{"id":6380,"date":"2016-10-13T06:44:12","date_gmt":"2016-10-12T22:44:12","guid":{"rendered":"http:\/\/rmohan.com\/?p=6380"},"modified":"2016-10-13T08:42:23","modified_gmt":"2016-10-13T00:42:23","slug":"under-linux-server-security-configuration-of-nginx","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6380","title":{"rendered":"Linux server security configuration of Nginx"},"content":{"rendered":"

Under Linux server security configuration of Nginx<\/strong><\/p>\n

1, some common sense
\nunder Linux, you want to read a file, you first need to have execute permissions for the folder where the file, and then you need to read permissions on the file.<\/p>\n

Execute permissions php files do not need the file, you only need read permission nginx and php-fpm run accounts.<\/p>\n

After uploading Trojans, you can not list the contents of a folder with php-fpm running account permission to read the relevant folder permissions Trojans execute commands with the account permissions php-fpm related.<\/p>\n

If the Trojan to execute the command, you need php-fpm account the corresponding sh Executive authority.<\/p>\n

Reads a file within the folder, the folder is not necessary to have read access, only for folders have execute permissions.<\/p>\n

1, the top of the configuration
\n1, the top of the configuration<\/p>\n

#define Nginx users and user groups to run
\nuser nginx;<\/p>\n

# processes Files
\npid \/var\/run\/nginx.pid;<\/p>\n

#Error log locations and levels, Debug, the info, Notice, The warn, error, criteres
\nerror_log \/var\/log\/nginx\/error.log warn;<\/p>\n

#Nginx number of worker processes, and can be set for the number of CPU cores available.
\nworker_processes 8;<\/p>\n

# each worker limit the maximum number of open file descriptors. The theoretical value should be opened up to the number (the value of the system ulimit -n) divided by the number of processes and nginx file, but nginx allocation request is not uniform, it is proposed that is consistent with the value of ulimit -n.
\nworker_rlimit_nofile 65535;<\/p>\n

2, Events module<\/p>\n

events {
\n# worker processes simultaneously set a maximum number of connections open
\nworker_connections 2048;<\/p>\n

# tell nginx connection after receiving a new notification to accept as many connections
\nmulti_accept on;<\/p>\n

#set for multiplexing client thread polling method. If you use Linux 2.6+, you should use epoll. If you use * BSD, you should use kqueue.
\nuse epoll;
\n}<\/p>\n

3?HTTP
\nhttp {
\n#hide Nginx version number, to improve security.
\nserver_tokens off;<\/p>\n

# Open and efficient file transfer mode, sendfile sendfile directive specifies Nginx whether to call a function to output files for common applications is set on, if used to download applications such as disk IO heavy duty applications, can be set off, in order to balance the disk and network I \/ O processing speed and reduce the load on the system.
\nsendfile on;<\/p>\n

# whether open access directory listing, turned off by default.
\nautoindex off;<\/p>\n

#?? Nginx
\ntcp_nopush on;<\/p>\n

# tell Nginx to send a data package in all the header files, not one by one to send<\/p>\n

# Nginx told not to cache data, but transmits a section – when the need for timely sending data, it should be when setting this property to the application, which sends a small piece of data can not be obtained immediately return a value. Nginx default tcp nopush always work in the state. However, when the open front sendfile on; when its work is characterized by a final package nopush will automatically switch to turn nopush off. To reduce that delay of 200ms, open nodelay on;
\nit is quickly transmitted. The conclusion is that sendfile on; when open, tcp_nopush and tcp_nodelay are on is possible.
\ntcp_nodelay on;<\/p>\n

# log format set
\nlog_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
\n‘$status $body_bytes_sent “$http_referer” ‘
\n‘”$http_user_agent” “$http_x_forwarded_for”‘;
\n# define access log set to off to turn off logging, improve performance
\naccess_log \/var\/log\/nginx\/access.log main;<\/p>\n

