing location directive to learn more.
Check the following files:
/etc/nginx/conf.d/mail.example.com.conf, line 27
/etc/nginx/conf.d/mail.example.com.conf, line 89
/etc/nginx/sites-enabled/03-example2.com.conf, line 176
/etc/nginx/sites-enabled/03-example2.com.conf, line 265
My "mail.example.com.conf" virtual host looks like this:
server {
# Restrict access to LAN & Other IP's
allow 192.168.x.x/24; # AC3200 LAN IP Address
allow x.x.x.x/32; # Work IP address
allow x.x.x.x/32; # Apt. IP Address
deny all;
#error_page 403 =444;
# Begin Server Directives
server_name mail.example.com;
root /var/www/roundcube/;
index index.php index.html index.htm;
# Logs
error_log /var/log/nginx/mail.example.com.error.log;
access_log /var/log/nginx/mail.example.com.access.log;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
location ~ /.well-known/acme-challenge {
allow all;
}
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
# A long browser cache lifetime can speed up repeat visits to your page
location ~ \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 360d;
}
listen *:443 ssl;
http2 on;
ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by admin
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/mail.example.com/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = mail.example.com) {
return 301 https://$host$request_uri;
}
# managed by Certbot
# Restrict access to LAN & Moms IP & Apartment IP's
allow x.x.x.x/24; # LAN IP Address
allow x.x.x.x/32; # Work IP address
allow x.x.x.x/32; # Apt. IP Address
deny all;
#error_page 403 =444;
# Begin Server Directives
listen *:80;
server_name mail.example.com;
root /var/www/roundcube/;
index index.php index.html index.htm;
error_log /var/log/nginx/mail.example.com.error.log;
access_log /var/log/nginx/mail.example.com.access.log;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
#try_files $uri =404;
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
location ~ /.well-known/acme-challenge {
allow all;
}
# The "=" modifier matches one literal URI, so "=" combined with a regex pattern never matches anything; "~" is needed here
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
# LINUXBABE + Extra Extensions
# A long browser cache lifetime can speed up repeat visits to your page
location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 1y;
}
}
In this file it seems Amplify is talking about this line:
location ~ /.well-known/acme-challenge {
My /etc/nginx/sites-enabled/03-example2.com.conf
file looks like:
server {
listen 80;
server_name example2.com www.example2.com;
return 301 https://$host$request_uri;
}
server {
listen *:443 ssl;
http2 on;
server_name example2.com www.example2.com;
root /var/www/example2.com/;
##
# SECURITY HEADERS
##
# Strict Transport Security Response Header
# Use the "always" parameter to help prevent MITM attacks.
# ADMIN Note: Including the "preload" parameter will cause web browsers to cache this header
# permanently in their browser code for about two months. Use only if you want to permanently
# commit this header to your site. If you change it, it will take a long time for changes to
# be reflected in the web browsers.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Content Security Policy (CSP)
#add_header Content-Security-Policy "frame-ancestors 'self';";
# https://gabriel.nu/tutorials/Ubuntu-20.04-NGINX-LEMP-secure-web-server-for-WordPress-DIY.html
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
#add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'";
# https://walterebert.com/blog/using-csp-wordpress/
#add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;" always;
# https://nowherelan.com/2018/12/27/secure-your-wordpress-site-with-the-content-security-policy-csp-http-header-in-apache/
#add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com *.wp.com *.wordpress.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: *.wp.com *.wordpress.com; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com *.wp.com *.wordpress.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com *.wp.com *.wordpress.com; frame-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: *.wp.com *.wordpress.com"
# Secure MIME types with X-Content-Type-Options. The line below adds the X-Content-Type-Options header in Nginx.
add_header X-Content-Type-Options "nosniff" always;
# Referrer Policy
#add_header Referrer-Policy "strict-origin";
# https://gabriel.nu/tutorials/Ubuntu-20.04-NGINX-LEMP-secure-web-server-for-WordPress-DIY.html
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Permissions Policy
add_header Permissions-Policy "geolocation=(), autoplay=(), encrypted-media=(), midi=(), usb=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=(self)";
# X-FastCGI-Cache
# This line adds the X-FastCGI-Cache header in the HTTP response. It can be used to validate whether
# the request has been served from the FastCGI cache or not.
# ADMIN Note: Linuxbabe originally had this directive in "location ~ \.php$ {", however, we don't use it
# there because it invalidates any other currently used headers and only implements itself.
add_header X-FastCGI-Cache $upstream_cache_status always;
# Clear Site Data
# When we use a webpage, we can leave various pieces of data in the browser that we’d like to clear
# out if the user logs out or deletes their account. Clear Site Data gives us a reliable way to do
# that.
# ADMIN Note: We decided to enable it globally on all pages via:
add_header Clear-Site-Data "*";
# X-Frame Options
# Prevent click jacking by adding an X-Frame-Options header
add_header x-frame-options "SAMEORIGIN" always;
# X-XSS-Protection
# Enable X-XSS-Protection header in Nginx
add_header X-XSS-Protection "1; mode=block" always;
# LINUXBABE
# If you allow people to upload files, or are concerned about intruders using a different flaw to get
# files onto your server AND the content on your domain should not be accessed via other websites
# possibly trying to impersonate you, then yes X-Permitted-Cross-Domain-Policies "none" will provide a
# security benefit. The attack is less relevant these days, as any user of modern software first
# needs to be tricked into allowing Flash or active PDF content.
# If your website is just a regular website with nothing that requires a login to access, then you don't need it.
# https://www.linuxbabe.com/ubuntu/install-wordpress-ubuntu-20-04-nginx-mariadb-php7-4-lemp
# https://security.stackexchange.com/questions/166024/does-the-x-permitted-cross-domain-policies-header-have-any-benefit-for-my-websit
add_header X-Permitted-Cross-Domain-Policies none;
# LINUXBABE (User recommendation)
# Ignore Cache Control
# Keep fastcgi working if it's not getting hits
# ADMIN Note: Only use this if fastcgi cache status is not getting hits
#fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
##
# SSL
##
# Certificate Path (signed)
ssl_certificate /etc/letsencrypt/live/example2.com/fullchain.pem; # Managed by ADMIN
# Certificate Path (intermediate)
ssl_certificate_key /etc/letsencrypt/live/example2.com/privkey.pem; # Managed by ADMIN
# Certificate Path (Chain of trust of OCSP response using Root CA and intermediate certificates)
ssl_trusted_certificate /etc/letsencrypt/live/example2.com/chain.pem; # Managed by ADMIN
# Perfect Forward Secrecy (Diffie Hellman 4096) Path
ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by ADMIN
# Mozilla Modern Compatibility
# Strict Settings with OCSP stapling turned on for A+ Rating at ssllabs.com
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (ref: POODLE) and TLSv1.0/1.1 for modern compatibility. TLSv1.3 requires nginx >= 1.13.0, otherwise use TLSv1.2 only.
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # About 40000 sessions
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
##
# LOGS
##
# ADMIN Note: Adding "if=$log_ip" to the end of access log lines will exclude your own ip address from access logs to prevent skewing data
# Access Log (Netdata)
access_log /var/log/nginx/example2.com.access.log netdata if=$log_ip;
# Access Log (Amplify)
access_log /var/log/nginx/example2.com.access.log apm if=$log_ip;
# Error Log
error_log /var/log/nginx/example2.com.error.log warn;
##
# PAGESPEED
##
# ADMIN Note: Pagespeed is broken on Nginx v1.25.1 and up, so we should comment all of it out here and in the "nginx.conf" file
# Settings per this virtual host
# Enable Pagespeed module
#pagespeed on;
#pagespeed Domain http*://*.example2.com;
# Settings per all virtual hosts
#include /etc/nginx/pagespeed.conf;
##
# LOCATION DIRECTIVES 1
##
index index.php index.html index.htm index.nginx-debian.html;
# ADMIN
# https://serverfault.com/questions/1137324/difference-between-3-similar-nginx-location-directives-provided-in-three-separat/1137342#1137342
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
### BEGIN: "Converter for Media" Wordpress Plugin
set $ext_avif ".avif";
if ($http_accept !~* "image/avif") {
set $ext_avif "";
}
set $ext_webp ".webp";
if ($http_accept !~* "image/webp") {
set $ext_webp "";
}
location ~ /wp-content/(?<path>.+)\.(?<ext>jpe?g|png|gif|webp)$ {
add_header Vary Accept;
expires 365d;
try_files
/wp-content/uploads-webpc/$path.$ext$ext_avif
/wp-content/uploads-webpc/$path.$ext$ext_webp
$uri =404;
}
### END: "Converter for Media" Wordpress Plugin
# ADMIN
# https://serverfault.com/questions/755662/nginx-disable-htaccess-and-hidden-files-but-allow-well-known-directory
# location ~ /.well-known {
location ~ /\.well-known {
allow all;
}
# ADMIN
location = /favicon.ico {
log_not_found off;
access_log off;
}
# ADMIN
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# LINUXBABE
location ~ ^/wp-json/ {
rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last;
}
# LINUXBABE
location ~ /wp-sitemap.*\.xml {
try_files $uri $uri/ /index.php$is_args$args;
}
# LINUXBABE
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
# LINUXBABE
location = /50x.html {
root /var/www/html;
}
# ADMIN
# DISALLOW ACCESS of /xmlrpc.php
# EXCEPT FROM internal IP's and Home & Apartment IP's.
#location ^~ /xmlrpc.php$ {
#allow xxx.xxx.xx.x/24; # AC3200 LAN IP Address
#allow xxx.xx.xxx.xxx/32; # Home IP address
#allow xxx.xx.xxx.xxx/32; # Apt. IP Address
#deny all;
# Pass FastCGI to PHP7.4 with included settings in the snippet
#include snippets/fastcgi-php.conf;
#}
# ADMIN
# DISALLOW ACCESS of /admin
# EXCEPT FROM internal IP's and Home & Apartment IP's
location ^~ /admin/ {
#satisfy all;
allow xxx.xxx.xx.x/24; # AC3200 LAN IP Address
allow xxx.xx.xxx.xxx/32; # Home IP address
allow xxx.xx.xxx.xxx/32; # Apt. IP Address
deny all;
# Require basic auth login for allowed IP's
auth_basic "You Don't belong here. Get out!";
auth_basic_user_file /etc/nginx/basic_auth/auth.admin;
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
# ADMIN
# DISALLOW ACCESS of /wp-login.php
# EXCEPT FROM internal IP's and Home & Apartment IP's.
#location ^~ /wp-login.php {
#allow xxx.xxx.xx.x/24; # AC3200 LAN IP Address
#allow xxx.xx.xxx.xxx; # Home IP address
#allow xxx.xx.xxx.xxx; # Apt. IP Address
#deny all;
# Require basic auth login for allowed IP's
#auth_basic "You Don't belong here. Get out!";
#auth_basic_user_file /etc/nginx/basic_auth/auth.wp-login;
# Pass FastCGI to PHP7.4 with included settings in the snippet
#include snippets/fastcgi-php.conf;
#}
# ADMIN
# DISALLOW ACCESS of PHP In Upload Folder
# Written as a regex location placed ahead of "location ~ \.php$": a location nested inside a
# plain prefix block is only consulted after nginx has chosen that prefix block, and a
# server-level regex such as "~ \.php$" wins before that happens, so a nested
# "~ \.php$ { deny all; }" here would never be reached. Regex locations are tried in
# config order, so this block must stay above the PHP handler.
location ~ ^/wp-content/uploads/.*\.php$ {
deny all;
}
# ADMIN
# DISALLOW ACCESS of hidden files
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
##
# BEGIN: CACHE / SKIP CACHE
##
# LINUXBABE
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# Don't Skip Cache by Default
set $skip_cache 0;
# LINUXBABE
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# POST requests should always go to PHP
if ($request_method = POST) {
set $skip_cache 1;
}
# LINUXBABE
# URLs containing query strings should always go to PHP
# ADMIN Note: You might want to be sure to turn off query strings in H-code wordpress theme, and other themes
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
if ($query_string != "") {
set $skip_cache 1;
}
# LINUXBABE
# Don't cache uris containing the following segments
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# https://easyengine.io/wordpress-nginx/tutorials/plugins/woocommerce/
# https://docs.cleavr.io/guides/woocommerce/
if ($request_uri ~* "/wp-admin/|/wp-json/|/login/|/register/|/shopping-cart.*|.*add-to-cart.*|.*empty-cart.*|/cart.*|/checkout.*|/addons.*|/my-account.*|/wishlist.*|/xmlrpc.php|wp-.*.php|^/feed/*|/tag/.*/feed/*|index.php|/.*sitemap.*\.(xml|xsl)") {
set $skip_cache 1;
}
# LINUXBABE
# Don't use the cache for logged in users or recent commenters
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
# LINUXBABE
# Cache Bypass for specified IP's
# Test the upstream (PHP-FPM and MariaDB) response time. By adding the following
# lines we tell Nginx to bypass the FastCGI cache for our own public and local IP addresses.
# Skip the fastCGI Cache for "Apartment Public IP|Work Public IP|Apartment LAN Subdomain".
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
#if ($remote_addr ~* "xxx.xx.xxx.xxx|108.231.125.254|xxx.xx.xxx.xxx|192.168.25..*") {
# set $skip_cache 1;
#}
##
# END: CACHE / SKIP CACHE
##
# LINUXBABE
# Google Sitemaps / Yoast SEO Rules:
# If you use the Yoast SEO or Google XML Sitemap plugins to generate sitemap, then
# you need to move the Yoast/Google XML rewrite rules here, below the skip cache rules (below this line).
# https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
# Rules:
##
# LOCATION DIRECTIVES 2
##
# LINUXBABE
# Pass Fastcgi to PHP
location ~ \.php$ {
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
# FastCGI Cache
#fastcgi_cache off;
fastcgi_cache example2.com;
fastcgi_cache_valid 200 301 302 12h;
fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
fastcgi_cache_min_uses 1;
fastcgi_cache_lock on;
# Tell Nginx to send requests to upstream PHP-FPM server, instead of trying to find files in the
# cache. If the value of $skip_cache is 1, then the first directive tells Nginx to send request
# to upstream PHP-FPM server, instead of trying to find files in the cache.
# ADMIN Note: fastcgi_cache_bypass $skip_cache and fastcgi_no_cache $skip_cache should be
# uncommented if using google XML sitemap plugin, or Yoast SEO Plugin, or if you want to
# enable the skip cache rules above.
fastcgi_cache_bypass $skip_cache;
# This directive tells Nginx not to cache the response.
fastcgi_no_cache $skip_cache;
}
##
# NGINX CACHE PURGING in WORDPRESS with Nginx_Cache_Purge MODULE
##
# Cache Purge
# This enables the ngx_http_cache_purge_module.so module to work with Nginx Helper in Wordpress.
# Cache Purging should be restricted to allowed IP addresses.
# If not set, an attacker may be able to wipe your nginx fastcgi cache using simple GET requests. # (Linuxbabe User Comment).
# This location block enables cache purge but restricts it to your ip address and to your loopback address.
# Note: This is broken and we haven't tried to fix it. So, we are using wordpress Nginx Helper cache purge instead. Comment this out.
#location ~ /purge(/.*) {
#allow 127.0.0.1; # Server Loopback Address
#allow xxx.xx.xx.x; # Server IPv4 address
#deny all;
# Enable http-cache-purge module in nginx for above IP addresses
#fastcgi_cache_purge example2.com "$scheme$request_method$host$1";
#}
# LINUXBABE (+ ADMIN Extra Extensions)
# Speed up repeat visits to your page with a long browser cache lifetime
location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 1y;
}
}
In this file it seems Amplify is talking about these lines:
location ~ /\.well-known {
and
location ~ /\. {
In both files, what should I find and replace in the corresponding lines to satisfy Amplify's suggestions?
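To see what Amplify's suggestion changes in practice, here is an added example (not code from the poster, from Amplify or from nginx) that models nginx's documented location selection order in Python: exact match first, then the longest prefix, which ends the search if it carries `^~`, then regex locations in configuration order, with nested locations searched the same way once a block is chosen. It encodes the example2.com locations above under short block names that are assumptions made here, and routes a few constructed URIs through the original layout and through two ways of rewriting the flagged blocks.

```python
import re
from dataclasses import dataclass, field

# Added example: a model of nginx's documented location selection order, used to
# check how the example2.com server block routes a request. The block names below
# are labels chosen here, not names from the original configuration.

@dataclass
class Loc:
    mod: str                      # '=', '^~', '~', '~*' or '' for a plain prefix
    pat: str                      # prefix string or regex pattern
    name: str                     # label for the matched block
    children: list = field(default_factory=list)  # nested locations

def select(locs, uri):
    """Return the Loc nginx would pick for uri among locs (one nesting level)."""
    for loc in locs:                              # 1. an exact match ends the search
        if loc.mod == '=' and uri == loc.pat:
            return loc
    best = None                                   # 2. remember the longest prefix
    for loc in locs:
        if loc.mod in ('', '^~') and uri.startswith(loc.pat):
            if best is None or len(loc.pat) > len(best.pat):
                best = loc
    if best is not None and best.mod == '^~':     # 3. ^~ prefix: regexes are not checked
        return descend(best, uri)
    for loc in locs:                              # 4. regexes in config order, first match wins
        flags = re.IGNORECASE if loc.mod == '~*' else 0
        if loc.mod in ('~', '~*') and re.search(loc.pat, uri, flags):
            return descend(loc, uri)
    return descend(best, uri) if best is not None else None   # 5. fall back to the prefix

def descend(loc, uri):
    """Once a block is chosen, its nested locations are searched the same way."""
    if loc.children:
        child = select(loc.children, uri)
        if child is not None:
            return child
    return loc

def example2_locations(acme_mod='~', uploads_fix='none'):
    """The example2.com locations in config order. acme_mod ('~', '' or '^~') is how
    the .well-known block is written; uploads_fix ('none', 'caret_tilde' or
    'regex_deny') is how PHP inside the uploads folder is denied."""
    acme_pat = r'/\.well-known' if acme_mod == '~' else '/.well-known/'
    locs = [
        Loc('', '/', 'root_try_files'),
        # Python spells the named groups (?P<name>...) where nginx uses (?<name>...)
        Loc('~', r'/wp-content/(?P<path>.+)\.(?P<ext>jpe?g|png|gif|webp)$', 'webp_avif'),
        Loc(acme_mod, acme_pat, 'well_known_allow'),
        Loc('=', '/favicon.ico', 'favicon'),
        Loc('=', '/robots.txt', 'robots'),
        Loc('~', r'^/wp-json/', 'wp_json'),
        Loc('~', r'/wp-sitemap.*\.xml', 'sitemap'),
        Loc('=', '/50x.html', 'error_page'),
        Loc('^~', '/admin/', 'admin_restricted'),
        Loc('^~' if uploads_fix == 'caret_tilde' else '', '/wp-content/uploads/', 'uploads',
            children=[Loc('~', r'\.php$', 'uploads_php_deny')]),
    ]
    if uploads_fix == 'regex_deny':
        # a regex deny placed ahead of the PHP handler, so regex order does the work
        locs.append(Loc('~', r'^/wp-content/uploads/.*\.php$', 'uploads_php_deny'))
    locs += [
        Loc('~', r'/\.', 'hidden_deny'),
        Loc('~', r'\.php$', 'php_fastcgi'),
        Loc('~', r'\.(txt|pdf|jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$',
            'static_cache'),
    ]
    return locs

def route(uri, **kwargs):
    """Name of the block that would handle uri under the chosen variant."""
    loc = select(example2_locations(**kwargs), uri)
    return loc.name if loc else None

if __name__ == '__main__':
    # constructed sample URIs, one per case the question is about
    for uri in ('/.well-known/acme-challenge/TOKEN',
                '/wp-content/uploads/2024/01/file.php',
                '/wp-content/uploads/2024/01/photo.jpg'):
        for kw in ({}, {'acme_mod': ''}, {'acme_mod': '^~'},
                   {'uploads_fix': 'caret_tilde'}, {'uploads_fix': 'regex_deny'}):
            print(f'{uri:42} {kw!s:30} -> {route(uri, **kw)}')
```

Two things the model makes visible. A plain prefix `location /.well-known/` is not enough, because the later `location ~ /\.` regex still wins and denies the ACME request, so the prefix form Amplify asks for needs `^~` (`location ^~ /.well-known/ { allow all; }`); the same rewrite applies to `location ~ /.well-known/acme-challenge` in mail.example.com.conf. And the nested `~ \.php$` deny under the plain `/wp-content/uploads/` prefix is never consulted, since `~ \.php$` at server level matches first; giving the uploads block `^~` closes that but also stops the Converter for Media regex from serving AVIF/WebP for uploaded images, which is why a regex deny placed above the PHP handler is the less disruptive form.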