From dffae61f68358e9d813bf61bf9bf19939941a248 Mon Sep 17 00:00:00 2001
From: Ashley Rich
Date: Tue, 17 Nov 2015 20:01:46 +0000
Subject: [PATCH] Security and exclusions restructure
---
 global/security.conf | 13 ----------
 per-site/exclusions.conf | 30 ++++++++++++++++++++++
 per-site/logs.conf | 17 ------------
 sites-available/fastcgi-cache.com | 4 +--
 sites-available/multisite-subdirectory.com | 4 +--
 sites-available/multisite-subdomain.com | 4 +--
 sites-available/singlesite.com | 4 +--
 sites-available/ssl.com | 4 +--
 8 files changed, 40 insertions(+), 40 deletions(-)
 create mode 100644 per-site/exclusions.conf
 delete mode 100644 per-site/logs.conf
diff --git a/global/security.conf b/global/security.conf
index 0886a44..f05d178 100644
--- a/global/security.conf
+++ b/global/security.conf
@@ -1,16 +1,3 @@
-# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
-# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
-location ~ /\. {
- deny all;
-}
-
-# Deny access to any files with a .php extension in the uploads directory
-# Works in sub-directory installs and also in multisite network
-# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
-location ~* /(?:uploads|files)/.*\.php$ {
- deny all;
-}
-
 # Hide Nginx version in error messages and reponse headers.
 server_tokens off;
diff --git a/per-site/exclusions.conf b/per-site/exclusions.conf
new file mode 100644
index 0000000..23d452e
--- /dev/null
+++ b/per-site/exclusions.conf
@@ -0,0 +1,30 @@
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~ /\. {
+ deny all;
+}
+
+# Deny access to any files with a .php extension in the uploads directory
+# Works in sub-directory installs and also in multisite network
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /(?:uploads|files)/.*\.php$ {
+ deny all;
+}
+
+# Don't record error/access logs for favicon.io.
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+# Don't record error/access logs for robots.txt.
+location = /robots.txt {
+ log_not_found off;
+ access_log off;
+}
+
+# Don't record error/access logs for static assets.
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|css|js)$ {
+ log_not_found off;
+ access_log off;
+}
\ No newline at end of file
diff --git a/per-site/logs.conf b/per-site/logs.conf
deleted file mode 100644
index f6e51e0..0000000
--- a/per-site/logs.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Don't record error/access logs for favicon.io.
-location = /favicon.ico {
- log_not_found off;
- access_log off;
-}
-
-# Don't record error/access logs for robots.txt.
-location = /robots.txt {
- log_not_found off;
- access_log off;
-}
-
-# Don't record error/access logs for static assets.
-location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|css|js)$ {
- log_not_found off;
- access_log off;
-}
\ No newline at end of file
diff --git a/sites-available/fastcgi-cache.com b/sites-available/fastcgi-cache.com
index 9ce93a0..8340521 100644
--- a/sites-available/fastcgi-cache.com
+++ b/sites-available/fastcgi-cache.com
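Review bot: In per-site/exclusions.conf the uploads rule `location ~* /(?:uploads|files)/.*\.php$` only matches a URI that ends in `.php`, so a request where `.php` is followed by path info is not denied by it. Whether such a request can reach the interpreter depends on the PHP handler location, which is outside this patch; if that location accepts `\.php(/|$)`, the deny rule and the handler disagree about what counts as a PHP request under uploads. I would anchor the rule the same way the handler does, for example `location ~* /(?:uploads|files)/.*\.php(?:/|$) {`, and extend the extension list if the pool maps anything other than `.php` to PHP. The rule text is carried over unchanged from global/security.conf, so this is a gap the move keeps rather than one it introduces.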
@@ -20,8 +20,8 @@ server {
 access_log /sites/fastcgi-cache.com/logs/access.log;
 error_log /sites/fastcgi-cache.com/logs/error.log;
- # Log exclusions
- include per-site/logs.conf;
+ # Exclusions
+ include per-site/exclusions.conf;
 # Cache static content
 include per-site/cache.conf;
diff --git a/sites-available/multisite-subdirectory.com b/sites-available/multisite-subdirectory.com
index 3af3a89..581bf67 100644
--- a/sites-available/multisite-subdirectory.com
+++ b/sites-available/multisite-subdirectory.com
@@ -15,8 +15,8 @@ server {
 access_log /sites/multisite-subdirectory.com/logs/access.log;
 error_log /sites/multisite-subdirectory.com/logs/error.log;
- # Log exclusions
- include per-site/logs.conf;
+ # Exclusions
+ include per-site/exclusions.conf;
 # Cache static content
 include per-site/cache.conf;
diff --git a/sites-available/multisite-subdomain.com b/sites-available/multisite-subdomain.com
index beebe0d..5b78fe9 100644
--- a/sites-available/multisite-subdomain.com
+++ b/sites-available/multisite-subdomain.com
@@ -15,8 +15,8 @@ server {
 access_log /sites/multisite-subdomain.com/logs/access.log;
 error_log /sites/multisite-subdomain.com/logs/error.log;
- # Log exclusions
- include per-site/logs.conf;
+ # Exclusions
+ include per-site/exclusions.conf;
 # Cache static content
 include per-site/cache.conf;
diff --git a/sites-available/singlesite.com b/sites-available/singlesite.com
index 8af2aaf..31029c6 100644
--- a/sites-available/singlesite.com
+++ b/sites-available/singlesite.com
@@ -15,8 +15,8 @@ server {
 access_log /sites/singlesite.com/logs/access.log;
 error_log /sites/singlesite.com/logs/error.log;
- # Log exclusions
- include per-site/logs.conf;
+ # Exclusions
+ include per-site/exclusions.conf;
 # Cache static content
 include per-site/cache.conf;
diff --git a/sites-available/ssl.com b/sites-available/ssl.com
index ab4dead..9cfca58 100644
--- a/sites-available/ssl.com
+++ b/sites-available/ssl.com
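Review bot: The replacement comment `# Exclusions` in sites-available/fastcgi-cache.com (and in the identical two-line change to multisite-subdirectory.com, multisite-subdomain.com, singlesite.com and ssl.com) does not say that this include now carries the hidden-file and uploads `.php` deny rules as well as the log exclusions. nginx takes the first regex location that matches, in order of appearance, so the include has to stay above any PHP handler location in the server block; that block continues outside these hunks, so the ordering could not be checked here. I would write the comment as `# Security denies and log exclusions - keep above the PHP location block`. If a vhost relied on global/security.conf for the two deny rules, it loses them with this patch unless it also picks up this include line.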
@@ -20,8 +20,8 @@ server {
 access_log /sites/ssl.com/logs/access.log;
 error_log /sites/ssl.com/logs/error.log;
- # Log exclusions
- include per-site/logs.conf;
+ # Exclusions
+ include per-site/exclusions.conf;
 # Cache static content
 include per-site/cache.conf;