#Connection timeout, in seconds
\nkeepalive_timeout 120;<\/p>\n

# read the HTTP header timeout, the default value of 60. Client and server to establish a connection start after receiving HTTP header, in the process, if not read in a time interval (timeout) to the client sent byte is considered overtime, returned to the client 408 ( “Request timed out”) response.
\nclient_header_timeout 60;<\/p>\n

# the default value of 60. Similar client_header_timeout, but this time-out only when valid HTTP packet body read.
\nclient_body_timeout 10;<\/p>\n

# send a response, the default value of 60. That Nginx server to the client to send data packets, but the client does not have to receive the packet. If a connection over send_timeout defined timeout period, then Nginx will close the connection.
\nsend_timeout 60;<\/p>\n

# by sending RST packets to the client after a direct connection timeout to reset the connection. When this option is turned on, Nginx will timeout after a connection, instead of using the normal case under the four-way handshake to close a TCP connection, but sends RST reset packets directly to users without waiting for user’s response, released directly on Nginx server All about the cache (such as TCP sliding window) socket used. Compared to the normal shutdown mode, which allows the server to avoid many in FIN_WAIT_1, FIN_WAIT_2, TCP TIME_WAIT state connection.
\nNote that the use RST reset packets to close the connection will bring some problems, by default will not open.
\nreset_timedout_connection off;<\/p>\n

# To restrict access, you must have a connection to the container counts, “zone =” is to give it a name, you can easily call, agreed to keep the name below limit_conn. $ binary_remote_addr binary to store the client’s address, 1m can store 32,000 concurrent sessions.
\nlimit_conn_zone $binary_remote_addr zone=addr:5m;<\/p>\n

# given the key to set the maximum number of connections. Here is the key addr, we set value is 100, which means that we allow each IP address to open up to 100 simultaneous connections.
\nlimit_conn addr 100;<\/p>\n

# 100k limit for each connection. That if one IP allows two concurrent connections, then the IP is the speed limit 200K.
\nlimit_rate 100k;<\/p>\n

#include directive is another file that contains the contents of the current file. Here we use it to load the file extension and the file type mapping table. nginx according to the mapping relationship set http request response Content-Type header value. When not found in the mapping table, the default value nginx.conf in default-type specified.
\ninclude \/etc\/nginx\/mime.types;<\/p>\n

#default MIME-type # settings files used
\ndefault_type text\/html;<\/p>\n

# default encoding
\ncharset UTF-8;<\/p>\n

# This module can read the pre-compressed gz file, thus reducing each request gzip compression CPU resource consumption. After the module is enabled, nginx first checks whether the file exists gz ending requests for static files, if there is a direct return to the gz file contents.
\ngzip_static off;<\/p>\n

# Turn gzip compression.
\ngzip on;<\/p>\n

# disable client is IE6 when gzip functions.
\ngzip_disable “msie6”;<\/p>\n

##Nginx as a reverse proxy when enabled. Available Values: OFF | expired The | NO-Cache | NO-Sotre | Private | no_last_modified | no_etag | the auth | the any
\ngzip_proxied any;<\/p>\n

# set the minimum number of pages that allow compressed bytes, the number of bytes from the header page header Content- Length of the acquired. Recommendations set larger than the number of bytes 1k, 1k may be less than the greater the pressure.
\ngzip_min_length 1024;<\/p>\n

# Set the data compression level. This level can be any number between 1-9, 9 is the slowest but maximum compression ratio
\ngzip_comp_level 5;<\/p>\n

# Set the system to obtain several cache unit for storing gzip compression result data stream. 4 4k 4k representative example as a unit, according to the original data size in units of 4 times 4k application memory. If not set, the default is the same size as the original application with data memory space to store gzip compressed results.
\ngzip_buffers 4 16k;<\/p>\n

# Set the desired compressed data format. Nginx default only text \/ html compression.
\ngzip_types text\/plain text\/css application\/json application\/x-javascript text\/xml application\/xml application\/xml+rss text\/javascript;<\/p>\n

