I need to know what request methods moodle uses so I can block other non essential request methods and I also need the content security policy. Also, can someone explain how the slash rule work my moodle site is on a subdirectory.
I installed moodle using apache but I migrated to nginx.
Here is my configuration, please pay attention to the TODO
moodle.conf in sites-enabled
server {
#################################################
# Stock useful config options, but ignore them :)
#################################################
include /etc/nginx/mime.types;
# mozilla server config https://mozilla.github.io/server-side-tls/ssl-config-generator/
listen 443 ssl http2;
ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/xxxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxxx.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/xxxxxxcom/chain.pem;
#OWASP SERVER HARDENING
add_header X-XSS-Protection "1; mode=block";
#TODO WHAT REQUEST METHODS MOODLE USES?
if ($request_method !~ ^(GET|HEAD|POST)$ )
{
return 405;
}
#OWASP SERVER HARDENING
#TODO WHAT CONTENT SECURITY POLICY MOODLE NEEDS?
add_header Content-Security-Policy "default-src 'self';";
add_header X-Frame-Options "sameorigin";
add_header Referrer-Policy "strict-origin";
# prevent attacks (someone uploading a .txt file that the browser
# interprets as an HTML file, etc.)
add_header X-Content-Type-Options nosniff;
server_name zxxxx.com;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
#CUSTOM ERROR PAGE
error_page 500 502 503 504 404 403 501 401 400 /301.html;
root /var/USB/www;
index index.php;
# DENY RULES
## Disable .htaccess and other hidden files
location ~ /\. {
return 404;
}
location ~ /(robots.txt) {
allow all;
}
location ~ \.(log|ini|md|MD|sql|lock|json|txt|TXT|dist|yml)$ {
return 404;
}
#TODO IS THIS RIGHT?
#MY MOODLE INSTALL IS ON THE SUBDIRECTORY: http://mysite.com/moodle/ not http://mysite.com
#EVEN IF I REMOVE THE BELOW CONFIG IT WORKS
location ~ /moodle/[^/]\.php(/|$) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location /dataroot/ {
internal;
alias /var/USB/moodledata/; # ensure the path ends with /
}
#PHP
location ~ \.php {
include snippets/fastcgi-php.conf;
# This should be the same value as in your (optional) /etc/php5/fpm/pool.d/$server.conf
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
#end
}