#####################################################################
# === Place your custom rules for Nginx here ===
#
# Some examples:
# - Engintron & CloudFlare
# - HTTP to HTTPS redirects when using CloudFlare
# - Setting up domains with dedicated IPs on the system
# - Cache exclusions for domains, subdomains or even directories
# - Any other global or domain specific rule (redirect, process etc.)
#
# For up to date info check out the Engintron wiki at:
# https://engintron.com/docs
#
# *** Updated for Engintron v2.4 ***
#
#####################################################################
# === FOR USE WITH CLOUDFLARE ===
#
# a) If your server has a single shared IP ONLY and you wish to use CloudFlare for any (or all) of your sites
# you will have to specify this shared IP address below otherwise you'll get errors from CloudFlare.
# This change will simply tell Nginx to skip DNS resolving and just forward traffic to the shared IP.
# Uncomment the following line if all your sites on the shared (main) IP of your server are on CloudFlare:
#
# set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX"; # Use your cPanel's shared IP address here
#
# b) If you utilize CloudFlare on a cPanel server with BOTH a shared IP and dedicated IPs for domains, you will
# have to set the IP for each such domain ONLY at the "WHEN TO SPECIFY A DOMAIN IP" section lower in this file.
#
# c) It is possible to force-redirect all your domains on CloudFlare to HTTPS if you have TLS/SSL enabled
# in CloudFlare's "Crypto" settings page. Make sure you use "Flexible SSL" there so CloudFlare proxies
# traffic from HTTPS to Nginx's HTTP port (80). This way you'll also be able to serve sites over HTTPS with
# no actual TLS/SSL certificate installed on the server, as long as they exist in CloudFlare and have
# CloudFlare's shared TLS/SSL certificate enabled there. To redirect to HTTPS, simply specify a block similar
# to the one below and make sure you set the domains you DO NOT want to automatically redirect to HTTPS.
#
# # === Protocol redirect handling when using CloudFlare [start] ===
#
# set $redirToSSL "";
# if ($http_cf_visitor ~ '{"scheme":"http"}') {
# set $redirToSSL "on";
# }
#
# # Set each domain you DO NOT want to automatically redirect to HTTPS when using CloudFlare only below
# # and repeat the process with additional "if" blocks for more domains
#
# if ($host ~ 'domain-to-exclude-from-redirect.com') {
# set $redirToSSL "off";
# }
# if ($redirToSSL = "on") {
# return 301 https://$host$request_uri;
# }
#
# # === Protocol redirect handling when using CloudFlare [finish] ===
# === WHEN TO SPECIFY A DOMAIN IP ===
# By default, Nginx will redirect requests to the right domain IP by using DNS resolving.
# However there are cases where you want to specify an IP for use with Nginx:
# - When you use CloudFlare for certain domains only on your server,
# regardless of whether these domains use the server's shared IP or a dedicated IP.
# - When you are working on a domain which does not yet (DNS) resolve to your server,
# but you want to access it by modifying your computer's "hosts" file.
#
# To specify the domain IP in such cases, simply enter a domain or subdomain in an "if" block
# (as shown below) and inside that block set the appropriate shared or dedicated IP to point to.
#
# To specify the IP for a domain simply uncomment the following 3 lines and make sure you replace
# example.com with your actual domain or subdomain and also replace XXX.XXX.XXX.XXX with the actual
# IP assigned to that domain. To specify the IP for more domains, simply copy that "if" block
# (per domain) and change accordingly.
#
# if ($host ~ "example.com") {
# set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX";
# }
# === DOMAIN AND URL PATH EXCLUSIONS FROM CACHING ===
# If you wish to exclude certain domains, subdomains or even full URL paths from micro-caching and/or
# static file caching, simply specify them below and use a colon (|) character as a separator.
# Remember that if you specify a "naked" domain name, e.g. mynicedomain.com, every subdomain e.g.
# support.mynicedomain.com will also be excluded from caching. Decide wisely!
# If you wish to disable ONLY micro-caching, then comment the line "set $CACHE_BYPASS_FOR_STATIC".
# If you wish to disable ONLY static file caching, then comment the line "set $CACHE_BYPASS_FOR_DYNAMIC".
#
# Note: Don't include the "http(s)://" portion of a URL.
#
# if ($SITE_URI ~* "example.com|example2.com/path|example3.com/some/other/path|subdomain.example4.com") {
# set $CACHE_BYPASS_FOR_DYNAMIC 1; # Disables micro-caching
# set $CACHE_BYPASS_FOR_STATIC 1; # Disables static file caching
# }
# === HOST NODE (OR OTHER NON-PHP) APSS ON CPANEL ===
# One of the nice-to-have things with Engintron is that it makes it a breeze to proxy requests to any port in your server, supporting apps that would never otherwise work with standard cPanel domains. Such an example is a Node.js app running on port 3000 or ElasticSearch, a popular search engine written in Java (works on port 9200), which usually comes with frontends that also work on non-standard web ports (e.g. Cerebro uses port 9000).
#
# If you want to proxy both HTTP and HTTPS traffic to a given app, you have to do 2 things:
#
# First create a domain or subdomain in cPanel for the app, even if you don't need to host the app within the typical folder structure in cPanel. This way you allow cPanel to create a domain reference so it can utilize AutoSSL and therefore have an SSL certificate issued for that domain/subdomain. Of course, to resolve (owner) permission issues, you should at least have your app inside the given user's home folder (/home/USERNAME/).
#
# Then create a proxying rule here and define the internal app port as well as the protocol (e.g. if you need to enforce HTTP because your app does not "speak" HTTPS):
#
# An example rule for a Node.js app that listens on port 3000, supports HTTP only & needs to respond to a naked or www subdomain would be:
#
# if ($host ~ "mynodeapp.com") {
# set $PROXY_SCHEME "http";
# set $PROXY_TO_PORT 3000;
# }
#
# If you want the app to proxy a certain subdomain, make the rule stricter (replacing ~ with =):
#
# if ($host = "app.mynodeapp.com") {
# set $PROXY_SCHEME "http";
# set $PROXY_TO_PORT 3000;
# }
# === COMMON PROTECTION FROM USELESS/BAD BOTS ===
# Comment out the following line to enable common bot protection
# include common_simple_protection.conf;
# OPTIONAL / CUSTOM BOT PROTECTION
# Block premium, AI or other bots, e.g. "amazonbot" or OpenAI's ChatGPT bots like "gptbot" or "chatgpt-user".
# if ($http_user_agent ~* (bot_x_here|bot_y_here)) {
# return 444;
# }
# === IP BLOCKING ===
# ~ Determine IPs with most connections...
# Check access log file:
# $ cat /var/log/nginx/access.log | cut -f1 -d ' ' | sort | uniq -c | sort -g
#
# ~ Tool to use for IP range to CIDR: https://www.ipaddressguide.com/cidr
#
# Add IPs to block following this format:
# deny 1.2.3.4;