# designated as open file cache, the default is not enabled, max specify the cache number of recommendations and open the file number is consistent, inactive refers to how long the file has not been deleted cached request.
\nopen_file_cache max=65535 inactive=30s;<\/p>\n

# valid information check how long the cache
\nopen_file_cache_valid 30s;<\/p>\n

# within #open_file_cache instruction inactive time parameter file using the least number of times, if this number is exceeded, the file descriptor has been opened in the cache of. Last-Modified the same situation, because when nginx after a static file cache, if it is still access the 30s, so it’s cache has existed until the 30s you do not visit so far.
\nopen_file_cache_min_uses 2;<\/p>\n

# whether the records cache error
\nopen_file_cache_errors on;<\/p>\n

include \/etc\/nginx\/conf.d\/*.conf;
\ninclude \/etc\/nginx\/sites-enabled\/*;
\n}<\/p>\n

4, SERVER module<\/p>\n

server {
\n# listening port, nginx based HOST request to determine which configuration section to use SERVER. If no matching server_name, use the default configuration file first. Plus default_server you can not specify the default rule to match.
\n#listen 80;
\nlisten 80 default_server;<\/p>\n

# can have multiple domain names, separated by spaces
\nserver_name www.test.com test.com;
\nroot \/user\/share\/nginx\/html\/test;<\/p>\n

# 404 page configuration
\nerror_page 404 \/404.html;<\/p>\n

# configuration ssl, when there is need to open.
\nssl on;
\nssl_certificate \/etc\/nginx\/ssl\/server.crt;
\nssl_certificate_key \/etc\/nginx\/ssl\/server.key;<\/p>\n

location \/ {
\nindex index.html index.php;
\n}<\/p>\n

# picture cache time
\nlocation ~ .*.(gif|jpg|jpeg|png|bmp|swf)$ {
\nexpires 10d;
\n}<\/p>\n

#js and CSS cache time
\nlocation ~ .*.(js|css)?$ {
\nexpires 1h;
\n}<\/p>\n

location ~ [^\/]\\.php(\/|$) {
\nfastcgi_index index.php;
\n# open PATH_INFO support role is in accordance with the parameters given regular expression is divided into a $ fastcgi_script_name and $ fastcgi_path_info.
\n# For example: When requested index.php \/ id \/ 1 without this line configuration, fastcgi_script_name is \/index.php\/id\/1,fastcgi_path_info is empty.
\n# Plus, fastcgi_script_name is index.php, fastcgi_path_info is \/ the above mentioned id \/ 1
\nfastcgi_split_path_info ^(.+\\.php)(.*)$;<\/p>\n

# This value is the PHP in $ _SERVER [ ‘SCRIPT_FILENAME’] value
\nfastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
\nfastcgi_param PATH_INFO $fastcgi_path_info;
\nfastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;<\/p>\n

# specify the FastCGI server listening port and address. PHP-FPM and shall be the same settings.
\n127.0.0.1:9000;#fastcgi_pass;
\nfastcgi_pass unix:\/var\/run\/php5-fpm.sock;
\ninclude fastcgi_params;
\n}
\n}<\/p>\n

2, prohibit access to IP<\/p>\n

2, the common mode
\n1. Let Trojans after uploading can not be performed: Upload directory for added configured in nginx configuration file, so this directory is unable to resolve PHP
\n2. Let Trojans do not see the non-execution site directory files: Cancel php-fpm running account read permissions for other directories
\n3. run can not be performed after the Trojan: cancel php-fpm execute permissions for the account of sh
\n4. after command execution permission is not too high: php-fpm account with root or not root join group<\/p>\n

3, the specific configuration of
\n1 to deny access to files and execute php<\/p>\n

3, the specific configuration of
\n1 to deny access to files and execute php
\nlocation ~ \/(attachments|upload)\/.*\\.(php|php5)?$ {
\ndeny all;
\n}<\/p>\n

