From 871fbd863526d8f6e2626a2d42a9d227fde4d369 Mon Sep 17 00:00:00 2001
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 15:56:28 +0330
Subject: [PATCH 1/8] chore(nginx-core): update security rules to deny access instead of returning 444

---
 .../etc/nginx/templates/location.d/30-secure.conf.template | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nginx-core/etc/nginx/templates/location.d/30-secure.conf.template b/nginx-core/etc/nginx/templates/location.d/30-secure.conf.template
index 6029a41..667f97b 100644
--- a/nginx-core/etc/nginx/templates/location.d/30-secure.conf.template
+++ b/nginx-core/etc/nginx/templates/location.d/30-secure.conf.template
@@ -7,15 +7,15 @@ location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op]|lock)|~)$ {
 }
 
 location ~* \.(pl|cgi|py|sh|lua)$ {
- return 444;
+ deny all;
 }
 
 location ~* (w00tw00t) {
- return 444;
+ deny all;
 }
 
 location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
- return 444;
+ deny all;
 }
 
 location = /robots.txt {
From 8b2c09e64b2ab6bed0e5c9316847f0f68d88b590 Mon Sep 17 00:00:00 2001
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 15:56:58 +0330
Subject: [PATCH 2/8] chore(nginx-core): update method restrictions to deny all except HEAD, GET, and OPTIONS

---
 .../templates/location.d/31-allow-method.conf.template | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template b/nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template
index bda2f77..c74a593 100644
--- a/nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template
+++ b/nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template
@@ -1,3 +1,5 @@
-if ($request_method != GET) {
- return 405;
+location / {
+ limit_except HEAD GET OPTION {
+ deny all;
+ }
 }
From 21b881776bfd9b82ff9cf1f65b410e6da988edca Mon Sep 17 00:00:00 2001
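Review bot: Replacing `return 444` with `deny all` in the three regex locations changes what the client sees from a dropped connection to an HTTP 403 (and whatever `error_page 403` handler applies), which is a visible behavior change worth naming in the commit message. Separately, the alternative `^(\..*|Entries.*|Repository|Root|Tag|Template)$` in the third location can never match, because nginx tests location regexes against the normalized URI, which always begins with `/`; if the intent is to refuse dot-files such as `/.env`, whose extensions are not in the first location's `(?:\.(?:bak|conf|...)|~)$` list, that needs its own block, `location ~ /\. { deny all; }`. The body of the first location starts before this hunk, so its full rule set is not visible here.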
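Review bot: Moving the method check into `location / {` narrows its scope: `limit_except` governs only requests that resolve to this prefix location, so any other location in the same server (the regex and exact-match blocks such as `location = /robots.txt` in 30-secure.conf.template) is no longer method-restricted, whereas the old `if ($request_method != GET)` applied wherever this file was included. `deny all` also turns the previous 405 into a 403; 405 is the accurate status for an unsupported method, and since `limit_except` only accepts access/auth directives the status change is inherent to this construct and should be a conscious choice. If this template and 70-cors.conf.template, which already opens `location / {` (see patch 5), are rendered into the same server, nginx rejects the configuration with a duplicate-location error; the series only resolves that in patch 7 by merging both into root.d, so this commit is not independently loadable.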
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 15:57:09 +0330
Subject: [PATCH 3/8] chore(nginx-core): add break statement to force domain redirection logic

---
 .../etc/nginx/templates/location.d/40-force-domain.conf.template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nginx-core/etc/nginx/templates/location.d/40-force-domain.conf.template b/nginx-core/etc/nginx/templates/location.d/40-force-domain.conf.template
index d06516c..81850fc 100644
--- a/nginx-core/etc/nginx/templates/location.d/40-force-domain.conf.template
+++ b/nginx-core/etc/nginx/templates/location.d/40-force-domain.conf.template
@@ -1,3 +1,4 @@
 if ($host != $NGINX_FORCE_DOMAIN) {
 return $NGINX_FORCE_DOMAIN_STATUS $scheme://$NGINX_FORCE_DOMAIN$request_uri;
+ break;
 }
From 23f72ec9ff030218c9cd8c6521836ce1164d98d1 Mon Sep 17 00:00:00 2001
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 15:57:23 +0330
Subject: [PATCH 4/8] chore(nginx-core): add break statement to redirect URI logic

---
 .../nginx/templates/location.d/50-redirect-uri.conf.template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nginx-core/etc/nginx/templates/location.d/50-redirect-uri.conf.template b/nginx-core/etc/nginx/templates/location.d/50-redirect-uri.conf.template
index 3da9226..48b7feb 100644
--- a/nginx-core/etc/nginx/templates/location.d/50-redirect-uri.conf.template
+++ b/nginx-core/etc/nginx/templates/location.d/50-redirect-uri.conf.template
@@ -1,3 +1,4 @@
 if ($redirect_uri) {
 return $NGINX_FORCE_REDIRECT_STATUS $redirect_uri;
-}
\ No newline at end of file
+ break;
+}
From 1cc79cee5099ddec47288872c46ea55f4bbe2208 Mon Sep 17 00:00:00 2001
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 15:57:33 +0330
Subject: [PATCH 5/8] chore(nginx-core): add break statement to CORS location block

---
 nginx-core/etc/nginx/templates/location.d/70-cors.conf.template | 1 +
 1 file changed, 1 insertion(+)

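Review bot: The `break;` added after `return $NGINX_FORCE_DOMAIN_STATUS ...` is unreachable: `return` ends rewrite-module processing for the request on its own, so nothing after it in the same `if` block ever runs and the directive is noise. The same dead `break;` is added in 50-redirect-uri.conf.template (patch 4), 70-cors.conf.template (patch 5) and 90-home-json.conf.template (patch 6). If these were meant to work around a `return` that appeared not to stop processing, the cause lies elsewhere and `break` will not change it; drop the four lines, or state in a comment what they are expected to prevent so the next reader does not have to guess.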
diff --git a/nginx-core/etc/nginx/templates/location.d/70-cors.conf.template b/nginx-core/etc/nginx/templates/location.d/70-cors.conf.template
index 2016f5b..694fc3c 100644
--- a/nginx-core/etc/nginx/templates/location.d/70-cors.conf.template
+++ b/nginx-core/etc/nginx/templates/location.d/70-cors.conf.template
@@ -14,5 +14,6 @@ location / {
 add_header 'Content-Length' 0;
 
 return 204;
+ break;
 }
 }
From e5523ebb1fb30b3ab13d19be080e694a53e5af95 Mon Sep 17 00:00:00 2001
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 15:57:40 +0330
Subject: [PATCH 6/8] chore(nginx-json): add break statement to home JSON location block

---
 .../etc/nginx/templates/location.d/90-home-json.conf.template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nginx-json/etc/nginx/templates/location.d/90-home-json.conf.template b/nginx-json/etc/nginx/templates/location.d/90-home-json.conf.template
index 1d2df88..b7b33c7 100644
--- a/nginx-json/etc/nginx/templates/location.d/90-home-json.conf.template
+++ b/nginx-json/etc/nginx/templates/location.d/90-home-json.conf.template
@@ -2,4 +2,5 @@ location = / {
 # return static json for home page
 default_type application/json;
 return 200 '{"ok": true, "data": "..:: Alwatr NGINX ::.."}';
+ break;
 }
From 302276ccf98a0cd8eb9378bf2fffa6f4f5d8796d Mon Sep 17 00:00:00 2001
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 16:19:20 +0330
Subject: [PATCH 7/8] chore(nginx-core): reorganize configuration files and remove deprecated settings

---
 .../etc/nginx/entrypoint.d/91-force-domain.sh | 2 +-
 .../etc/nginx/entrypoint.d/92-auto-webp.sh | 2 +-
 nginx-core/etc/nginx/entrypoint.d/93-cors.sh | 2 +-
 .../location.d/31-allow-method.conf.template | 5 -----
 ...template => 40-redirect-uri.conf.template} | 0
 ...bp.conf.template => 50-webp.conf.template} | 0
 .../location.d/70-cors.conf.template | 19 -------------------
 .../location.d/90-root.conf.template | 3 +++
 .../location.d/root.d/10-cors.conf.template | 17 +++++++++++++++++
 .../root.d/20-allow-method.conf.template | 3 +++
 .../30-force-domain.conf.template} | 0
 11 files changed, 26 insertions(+), 27 deletions(-)
 delete mode 100644 nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template
 rename nginx-core/etc/nginx/templates/location.d/{50-redirect-uri.conf.template => 40-redirect-uri.conf.template} (100%)
 rename nginx-core/etc/nginx/templates/location.d/{60-webp.conf.template => 50-webp.conf.template} (100%)
 delete mode 100644 nginx-core/etc/nginx/templates/location.d/70-cors.conf.template
 create mode 100644 nginx-core/etc/nginx/templates/location.d/90-root.conf.template
 create mode 100644 nginx-core/etc/nginx/templates/location.d/root.d/10-cors.conf.template
 create mode 100644 nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template
 rename nginx-core/etc/nginx/templates/location.d/{40-force-domain.conf.template => root.d/30-force-domain.conf.template} (100%)

diff --git a/nginx-core/etc/nginx/entrypoint.d/91-force-domain.sh b/nginx-core/etc/nginx/entrypoint.d/91-force-domain.sh
index 08d4f9e..433a06a 100755
--- a/nginx-core/etc/nginx/entrypoint.d/91-force-domain.sh
+++ b/nginx-core/etc/nginx/entrypoint.d/91-force-domain.sh
@@ -7,6 +7,6 @@ test -n "${NGINX_FORCE_DOMAIN:-}" && exit 0
 ME=$(basename "$0")
 echo "$ME: Remove force domain location config"
-rm -fv /etc/nginx/conf.d/location.d/40-force-domain.conf
+rm -fv /etc/nginx/conf.d/location.d/root.d/30-force-domain.conf
 exit 0
diff --git a/nginx-core/etc/nginx/entrypoint.d/92-auto-webp.sh b/nginx-core/etc/nginx/entrypoint.d/92-auto-webp.sh
index 5c852db..c4924a7 100755
--- a/nginx-core/etc/nginx/entrypoint.d/92-auto-webp.sh
+++ b/nginx-core/etc/nginx/entrypoint.d/92-auto-webp.sh
@@ -7,6 +7,6 @@ test -n "${NGINX_AUTO_WEBP:-}" && exit 0
 ME=$(basename "$0")
 echo "$ME: Remove auto webp config"
 rm -fv /etc/nginx/conf.d/http.d/42-map-webp.conf
-rm -fv /etc/nginx/conf.d/location.d/60-webp.conf
+rm -fv /etc/nginx/conf.d/location.d/50-webp.conf
 exit 0
diff --git a/nginx-core/etc/nginx/entrypoint.d/93-cors.sh b/nginx-core/etc/nginx/entrypoint.d/93-cors.sh
index 9b193e0..6923bad 100755
--- a/nginx-core/etc/nginx/entrypoint.d/93-cors.sh
+++ b/nginx-core/etc/nginx/entrypoint.d/93-cors.sh
@@ -6,6 +6,6 @@ test -n "${NGINX_CORS_ENABLE:-}" && exit 0
 ME=$(basename "$0")
 echo "$ME: Remove CORS config"
-rm -fv /etc/nginx/conf.d/location.d/70-cors.conf
+rm -fv /etc/nginx/conf.d/location.d/root.d/10-cors.conf
 exit 0
diff --git a/nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template b/nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template
deleted file mode 100644
index c74a593..0000000
--- a/nginx-core/etc/nginx/templates/location.d/31-allow-method.conf.template
+++ /dev/null
@@ -1,5 +0,0 @@
-location / {
- limit_except HEAD GET OPTION {
- deny all;
- }
-}
diff --git a/nginx-core/etc/nginx/templates/location.d/50-redirect-uri.conf.template b/nginx-core/etc/nginx/templates/location.d/40-redirect-uri.conf.template
similarity index 100%
rename from nginx-core/etc/nginx/templates/location.d/50-redirect-uri.conf.template
rename to nginx-core/etc/nginx/templates/location.d/40-redirect-uri.conf.template
diff --git a/nginx-core/etc/nginx/templates/location.d/60-webp.conf.template b/nginx-core/etc/nginx/templates/location.d/50-webp.conf.template
similarity index 100%
rename from nginx-core/etc/nginx/templates/location.d/60-webp.conf.template
rename to nginx-core/etc/nginx/templates/location.d/50-webp.conf.template
diff --git a/nginx-core/etc/nginx/templates/location.d/70-cors.conf.template b/nginx-core/etc/nginx/templates/location.d/70-cors.conf.template
deleted file mode 100644
index 694fc3c..0000000
--- a/nginx-core/etc/nginx/templates/location.d/70-cors.conf.template
+++ /dev/null
@@ -1,19 +0,0 @@
-add_header 'Access-Control-Allow-Origin' $NGINX_CORS_ORIGIN;
-add_header 'Access-Control-Allow-Methods' $NGINX_CORS_METHODS;
-add_header 'Access-Control-Allow-Headers' $NGINX_CORS_HEADERS;
-add_header 'Access-Control-Max-Age' $NGINX_CORS_MAXAGE;
-
-location / {
- # Handle OPTIONS requests (preflight requests for complex requests)
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' $NGINX_CORS_ORIGIN;
- add_header 'Access-Control-Allow-Methods' $NGINX_CORS_METHODS;
- add_header 'Access-Control-Allow-Headers' $NGINX_CORS_HEADERS;
- add_header 'Access-Control-Max-Age' $NGINX_CORS_MAXAGE;
- add_header 'Content-Type' 'text/plain charset=UTF-8';
- add_header 'Content-Length' 0;
-
- return 204;
- break;
- }
-}
diff --git a/nginx-core/etc/nginx/templates/location.d/90-root.conf.template b/nginx-core/etc/nginx/templates/location.d/90-root.conf.template
new file mode 100644
index 0000000..f70bfcd
--- /dev/null
+++ b/nginx-core/etc/nginx/templates/location.d/90-root.conf.template
@@ -0,0 +1,3 @@
+location / {
+ include /etc/nginx/conf.d/location.d/root.d/*.conf;
+}
diff --git a/nginx-core/etc/nginx/templates/location.d/root.d/10-cors.conf.template b/nginx-core/etc/nginx/templates/location.d/root.d/10-cors.conf.template
new file mode 100644
index 0000000..d7d7997
--- /dev/null
+++ b/nginx-core/etc/nginx/templates/location.d/root.d/10-cors.conf.template
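Review bot: With `include /etc/nginx/conf.d/location.d/root.d/*.conf;` placed inside `location / {`, the force-domain redirect (root.d/30-force-domain.conf) and the method restriction (root.d/20-allow-method.conf) now apply only to requests that end up in this prefix location; a request matched by a regex or exact location elsewhere in the server (for example `location = /robots.txt` in 30-secure.conf.template, or nginx-json's `location = /` seen in patch 6) is neither redirected to the forced domain nor method-restricted. Previously the `if ($host != $NGINX_FORCE_DOMAIN)` block sat at the top level of its file and so applied wherever location.d was included, presumably server context. If covering every location is the intent, the force-domain `if` belongs back at server level and `limit_except` has to be repeated in the other content-serving locations; either way a one-line comment here, `# root.d snippets are scoped to "location /" only; other locations are not covered`, would make the narrowed scope explicit.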
@@ -0,0 +1,17 @@
+add_header 'Access-Control-Allow-Origin' $NGINX_CORS_ORIGIN;
+add_header 'Access-Control-Allow-Methods' $NGINX_CORS_METHODS;
+add_header 'Access-Control-Allow-Headers' $NGINX_CORS_HEADERS;
+add_header 'Access-Control-Max-Age' $NGINX_CORS_MAXAGE;
+
+# Handle OPTIONS requests (preflight requests for complex requests)
+if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' $NGINX_CORS_ORIGIN;
+ add_header 'Access-Control-Allow-Methods' $NGINX_CORS_METHODS;
+ add_header 'Access-Control-Allow-Headers' $NGINX_CORS_HEADERS;
+ add_header 'Access-Control-Max-Age' $NGINX_CORS_MAXAGE;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+
+ return 204;
+ break;
+}
diff --git a/nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template b/nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template
new file mode 100644
index 0000000..8542faf
--- /dev/null
+++ b/nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template
@@ -0,0 +1,3 @@
+limit_except HEAD GET OPTION {
+ deny all;
+}
diff --git a/nginx-core/etc/nginx/templates/location.d/40-force-domain.conf.template b/nginx-core/etc/nginx/templates/location.d/root.d/30-force-domain.conf.template
similarity index 100%
rename from nginx-core/etc/nginx/templates/location.d/40-force-domain.conf.template
rename to nginx-core/etc/nginx/templates/location.d/root.d/30-force-domain.conf.template
From ca26449cf02f13950a4d788bb371623bf3f8c98a Mon Sep 17 00:00:00 2001
From: Ali Mihandoost
Date: Sat, 9 Nov 2024 16:23:13 +0330
Subject: [PATCH 8/8] fix(nginx-core): correct OPTIONS spelling in limit_except directive

---
 .../templates/location.d/root.d/20-allow-method.conf.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

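Review bot: `add_header 'Content-Type' 'text/plain charset=UTF-8';` is a malformed media type carried over unchanged from the deleted 70-cors.conf.template; the parameter needs a `;` separator, `add_header 'Content-Type' 'text/plain; charset=UTF-8';`. Second, the four top-level `add_header` lines now live inside `location /` (through 90-root.conf.template) instead of at the level where location.d is included, and nginx inherits `add_header` from the enclosing level only when the current level defines none; so any `add_header` set at server level, security headers for instance if the image sets them, stops being emitted for `location /`, and the same rule is what forces the repetition inside the `if` block. If server-level headers exist they must be repeated here as well, or the CORS headers moved back up; a comment such as `# add_header at this level replaces, not extends, the server-level add_header set` would make that pitfall visible to the next maintainer.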
diff --git a/nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template b/nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template
index 8542faf..4bc17b3 100644
--- a/nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template
+++ b/nginx-core/etc/nginx/templates/location.d/root.d/20-allow-method.conf.template
@@ -1,3 +1,3 @@
-limit_except HEAD GET OPTION {
+limit_except HEAD GET OPTIONS {
 deny all;
 }