This commit is contained in:
hhftechnologies 2024-09-28 17:48:20 +05:30
parent 9f6a1304e0
commit dd82b3e56c
62 changed files with 2675 additions and 0 deletions

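--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2017 Pothi Kalimuthu
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.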

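--- a/allowlist.conf
+++ b/allowlist.conf
@@ -0,0 +1,15 @@
+# please use the following format...
+# allow ip.add.re.ss;
+# both ipv4 and ipv6 addresses can be whitelisted
+# CIDR notation is allowed too
+# allow ip.add.re.ss1;
+# allow ip.add.re.ss2;
+# allow ip.add.re.ss3;
+# Please do *not* change the following lines
+allow 127.0.0.1;
+deny all;
+# End of file - No more lines, please!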
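Review bot: Only the IPv4 loopback is allowed at `allow 127.0.0.1;`, while the header comment says IPv6 addresses can be listed too; if nginx also listens on an IPv6 socket, local health checks or tooling arriving from `::1` fall through to `deny all;`. If that is intended, say so in the comment; otherwise add `allow ::1;` next to the existing line. It is also worth a comment that `allow`/`deny` evaluate the client address after any real_ip rewriting, so this list is only as trustworthy as the `set_real_ip_from` list in effect.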

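--- a/changelog.txt
+++ b/changelog.txt
@@ -0,0 +1,21 @@
+v3.0
+- Released on May 9, 2018
+- Rename wprocket.conf to wp-rocket.conf
+- Rename wpsupercache.conf to wp-super-cache.conf
+- Added Cloudflare support.
+- IPv6 support added.
+- WebP support.
+- Other minor changes.
+v2.0
+- released on Dec 20, 2017
+- changed filename globals/common-locations.conf to globals/assets.conf
+- other minor changes
+v1.0
+- released on April 23, 2017
+- uniform naming scheme for domain names
+- uniform naming scheme for default files
+- introduction of blacklist and whitelist for IP addresses
+- fix tab/space conflict; now we use only spaces
+- enable gzip by default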

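--- a/conf.d/common.conf
+++ b/conf.d/common.conf
@@ -0,0 +1,90 @@
+### common directives and settings
+index index.html index.php;
+# Ref: https://gist.github.com/magnetikonline/11312172
+fastcgi_buffers 32 32k;
+fastcgi_buffer_size 32k;
+proxy_buffers 8 32k;
+proxy_buffer_size 64k;
+# -------------------------------------------------------------------
+# for time-consuming operations (such as WP import or file upload)
+# https://nginx.org/r/fastcgi_read_timeout
+# default 60 seconds
+fastcgi_read_timeout 5m;
+# -------------------------------------------------------------------
+### To enable large uploads
+# Please make sure the corresponding PHP values are increased as well
+# post_max_size = 8M (default)
+# upload_max_filesize = 2M (default)
+client_max_body_size 2G;
+# -------------------------------------------------------------------
+### To fix the error - could not build the server_names_hash
+# ref: https://nginx.org/en/docs/hash.html
+server_names_hash_bucket_size 128;
+# -------------------------------------------------------------------
+# for extended metrics (in Amplify, etc)
+log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for" '
+'"$host" sn="$server_name" '
+'rt=$request_time '
+'ua="$upstream_addr" us="$upstream_status" '
+'ut="$upstream_response_time" ul="$upstream_response_length" '
+'cs=$upstream_cache_status' ;
+# -------------------------------------------------------------------
+# For SSL Compatibility - WP Super Cache and WP Rocket depend on this
+map $scheme $https_suffix { default ''; https '-https'; }
+# -------------------------------------------------------------------
+### Fine-tune logging
+# ref: https://nginx.org/r/access_log
+map $status $loggable {
+~^[23] 0;
+default 1;
+}
+# -------------------------------------------------------------------
+# https://jdh8.github.io/charset-for-text-on-nginx/
+map $sent_http_content_type $charset {
+~^text/ utf-8;
+}
+charset $charset;
+charset_types *;
+# -------------------------------------------------------------------
+# if you'd like to hide some header info, uncomment this
+# include globals/hide-headers.conf;
+# -------------------------------------------------------------------
+#
+# if you'd like to use cloudflare servers, uncomment this
+# include globals/cloudflare.conf;
+# include globals/sucuri-real-ip.conf;
+# -------------------------------------------------------------------
+# webp support
+# see: https://docs.ewww.io/article/16-ewww-io-and-webp-images
+map $http_accept $webp_suffix {
+default "";
+"~*webp" ".webp";
+}
+# -------------------------------------------------------------------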
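Review bot: The `$loggable` map at `map $status $loggable` marks every 2xx/3xx response as not loggable; if it is wired into `access_log ... if=$loggable` as the "Fine-tune logging" comment implies (the `access_log` line itself is not in this commit), successful requests such as logins, uploads and admin actions leave no access-log trace, which is exactly what an incident responder needs afterwards. A comment stating that trade-off, e.g. `# NOTE: with if=$loggable only 4xx/5xx are recorded; keep full logging on wp-login.php / wp-admin if an audit trail is required`, would make the decision visible to whoever inherits the config. Separately, `client_max_body_size 2G;` is the default for every request rather than only the upload endpoints; scoping it to the locations that need it limits how much body an unauthenticated client can make nginx accept.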

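--- a/conf.d/gzip.conf
+++ b/conf.d/gzip.conf
@@ -0,0 +1,29 @@
+##
+# Gzip Settings
+##
+# uncomment the following, if your nginx.conf already doesn't have it turned on
+# gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_types
+text/plain
+text/css
+text/xml
+text/javascript
+image/svg+xml
+application/json
+application/javascript
+application/x-javascript
+application/xml
+application/atom+xml
+application/xml+rss;
+# Uncomment the following, if Amazon CloudFront is used
+# gzip_http_version 1.0;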
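Review bot: `gzip_types` includes `application/json` and `text/plain`, and nginx compresses `text/html` regardless of this list, so once `gzip on;` is active the PHP-backed responses are compressed as well as static assets; a dynamic page that contains both a secret (nonce, CSRF token) and attacker-influenced input then becomes compressible in the BREACH sense. The usual defensive choice is to keep compression for the static types and leave it off for authenticated dynamic responses, or at least to record the decision: `# these types also apply to dynamic PHP output; review BREACH exposure before enabling gzip on authenticated pages`. The comment `# uncomment the following, if your nginx.conf already doesn't have it turned on` reads backwards; `# uncomment the following if your nginx.conf does not already turn gzip on` says what is meant.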

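--- a/conf.d/lb.conf
+++ b/conf.d/lb.conf
@@ -0,0 +1,17 @@
+# In most cases, only one upstream server should be present
+# Apache backend
+upstream apache { server 127.0.0.1:81; }
+# Varnish backend
+upstream varnish { server 127.0.0.1:6081; }
+# PHP-FPM backend
+# Only one server should be present in all cases
+upstream fpm {
+# server unix:/path/to/socket;
+server unix:/var/lock/php-fpm;
+# server 127.0.0.1:9000;
+# server ip.ip.ip.ip:port;
+}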
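Review bot: `server unix:/var/lock/php-fpm;` points the fpm upstream at a socket in a directory shared with other services; whether other local users can connect to it is decided by PHP-FPM's pool `listen.owner`/`listen.group`/`listen.mode`, which this file cannot show. A comment next to the path such as `# socket should be owned by the nginx user with mode 0660; see the php-fpm pool listen.* settings` records that expectation where the next administrator will look. The commented `# server ip.ip.ip.ip:port;` alternative sends FastCGI over the network without encryption or authentication, which is worth saying in the comment so that it is not uncommented casually.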

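--- a/conf.d/ssl-common.conf
+++ b/conf.d/ssl-common.conf
@@ -0,0 +1,15 @@
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_protocols TLSv1.2 TLSv1.3;
+# From https://weakdh.org/sysadmin.html
+# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+# From https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# run "openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option
+# ssl_dhparam /etc/nginx/dhparam.pem;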
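Review bot: The commented-out weakdh cipher string (`# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:...'`) still admits `DES-CBC3-SHA`, the bare `CAMELLIA` and `AES` groups and non-forward-secret suites, which contradicts the TLSv1.2/TLSv1.3 policy and the Mozilla list a few lines below; a stale, copy-ready weak list is the kind of thing that gets uncommented under pressure, so drop it or replace it with a one-line pointer to the Mozilla generator. `ssl_session_tickets` is not set, so nginx's default (on) applies and the ticket key is generated at startup rather than rotated on a schedule, which weakens forward secrecy for long-lived processes; either `ssl_session_tickets off;` or a comment documenting how the key is rotated would close that gap. `ssl_prefer_server_ciphers on;` only affects TLS 1.2 negotiation; nginx orders the TLS 1.3 suites itself, which is worth a comment so nobody expects it to change the 1.3 behaviour.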

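--- a/denylist.conf
+++ b/denylist.conf
@@ -0,0 +1,9 @@
+# please use the following format...
+# deny ip.add.re.ss;
+# both ipv4 and ipv6 addresses can be blacklisted
+# CIDR notation is allowed too
+# deny ip.add.re.ss1;
+# deny ip.add.re.ss2;
+# deny ip.add.re.ss3;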

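--- a/errors/403.html
+++ b/errors/403.html
@@ -0,0 +1,7 @@
+<html>
+<head><title>403 Forbidden</title></head>
+<body bgcolor="white">
+<center><h1>403 Forbidden</h1></center>
+<hr>
+</body>
+</html>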

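--- a/errors/404.html
+++ b/errors/404.html
@@ -0,0 +1,7 @@
+<html>
+<head><title>404 Not Found</title></head>
+<body>
+<h1 style="text-align: center;">404 Not Found</h1>
+<hr>
+</body>
+</html>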

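--- a/errors/550.html
+++ b/errors/550.html
@@ -0,0 +1,8 @@
+<html>
+<head><title>550 Domain not hosted here</title></head>
+<body bgcolor="white">
+<center><h1>550 - Domain is not hosted here!</h1><p>Probably, it is a mistake by the server administrator!</p></center>
+<hr>
+</body>
+</html>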

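--- a/fastcgi.conf
+++ b/fastcgi.conf
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;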
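Review bot: `fastcgi.conf` and `fastcgi_params` (the next file section) are byte-identical, which invites drift the first time one of them is edited; make one of them `include fastcgi_params;` plus its own additions, or drop the duplicate. Neither file sets `SCRIPT_FILENAME`, so every including location has to supply it — those locations are not in this commit, so this is inferred — and a comment such as `# SCRIPT_FILENAME is intentionally left to the including location` would stop a reader from adding it here in a way that conflicts with them. Whatever sets it should sit behind a `try_files $uri =404;` guard, so that a request for a non-existent `.php` path is never forwarded to PHP-FPM for path-info style resolution.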

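--- a/fastcgi_params
+++ b/fastcgi_params
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;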

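--- a/globals/assets.conf
+++ b/globals/assets.conf
@@ -0,0 +1,58 @@
+# Set expires for static files
+# Note to self (and to anyone forks it)
+# Some sites create robots.txt and sitemap(.xml(.gz)) files on the fly
+# If you are sure that they are indeed static, uncomment the following location blocks for each and adject the expires headers to fit your site's needs
+# location = /robots.txt { expires 1d; log_not_found off; access_log off; }
+# location ~ \.xml(\.gz)?$ { expires 600s; log_not_found off; access_log off; }
+# For CSS / JS
+location ~ \.(?:css|js)$ {
+expires max;
+log_not_found off;
+access_log off;
+add_header X-Content-Type-Options "nosniff";
+}
+# Web fonts needs some special care
+# Reference: http://jmoiron.net/blog/serving-fonts-aws-cloudfront/
+location ~ \.(?:ttf|ttc|eot|woff|woff2|otf|svg)$ {
+# Safe to use the following line
+add_header Access-Control-Allow-Origin "*";
+# use the following with caution!
+# add_header Access-Control-Allow-Origin "http://*.example.com";
+expires max;
+log_not_found off;
+access_log off;
+}
+# Referers for images
+location ~ \.(?:gif|ico|webp)$ {
+### Please change the domainname before uncommenting the following
+# valid_referers none blocked www.example.com example.com;
+# if ($invalid_referer) { return 403; }
+expires max;
+log_not_found off;
+access_log off;
+}
+location ~* ^.+\.(png|jpe?g)$ {
+### Please change the domainname before uncommenting the following
+# valid_referers none blocked www.example.com example.com;
+# if ($invalid_referer) { return 403; }
+# add_header Vary Accept;
+# see https://docs.ewww.io/article/16-ewww-io-and-webp-images
+try_files $uri$webp_suffix $uri =404;
+expires max;
+log_not_found off;
+access_log off;
+}
+# Feeds
+location ~ \.(?:rss|atom)$ {
+expires 600s; # 10 minutes
+}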
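Review bot: Each `add_header` inside these locations replaces, rather than extends, whatever `add_header` directives exist at the server level (nginx inherits `add_header` only when the current level has none), so the font location's `add_header Access-Control-Allow-Origin "*";` and the css/js location's `add_header X-Content-Type-Options "nosniff";` mean that server-wide headers such as HSTS are silently dropped for those responses. Either repeat the server-level headers in each of these locations or move them into a shared include that every location pulls in, and say so in a comment above the first `add_header`. In the png/jpeg location, `try_files $uri$webp_suffix $uri =404;` makes the body depend on the client's `Accept` header while `# add_header Vary Accept;` stays commented out; without `Vary: Accept` a shared cache can hand the WebP variant to a client that did not ask for it, so that line should be enabled whenever a proxy or CDN sits in front. The SVG case is covered twice (`svg` in the font location and `image/svg+xml` elsewhere), which is harmless here but worth a note since SVG is an active content type.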


@ -0,0 +1,5 @@
# Auto-versioning support
# Ref: http://w-shadow.com/blog/2012/07/30/automatic-versioning-of-css-js/
rewrite "^(.*)\.[\d]{10}\.(css|js)$" $1.$2 last;

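--- a/globals/brotli.conf
+++ b/globals/brotli.conf
@@ -0,0 +1,34 @@
+# turn on brotli compression
+brotli on;
+# based on research at Akamai: https://blogs.akamai.com/2016/02/understanding-brotlis-potential.html
+brotli_comp_level 4;
+# as per Google sample config available at https://github.com/google/ngx_brotli#sample-configuration
+# brotli_comp_level 6;
+# enable static file serving, if available
+brotli_static on;
+brotli_types
+application/atom+xml
+application/javascript
+application/json
+application/rss+xml
+application/vnd.ms-fontobject
+application/x-font-opentype
+application/x-font-truetype
+application/x-font-ttf
+application/x-javascript
+application/xhtml+xml
+application/xml
+font/eotfont/opentype
+font/otf
+font/truetype
+image/svg+xml
+image/vnd.microsoft.icon
+image/x-icon
+image/x-win-bitmap
+text/css
+text/javascript
+text/plain
+text/xml;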
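Review bot: `font/eotfont/opentype` in the `brotli_types` list is not a MIME type; unless the page rendering fused two lines, `font/eot` and `font/opentype` need to be separate entries, otherwise neither type is compressed and the typo goes unnoticed because nginx accepts any string there. The same compression-side caveat that applies to gzip applies to `brotli on;`: `text/html` is compressed regardless of this list and `application/json` is in it, so dynamic PHP responses that mix secrets with attacker-controlled input are exposed in the BREACH sense; a one-line comment mirroring whatever conf.d/gzip.conf says keeps the two compression configs in step.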


@ -0,0 +1,558 @@
set_real_ip_from 84.17.46.50;
set_real_ip_from 89.187.188.227;
set_real_ip_from 89.187.188.228;
set_real_ip_from 185.180.14.250;
set_real_ip_from 185.93.1.241;
set_real_ip_from 195.181.163.193;
set_real_ip_from 89.187.162.244;
set_real_ip_from 139.180.134.196;
set_real_ip_from 51.83.238.53;
set_real_ip_from 89.38.96.158;
set_real_ip_from 89.187.162.249;
set_real_ip_from 89.187.162.242;
set_real_ip_from 185.102.217.65;
set_real_ip_from 185.93.1.243;
set_real_ip_from 156.146.40.49;
set_real_ip_from 185.59.220.199;
set_real_ip_from 185.59.220.198;
set_real_ip_from 195.181.166.158;
set_real_ip_from 185.180.12.68;
set_real_ip_from 138.199.24.209;
set_real_ip_from 138.199.24.211;
set_real_ip_from 89.187.169.3;
set_real_ip_from 89.187.169.39;
set_real_ip_from 89.187.169.47;
set_real_ip_from 5.188.120.15;
set_real_ip_from 138.199.24.218;
set_real_ip_from 138.199.24.219;
set_real_ip_from 138.199.46.65;
set_real_ip_from 185.40.106.117;
set_real_ip_from 200.25.45.4;
set_real_ip_from 200.25.57.5;
set_real_ip_from 200.25.11.8;
set_real_ip_from 200.25.53.5;
set_real_ip_from 200.25.13.98;
set_real_ip_from 107.155.21.186;
set_real_ip_from 107.155.27.226;
set_real_ip_from 41.242.2.18;
set_real_ip_from 200.25.62.5;
set_real_ip_from 200.25.38.69;
set_real_ip_from 200.25.42.70;
set_real_ip_from 200.25.36.166;
set_real_ip_from 195.206.229.106;
set_real_ip_from 92.223.88.123;
set_real_ip_from 84.17.46.52;
set_real_ip_from 194.242.11.186;
set_real_ip_from 37.19.203.80;
set_real_ip_from 65.108.101.60;
set_real_ip_from 185.164.35.8;
set_real_ip_from 185.173.226.42;
set_real_ip_from 195.69.143.190;
set_real_ip_from 94.20.154.22;
set_real_ip_from 185.93.1.244;
set_real_ip_from 89.38.224.138;
set_real_ip_from 213.170.143.68;
set_real_ip_from 156.59.145.154;
set_real_ip_from 143.244.49.177;
set_real_ip_from 138.199.46.66;
set_real_ip_from 138.199.37.227;
set_real_ip_from 138.199.37.231;
set_real_ip_from 138.199.37.230;
set_real_ip_from 138.199.37.229;
set_real_ip_from 103.216.222.103;
set_real_ip_from 138.199.46.69;
set_real_ip_from 138.199.46.68;
set_real_ip_from 138.199.46.67;
set_real_ip_from 185.93.1.246;
set_real_ip_from 103.216.222.105;
set_real_ip_from 103.216.222.107;
set_real_ip_from 138.199.37.232;
set_real_ip_from 103.216.222.109;
set_real_ip_from 195.181.163.196;
set_real_ip_from 107.182.163.162;
set_real_ip_from 195.181.163.195;
set_real_ip_from 84.17.46.53;
set_real_ip_from 212.102.40.114;
set_real_ip_from 84.17.46.54;
set_real_ip_from 138.199.40.58;
set_real_ip_from 143.244.38.134;
set_real_ip_from 185.152.64.17;
set_real_ip_from 84.17.59.115;
set_real_ip_from 89.187.165.194;
set_real_ip_from 103.216.222.111;
set_real_ip_from 138.199.15.193;
set_real_ip_from 89.35.237.170;
set_real_ip_from 37.19.216.130;
set_real_ip_from 185.93.1.247;
set_real_ip_from 185.93.3.244;
set_real_ip_from 180.149.231.39;
set_real_ip_from 143.244.49.179;
set_real_ip_from 143.244.49.180;
set_real_ip_from 138.199.9.104;
set_real_ip_from 122.10.251.138;
set_real_ip_from 185.152.66.243;
set_real_ip_from 143.244.49.178;
set_real_ip_from 169.150.221.147;
set_real_ip_from 146.59.68.188;
set_real_ip_from 200.25.18.73;
set_real_ip_from 84.17.63.178;
set_real_ip_from 200.25.32.131;
set_real_ip_from 37.19.207.34;
set_real_ip_from 204.16.244.131;
set_real_ip_from 208.83.234.216;
set_real_ip_from 134.195.197.175;
set_real_ip_from 192.189.65.146;
set_real_ip_from 143.244.45.177;
set_real_ip_from 185.93.1.249;
set_real_ip_from 185.93.1.250;
set_real_ip_from 169.150.215.115;
set_real_ip_from 209.177.87.197;
set_real_ip_from 156.146.56.162;
set_real_ip_from 156.146.56.161;
set_real_ip_from 185.93.2.246;
set_real_ip_from 185.93.2.245;
set_real_ip_from 212.102.50.58;
set_real_ip_from 212.102.40.113;
set_real_ip_from 185.93.2.244;
set_real_ip_from 158.69.123.215;
set_real_ip_from 143.244.50.82;
set_real_ip_from 143.244.50.83;
set_real_ip_from 156.146.56.163;
set_real_ip_from 129.227.9.2;
set_real_ip_from 185.135.85.154;
set_real_ip_from 185.165.170.74;
set_real_ip_from 129.227.217.178;
set_real_ip_from 200.25.69.94;
set_real_ip_from 128.1.52.179;
set_real_ip_from 200.25.16.103;
set_real_ip_from 15.235.54.226;
set_real_ip_from 102.67.138.155;
set_real_ip_from 156.59.126.78;
set_real_ip_from 192.34.87.166;
set_real_ip_from 102.219.177.93;
set_real_ip_from 146.70.80.218;
set_real_ip_from 156.146.43.65;
set_real_ip_from 195.181.163.203;
set_real_ip_from 195.181.163.202;
set_real_ip_from 156.146.56.169;
set_real_ip_from 156.146.56.170;
set_real_ip_from 156.146.56.166;
set_real_ip_from 156.146.56.171;
set_real_ip_from 169.150.207.210;
set_real_ip_from 156.146.56.167;
set_real_ip_from 143.244.50.84;
set_real_ip_from 143.244.50.85;
set_real_ip_from 143.244.50.86;
set_real_ip_from 143.244.50.87;
set_real_ip_from 156.146.56.168;
set_real_ip_from 169.150.207.211;
set_real_ip_from 212.102.50.59;
set_real_ip_from 146.185.248.15;
set_real_ip_from 143.244.50.90;
set_real_ip_from 143.244.50.91;
set_real_ip_from 143.244.50.88;
set_real_ip_from 143.244.50.209;
set_real_ip_from 143.244.50.213;
set_real_ip_from 143.244.50.214;
set_real_ip_from 143.244.49.183;
set_real_ip_from 143.244.50.89;
set_real_ip_from 143.244.50.210;
set_real_ip_from 143.244.50.211;
set_real_ip_from 143.244.50.212;
set_real_ip_from 138.199.4.137;
set_real_ip_from 5.42.206.66;
set_real_ip_from 94.46.175.183;
set_real_ip_from 38.54.2.20;
set_real_ip_from 38.54.4.6;
set_real_ip_from 182.93.93.90;
set_real_ip_from 169.150.207.57;
set_real_ip_from 169.150.207.58;
set_real_ip_from 81.30.157.81;
set_real_ip_from 128.1.104.170;
set_real_ip_from 169.150.207.213;
set_real_ip_from 169.150.207.214;
set_real_ip_from 169.150.207.215;
set_real_ip_from 169.150.207.212;
set_real_ip_from 169.150.219.114;
set_real_ip_from 62.113.194.3;
set_real_ip_from 169.150.202.210;
set_real_ip_from 169.150.242.193;
set_real_ip_from 185.93.1.251;
set_real_ip_from 169.150.207.216;
set_real_ip_from 169.150.207.217;
set_real_ip_from 169.150.238.19;
set_real_ip_from 102.219.126.20;
set_real_ip_from 138.199.36.4;
set_real_ip_from 138.199.36.5;
set_real_ip_from 156.59.67.118;
set_real_ip_from 122.10.251.130;
set_real_ip_from 185.24.11.18;
set_real_ip_from 138.199.36.7;
set_real_ip_from 138.199.36.8;
set_real_ip_from 138.199.36.9;
set_real_ip_from 138.199.36.10;
set_real_ip_from 138.199.36.11;
set_real_ip_from 138.199.37.225;
set_real_ip_from 84.17.46.49;
set_real_ip_from 138.199.4.177;
set_real_ip_from 84.17.37.217;
set_real_ip_from 169.150.225.35;
set_real_ip_from 169.150.225.36;
set_real_ip_from 169.150.225.37;
set_real_ip_from 169.150.225.38;
set_real_ip_from 169.150.225.39;
set_real_ip_from 169.150.225.34;
set_real_ip_from 169.150.236.97;
set_real_ip_from 169.150.236.98;
set_real_ip_from 169.150.236.99;
set_real_ip_from 169.150.236.100;
set_real_ip_from 93.189.63.146;
set_real_ip_from 143.244.56.49;
set_real_ip_from 143.244.56.50;
set_real_ip_from 143.244.56.51;
set_real_ip_from 169.150.247.40;
set_real_ip_from 169.150.247.33;
set_real_ip_from 169.150.247.34;
set_real_ip_from 169.150.247.35;
set_real_ip_from 169.150.247.36;
set_real_ip_from 169.150.247.37;
set_real_ip_from 169.150.247.38;
set_real_ip_from 169.150.247.39;
set_real_ip_from 95.217.227.2;
set_real_ip_from 38.142.94.218;
set_real_ip_from 87.249.137.52;
set_real_ip_from 138.199.46.75;
set_real_ip_from 38.104.169.186;
set_real_ip_from 89.187.162.241;
set_real_ip_from 66.181.163.74;
set_real_ip_from 84.17.38.227;
set_real_ip_from 84.17.38.228;
set_real_ip_from 84.17.38.229;
set_real_ip_from 84.17.38.230;
set_real_ip_from 84.17.38.231;
set_real_ip_from 84.17.38.232;
set_real_ip_from 169.150.225.41;
set_real_ip_from 169.150.225.42;
set_real_ip_from 176.123.9.90;
set_real_ip_from 169.150.249.162;
set_real_ip_from 169.150.249.163;
set_real_ip_from 169.150.249.164;
set_real_ip_from 169.150.249.165;
set_real_ip_from 169.150.249.166;
set_real_ip_from 169.150.249.167;
set_real_ip_from 169.150.249.168;
set_real_ip_from 169.150.249.169;
set_real_ip_from 185.131.64.122;
set_real_ip_from 156.247.205.114;
set_real_ip_from 37.236.234.2;
set_real_ip_from 169.150.252.209;
set_real_ip_from 212.102.46.118;
set_real_ip_from 192.169.120.162;
set_real_ip_from 93.180.217.214;
set_real_ip_from 37.19.203.178;
set_real_ip_from 107.155.47.146;
set_real_ip_from 104.166.144.106;
set_real_ip_from 154.47.16.177;
set_real_ip_from 193.201.190.174;
set_real_ip_from 156.59.95.218;
set_real_ip_from 213.170.143.139;
set_real_ip_from 129.227.186.154;
set_real_ip_from 195.238.127.98;
set_real_ip_from 5.189.202.62;
set_real_ip_from 128.1.59.74;
set_real_ip_from 200.25.22.6;
set_real_ip_from 204.16.244.92;
set_real_ip_from 200.25.70.101;
set_real_ip_from 200.25.66.100;
set_real_ip_from 139.180.209.182;
set_real_ip_from 103.108.231.41;
set_real_ip_from 103.108.229.5;
set_real_ip_from 103.216.220.9;
set_real_ip_from 103.75.11.45;
set_real_ip_from 169.150.225.40;
set_real_ip_from 116.202.155.146;
set_real_ip_from 116.202.193.178;
set_real_ip_from 116.202.224.168;
set_real_ip_from 188.40.126.227;
set_real_ip_from 88.99.26.189;
set_real_ip_from 168.119.39.238;
set_real_ip_from 88.99.26.97;
set_real_ip_from 168.119.12.188;
set_real_ip_from 199.247.1.226;
set_real_ip_from 169.197.143.195;
set_real_ip_from 176.9.139.55;
set_real_ip_from 176.9.139.94;
set_real_ip_from 5.161.66.71;
set_real_ip_from 142.132.223.79;
set_real_ip_from 142.132.223.80;
set_real_ip_from 142.132.223.81;
set_real_ip_from 5.161.88.97;
set_real_ip_from 5.161.90.228;
set_real_ip_from 5.161.85.161;
set_real_ip_from 5.161.78.181;
set_real_ip_from 5.161.84.169;
set_real_ip_from 5.161.92.86;
set_real_ip_from 5.161.92.85;
set_real_ip_from 5.161.92.84;
set_real_ip_from 5.161.72.83;
set_real_ip_from 5.161.70.244;
set_real_ip_from 5.161.71.198;
set_real_ip_from 5.161.49.93;
set_real_ip_from 5.161.72.89;
set_real_ip_from 5.161.72.135;
set_real_ip_from 5.161.72.194;
set_real_ip_from 5.161.72.200;
set_real_ip_from 5.161.70.230;
set_real_ip_from 5.161.60.80;
set_real_ip_from 104.237.58.186;
set_real_ip_from 143.244.50.81;
set_real_ip_from 143.244.51.75;
set_real_ip_from 46.4.116.17;
set_real_ip_from 46.4.119.81;
set_real_ip_from 167.235.114.167;
set_real_ip_from 159.69.68.171;
set_real_ip_from 178.63.21.52;
set_real_ip_from 46.4.120.152;
set_real_ip_from 116.202.80.247;
set_real_ip_from 5.9.71.119;
set_real_ip_from 195.201.11.156;
set_real_ip_from 78.46.123.17;
set_real_ip_from 143.244.50.153;
set_real_ip_from 143.244.50.154;
set_real_ip_from 138.199.9.99;
set_real_ip_from 138.199.9.98;
set_real_ip_from 143.244.50.155;
set_real_ip_from 46.4.113.143;
set_real_ip_from 109.248.43.116;
set_real_ip_from 109.248.43.117;
set_real_ip_from 109.248.43.162;
set_real_ip_from 109.248.43.163;
set_real_ip_from 109.248.43.164;
set_real_ip_from 109.248.43.165;
set_real_ip_from 49.12.71.27;
set_real_ip_from 49.12.0.158;
set_real_ip_from 78.47.94.156;
set_real_ip_from 109.248.43.159;
set_real_ip_from 109.248.43.160;
set_real_ip_from 109.248.43.208;
set_real_ip_from 109.248.43.179;
set_real_ip_from 109.248.43.232;
set_real_ip_from 109.248.43.231;
set_real_ip_from 109.248.43.241;
set_real_ip_from 109.248.43.236;
set_real_ip_from 109.248.43.240;
set_real_ip_from 116.202.118.194;
set_real_ip_from 116.202.80.29;
set_real_ip_from 159.69.57.80;
set_real_ip_from 139.180.129.216;
set_real_ip_from 139.99.174.7;
set_real_ip_from 89.187.169.18;
set_real_ip_from 89.187.162.166;
set_real_ip_from 89.187.162.245;
set_real_ip_from 185.180.13.241;
set_real_ip_from 185.59.220.203;
set_real_ip_from 185.59.220.200;
set_real_ip_from 185.59.220.202;
set_real_ip_from 185.59.220.201;
set_real_ip_from 143.244.63.120;
set_real_ip_from 138.199.9.97;
set_real_ip_from 138.199.40.49;
set_real_ip_from 138.199.40.50;
set_real_ip_from 138.199.40.51;
set_real_ip_from 138.199.9.105;
set_real_ip_from 143.244.38.133;
set_real_ip_from 37.19.222.241;
set_real_ip_from 143.244.49.181;
set_real_ip_from 37.19.222.242;
set_real_ip_from 89.187.179.7;
set_real_ip_from 143.244.51.70;
set_real_ip_from 143.244.51.71;
set_real_ip_from 143.244.51.69;
set_real_ip_from 212.102.43.85;
set_real_ip_from 212.102.43.86;
set_real_ip_from 143.244.62.213;
set_real_ip_from 143.244.51.74;
set_real_ip_from 185.93.3.246;
set_real_ip_from 195.181.163.198;
set_real_ip_from 185.152.64.19;
set_real_ip_from 84.17.37.211;
set_real_ip_from 212.102.50.54;
set_real_ip_from 138.199.4.133;
set_real_ip_from 138.199.4.132;
set_real_ip_from 212.102.46.115;
set_real_ip_from 84.17.35.199;
set_real_ip_from 143.244.38.135;
set_real_ip_from 84.17.35.218;
set_real_ip_from 89.187.185.21;
set_real_ip_from 169.150.238.21;
set_real_ip_from 169.150.238.22;
set_real_ip_from 169.150.207.51;
set_real_ip_from 169.150.207.49;
set_real_ip_from 84.17.38.226;
set_real_ip_from 84.17.38.225;
set_real_ip_from 169.150.247.139;
set_real_ip_from 169.150.247.177;
set_real_ip_from 109.61.89.46;
set_real_ip_from 109.61.89.47;
set_real_ip_from 109.61.89.48;
set_real_ip_from 109.61.89.49;
set_real_ip_from 109.61.89.51;
set_real_ip_from 109.61.89.52;
set_real_ip_from 109.61.89.53;
set_real_ip_from 109.61.89.54;
set_real_ip_from 109.61.89.55;
set_real_ip_from 109.61.89.56;
set_real_ip_from 185.59.220.194;
set_real_ip_from 212.102.43.88;
set_real_ip_from 89.187.169.26;
set_real_ip_from 2400:52e0:1a02::625:1;
set_real_ip_from 2400:52e0:1500::641:1;
set_real_ip_from 2400:52e0:1500::714:1;
set_real_ip_from 2400:52e0:1500::715:1;
set_real_ip_from 2400:52e0:1a00::718:1;
set_real_ip_from 2400:52e0:1e00::722:1;
set_real_ip_from 2400:52e0:1e00::723:1;
set_real_ip_from 2400:52e0:1500::747:1;
set_real_ip_from 2400:52e0:1500::749:1;
set_real_ip_from 2400:52e0:1500::782:1;
set_real_ip_from 2400:52e0:1500::783:1;
set_real_ip_from 2400:52e0:1500::784:1;
set_real_ip_from 2a01:4f9:6b:2c80::2;
set_real_ip_from 2400:52e0:1a00::845:1;
set_real_ip_from 2400:52e0:1a01::852:1;
set_real_ip_from 2400:52e0:1500::858:1;
set_real_ip_from 2400:52e0:1e00::860:1;
set_real_ip_from 2400:52e0:1e00::863:1;
set_real_ip_from 2400:52e0:1e00::864:1;
set_real_ip_from 2400:52e0:1e00::865:1;
set_real_ip_from 2400:52e0:1500::867:1;
set_real_ip_from 2400:52e0:1500::868:1;
set_real_ip_from 2400:52e0:1500::869:1;
set_real_ip_from 2400:52e0:1a00::871:1;
set_real_ip_from 2400:52e0:1e00::874:1;
set_real_ip_from 2400:52e0:1a02::876:1;
set_real_ip_from 2400:52e0:1a02::878:1;
set_real_ip_from 2400:52e0:1e01::879:1;
set_real_ip_from 2400:52e0:1e01::883:1;
set_real_ip_from 2a02:6ea0:c454::1;
set_real_ip_from 2400:52e0:1a00::894:1;
set_real_ip_from 2400:52e0:1a01::899:1;
set_real_ip_from 2400:52e0:1a01::900:1;
set_real_ip_from 2400:52e0:1a01::907:1;
set_real_ip_from 2400:52e0:1a01::912:1;
set_real_ip_from 2800:1e0:2410:1::9;
set_real_ip_from 2607:fdc0:1:a:bace:f6ff:fe01:e295;
set_real_ip_from 2400:52e0:1a00::940:1;
set_real_ip_from 2400:52e0:1a00::941:1;
set_real_ip_from 2400:52e0:1500::944:1;
set_real_ip_from 2400:52e0:1500::945:1;
set_real_ip_from 2400:52e0:1e02::946:1;
set_real_ip_from 2400:52e0:1e02::947:1;
set_real_ip_from 2400:52e0:1501::948:1;
set_real_ip_from 2400:52e0:1e02::951:1;
set_real_ip_from 2607:5300:60:9ad7::1;
set_real_ip_from 2400:52e0:1a01::953:1;
set_real_ip_from 2400:52e0:1a01::954:1;
set_real_ip_from 2400:52e0:1500::955:1;
set_real_ip_from 2607:5300:203:a1e2::1;
set_real_ip_from 2400:52e0:1a02::974:1;
set_real_ip_from 2400:52e0:1a02::975:1;
set_real_ip_from 2400:52e0:1a02::976:1;
set_real_ip_from 2400:52e0:1500::977:1;
set_real_ip_from 2400:52e0:1500::978:1;
set_real_ip_from 2400:52e0:1500::979:1;
set_real_ip_from 2400:52e0:1500::980:1;
set_real_ip_from 2400:52e0:1500::981:1;
set_real_ip_from 2400:52e0:1500::982:1;
set_real_ip_from 2400:52e0:1a01::984:1;
set_real_ip_from 2400:52e0:1a01::985:1;
set_real_ip_from 2400:52e0:1a01::986:1;
set_real_ip_from 2400:52e0:1a01::987:1;
set_real_ip_from 2400:52e0:1500::988:1;
set_real_ip_from 2400:52e0:1500::989:1;
set_real_ip_from 2400:52e0:1501::990:1;
set_real_ip_from 2400:52e0:1a01::992:1;
set_real_ip_from 2400:52e0:1a01::993:1;
set_real_ip_from 2400:52e0:1a01::994:1;
set_real_ip_from 2400:52e0:1a01::995:1;
set_real_ip_from 2400:52e0:1a01::996:1;
set_real_ip_from 2400:52e0:1a01::997:1;
set_real_ip_from 2400:52e0:1a01::998:1;
set_real_ip_from 2400:52e0:1a01::999:1;
set_real_ip_from 2400:52e0:1a01::1000:1;
set_real_ip_from 2400:52e0:1a01::1001:1;
set_real_ip_from 2400:52e0:1a01::1002:1;
set_real_ip_from 2400:52e0:1500::1015:1;
set_real_ip_from 2400:52e0:1500::1016:1;
set_real_ip_from 2400:52e0:1500::1020:1;
set_real_ip_from 2400:52e0:1500::1021:1;
set_real_ip_from 2400:52e0:1500::1022:1;
set_real_ip_from 2400:52e0:1500::1024:1;
set_real_ip_from 2400:52e0:1a00::1029:1;
set_real_ip_from 2400:52e0:1500::1030:1;
set_real_ip_from 2400:52e0:1500::1031:1;
set_real_ip_from 2400:52e0:1e00::1047:1;
set_real_ip_from 2400:52e0:1e00::1048:1;
set_real_ip_from 2400:52e0:1e00::1049:1;
set_real_ip_from 2400:52e0:1e00::1053:1;
set_real_ip_from 2400:52e0:1e00::1054:1;
set_real_ip_from 2400:52e0:1e00::1055:1;
set_real_ip_from 2400:52e0:1e01::1056:1;
set_real_ip_from 2400:52e0:1502::1059:1;
set_real_ip_from 2400:52e0:1501::1061:1;
set_real_ip_from 2400:52e0:1501::1062:1;
set_real_ip_from 2400:52e0:1501::1063:1;
set_real_ip_from 2400:52e0:1501::1064:1;
set_real_ip_from 2400:52e0:1501::1065:1;
set_real_ip_from 2400:52e0:1501::1066:1;
set_real_ip_from 2400:52e0:1a00::1067:1;
set_real_ip_from 2400:52e0:1a00::1068:1;
set_real_ip_from 2400:52e0:1a00::1069:1;
set_real_ip_from 2400:52e0:1a00::1070:1;
set_real_ip_from 2400:52e0:1e02::1072:1;
set_real_ip_from 2400:52e0:1e02::1073:1;
set_real_ip_from 2400:52e0:1e02::1074:1;
set_real_ip_from 2400:52e0:1e00::1075:1;
set_real_ip_from 2400:52e0:1e00::1076:1;
set_real_ip_from 2400:52e0:1e00::1077:1;
set_real_ip_from 2400:52e0:1e00::1078:1;
set_real_ip_from 2400:52e0:1e00::1079:1;
set_real_ip_from 2400:52e0:1e00::1080:1;
set_real_ip_from 2400:52e0:1e00::1081:1;
set_real_ip_from 2400:52e0:1e00::1082:1;
set_real_ip_from 2a01:4f9:4b:4b0b::2;
set_real_ip_from 2400:52e0:1500::1087:1;
set_real_ip_from 2400:52e0:1500::1089:1;
set_real_ip_from 2400:52e0:1500::1091:1;
set_real_ip_from 2400:52e0:1500::1092:1;
set_real_ip_from 2400:52e0:1500::1093:1;
set_real_ip_from 2400:52e0:1500::1094:1;
set_real_ip_from 2400:52e0:1500::1095:1;
set_real_ip_from 2400:52e0:1500::1096:1;
set_real_ip_from 2400:52e0:1501::1097:1;
set_real_ip_from 2400:52e0:1501::1098:1;
set_real_ip_from 2400:52e0:1a01::1108:1;
set_real_ip_from 2400:52e0:1a01::1109:1;
set_real_ip_from 2400:52e0:1a01::1110:1;
set_real_ip_from 2400:52e0:1a01::1111:1;
set_real_ip_from 2400:52e0:1a01::1112:1;
set_real_ip_from 2400:52e0:1a01::1113:1;
set_real_ip_from 2400:52e0:1a01::1114:1;
set_real_ip_from 2400:52e0:1a01::1115:1;
set_real_ip_from 2607:fdc0:1:2d:262:bff:fecc:a610;
set_real_ip_from 2404:f780:0:2::d;
set_real_ip_from 2404:f780:0:2::f;
set_real_ip_from 2404:f780:0:2::11;
set_real_ip_from 2404:f780:5:cafe::f;
set_real_ip_from 2400:52e0:1501::1143:1;
set_real_ip_from 2a04:ff07:d9:12::1;
set_real_ip_from 2a04:ff07:d9:13::1;
set_real_ip_from 2a04:ff07:d9:39::1;
set_real_ip_from 2a04:ff07:d9:3::1;
set_real_ip_from 2a04:ff07:d9:3a::1;
set_real_ip_from 2a04:ff07:d9:3b::1;
set_real_ip_from 2a04:ff07:d9:1::1;
set_real_ip_from 2a04:ff07:d9:1b::1;
set_real_ip_from 2a01:4f8:c17:aec0::1;
set_real_ip_from 2a01:4f8:c17:fc7::1;
set_real_ip_from 2a01:4f8:c17:20b2::1;

globals/bunnycdn.conf Normal file
View file

@ -0,0 +1,12 @@
# Ref: https://support.bunny.net/hc/en-us/articles/115003578911-How-to-detect-when-BunnyCDN-PoP-servers-are-accessing-your-backend
# https://bunnycdn.com/api/system/edgeserverlist
# https://bunnycdn.com/api/system/edgeserverlist/IPv6
# TODO: make sure to update bunnycdn-ip-list.conf regularly via a script
include '/etc/nginx/globals/bunnycdn-ip-list.conf';
# use any of the following two options (but not both)
real_ip_header X-Forwarded-For;
real_ip_recursive on;
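Review bot: The comment `# use any of the following two options (but not both)` above `real_ip_header X-Forwarded-For;` does not fit this file: real_ip_header and real_ip_recursive are complementary, not alternatives (in cloudflare.conf the same sentence refers to the two real_ip_header candidates). A wording that matches the lines, `# trust X-Forwarded-For only from the Bunny edge ranges included above; recursive so the rightmost non-trusted address is used`, would avoid operators deleting one of them. The TODO on the include line is also the security-relevant part: once the included list goes stale, addresses no longer owned by the CDN remain trusted and can set the client address seen by access control and logging through X-Forwarded-For, so the refresh should be scripted the way update-cloudflare-ip-list.sh in this commit does for Cloudflare.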


@ -0,0 +1,72 @@
# To improve the perf, we may use open_file_cache
# ref: https://nginx.org/r/open_file_cache
# open_file_cache max=1000;
# open_file_cache_valid 60s;
# open_file_cache_min_uses 2;
# open_file_cache_errors off;
location / {
# requires server support
# gzip_static on;
error_page 418 = @cachemiss;
error_page 419 = @mobileaccess;
recursive_error_pages on;
# bypass POST requests
if ($request_method = POST) { return 418; }
# uncommenting the following degrades the performance on certain sites. YMMV
# if ($query_string != "") { return 418; }
# bypass cache for common query strings
if ($arg_s != "") { return 418; } # search query
if ($arg_p != "") { return 418; } # request a post / page by ID
if ($args ~ "amp") { return 418; } # amp test
if ($arg_preview = "true") { return 418; } # preview post / page
if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
if ($http_cookie ~* "comment_author_") { return 418; }
if ($http_cookie ~* "wp_postpass_") { return 418; }
# if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
# uncomment the following if deemed fit
# if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
try_files "/wp-content/cache/cache-enabler/$host${uri}index.html" $uri $uri/ /index.php$is_args$args;
#--> all the following would apply, only if the request hits the cache
add_header "X-Cache" "HIT - Cache Enabler";
# include "globals/hsts.conf";
include 'globals/security-headers.conf';
# expires modified 30m;
expires 30m;
add_header "Cache-Control" "must-revalidate";
# For proxies
# add_header "Cache-Control" "s-maxage=3600";
}
location @mobileaccess {
# try_files $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
add_header "X-Cache" "HIT - Mobile - Cache Enabler";
# include "globals/hsts.conf";
include 'globals/security-headers.conf';
# expires modified 30m;
expires 30m;
add_header "Cache-Control" "must-revalidate";
# For proxies
# add_header "Cache-Control" "s-maxage=3600";
}
location @cachemiss {
try_files $uri $uri/ /index.php$is_args$args;
}
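Review bot: `try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" ...` in `location @mobileaccess` points at the WP Super Cache directory, while `location /` above looks in `/wp-content/cache/cache-enabler/`, so the mobile branch of this Cache Enabler config never finds a cached page (presumably copied from the WP Super Cache file). A second problem is `if ($args ~ "amp") { return 418; }`: the unanchored regex matches any query string containing the substring `amp`, including `utm_campaign=`, so tagged marketing traffic bypasses the cache and lands on PHP; `if ($arg_amp != "") { return 418; }` expresses what is meant. The same `amp` test is repeated in the WP Fastest Cache, WP Rocket and WP Super Cache sections below and should be changed there too.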


@ -0,0 +1,21 @@
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
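Review bot: `set_real_ip_from 104.16.0.0/12;` is wider than what Cloudflare publishes at https://www.cloudflare.com/ips-v4 as far as I recall (a /13 and a /14 inside that /12), so confirm against the live list; trusting a superset means a client-supplied CF-Connecting-IP or X-Forwarded-For from an address in the extra space would be honoured. Since update-cloudflare-ip-list.sh in this commit overwrites this file on every run, the committed copy is only a bootstrap value; a first line such as `# generated by update-cloudflare-ip-list.sh - do not edit by hand` would stop manual edits from being silently lost.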

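--- a/globals/cloudflare.conf
+++ b/globals/cloudflare.conf
@@ -0,0 +1,9 @@
+# make sure you set up a cron to run update-cloudflare-ip-list.sh regularly
+include '/etc/nginx/globals/cloudflare-ip-list.conf';
+# use any of the following two options (but not both)
+real_ip_header CF-Connecting-IP;
+# real_ip_header X-Forwarded-For;
+real_ip_recursive on;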
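Review bot: `real_ip_recursive on;` has no effect while `real_ip_header CF-Connecting-IP;` is active, because that header carries a single address; it only matters for the commented-out X-Forwarded-For alternative, so a comment such as `# recursive only matters with X-Forwarded-For` would avoid the impression that it adds protection on its own. The operational risk sits in the include: a stale list lets non-Cloudflare addresses forge CF-Connecting-IP, and an empty list (see the update script) means no proxy is trusted and every request is logged and rate-limited as the Cloudflare edge address, so the cron job mentioned in the first comment should validate the generated file before reloading.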


@ -0,0 +1,13 @@
##### for public facing development sites; also called as staging sites #####
# deny access to robots.txt across the board
location = /robots.txt { access_log off; deny all; }
location ~ /sitemap { access_log off; deny all; }
# block sitemaps with .xml and .xml.gz endings such as news-sitemap.xml (Yoast SEO)
location ~ \.xml$ { access_log off; deny all; }
location ~ \.xml\.gz$ { access_log off; deny all; }
# deny specific bots
if ( $http_user_agent ~ "Google" ) { return 403; }
if ( $http_user_agent ~ "bingbot" ) { return 403; }
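Review bot: `location = /robots.txt { access_log off; deny all; }` answers 403, and major crawlers treat an unavailable robots.txt as "no restrictions" rather than as a block, so on this staging configuration the only thing keeping the site out of search indexes is the two user-agent checks, which every other crawler ignores. Serving an explicit disallow is more robust: `location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }` together with `add_header X-Robots-Tag "noindex, nofollow, noarchive" always;` at server level. The `~ /sitemap` and `\.xml$` regexes also match any URI containing those substrings (a post slug with "sitemap" in it, or feeds), which may be broader than intended, and for a public-facing staging site HTTP basic auth or an allow list is the reliable control while the UA checks remain a courtesy.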

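--- a/globals/error-pages.conf
+++ b/globals/error-pages.conf
@@ -0,0 +1,23 @@
+# Custom 403 Page
+error_page 403 @fetch403;
+location @fetch403 {
+root /etc/nginx/errors;
+try_files /403.html =404;
+}
+# Custom 404 Page
+error_page 404 @fetch404;
+location @fetch404 {
+root /etc/nginx/errors;
+try_files /404.html =404;
+}
+# Custom 550 Page
+error_page 550 @fetch550;
+location @fetch550 {
+root /etc/nginx/errors;
+try_files /550.html =404;
+}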
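Review bot: `error_page 550 @fetch550;` relies on a status code outside the registered HTTP range; nginx accepts it, but intermediaries and clients treat it as a generic 5xx, and the named location returns the page with that same status. A comment on the line, `# 550 is a private, non-standard code used by the catch-all server for "not hosted here"`, would tell the next reader why it exists and that `@fetch550` is only reached from the `return 550` in the default server block elsewhere in this commit.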

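--- a/globals/hide-headers.conf
+++ b/globals/hide-headers.conf
@@ -0,0 +1,12 @@
+### Security (through obscurity) - https://en.wikipedia.org/wiki/Security_through_obscurity
+# To hide nginx version
+server_tokens off;
+# To hide PHP version and other related fastcgi headers
+fastcgi_hide_header X-Powered-By;
+fastcgi_hide_header X-Pingback;
+fastcgi_hide_header Link;
+proxy_hide_header X-Powered-By;
+proxy_hide_header X-Pingback;
+proxy_hide_header X-Link;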
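Review bot: `proxy_hide_header X-Link;` does not mirror the FastCGI counterpart `fastcgi_hide_header Link;` three lines above — there is no X-Link header, so the Link header is hidden for FastCGI responses but passed through for proxied ones; presumably `proxy_hide_header Link;` was intended. Hiding `Link` also strips WordPress's REST API discovery header and any `rel=preload` hints, not only the shortlink, which is worth saying in the comment, e.g. `# also removes REST discovery and preload Link headers`.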

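--- a/globals/hsts.conf
+++ b/globals/hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security "max-age=31536000";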
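Review bot: `add_header Strict-Transport-Security "max-age=31536000";` is only emitted on 2xx/3xx responses; nginx drops add_header on 4xx/5xx unless the `always` flag is present, so a 403 from restrictions.conf or a login error page is served without HSTS. `add_header Strict-Transport-Security "max-age=31536000" always;` fixes that; `includeSubDomains` is a separate policy decision that should stay an explicit opt-in, ideally noted in a comment. Because add_header is not inherited into locations that set their own headers, including this file per location as the cache configs do (in their commented include lines) is the right pattern and deserves a comment here.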

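--- a/globals/mu-dir.conf
+++ b/globals/mu-dir.conf
@@ -0,0 +1,9 @@
+# Rules for Multisite Sub-directory install
+# For sub-directory redirects
+# Only one would apply
+# If two needed to be applied, it'd throw a 404
+if (!-e $request_filename) {
+rewrite ^/[_0-9a-zA-Z-]+(/wp-(content|admin|includes).*) $1 break;
+rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 break;
+}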

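--- a/globals/mu-files.conf
+++ b/globals/mu-files.conf
@@ -0,0 +1,6 @@
+# Rules for any Multisite install
+# For uploads
+if ( $uri ~ "files" ) {
+rewrite ^/(?:.*/)?files/(.+) /wp-includes/ms-files.php?file=$1;
+}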
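Review bot: `if ( $uri ~ "files" )` matches any URI containing the substring (e.g. `/profiles/`), not only a `/files/` path segment; the rewrite inside is anchored so the mismatch is harmless today, but `if ( $uri ~ "/files/" )` states the intent and avoids running the rewrite for unrelated requests. A comment that `ms-files.php` is, as far as I know, the legacy multisite uploads handler that newer networks no longer use would also help whoever decides whether to include this file.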

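--- a/globals/pagespeed.conf
+++ b/globals/pagespeed.conf
@@ -0,0 +1,9 @@
+pagespeed off;
+pagespeed FileCachePath /var/cache/ngx_pagespeed_cache;
+pagespeed MemcachedServers "127.0.0.1:11211";
+pagespeed XHeaderValue "Powered By ngx_pagespeed";
+pagespeed BlockingRewriteKey "fullyoptimized";
+pagespeed Disallow "*/wp-admin/*";
+pagespeed Disallow "*/wp-login.php*";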

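--- a/globals/php.conf
+++ b/globals/php.conf
@@ -0,0 +1,9 @@
+location ~ \.php$ {
+try_files $uri =404;
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+include "fastcgi.conf";
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_index index.php;
+fastcgi_pass fpm;
+}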
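Review bot: `location ~ \.php$` here lacks the httpoxy mitigation that both site templates in this commit carry next to their fastcgi_param lines, so a server block that includes this file instead of inlining the location forwards a client-supplied Proxy header to PHP as HTTP_PROXY; adding `fastcgi_param HTTP_PROXY "";` keeps the include consistent with the templates. Separately, `fastcgi_split_path_info` is effectively dead after `try_files $uri =404;`, because any `/script.php/extra` URI fails the existence check before PATH_INFO is split; a comment saying path info is intentionally disabled would stop someone "fixing" it by removing the try_files guard.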

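--- a/globals/restrictions.conf
+++ b/globals/restrictions.conf
@@ -0,0 +1,33 @@
+# Global restrictions configuration file.
+# Designed to be included in any server {} block.
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac), .git.
+location /.git { deny all; }
+location /.htaccess { deny all; }
+location /.htpasswd { deny all; }
+location /.user.ini { deny all; }
+# this actually covers every dot file, except what follows below it (ex: CertBot)
+location ~ ^/\. { deny all; }
+# but allow CertBot - see http://stackoverflow.com/a/34262192
+location ^~ /.well-known/acme-challenge {
+auth_basic off;
+try_files $uri =404;
+expires -1;
+}
+# Deny access to any files with a .php extension in the uploads directory
+location ~* /uploads/.*\.php$ { deny all; }
+# Deny access to any files with a .php extension in the uploads directory for multisite
+location ~* /files/.*\.php$ { deny all; }
+# Since version 2.5.7, Akismet introduced a new .htaccess file to block direct access to php files
+# Ref: http://wordpress.org/extend/plugins/akismet/changelog/
+location ~* /akismet/.*\.php$ { deny all; }
+# Restrict direct access to cached content
+location /wp-content/cache/ { deny all; }
+# Deny access to backup files!
+location ~ ~$ { deny all; }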
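Review bot: The dot-file rules only cover the document root: `location /.git` is a prefix match and `location ~ ^/\.` is anchored at the start of the URI, so `/wp-content/plugins/foo/.git/config` or a `.env` inside a theme directory is still served. `location ~ /\. { deny all; }` covers nested dot-files as well, and the `^~ /.well-known/acme-challenge` prefix location still takes precedence over it, so ACME keeps working. Two more points deserve comments: `location ~ ~$` blocks editor backups ending in `~` but not `.bak`/`.swp`/`.orig` copies, and `location /wp-content/cache/ { deny all; }` will 403 any plugin that serves minified CSS/JS from that directory, whereas the cache configs' try_files are unaffected because they serve the file from their own location.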


@ -0,0 +1,13 @@
add_header X-Content-Type-Options nosniff;
# please see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# add_header X-Frame-Options deny;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
# optional header - use it with care - you are warned!
# add_header Access-Control-Allow-Origin "*";
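Review bot: None of these `add_header` lines carries `always`, so the headers are omitted on 4xx/5xx responses — precisely the error pages produced by restrictions.conf and error-pages.conf where `X-Frame-Options` and `X-Content-Type-Options` still matter; `add_header X-Content-Type-Options nosniff always;` (and likewise for the other three) fixes that. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and that had known problems in older ones; if it stays, a comment marking it legacy-only is appropriate. A Content-Security-Policy is absent, which is defensible for a generic WordPress template, but a comment saying so would stop readers assuming this file is the complete header set.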


@ -0,0 +1,12 @@
# https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/#nginx
# ref: https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/#nginx
# Define header with original client IP
real_ip_header X-Forwarded-For;
# Define trusted Firewall IPs
set_real_ip_from 192.88.134.0/23;
set_real_ip_from 185.93.228.0/22;
set_real_ip_from 66.248.200.0/22;
set_real_ip_from 208.109.0.0/22;
set_real_ip_from 2a02:fe80::/29; # this line can be removed if IPv6 is disabled
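Review bot: The trusted ranges on these `set_real_ip_from` lines are duplicated verbatim in sucuri-waf.conf's allow list with no single source, so when Sucuri changes a range one file will be updated and the other forgotten, which either breaks real-IP restoration or keeps trusting an address that can set X-Forwarded-For. A comment in each file pointing at the other, or a shared include generated the way the Cloudflare list is, avoids the drift; the duplicated reference comment on the first two lines can be collapsed to one.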

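--- a/globals/sucuri-waf.conf
+++ b/globals/sucuri-waf.conf
@@ -0,0 +1,12 @@
+# allow local requests
+allow 127.0.0.1;
+# Sucuri WAF
+allow 192.88.134.0/23;
+allow 185.93.228.0/22;
+allow 2a02:fe80::/29;
+allow 66.248.200.0/22;
+allow 208.109.0.0/22;
+# deny all requests that bypass Sucuri
+deny all;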
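Review bot: `allow`/`deny` are evaluated against `$remote_addr`, and when the real-IP section that precedes this file is active in the same server block the realip module has already replaced `$remote_addr` with the X-Forwarded-For value, so every request that legitimately arrives through Sucuri is compared as its end-user address and falls into `deny all;`. If the two files are meant to be used together, the lockdown has to look at the pre-replacement address, e.g. a `geo $realip_remote_addr $from_waf { default 0; 192.88.134.0/23 1; ... }` map with `if ($from_waf = 0) { return 403; }`, or be enforced at the host firewall. Until then a comment stating that this file and the real-IP file are mutually exclusive would prevent a full outage on first deploy.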


@ -0,0 +1,7 @@
### If Varnish is used as front end
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# Default value: on
port_in_redirect off;


@ -0,0 +1,6 @@
# Yoast's WordPress SEO plugin requires this...
# Ref: http://wordpress.org/extend/plugins/wordpress-seo/faq/
rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;


@ -0,0 +1,93 @@
# configuration directives to support WP Fastest Cache plugin.
# note not all features are supported.
# default location block
# - directs mobile visitors to @mobileaccess, if configured.
# - directs cache misses to PHP (via @cachemiss).
# - directs requests "that shouldn't be cached" to PHP (via @cachemiss): example - requests from a logged-in user.
location / {
error_page 418 = @cachemiss; # to handle cache misses
error_page 419 = @mobileaccess; # to handle mobile visits
recursive_error_pages on;
set $pathDomain "/wp-content/cache/${host}/all${uri}"; # path domain for multisite
set $path "/wp-content/cache/all${uri}";
# bypass POST requests
if ($request_method = POST) { return 418; }
# uncommenting the following degrades the performance on certain sites. YMMV
# if ($query_string != "") { return 418; }
# bypass cache for common query strings
if ($arg_s != "") { return 418; } # search query
if ($arg_p != "") { return 418; } # request a post / page by ID
if ($args ~ "amp") { return 418; } # amp test
if ($arg_preview = "true") { return 418; } # preview post / page
if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
# if WP related cookies are found, skip cache
if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
if ($http_cookie ~* "comment_author_") { return 418; }
if ($http_cookie ~* "wp_postpass_") { return 418; }
# avoid duplicate content on Amazon CloudFront and KeyCDN.
if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
# uncomment the following, if WP Fastest Cache plugin is set to create a separate cache for mobile visitors
# if ( $http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad" ) { return 419; }
# add_header "Vary" "User-Agent";
# uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
# if ( $http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad" ) { return 419; }
# look for cached version; if-not-found, then send the request to PHP
try_files "${path}index.html" "${path}/index.html" "${pathDomain}index.html" "${pathDomain}/index.html" $uri $uri/ /index.php$is_args$args;
#--> all the following would apply, only if the request hits the cache
# add some useful headers
add_header "X-Cache" "HIT - WP Fastest Cache";
add_header "X-CF-Powered-By" "WP Fastest Cache";
add_header "Vary" "Cookie";
# include "globals/hsts.conf";
include 'globals/security-headers.conf';
expires 30m;
# expires modified 30m;
add_header "Cache-Control" "must-revalidate";
# For proxies
# add_header "Cache-Control" "s-maxage=600";
}
# location to handle requests come from mobile devices
location @mobileaccess {
set $pathDomain "/wp-content/cache/${host}/wpfc-mobile-cache${uri}"; # path domain for multisite
set $path "/wp-content/cache/wpfc-mobile-cache${uri}";
# look for cached version for mobiles; if-not-found, then send the request to PHP
try_files "${path}index.html" "${path}/index.html" "${pathDomain}index.html" "${pathDomain}/index.html" $uri $uri/ /index.php$is_args$args;
#--> all the following would apply, only if the request hits the cache
# add some useful headers
add_header "X-Cache" "HIT - Mobile - WP Fastest Cache";
add_header "Vary" "User-Agent, Cookie";
# include "globals/hsts.conf";
include 'globals/security-headers.conf';
expires 30m;
# expires modified 30m;
add_header "Cache-Control" "must-revalidate";
# For proxies
# add_header "Cache-Control" "s-maxage=600";
}
location @cachemiss {
# on cache miss, send the request to PHP
try_files $uri $uri/ /index.php$is_args$args;
}

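--- a/globals/wp-rocket.conf
+++ b/globals/wp-rocket.conf
@@ -0,0 +1,78 @@
+# To improve the perf, let's use open_file_cache
+# ref: nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+location / {
+# disable WP Rocket preload bot; had numerous trouble with in on high-traffic sites
+if ($http_user_agent ~ wprocketbot) { return 403; access_log off; }
+error_page 418 = @cachemiss;
+error_page 419 = @mobileaccess;
+recursive_error_pages on;
+# bypass POST requests
+if ($request_method = POST) { return 418; }
+# uncommenting the following degrades the performance on certain sites. YMMV
+# if ($query_string != "") { return 418; }
+# bypass cache for common query strings
+if ($arg_s != "") { return 418; } # search query
+if ($arg_p != "") { return 418; } # request a post / page by ID
+if ($args ~ "amp") { return 418; } # amp test
+if ($arg_preview = "true") { return 418; } # preview post / page
+if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+if ($http_cookie ~* "comment_author_") { return 418; }
+if ($http_cookie ~* "wp_postpass_") { return 418; }
+# avoid duplicate content on Amazon CloudFront and KeyCDN.
+if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
+if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
+# uncomment the following, if WP Rocket plugin is set to create a separate cache for mobile visitors
+# if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+# add_header "Vary" "User-Agent";
+# uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
+# if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+#--> all the following would apply, only if the request hits the cache
+add_header "X-Cache" "HIT - WP Rocket";
+add_header "Vary" "Cookie";
+# include "globals/hsts.conf";
+include 'globals/security-headers.conf';
+expires modified 30m;
+add_header "Cache-Control" "must-revalidate";
+# For proxies
+# add_header "Cache-Control" "s-maxage=600";
+}
+location @mobileaccess {
+# try_files $uri $uri/ /index.php$is_args$args;
+try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+add_header "X-Cache" "HIT - Mobile - WP Rocket";
+add_header "Vary" "User-Agent, Cookie";
+# include "globals/hsts.conf";
+include 'globals/security-headers.conf';
+expires modified 30m;
+add_header "Cache-Control" "must-revalidate";
+# For proxies
+# add_header "Cache-Control" "s-maxage=600";
+}
+location @cachemiss {
+try_files $uri $uri/ /index.php$is_args$args;
+}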


@ -0,0 +1,80 @@
# To improve the perf, we may use open_file_cache
# ref: https://nginx.org/r/open_file_cache
# open_file_cache max=1000;
# open_file_cache_valid 60s;
# open_file_cache_min_uses 2;
# open_file_cache_errors off;
location / {
# requires server support
# gzip_static on;
error_page 418 = @cachemiss;
error_page 419 = @mobileaccess;
recursive_error_pages on;
# bypass POST requests
if ($request_method = POST) { return 418; }
# uncommenting the following degrades the performance on certain sites. YMMV
# if ($query_string != "") { return 418; }
# bypass cache for common query strings
if ($arg_s != "") { return 418; } # search query
if ($arg_p != "") { return 418; } # request a post / page by ID
if ($args ~ "amp") { return 418; } # amp test
if ($arg_preview = "true") { return 418; } # preview post / page
if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
if ($http_cookie ~* "comment_author_") { return 418; }
if ($http_cookie ~* "wp_postpass_") { return 418; }
# avoid duplicate content on Amazon CloudFront and KeyCDN.
if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
# uncomment the following, if WP Super Cache plugin is set to create a separate cache for mobile visitors
# if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
# add_header "Vary" "User-Agent";
# uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
# if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
#--> all the following would apply, only if the request hits the cache
add_header "X-Cache" "HIT - WP Super Cache";
# include "globals/hsts.conf";
include 'globals/security-headers.conf';
# expires modified 30m;
expires 30m;
add_header "Cache-Control" "must-revalidate";
# For proxies
# add_header "Cache-Control" "s-maxage=3600";
}
location @mobileaccess {
# try_files $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
add_header "X-Cache" "HIT - Mobile - WP Super Cache";
# include "globals/hsts.conf";
include 'globals/security-headers.conf';
# expires modified 30m;
expires 30m;
add_header "Cache-Control" "must-revalidate";
# For proxies
# add_header "Cache-Control" "s-maxage=3600";
}
location @cachemiss {
try_files $uri $uri/ /index.php$is_args$args;
}

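--- a/globals/wpfc.conf
+++ b/globals/wpfc.conf
@@ -0,0 +1,34 @@
+# The rewrite magic
+location / {
+gzip_static on;
+# set these globally, if not done already
+# gzip_http_version 1.1;
+# gzip_proxied expired no-cache no-store private auth;
+# gzip_disable "MSIE [1-6]\.";
+# gzip_vary on;
+error_page 418 = @cachemiss;
+if ($request_method = POST) { return 418; }
+if ($query_string != "") { return 418; }
+if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+if ($http_cookie ~* "comment_author_") { return 418; }
+if ($http_cookie ~* "wp_postpass_") { return 418; }
+try_files "/wp-content/cache/all${uri}index.html" =418;
+add_header "X-WPFC-Cache" "HIT";
+# choose or modify any of the following cache-control headers
+expires 30m;
+# add_header "Cache-Control" "max-age=10, must-revalidate";
+# add_header "Vary" "Cookie";
+}
+location @cachemiss {
+try_files $uri $uri/ /index.php$is_args$args;
+}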
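Review bot: This file and the WP Fastest Cache section earlier in the commit (`# configuration directives to support WP Fastest Cache plugin.`, referenced from the dev site as `globals/wp-fastest-cache.conf`) configure the same plugin with different rules — this one has no POST/mobile/CDN handling and checks only `/wp-content/cache/all${uri}index.html` — and nothing says which is current. A header comment such as `# superseded by globals/wp-fastest-cache.conf; kept for single-site installs only` (or dropping one of the two) would prevent operators from including the wrong file. Note also that `if ($query_string != "") { return 418; }` is unconditional here while the other file deliberately comments it out for performance reasons.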

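--- a/mime.types
+++ b/mime.types
@@ -0,0 +1,88 @@
+types {
+text/html html htm shtml;
+text/css css;
+text/xml xml;
+image/gif gif;
+image/jpeg jpeg jpg;
+application/javascript js;
+application/atom+xml atom;
+application/rss+xml rss;
+text/mathml mml;
+text/plain txt;
+text/vnd.sun.j2me.app-descriptor jad;
+text/vnd.wap.wml wml;
+text/x-component htc;
+image/png png;
+image/tiff tif tiff;
+image/vnd.wap.wbmp wbmp;
+image/x-icon ico;
+image/x-jng jng;
+image/x-ms-bmp bmp;
+image/svg+xml svg svgz;
+image/webp webp;
+application/font-woff woff;
+application/java-archive jar war ear;
+application/json json;
+application/mac-binhex40 hqx;
+application/msword doc;
+application/pdf pdf;
+application/postscript ps eps ai;
+application/rtf rtf;
+application/vnd.apple.mpegurl m3u8;
+application/vnd.ms-excel xls;
+application/vnd.ms-fontobject eot;
+application/vnd.ms-powerpoint ppt;
+application/vnd.wap.wmlc wmlc;
+application/vnd.google-earth.kml+xml kml;
+application/vnd.google-earth.kmz kmz;
+application/x-7z-compressed 7z;
+application/x-cocoa cco;
+application/x-java-archive-diff jardiff;
+application/x-java-jnlp-file jnlp;
+application/x-makeself run;
+application/x-perl pl pm;
+application/x-pilot prc pdb;
+application/x-rar-compressed rar;
+application/x-redhat-package-manager rpm;
+application/x-sea sea;
+application/x-shockwave-flash swf;
+application/x-stuffit sit;
+application/x-tcl tcl tk;
+application/x-x509-ca-cert der pem crt;
+application/x-xpinstall xpi;
+application/xhtml+xml xhtml;
+application/xspf+xml xspf;
+application/zip zip;
+application/octet-stream bin exe dll;
+application/octet-stream deb;
+application/octet-stream dmg;
+application/octet-stream iso img;
+application/octet-stream msi msp msm;
+application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+audio/midi mid midi kar;
+audio/mpeg mp3;
+audio/ogg ogg;
+audio/x-m4a m4a;
+audio/x-realaudio ra;
+video/3gpp 3gpp 3gp;
+video/mp2t ts;
+video/mp4 mp4;
+video/mpeg mpeg mpg;
+video/quicktime mov;
+video/webm webm;
+video/x-flv flv;
+video/x-m4v m4v;
+video/x-mng mng;
+video/x-ms-asf asx asf;
+video/x-ms-wmv wmv;
+video/x-msvideo avi;
+}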
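Review bot: `application/font-woff woff;` has no `woff2` companion, so `.woff2` files fall through to the `default_type application/octet-stream` set in nginx.conf; the current registrations are `font/woff woff;` and `font/woff2 woff2;`. Since this is a copy of the stock nginx mime.types, a header comment naming the nginx version it was taken from would make future re-syncs straightforward.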

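--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,32 @@
+# user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+}
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+access_log /var/log/nginx/access.log main;
+sendfile on;
+#tcp_nopush on;
+keepalive_timeout 65;
+gzip on;
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*.conf;
+}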
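Review bot: `server_tokens off;` lives only in globals/hide-headers.conf, which is included per site, so the catch-all default servers in this commit (which include nothing but error-pages.conf) still advertise the nginx version on their 403/550 responses; putting `server_tokens off;` in this `http` block makes it global, unless conf.d/common.conf — referenced from the site template but not part of this commit — already does so. `include /etc/nginx/sites-enabled/*.conf;` only picks up symlinks whose name ends in `.conf`, while the site template's comment tells operators to symlink into sites-enabled without mentioning the suffix; a note on this line, `# symlinks in sites-enabled must keep the .conf suffix`, would avoid silently unloaded sites.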

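--- a/proxy.conf
+++ b/proxy.conf
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;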
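Review bot: `proxy.conf` and `proxy_params` are byte-for-byte identical and two copies will drift; keep one and, if the other name is needed for compatibility with existing includes, reduce it to `include proxy_params;`. `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever the client sent, which is the correct choice, but it means the upstream may only trust the last entry; a comment saying so helps whoever configures the backend side.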

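--- a/proxy_params
+++ b/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;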


@ -0,0 +1,16 @@
#!/bin/bash
# script to set Cloudflare IPs (ipv4 and ipv6)
# empty the list
echo -n > /etc/nginx/globals/cloudflare-ip-list.conf;
# fetch and update ipv4
for i in `curl -s https://www.cloudflare.com/ips-v4`; do
echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
done
# fetch and update ipv6
for i in `curl -s https://www.cloudflare.com/ips-v6`; do
echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
done
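Review bot: `echo -n > /etc/nginx/globals/cloudflare-ip-list.conf;` truncates the live trust list before either `curl` has succeeded, and `curl -s` hides failures, so a DNS or TLS error leaves an empty file and the next reload trusts no proxy (every request is then rate-limited and logged as a Cloudflare edge address), while an HTML error page from a non-2xx response becomes `set_real_ip_from <html>;` lines and breaks `nginx -t`. Writing to a temporary file, failing on non-2xx (`curl -fsS`), validating each token as an address or CIDR, refusing an empty result and then moving the file into place atomically closes all of these; running `nginx -t` before any reload belongs in the cron job that calls this script. A rewritten version follows.
```shell
#!/bin/bash
# script to set Cloudflare IPs (ipv4 and ipv6)
set -euo pipefail
list=/etc/nginx/globals/cloudflare-ip-list.conf
tmp=$(mktemp "${list}.XXXXXX")
trap 'rm -f "$tmp"' EXIT
for url in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
    # -f: a non-2xx response is an error, so an error page never becomes config
    curl -fsS --proto '=https' "$url" | while read -r cidr; do
        # accept only tokens that look like an IPv4/IPv6 address or CIDR range
        [[ "$cidr" =~ ^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$ ]] || { echo "unexpected entry from $url: $cidr" >&2; exit 1; }
        echo "set_real_ip_from $cidr;" >> "$tmp"
    done
done
# never install an empty trust list; replace the live file atomically
[ -s "$tmp" ] || { echo "fetched list is empty, keeping existing file" >&2; exit 1; }
mv "$tmp" "$list"
```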


@ -0,0 +1,74 @@
### No need to enable the following in wp-config.php
# define('FORCE_SSL_ADMIN', true);
# define('FORCE_SSL_LOGIN', true);
### Process non-SSL requests
server {
listen 80;
server_name example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
# Process PHP requests
location ~ \.php$ {
# Request to wp-login to go through HTTPS protocol
location ~ /wp-(admin|login) {
return 301 https://$host$request_uri;
}
# Process non-admin requests
try_files $uri =404;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
# Nginx way of mod_write
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
}
server {
listen 443 ssl;
server_name example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
# Generate Certificates
# http://wiki.nginx.org/HttpSslModule#Generate_Certificates
ssl_certificate /path/to/combined.crt;
ssl_certificate_key /path/to/server.key;
# Logs
access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/example.com-error.log;
# Process requests to wp-admin/* and wp-login.php
location ~ /wp-(admin|login) {
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_pass fpm;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
# Process non-admin requests
include globals/assets.conf;
# To avoid displaying posts and post previews in HTTPS
location / {
return 301 http://example.com$request_uri;
}
}
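Review bot: `return 301 http://example.com$request_uri;` in the 443 server downgrades every non-admin request to plain HTTP, which makes this template incompatible with globals/hsts.conf from the same commit: once a browser has stored the HSTS policy it rewrites the http:// redirect target back to https and loops. The design also means the front end is served without TLS on purpose, which should be stated in a header comment such as `# admin-only TLS template; do not include globals/hsts.conf or security headers that assume site-wide HTTPS here`, since the other site template assumes HTTPS throughout. `if=$loggable` on the access_log line depends on a variable that, per the site template's comment, is defined in conf.d/common.conf, which is not part of this commit.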


@ -0,0 +1,28 @@
# Ref - http://wiki.nginx.org/ServerBlockExample#A_Default_.22Catch_All.22_Server_Block
server {
listen 80 default_server;
server_name _;
access_log off;
error_log off;
# return nothing
# a Nginx specific error code
# return 444;
# deny all
# include globals/error-pages.conf;
location / {
return 403;
}
# Let Varnish or others ping to know the status of PHP-FPM
location /ping {
allow 127.0.0.1;
deny all;
fastcgi_pass fpm;
keepalive_timeout 0;
expires -1;
}
}
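Review bot: `error_log off;` does not disable error logging — unlike `access_log off`, nginx takes `off` as a file name relative to its prefix, so errors from the catch-all server end up in a file literally called `off`; `error_log /dev/null crit;` is the usual way to silence it. In `location /ping`, `fastcgi_pass fpm;` is issued without `include fastcgi.conf;` or any `SCRIPT_NAME`, so PHP-FPM receives no script name to match against its ping.path and, as far as I can tell, will not answer; `fastcgi_param SCRIPT_NAME /ping;` alongside the standard params is needed there. The `listen 80 default_server;` line covers IPv4 only, whereas the other default-server file in this commit also binds `[::]:80`.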


@ -0,0 +1,24 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
# create dummy certificates, if you'd like to enable the following...
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
# to catch all domains not hosted here!
server_name _;
include globals/error-pages.conf;
location / {
# return nothing
# a Nginx specific error code
# return 444;
# or send error code 550 - not hosted here!
return 550;
}
}
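Review bot: With the 443 `listen` lines left commented, there is no default server for HTTPS, so a connection for an unknown or absent SNI name on port 443 is handed to the first server block that listens on 443 (here example.com's), which serves that site's certificate and content for every hostname pointed at the box. A `listen 443 ssl http2 default_server;` block with a self-signed placeholder certificate that returns 550 (or 444) is preferable, and on nginx 1.19.4 or newer `ssl_reject_handshake on;` achieves the same without any certificate; a comment describing this trade-off belongs next to the commented lines.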


@ -0,0 +1,57 @@
server {
listen 80;
listen [::]:80; # IPv6 support
listen 443 ssl http2;
listen [::]:443 ssl http2; # IPv6 support
server_name dev.example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/dev/sites/dev.example.com/public;
# ssl_certificate "/etc/letsencrypt/live/dev.example.com/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/dev.example.com/privkey.pem";
# access_log off;
access_log /var/log/nginx/dev-example.com-access.log;
error_log /var/log/nginx/dev-example.com-error.log;
# error_log /var/log/nginx/dev-example.com-error.log debug;
include "globals/restrictions.conf";
location ~* \.(?:css|js|jpg|jpeg|png|gif|ico|svg|ttf|eot|woff|otf)$ { expires max; try_files $uri @prod; }
location @prod {
proxy_pass https://0.0.0.0;
proxy_set_header Host "www.example.com";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
include fastcgi.conf;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass fpm-dev;
add_header "X-Cache" "MISS";
}
# The rewrite magic
location / { try_files $uri $uri/ /index.php$is_args$args; }
# include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
}
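Review bot: `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` are active while both `ssl_certificate` lines are commented out, so `nginx -t` rejects this server as written; either the listen lines should be commented alongside the certificate lines or the comment should say the certificate lines are mandatory. In `location @prod`, `proxy_pass https://0.0.0.0;` talks to a TLS origin without `proxy_ssl_server_name on;` (no SNI, so a name-based origin may present the wrong certificate) and with the default `proxy_ssl_verify off`, meaning the origin's certificate is never checked; `proxy_ssl_server_name on;` plus `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <ca-bundle-path>;` are the safe settings, and the 0.0.0.0 placeholder should be called out as such. The last commented include line labels `globals/wp-fastest-cache.conf` as `WP Rocket Cache plugin support`, a copy-paste slip.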


@ -0,0 +1,65 @@
# The primary template file for WordPress sites
# Feel free to follow the same pattern for other files in the /sites-available/ directory
# Remember to create a symlink to /sites-enabled/ to enable a site or configuration file
### server-level 301 redirect
# you are a fan of micro-optimization, please use the following to redirect www.example.com => example.com (301)
# server {
# listen 80;
# listen [::]:80; # IPv6 support
# server_name www.example.com;
# return 301 $scheme://example.com$request_uri;
# }
server {
listen 80;
listen [::]:80; # IPv6 support
server_name example.com;
server_name www.example.com; # hide this line, if you enable the server-level 301 redirect above
index index.php; # default file to serve
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
### Logs
access_log /var/log/nginx/example.com-access.log;
# if the log files become too large, you may use the following format. $loggable is defined in conf.d/common.conf
# access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
# ideally use it along with fail2ban
error_log /var/log/nginx/example.com-error.log;
# use the following pattern only for debugging - server support needed
# error_log /var/log/nginx/example.com-error.log debug;
# Optional configurations
# include "globals/auto-versioning-support.conf";
# include "globals/wordpress-seo-plugin-support.conf";
include "globals/restrictions.conf";
include "globals/assets.conf";
location ~* \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
include "fastcgi_params";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
add_header "X-Cache" "MISS";
}
### Enaable only one of the following lines
include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
# include "globals/cache-enabler.conf"; # Cache Enabler plugin support
# location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
}
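Review bot: `### Enaable only one of the following lines` is misspelled (`Enable`); the same typo recurs in the SSL WordPress template later in this commit. As a point of style, this template includes `fastcgi_params` while the dev template includes `fastcgi.conf`; since `fastcgi.conf` already defines SCRIPT_FILENAME, the explicit `fastcgi_param SCRIPT_FILENAME` line is only required with `fastcgi_params`, and settling on one of the two across sites-available would remove the ambiguity about which file defines the parameter.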

95
sites-available/ip.conf Normal file

@ -0,0 +1,95 @@
# safe to ignore, if you don't understand what it is doing!
server {
listen 80;
# please replace 127.0.0.1 with the actual IP of the server
server_name 127.0.0.1;
root /var/www/html;
### logs
# enable only one of the following
access_log off;
# access_log /var/log/nginx/ip-access.log; # simple log
# access_log /var/log/nginx/ip-access.log combined buffer=64k flush=5m if=$loggable; # log only non-2xx and non-3xx requests; $loggable is defined in conf.d/common.conf
# enable only one of the following
error_log off;
# error_log /var/log/nginx/ip-error.log;
# error_log /var/log/nginx/ip-error.log debug; # depends on server support
### PhpMyAdmin
# note: it's a bad idea to serve PhpMyAdmin via the server's IP as it is the known target by bad bots
# keeping it here for historical reasons
# location /phpmyadmin {
# include whitelist.conf;
# try_files $uri $uri/ /phpmyadmin/index.php$is_args$args;
# location ~* \.php$ {
# try_files $uri = 404;
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# include fastcgi.conf;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_index index.php;
# fastcgi_pass fpm;
# }
# }
# Nginx status
location = /nginxstatus {
stub_status on;
access_log off;
include whitelist.conf;
expires -1;
}
# PHP-FPM ping
location = /ping {
fastcgi_pass fpm;
include fastcgi_params;
include whitelist.conf;
expires -1;
}
# PHP-FPM status
location = /status {
fastcgi_pass fpm;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include whitelist.conf;
expires -1;
}
location /munin {
alias "/var/cache/munin/www";
try_files $uri $uri/ /index.html;
include whitelist.conf;
expires -1;
}
location /monit/ {
rewrite ^/monit/(.*) /$1 break;
proxy_pass http://127.0.0.1:2812;
# replace 127.0.0.2 with the IP of the server
# proxy_redirect http://127.0.0.1:2812/monit/ http://127.0.0.2/monit/;
include whitelist.conf;
expires -1;
}
# Redirect to the main site domainname.com
location / {
return $scheme://example.com$request_uri;
}
}
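Review bot: `location /munin { alias "/var/cache/munin/www"; ... }` pairs a prefix location without a trailing slash with an alias without one, which is the well-known nginx alias misconfiguration: a request path that begins with `/munin` but not with `/munin/` is resolved relative to the parent of the alias directory. Writing `location /munin/ { alias /var/cache/munin/www/; ... }` keeps prefix and alias consistent. The five `include whitelist.conf;` lines are also the only control in front of the nginx status, PHP-FPM ping/status, munin and monit endpoints, so the file name must match the allowlist file that actually ships with this configuration: a missing include makes nginx refuse the whole configuration, while an outdated one silently exposes these endpoints.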


@ -0,0 +1,69 @@
### No need to enable the following in wp-config.php
# define('FORCE_SSL_ADMIN', true);
# define('FORCE_SSL_LOGIN', true);
server {
listen 80;
server_name example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
include globals/assets.conf;
include globals/restrictions.conf;
location ~ \.php$ {
# Request to wp-login to go through HTTPS protocol
location ~ /wp-login\.php {
return 301 https://$host$request_uri;
}
# Process other requests
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
fastcgi_index index.php;
fastcgi_pass fpm;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
}
server {
listen 443 ssl;
server_name example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
# Generate Certificates
# http://wiki.nginx.org/HttpSslModule#Generate_Certificates
ssl_certificate /path/to/combined.crt;
ssl_certificate_key /path/to/server.key;
access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/example.com-error.log;
include globals/assets.conf;
include globals/restrictions.conf;
location ~ /wp-login\.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
# The rewrite magic
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
}
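Review bot: In the `listen 443 ssl` server only `wp-login.php` is handed to PHP-FPM; any other `.php` request, including the `/index.php` that `location /` falls back to, lands in `location /` and is served by `try_files $uri` as a static file, which discloses PHP source unless `globals/assets.conf` or `globals/restrictions.conf` (not shown here) defines a `.php` handler. Either add a `location ~ \.php$` block mirroring the one in the port-80 server, or document that the 443 server is meant to serve the login page only. Both FastCGI locations in this file also lack the `fastcgi_param HTTP_PROXY "";` httpoxy mitigation that the other templates carry; the same omission appears in the non-WordPress-root multisite, multisite-subdirectory, multisite-subdomain and Varnish templates that follow.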


@ -0,0 +1,73 @@
### Use case
# example.com has a non-WordPress installation at its root
# example.com/blogs is a WordPress multisite sub-directory installation
# example.com/blogs/blog1 is a site in WP multisite
# example.com/blogs/blog2 is another site in WP multisite
# The site would be accessed primarily as example.com (instead of www.example.com)
# Please replace blogs with the actual name of the sub-directory inwhich WP is (would be) installed
### Remember that IfIsEvil, if used inappropriately.
# Ref: http://wiki.nginx.org/IfIsEvil
# Redirect www.example.com/anything to example.com/anything
server {
listen 80;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
}
# Process requests to example.com
server {
listen 80;
server_name example.com;
index index.php;
# Change this to the actual location of non-WordPress files
root /home/username/sites/example.com/public;
# Logs
access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/example.com-error.log;
### modified version of globals/mu-files.conf;
# For uploads
if ( $uri ~ "files" ) {
rewrite ^/blogs/(?:.*/)?files/(.+) /blogs/wp-includes/ms-files.php?file=$1;
}
### modified version of globals/mu-dir.conf;
# For sub-directory redirects
# Only one would apply
# If two needed to be applied, it'd throw a 404
if (!-e $request_filename) {
rewrite ^/blogs/[_0-9a-zA-Z-]+(/wp-(content|admin|includes).*) /blogs$1 break;
rewrite ^/blogs/[_0-9a-zA-Z-]+(/.*\.php)$ /blogs$1 break;
}
# Process PHP requests
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
# To process WordPress site/s
location /blogs {
try_files $uri $uri/ /blogs/index.php$is_args$args;
}
# Let's include usual location directives, including 'location / { try files ; }' directive
# To process the non-WordPress PHP site
include globals/assets.conf;
include globals/restrictions.conf;
# The rewrite magic
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
}
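Review bot: `if ( $uri ~ "files" )` fires on any URI containing the substring `files`, including paths of the non-WordPress site at the root; the inner `rewrite` regex is what actually restricts the rewrite to `/blogs/.../files/`, so anchoring the guard as `if ($uri ~ "^/blogs/.*/files/")` would state the intent and keep the condition from matching unrelated requests. The `ms-files.php` rewrite only applies to multisite networks created before WordPress 3.5, which is worth stating in the comment above it since newer networks serve uploads from wp-content/uploads/sites. Also, `inwhich` in the header comment should read `in which`.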


@ -0,0 +1,42 @@
# Configuration for multisite - subdirectory
server {
listen 80;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
}
server {
listen 80;
server_name example.com;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
index index.php;
# logs
access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/example.com-error.log;
include "globals/mu-files.conf";
include "globals/mu-dir.conf";
include "globals/assets.conf";
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include "fastcgi.conf";
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass fpm;
}
# The rewrite magic
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
}
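Review bot: This multisite-subdirectory server never includes `globals/restrictions.conf`, whereas the subdomain variant right after it and every other WordPress template in the commit do. Whatever that file restricts (its contents are not visible here) is therefore not enforced on this vhost; `include "globals/restrictions.conf";` should be added next to `include "globals/assets.conf";`, ahead of the `.php` location so that any regex locations it defines keep priority.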


@ -0,0 +1,42 @@
# Configuration for multisite - subdomain
server {
listen 80;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
}
server {
listen 80;
server_name .example.com;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
index index.php;
# logs
access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/example.com-error.log;
include "globals/mu-files.conf";
include "globals/assets.conf";
include "globals/restrictions.conf";
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
# The rewrite magic
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
}


@ -0,0 +1,31 @@
# TODO:
# blog post explaining how it could be incorporated and useful, pros and cons of this setup
server {
listen 80;
server_name *.example.com example.net example.org;
# keep the files in the following way...
# site1.example.com at /path/to/sites/site1.example.com/public
# site2.example.com at /path/to/sites/site2.example.com/public
# site3.example.com at /path/to/sites/site3.example.com/public
# example.net at /path/to/sites/example.net/public
# example.org at /path/to/sites/example.org/public
root /path/to/sites/$host/public;
index index.php index.html;
# Let's have a common log for all the sites
# individual logs are not possible to create for each site
access_log /var/log/nginx/common-vhost-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/common-vhost-error.log error;
include "globals/restrictions.conf";
include "globals/assets.conf";
include "globals/php.conf";
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
}
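Review bot: `root /path/to/sites/$host/public;` lets the client-supplied Host header choose the document root on disk. That is only safe while the names reaching this block are bounded by `server_name *.example.com example.net example.org`, so this server must never become the default server for its listen address; the catch-all `server_name _;` block earlier in this commit should stay in place, and a comment such as `# never make this the default_server: $host selects the filesystem path` next to the `root` line would stop a later operator from removing that safeguard. A more robust variant maps `$host` onto a fixed set of directories with a `map` block so that unexpected names resolve to an empty root.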


@ -0,0 +1,38 @@
iserver {
listen 80;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
}
server {
listen 80;
server_name example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/example.com-error.log;
include "globals/assets.conf";
include "globals/restrictions.conf";
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~ \.php$ {
proxy_pass http://apache;
include proxy_params;
}
location @backend {
proxy_pass http://varnish;
include proxy_params;
}
location / {
try_files $uri @backend;
}
}
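Review bot: `iserver {` on the first line is a typo for `server {`; nginx will reject the file with an unknown-directive error as soon as it is symlinked into sites-enabled. Separately, `rewrite /wp-admin$ $scheme://$host$uri/ permanent;` builds its redirect target from `$host`, which is acceptable here because `server_name example.com` bounds the names that reach this block, but it is worth a comment so the block is not later turned into a default server.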


@ -0,0 +1,82 @@
server {
listen 80;
server_name example.com;
# Replace the path with the actual path to WordPress core files
root "/home/username/sites/example.com/public";
index index.php;
# Logs - do check these, if sth goes wrong
access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/example.com-error.log;
include globals/restrictions.conf;
include globals/assets.conf;
location / {
error_page 418 = @phpfpm;
if ($request_method = POST) { return 418; }
if ($http_cookie ~* "wordpress_logged_in") { return 418; }
if ($http_cookie ~* "comment_") { return 418; }
if ($http_cookie ~* "wp_postpass_") { return 418; }
proxy_pass http://varnish;
include proxy.conf;
}
location @phpfpm {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
location ~ /wp-admin {
try_files $uri $uri/ /index.php$is_args$args;
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
}
}
# To serve requests from Varnish
# Setup Varnish to use 127.0.0.1:82 as backend for this domain
server {
listen 127.0.0.1:82;
server_name example.com;
# Replace the path with the actual path to WordPress core files
root "/home/username/sites/example.com/public";
index index.php;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include "fastcgi.conf";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
}
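Review bot: The backend server on `listen 127.0.0.1:82` includes neither `globals/restrictions.conf` nor the httpoxy mitigation `fastcgi_param HTTP_PROXY "";`, so the restrictions the public server applies are enforced only at the front; any request that reaches port 82 through Varnish without first passing the port-80 server (for instance if Varnish itself is reachable from the network) hits PHP without them. Adding the same includes to the backend server keeps the protection independent of the request path. `location ~ /wp-admin` is also unanchored and matches `/wp-admin` anywhere in the URI; `location ~ ^/wp-admin` states the intent.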


@ -0,0 +1,61 @@
### IMPORTANT
### If phpMyAdmin is accessed via a different port
### as in the case of a Varnish -> Nginx setup, please do the following
### SET $cfg['PmaAbsoluteUri'] = 'http://your.domain.com/path/to/phpmyadmin/'; in config.inc.php
### Ref: http://serverfault.com/questions/246300/running-phpmyadmin-on-nginx-port-8080-passed-to-varnish-not-working-well
### Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1340187&group_id=23067&atid=377409
# http => https
server {
listen 80;
listen [::]:80; # IPv6 support
server_name pma.example.com;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/pma.example.com/public;
# for LetsEncrypt
location ^~ /.well-known/acme-challenge {
auth_basic off;
try_files $uri =404;
expires -1;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name pma.example.com;
index index.php;
# Replace the path with the actual path to Phpmyadmin core files
root /home/username/sites/pma.example.com/public;
access_log /var/log/nginx/pma.example.com-access.log combined buffer=64k flush=5m if=$loggable; # $loggable is defined in conf.d/common.conf
error_log /var/log/nginx/pma.example.com-error.log;
ssl_certificate "/etc/letsencrypt/live/pma.example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/pma.example.com/privkey.pem";
include globals/restrictions.conf;
include globals/assets.conf;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
include "fastcgi_params";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
}
location / { try_files $uri $uri/ /index.php$is_args$args; }
}
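Review bot: The HTTPS phpMyAdmin server has no access control beyond `globals/restrictions.conf` — no `auth_basic`, no allowlist include — even though `auth_basic off;` in the ACME location implies one is expected, and the ip.conf template in this commit guards the same application with `include whitelist.conf;`. An `auth_basic`/`auth_basic_user_file` pair or an allowlist include at server level in the `listen 443 ssl http2` block would close that gap. The comment `# Replace the path with the actual path to WordPress core files` on the port-80 server is a copy-paste leftover; the 443 server's `Phpmyadmin core files` wording is the correct one.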


@ -0,0 +1,104 @@
# http => https
server {
listen 80;
listen [::]:80; # IPv6 support
server_name example.com www.example.com;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
# for LetsEncrypt
location ^~ /.well-known/acme-challenge {
auth_basic off;
try_files $uri =404;
expires -1;
}
location / {
return 301 https://$host$request_uri;
include 'globals/hsts.conf';
include 'globals/security-headers.conf';
}
}
# www.example.com => example.com (server-level)
# Or example.com => www.example.com (server-level)
# use it only if you are a fan of micro-optimization
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2; # IPv6 support
# uncomment only one depending on the main URL
# server_name example.com;
# server_name www.example.com;
# ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
# location / {
# uncomment only one depending on the main URL
# return 301 $scheme://www.example.com$request_uri;
# return 301 $scheme://example.com$request_uri;
# include 'globals/hsts.conf';
# include 'globals/security-headers.conf';
# }
# }
server {
# "http2" parameter of the "listen" directive is deprecated as of version 1.25.1 released on June 13, 2023
listen 443 ssl http2;
listen [::]:443 ssl http2; # IPv6 support
# since Nginx version 1.25.1
# https on;
# the main URL where the site is served. It could be www.example.com
server_name example.com;
# comment out the following line, if you enable the server-level 301 redirect above
server_name www.example.com;
# default file to serve
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
# if you use an ACME client that stores the SSL certs in a different path, please update the following
ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
# Logs
access_log /var/log/nginx/example.com-access.log;
# if the log files become too large, you may use the following format. $loggable is defined in conf.d/common.conf
# access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
# ideally use it along with fail2ban
error_log /var/log/nginx/example.com-error.log;
# use the following pattern only for debugging - server support needed
# error_log /var/log/nginx/example.com-error.log debug;
include globals/restrictions.conf;
include globals/assets.conf;
include globals/auto-versioning-support.conf;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
include "fastcgi_params";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
include 'globals/hsts.conf';
include 'globals/security-headers.conf';
}
### Enaable only one of the following lines
include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
# include "globals/cache-enabler.conf"; # Cache Enabler plugin support
# location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
}
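Review bot: `# https on;` right after the http2 deprecation note names a directive that does not exist; the replacement for the `http2` listen parameter is `http2 on;`, so the comment should read `# http2 on;` to give anyone uncommenting it a valid configuration. `include 'globals/hsts.conf'` and `include 'globals/security-headers.conf'` are pulled in only inside `location ~ \.php$`; because nginx does not inherit `add_header` into a level that declares its own, responses produced by the assets and cache-plugin includes will lack those headers unless those files set them as well, so including them at server level covers every location that does not declare its own `add_header` (the static-site template that follows has the same shape). `### Enaable` is misspelled.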


@ -0,0 +1,74 @@
# http => https
server {
listen 80;
listen [::]:80; # IPv6 support
server_name example.com www.example.com;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
# for LetsEncrypt
location ^~ /.well-known/acme-challenge {
auth_basic off;
try_files $uri =404;
expires -1;
}
location / {
return 301 https://$host$request_uri;
include 'globals/hsts.conf';
include 'globals/security-headers.conf';
}
}
# www.example.com => example.com (server-level)
# use it only if you are a fan of micro-optimization
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2; # IPv6 support
# server_name www.example.com;
# ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
# location / {
# return 301 $scheme://example.com$request_uri;
# include 'globals/hsts.conf';
# include 'globals/security-headers.conf';
# }
# }
server {
listen 443 ssl http2;
listen [::]:443 ssl http2; # IPv6 support
server_name example.com;
# hide the following line, if you enable the server-level 301 redirect above
server_name www.example.com;
# default file to serve
index index.html;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;
ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
# Logs
access_log /var/log/nginx/example.com-access.log;
error_log /var/log/nginx/example.com-error.log;
include globals/restrictions.conf;
include globals/assets.conf;
include globals/auto-versioning-support.conf;
location / {
try_files $uri $uri/ =404;
# you may adjust the expiry information here!
# expires 30m; # since static content rarely changes, it is safe to keep it to 30 minutes. YMMV.
include 'globals/hsts.conf';
include 'globals/security-headers.conf';
}
}
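Review bot: `# Replace the path with the actual path to WordPress core files` above `root` is copied from the WordPress templates, but this server serves static files only (`index index.html`, no PHP location), so the comment should read `# Replace the path with the actual path to the static site's files`. The same leftover wording appears on the port-80 server in this file.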


@ -0,0 +1,33 @@
server {
listen 80;
listen [::]:80; # IPv6 support
server_name wpfc.example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root /home/username/sites/wpsc.example.com/public;
access_log /var/log/nginx/wp-fastest-cache.example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/wp-fastest-cache.example.com-error.log;
include "globals/assets.conf";
include "globals/restrictions.conf";
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
include fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
add_header "X-Cache" "MISS";
}
include "globals/wp-fastest-cache.conf";
}
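Review bot: `root /home/username/sites/wpsc.example.com/public;` points the `wpfc.example.com` vhost at the `wpsc` site's directory, while the log files are named `wp-fastest-cache.example.com-*`; the root should be `/home/username/sites/wpfc.example.com/public` to match `server_name`, and the log names should follow the same convention so an operator can tell the two cache-plugin templates apart.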


@ -0,0 +1,33 @@
server {
listen 80;
listen [::]:80; # IPv6 support
server_name wpsc.example.com;
index index.php;
# Replace the path with the actual path to WordPress core files
root "/home/username/sites/wpsc.example.com/public";
access_log /var/log/nginx/wpsc.example.com-access.log combined buffer=64k flush=5m if=$loggable;
error_log /var/log/nginx/wpsc.example.com-error.log;
include "globals/assets.conf";
include "globals/restrictions.conf";
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
include fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;
add_header "X-Cache" "MISS";
}
include "globals/wp-super-cache.conf";
}