2, prohibit access to IP<\/p>\n

\/\/ Disable the wording of
\nthe deny 10.0.0.0\/24;<\/p>\n

\/\/ wording allowed
\nthe allow 10.0.0.0\/24;
\nthe deny All;<\/p>\n

3, according to the user’s real IP connection limits do<\/p>\n

## Here for the original user’s IP address
\nmap $http_x_forwarded_for $clientRealIp {
\n“” $remote_addr;
\n~^(?P<firstAddr>[0-9\\.]+),?.*$ $firstAddr;
\n}<\/p>\n

## For the original user IP address restrictions do
\nlimit_conn_zone $clientRealIp zone=TotalConnLimitZone:20m ;
\nlimit_conn TotalConnLimitZone 50;
\nlimit_conn_log_level notice;<\/p>\n

## for the original user’s IP address restrictions do
\nlimit_req_zone $clientRealIp zone=ConnLimitZone:20m rate=10r\/s;
\n#limit_req zone=ConnLimitZone burst=10 nodelay;
\nlimit_req_log_level notice;<\/p>\n

## specific server configuration
\nserver {
\nthe listen 80;
\nLOCATION ~ \\ .php $ {
\n## queuing up to 5, since the processing 10 requests per second + 5 line, one second you send up to 15 request over more direct return 503 error to you
\nlimit_req Zone = ConnLimitZone Burst = 5 NoDelay \u2122;<\/p>\n

fastcgi_pass 127.0.0.1:9000;
\nfastcgi_index the index.php;
\nthe include fastcgi_params;
\n}<\/p>\n

}<\/p>\n

4, after a multi-CDN obtain the original user’s IP address, nginx configuration<\/p>\n

$ HTTP_X_FORWARDED_FOR $ clientRealIp {Map
\n## not through a proxy, the direct use of REMOTE_ADDR
\n“” $ REMOTE_ADDR;
\n## with a regular match, made from the user’s original x_forwarded_for the IP
\n##, for example X-Forwarded-For: 202.123.123.11, 208.22.22.234 , 192.168.2.100, …
\n## where the first 202.123.123.11 is the user’s real IP, behind other is through the CDN server
\n~ ^ (? P <firstAddr> [0-9 \\.] +) ,? . * $ $ firstAddr;
\n}<\/p>\n

## through the map command, we created a variable nginx $ clientRealIp, this is the real IP address of the original user,
\n## whether the user is a direct access, or access through a bunch of CDN after we You can obtain the correct IP address of the original<\/p>\n

5?hide version<\/p>\n

server_tokens off;
\nproxy_hide_header X-Powered-By;
\n\/\/ compile time or modify the source code<\/p>\n

6?disable non-essential method<\/p>\n

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
\nreturn 444;
\n}<\/p>\n

7 Disable extension<\/p>\n

location ~* .(txt|doc|sql|gz|svn|git)$ {
\ndeny all;
\n}<\/p>\n

8, the rational allocation response header
\nadd_header Strict-Transport-Security “max-age=31536000”;
\nadd_header X-Frame-Options deny;
\nadd_header X-Content-Type-Options nosniff;
\nadd_header Content-Security-Policy “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ https:\/\/a.disquscdn.com; img-src ‘self’ data: https:\/\/www.google-analytics.com; style-src ‘self’ ‘unsafe-inline’; frame-src https:\/\/disqus.com”;<\/p>\n

Strict-Transport-Security (abbreviated as HSTS) you can tell the browser within the specified max-age, always through HTTPS access<\/p>\n

X-Frame-Options page to specify whether to allow this to be nested iframe, deny that allowed any nested occur<\/p>\n

9, refused several User-Agents<\/p>\n

if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
\nreturn 403;
\n}<\/p>\n

10, to prevent image hotlinking<\/p>\n

valid_referers blocked www.example.com example.com;
\nif ($invalid_referer) {
\nrewrite ^\/images\/uploads.*\\.(gif|jpg|jpeg|png)$ http:\/\/www.examples.com\/banned.jpg last
\n}<\/p>\n

