Laravel pagoda security configuration

One 、 Site directory security ：

Prevent cross station attack (open_basedir)

Write access logs

Two 、web The configuration file

server{
  listen 8080;
  server_name laravel.test;
  index index.php index.html index.htm default.php default.htm default.html;
  root /www/wwwroot/laravel/public;

  # Error page configuration , Note that 、 Delete or modify 
  #error_page 404 /404.html;
  #error_page 502 /502.html;

  #PHP-INFO-START  PHP Reference configuration , You can annotate or modify 
  include enable-php-73.conf;

  #URL rewrite , After modification, the pseudo-static rules set by the panel will be invalidated 
  #include /vhost/rewrite/xiaobai.test.conf;

  # Forbidden files or directories 
  location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md){
    return 404;
  }

  # One click application SSL Certificate validation directory related settings 
  location ~ \.well-known{
  	allow all;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    expires      30d;
    error_log off;
    access_log /dev/null;
  }

  location ~ .*\.(js|css)?$ {
    expires      12h;
    error_log off;
    access_log /dev/null; 
  }
  access_log  /www/wwwlogs/xiaobai.test.log;
  error_log  /www/wwwlogs/xiaobai.test.error.log;
}

enable-php-73.conf

location ~ [^/]\.php(/|$){
  try_files $uri =404;
  fastcgi_pass  unix:/tmp/php-cgi-73.sock;#php-cgi monitor 
  fastcgi_index index.php;
  include fastcgi.conf;
  include pathinfo.conf;
}
 
 #  General configuration 
location ~ \.php$ {
  fastcgi_pass   127.0.0.1:9000;#php-fpm monitor 
  fastcgi_index  index.php;
  fastcgi_param  SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
  include        fastcgi_params;
}

fastcgi.conf

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

pathinfo.conf

set $real_script_name $fastcgi_script_name;
if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                set $real_script_name $1;
                set $path_info $2;
 }
fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
fastcgi_param SCRIPT_NAME $real_script_name;
fastcgi_param PATH_INFO $path_info;

3、 ... and 、 Pseudostatic

/www/server/panel/vhost/rewrite/xiaobai.test.conf

location / {
	try_files $uri $uri/ /index.php?$query_string;
}
#  or 
location / {
  if (!-e $request_filename){
    rewrite  ^(.*)$  /index.php?s=$1  last;   break;
  }
}

Four 、 Anti theft chain