ผมคัดมาแล้ว ไม่ชนกับสคริปต์ปกติทั่ว ๆ ไป รันในเครื่องที่มีลูกค้า 500 โดเมนก็ไม่มีปัญหา
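# Server-context security rules for a multi-tenant WordPress host.
#
# The `if` blocks run in the server rewrite phase, before any location is
# selected.  The `location` blocks are all regex locations: nginx tries them
# in the order written and stops at the first match, so order matters when
# adding rules.
#
# NOTE(review): this listing was recovered from a web page that had replaced
# straight quotes with typographic ones (“ ” ’) and `--` with an en dash;
# they have been restored to plain ", ' and -- so the file parses and the
# regexes mean what the author intended.  Rules that appeared twice (the
# original pasted a second "secrules.conf" copy at the end) have been dropped:
# a later identical regex `location` can never match because the earlier copy
# already wins, and a repeated `if` is merely evaluated twice.

# ---------------------------------------------------------------------------
# Request-level checks (server context)
# ---------------------------------------------------------------------------

# Some bots send no User-Agent at all; refuse them outright.
if ($http_user_agent = "") {
    set $proxyflag "forbidden";
    return 403;
}

# TimThumb remote-code-execution probes: a .php request whose src= parameter
# points at one of the image hosts TimThumb used to trust.  $request_uri is
# the raw path *including* the query string, so the parameter is visible here.
if ($request_uri ~* "\.php.*src=.*(flickr\.com|picasa\.com|blogger\.com|wordpress\.com|img\.youtube\.com|wikimedia\.org|photobucket\.com|imgur\.com|imageshack\.us|tinypic\.com)") {
    set $proxyflag "forbidden";
    return 403;
}

# Cache and upload directories must never execute PHP (dropped web shells).
# NOTE(review): most blocks below answer 500.  That makes blocked attacks
# indistinguishable from genuine server errors in logs and monitoring; 403
# (or 444 to drop the connection silently) is the clearer choice.  The codes
# are left as they were so anything keyed on them keeps working.
if ($request_uri ~* "/cache/.*\.php") {
    set $proxyflag "forbidden";
    return 500;
}
if ($request_uri ~* "/uploads?/.*\.php") {
    set $proxyflag "forbidden";
    return 500;
}

# Known botnet / trojan request patterns.
if ($request_uri ~* "\?.*eval\(") {
    set $proxyflag "forbidden";
    return 500;
}

# NOTE(review): $request_body is only populated once a proxy_pass/fastcgi_pass
# location has read the body into a memory buffer.  In a server-level `if`
# (rewrite phase, before the body is read) it is normally empty, so the three
# $request_body rules in this file most likely never fire.  They are kept for
# fidelity; real body inspection needs a module that reads the body first.
if ($request_body ~* "\?.*eval\(") {
    set $proxyflag "forbidden";
    return 500;
}
# "mfunc" dynamic-code marker (presumably the W3 Total Cache exploit).  The
# page showed this as `<!–mfunc` with an en dash; the intended pattern is the
# HTML comment opener `<!--mfunc`.
if ($request_body ~* "<!--mfunc") {
    set $proxyflag "forbidden";
    return 500;
}
if ($request_uri ~* "act=phptools") {
    set $proxyflag "forbidden";
    return 500;
}
if ($request_uri ~* "act=udp") {
    set $proxyflag "forbidden";
    return 500;
}
# Command-execution function followed by base64_decode anywhere in the URI.
if ($request_uri ~* "(passthru|exec|system|eval).*base64_decode") {
    set $proxyflag "forbidden";
    return 500;
}

# Disabled by the original author ("client incompatibility"): would have
# refused every POST that carries no Referer header.
#set $testfilter "$request_method$http_referer";
#if ($testfilter = "POST") {
#    set $proxyflag "forbidden";
#    return 500;
#}

# Crude SQL-injection signature in the query string: UNION ... ALL ... SELECT
# with up to two arbitrary characters between the keywords.
if ($query_string ~* "union.?.?all.?.?select") {
    set $proxyflag "forbidden";
    return 500;
}

# Known botnet drop-file names and POST parameter (per the original author).
if ($request_uri ~* "/(dvmessages|sh).php") {
    set $proxyflag "forbidden";
    return 500;
}
# See the $request_body note above -- unlikely to be effective here.
if ($request_body ~* "c_id=") {
    set $proxyflag "forbidden";
    return 500;
}

# SQL-injection tools identified by User-Agent.
if ($http_user_agent ~* "Havij") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "sqlmap/") {
    set $proxyflag "forbidden";
    return 500;
}

# Crawlers the operator chooses not to serve -- a bandwidth/SEO decision, not
# a security one.  "baidu|yand" already matches "Baiduspider", so the separate
# Baiduspider rule from the original was dead code and is omitted.
if ($http_user_agent ~* "baidu|yand") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "AhrefsBot") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "rogerbot") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "exabot") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "MJ12bot") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "dotbot") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "gigabot") {
    set $proxyflag "forbidden";
    return 500;
}
# One specific PycURL build, presumably seen abusing the host; verify it is
# still worth keeping before copying this rule elsewhere.
if ($http_user_agent ~* "PycURL/7.23.1") {
    set $proxyflag "forbidden";
    return 500;
}
if ($http_user_agent ~* "BLEXBot") {
    set $proxyflag "forbidden";
    return 500;
}

# Only GET/POST/HEAD are needed to serve WordPress; anything else gets the
# connection closed without a response (444).  NOTE(review): this also drops
# OPTIONS, which breaks CORS preflight if any hosted site depends on it.
if ($request_method !~ ^(GET|POST|HEAD)$ ) {
    return 444;
}

# ---------------------------------------------------------------------------
# Regex location rules (first match wins)
# ---------------------------------------------------------------------------

# Script files under wp-content/uploads are served as plain text instead of
# being executed.  NOTE(review): because this precedes the broader "deny all"
# for wp-content/*.php further down, a PHP file in uploads is *shown*, not
# refused; if exposing dropped script source is undesirable, change the body
# to `deny all;`.
location ~* ^/wp-content/uploads/.*.(php|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ {
    types { }
    default_type text/plain;
}

# Disabled by the original author -- enable only if phpMyAdmin is NOT used.
#location ~* .(administrator|[pP]hp[mM]y[aA]dmin) {
#    deny all;
#}

# PHP-setting probes, leaked config dumps and the wlwmanifest discovery file.
location ~* .(display_errors|set_time_limit|allow_url_include.*disable_functions.*open_basedir|set_magic_quotes_runtime|webconfig.txt.php|file_put_contentssever_root|wlwmanifest) {
    deny all;
}

# Dotfiles and well-known sensitive or version-fingerprinting files.
location ~ /(\.ht|wp-config.php|readme.html|license.txt|nginx.conf|wp-config-sample.php|readme.txt|dbconfig.php) {
    deny all;
}

# Non-PHP script types are not served at all.
location ~* \.(pl|cgi|py|sh|lua)$ { return 444; }

# Quote/semicolon followed by an SQL keyword at the end of the path.
location ~* ".(\;|'|\"|%22).*(request|insert|union|declare|drop)$" {
    deny all;
}

# Disabled by the original author.
#location ~* .(globals|encode|localhost|loopback|xmlrpc) {
#    deny all;
#}

# XML-RPC is reachable from a single allow-listed address.
# NOTE(review): confirm 172.0.1.1 is really the intended client -- it is
# outside the 172.16.0.0/12 private range, i.e. a public address.
location ~* /xmlrpc.php$ {
    allow 172.0.1.1;
    deny all;
}

# No PHP execution from content/upload/include trees.  Not logged, because
# scanners hit these paths constantly.
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

# VCS metadata, .htaccess-style files and .user.ini.  (`/*` after the
# directory name means "zero or more slashes", so `/.git` anywhere in the
# path matches, including names such as `/.gitignore`.)
location ~ /\.(svn|git)/* {
    deny all;
    access_log off;
    log_not_found off;
}
location ~ /\.ht {
    deny all;
    access_log off;
    log_not_found off;
}
location ~ /\.user.ini {
    deny all;
    access_log off;
    log_not_found off;
}

# Parts of wp-admin / wp-includes that browsers never need directly.  The
# original author notes that blocking all of wp-includes breaks WordPress.
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*.php { deny all; }

# Generic attack-string signatures.  `location` is matched against the
# normalised request path *without* the query string, so these only catch
# payloads placed in the path itself, not in parameters.
location ~* "(eval\()" { deny all; }
location ~* "(127\.0\.0\.1)" { deny all; }
location ~* "([a-z0-9]{2000})" { deny all; }   # absurdly long single token
location ~* "(javascript\:)(.*)(\;)" { deny all; }
location ~* "(base64_encode)(.*)(\()" { deny all; }
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; }
location ~* "(<|%3C).*script.*(>|%3)" { deny all; }

# The original author marked the rest as "not test", i.e. not yet validated
# against real traffic -- watch for false positives when enabling them.
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
location ~* "(https?|ftp|php):/" { deny all; }
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
#location ~* "/(\$(\&)?|\*|\"|\.|,|&|&?)/?$" { deny all; }
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
# Backup/config/VCS/binary extensions that should never be downloadable.
location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
# Well-known web-shell and thumbnail-script file names.
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }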