From a8435cab14187fc5ecc42798a3cc3dea17c5b35f Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Thu, 30 May 2024 12:37:26 +0200
Subject: [PATCH] hosting-firewall-wordpress-2
---
 .../force-https-firewall-wordpress-2.stpl | 95 +++++++++++++++++++
 .../force-https-firewall-wordpress-2.tpl | 8 ++
 .../hosting-firewall-wordpress-2.stpl | 95 +++++++++++++++++++
 .../hosting-firewall-wordpress-2.tpl | 92 ++++++++++++++++++
 .../rate-limit-tpl/install_rate_limit_tpl.sh | 5 +
 5 files changed, 295 insertions(+)
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl
 create mode 100644 src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl
new file mode 100644
index 00000000..5c3f22ac
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl
@@ -0,0 +1,95 @@
+server {
+ listen %ip%:%proxy_ssl_port% ssl http2;
+ server_name %domain_idn% %alias_idn%;
+ # ssl on;
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ location / {
+ error_page 418 = @wordfence_lh;
+ error_page 419 = @wordfence_route;
+ error_page 420 = @wordfence_sync;
+
+ if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
+ if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
+ if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
+
+ limit_conn addr 10;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=28 delay=14;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-admin/ {
+ limit_conn addr 48;
+ limit_conn zone_site 60;
+ limit_req zone=one burst=80 delay=14;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/ {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=80 delay=14;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_lh {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_route {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_sync {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/wordfence/ {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~* ^.+\.(%proxy_extentions%)$ {
+ root %sdocroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+ expires max;
+ # try_files $uri @fallback;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ location @fallback {
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~ /wp-config.php {return 404;}
+ location ~ /xmlrpc.php {return 404;}
+ location ~ /\.ht {return 404;}
+ location ~ /\.env {return 404;}
+ location ~ /\.svn/ {return 404;}
+ location ~ /\.git/ {return 404;}
+ location ~ /\.hg/ {return 404;}
+ location ~ /\.bzr/ {return 404;}
+
+ disable_symlinks if_not_owner from=%docroot%;
+
+ include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+ include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl
new file mode 100644
index 00000000..5a463370
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl
@@ -0,0 +1,8 @@
+server {
+ listen %ip%:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ location / {
+ rewrite ^(.*) https://$host$1 permanent;
+ }
+include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl
new file mode 100644
index 00000000..5c3f22ac
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl
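Review bot: The `return 404` guards for `/wp-config.php`, `/xmlrpc.php` and the dot-directories are regex locations listed after `location ~* ^.+\.(%proxy_extentions%)$`, and nginx takes the first regex location that matches, so a path under `/.git/`, `/.svn/` or similar whose extension happens to be in `%proxy_extentions%` would be served from `root %sdocroot%` instead of reaching the 404 rule; whether that list contains such an extension is not visible here. Moving the eight `location ~ ... {return 404;}` lines above the static-file location closes the ordering gap at no cost, and the same layout is present in hosting-firewall-wordpress-2.stpl and hosting-firewall-wordpress-2.tpl in this commit. Separately, the routing into the `wfone` zone (burst=240) is decided solely by a prefix of `$request_uri`, so the relaxed limit is available to any client that sends that query-string prefix rather than only to Wordfence traffic. If those endpoints are meant for the site's own server-side calls, an `allow %ip%; allow 127.0.0.1; deny all;` block inside the `@wordfence_*` locations would keep the exemption narrow; if they are browser-originated, the trade-off is worth a comment such as `# wordfence endpoints get a wider limit; selected by query prefix, not by caller`.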
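Review bot: The redirect in `location /` uses `rewrite ^(.*) https://$host$1 permanent;`, where the idiomatic form is `return 301 https://$host$request_uri;`, which yields the same target (query string included) without a regex evaluation per request. The `include ... conf_letsencrypt;` line is written with no indentation inside the `server` block while the companion `.stpl` indents its includes, and unlike the `.stpl` this block sets no `error_log`; aligning both keeps the two halves of the template pair readable side by side.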
@@ -0,0 +1,95 @@
+server {
+ listen %ip%:%proxy_ssl_port% ssl http2;
+ server_name %domain_idn% %alias_idn%;
+ # ssl on;
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ location / {
+ error_page 418 = @wordfence_lh;
+ error_page 419 = @wordfence_route;
+ error_page 420 = @wordfence_sync;
+
+ if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
+ if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
+ if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
+
+ limit_conn addr 10;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=28 delay=14;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-admin/ {
+ limit_conn addr 48;
+ limit_conn zone_site 60;
+ limit_req zone=one burst=80 delay=14;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/ {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=80 delay=14;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_lh {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_route {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location @wordfence_sync {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /wp-json/wordfence/ {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~* ^.+\.(%proxy_extentions%)$ {
+ root %sdocroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+ expires max;
+ # try_files $uri @fallback;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ location @fallback {
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location ~ /wp-config.php {return 404;}
+ location ~ /xmlrpc.php {return 404;}
+ location ~ /\.ht {return 404;}
+ location ~ /\.env {return 404;}
+ location ~ /\.svn/ {return 404;}
+ location ~ /\.git/ {return 404;}
+ location ~ /\.hg/ {return 404;}
+ location ~ /\.bzr/ {return 404;}
+
+ disable_symlinks if_not_owner from=%docroot%;
+
+ include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
+ include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
+}
diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl
new file mode 100644
index 00000000..44f6162c
--- /dev/null
+++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl
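Review bot: This file is byte-identical to force-https-firewall-wordpress-2.stpl added in the same commit (both hunks create blob 5c3f22ac), so every remark on that file applies here unchanged and the two copies will drift the first time only one of them is edited. If the template loader requires both names to exist, producing one from the other in install_rate_limit_tpl.sh (or a symlink, where the template directory tolerates it) keeps a single source of truth; at minimum a first-line comment such as `# keep in sync with force-https-firewall-wordpress-2.stpl` in both files makes the coupling visible to the next editor.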
@@ -0,0 +1,92 @@
+server {
+ listen %ip%:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ location / {
+ error_page 418 = @wordfence_lh;
+ error_page 419 = @wordfence_route;
+ error_page 420 = @wordfence_sync;
+
+ if ($request_uri ~ "^/\?wordfence_lh") { return 418; }
+ if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; }
+ if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; }
+
+ limit_conn addr 10;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=28 delay=14;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /wp-admin/ {
+ limit_conn addr 48;
+ limit_conn zone_site 60;
+ limit_req zone=one burst=80 delay=14;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /wp-json/ {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=one burst=80 delay=14;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location @wordfence_lh {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location @wordfence_route {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location @wordfence_sync {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /wp-json/wordfence/ {
+ limit_conn addr 16;
+ limit_conn zone_site 30;
+ limit_req zone=wfone burst=240;
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location ~* ^.+\.(%proxy_extentions%)$ {
+ root %docroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+ expires max;
+ # try_files $uri @fallback;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ location @fallback {
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location ~ /wp-config.php {return 404;}
+ location ~ /xmlrpc.php {return 404;}
+ location ~ /\.ht {return 404;}
+ location ~ /\.env {return 404;}
+ location ~ /\.svn/ {return 404;}
+ location ~ /\.git/ {return 404;}
+ location ~ /\.hg/ {return 404;}
+ location ~ /\.bzr/ {return 404;}
+
+ disable_symlinks if_not_owner from=%docroot%;
+
+ include %home%/%user%/conf/web/nginx.%domain%.conf*;
+}
+
diff --git a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
index 4a910d0f..8f4d4e88 100644
--- a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
+++ b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh
@@ -71,4 +71,9 @@ wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordp
 wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.tpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl
 wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.stpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl
+wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress-2.tpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl
+wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress-2.stpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl
+wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress-2.tpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl
+wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress-2.stpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl
+
 
 systemctl restart nginx
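Review bot: The closing `include %home%/%user%/conf/web/nginx.%domain%.conf*;` keys on `%domain%`, while the `.stpl` counterpart in this commit pulls its letsencrypt override via `*nginx.%domain_idn%.conf_letsencrypt`, keyed on `%domain_idn%`; if those two placeholders expand differently for an internationalised domain (which the templates alone do not show), the port-80 and port-443 halves of the same site would read different override files. Using the same placeholder in both templates removes that ambiguity, and a one-line comment such as `# glob also picks up nginx.<domain>.conf_letsencrypt for the ACME challenge` would record why the HTTP side has only this single include. The hunk also adds a trailing blank line after the final `}` that the sibling templates do not have.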
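Review bot: The four new `wget` lines download nginx server templates over plain `http://` into `/usr/local/vesta/data/templates/web/nginx/` with no integrity check, and the unchanged `systemctl restart nginx` at the end of the hunk then runs regardless of whether any download succeeded, so a failed, truncated or substituted download becomes the live proxy configuration for every site that uses these templates. The added lines copy the pattern of the context lines above them, so the commit inherits rather than introduces the issue, but the new lines are the natural place to start: fetch over `https://` if c.myvestacp.com serves it, and abort before the restart on failure, e.g. by appending `|| exit 1` to each `wget` (with `-O` pointing at a temporary file that is moved into place only on success, so a failed fetch does not leave a zero-byte template behind). A published checksum verified with `sha256sum -c` before the restart would cover the substitution case as well.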