11, a control buffer overflow attacks<\/p>\n

client_body_buffer_size 1K;
\nclient_header_buffer_size 1k;
\nclient_max_body_size 1k;
\nlarge_client_header_buffers 2 1k;<\/p>\n

explain<\/p>\n

1, client_body_buffer_size 1k- (default 8k or 16k) This instruction can specify a connection request buffer size entities. If the value exceeds the specified buffer connection request, then the whole or part of the requesting entity will attempt to write to a temporary file.
\n2, client_header_buffer_size 1k- directive specifies the client request buffer size of the head. In most cases a request header is not greater than 1k, but if there is a large cookie wap from clients it may be greater than 1k, Nginx will be assigned to it a larger buffer, this value can be set inside the large_client_header_buffers .
\n3, client_max_body_size 1k- directive specifies the maximum allowable size of the client requesting entity connected, it appears in the Content-Length header field of the request. If the request is greater than the specified value, the client will receive a “Request Entity Too Large” (413 ) error. Remember, the browser does not know how to show this error.
\n4, large_client_header_buffers- specify the client number and size of some of the larger buffer request header use. Request a field can not be greater than the buffer size, if the client sends a relatively large head, nginx returns “Request URI too large” (414 )
\nclient_body_timeout 10;
\nclient_header_timeout 10;
\nkeepalive_timeout 5 5;
\nsend_timeout 10;<\/p>\n

1, client_body_timeout 10; – read instruction specified timeout request entity. Here timeout refers to a requesting entity did not enter the reading step, if the connection after this time the client does not have any response, Nginx will return a “Request time out” (408) error.
\n2, client_header_timeout 10; – directive specifies the client request header headline read timeout. Here timeout refers to a request header did not enter the reading step, if the connection after this time the client does not have any response, Nginx will return a “Request time out” (408) error.
\n3, keepalive_timeout 5 5; – the first parameter specifies the timeout length of the client and server connections, over this time, the server closes the connection. The second value of the parameter (optional) specifies the response header Keep-Alive: timeout = time value of the time, this value can make some browsers know when to close the connection to the server without having to repeatedly shut down, if you do not specify this parameter , nginx does not send Keep-Alive header information in the response. (This does not refer to how to connect a “Keep-Alive”) values of these two parameters can be different.
\n4, send_timeout 10; directive specifies the timeout is sent to the client after the response, Timeout refers not enter the state established a complete, finished only two handshakes, if more than this time the client send nothing, nginx will close the connection.
\n12, a control concurrent connections<\/p>\n

limit_zone slimits $binary_remote_addr 5m;
\nlimit_conn slimits 5;<\/p>\n

13?sysctl.conf<\/p>\n

# Avoid a smurf attack
\nnet.ipv4.icmp_echo_ignore_broadcasts = 1<\/p>\n

# Turn on protection for bad icmp error messages
\nnet.ipv4.icmp_ignore_bogus_error_responses = 1<\/p>\n

# Turn on syncookies for SYN flood attack protection
\nnet.ipv4.tcp_syncookies = 1<\/p>\n

# Turn on and log spoofed, source routed, and redirect packets
\nnet.ipv4.conf.all.log_martians = 1
\nnet.ipv4.conf.default.log_martians = 1<\/p>\n

# No source routed packets here
\nnet.ipv4.conf.all.accept_source_route = 0
\nnet.ipv4.conf.default.accept_source_route = 0<\/p>\n

# Turn on reverse path filtering
\nnet.ipv4.conf.all.rp_filter = 1
\nnet.ipv4.conf.default.rp_filter = 1<\/p>\n

# Make sure no one can alter the routing tables
\nnet.ipv4.conf.all.accept_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0
\nnet.ipv4.conf.all.secure_redirects = 0
\nnet.ipv4.conf.default.secure_redirects = 0<\/p>\n

# Don’t act as a router
\nnet.ipv4.ip_forward = 0
\nnet.ipv4.conf.all.send_redirects = 0
\nnet.ipv4.conf.default.send_redirects = 0<\/p>\n

# Turn on execshild
\nkernel.exec-shield = 1
\nkernel.randomize_va_space = 1<\/p>\n

# Tuen IPv6
\nnet.ipv6.conf.default.router_solicitations = 0
\nnet.ipv6.conf.default.accept_ra_rtr_pref = 0
\nnet.ipv6.conf.default.accept_ra_pinfo = 0
\nnet.ipv6.conf.default.accept_ra_defrtr = 0
\nnet.ipv6.conf.default.autoconf = 0
\nnet.ipv6.conf.default.dad_transmits = 0
\nnet.ipv6.conf.default.max_addresses = 1<\/p>\n

# Optimization for port usefor LBs
\n# Increase system file descriptor limit
\nfs.file-max = 65535<\/p>\n

# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
\nkernel.pid_max = 65536<\/p>\n

# Increase system IP port limits
\nnet.ipv4.ip_local_port_range = 2000 65000<\/p>\n

# Increase TCP max buffer size setable using setsockopt()
\nnet.ipv4.tcp_rmem = 4096 87380 8388608
\nnet.ipv4.tcp_wmem = 4096 87380 8388608<\/p>\n

# Increase Linux auto tuning TCP buffer limits
\n# min, default, and max number of bytes to use
\n# set max to at least 4MB, or higher if you use very high BDP paths
\n# Tcp Windows etc
\nnet.core.rmem_max = 8388608
\nnet.core.wmem_max = 8388608
\nnet.core.netdev_max_backlog = 5000
\nnet.ipv4.tcp_window_scaling = 1<\/p>\n

14 Firewall Rules
\n\/sbin\/iptables -A INPUT -p tcp –dport 80 -i eth0 -m state –state NEW -m recent –set
\n\/sbin\/iptables -A INPUT -p tcp –dport 80 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 15 -j DROP<\/p>\n

15?Nginx<\/p>\n

\/sbin\/iptables -A OUTPUT -o eth0 -m owner –uid-owner vivek -p tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT<\/p>\n

 <\/p>\n

 <\/p>\n

www.rmohan.com
\nwww.rmohan.net<\/p>\n

nginx<\/p>\n

nginx.conf<\/p>\n

www.rmohan.com\u00a0 http:\/\/192.168.1.18:8080
\nwww.rmohan.net\u00a0 http:\/\/192.168.1.18:8181<\/p>\n

server1?<\/p>\n

server {
\nlisten\u00a0\u00a0\u00a0\u00a0\u00a0 80;
\nserver_name\u00a0 www.rmohan.com;<\/p>\n

location \/ {<\/p>\n

proxy_set_header\u00a0 Host rmohan.com;
\nproxy_redirect off;
\nproxy_set_header\u00a0 X-Real-IP $remote_addr;
\nproxy_set_header X-Forwarded-For $remote_addr;
\nproxy_pass http:\/\/192.168.95.180:8080;<\/p>\n

}
\n}<\/p>\n

server2?<\/p>\n

server {
\nlisten\u00a0\u00a0\u00a0\u00a0\u00a0 80;
\nserver_name\u00a0 www.rmohan.net;<\/p>\n

location \/ {<\/p>\n

proxy_set_header\u00a0 Host rmohan.net;
\nproxy_redirect off;
\nproxy_set_header\u00a0 X-Real-IP $remote_addr;
\nproxy_set_header X-Forwarded-For $remote_addr;
\nproxy_pass http:\/\/192.168.95.181:8181;<\/p>\n

}
\n}<\/p>\n","protected":false},"excerpt":{"rendered":"

Under Linux server security configuration of Nginx<\/p>\n

1, some common sense under Linux, you want to read a file, you first need to have execute permissions for the folder where the file, and then you need to read permissions on the file.<\/p>\n

Execute permissions php files do not need the file, you only need read […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6380"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6380"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6380\/revisions"}],"predecessor-version":[{"id":6385,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6380\/revisions\/6385"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}