diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..64f4b81
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Pothi Kalimuthu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/allowlist.conf b/allowlist.conf
new file mode 100644
index 0000000..2acf200
--- /dev/null
+++ b/allowlist.conf
@@ -0,0 +1,15 @@
+# please use the following format...
+# allow ip.add.re.ss;
+# both ipv4 and ipv6 addresses can be whitelisted
+# CIDR notation is allowed too
+
+
+# allow ip.add.re.ss1;
+# allow ip.add.re.ss2;
+# allow ip.add.re.ss3;
+
+
+# Please do *not* change the following lines
+allow 127.0.0.1;
+deny all;
+# End of file - No more lines, please!
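Review bot: The fixed tail of this file allows only `127.0.0.1` before `deny all;`, although the header comment says IPv6 addresses are supported. A local health check or admin request that arrives over the IPv6 loopback would be rejected wherever this file is included. Add `allow ::1;` next to the IPv4 entry so both loopback forms behave the same.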
diff --git a/changelog.txt b/changelog.txt
new file mode 100644
index 0000000..e3d0597
--- /dev/null
+++ b/changelog.txt
@@ -0,0 +1,21 @@
+v3.0
+- Released on May 9, 2018
+- Rename wprocket.conf to wp-rocket.conf
+- Rename wpsupercache.conf to wp-super-cache.conf
+- Added Cloudflare support.
+- IPv6 support added.
+- WebP support.
+- Other minor changes.
+
+v2.0
+- released on Dec 20, 2017
+- changed filename globals/common-locations.conf to globals/assets.conf
+- other minor changes
+
+v1.0
+- released on April 23, 2017
+- uniform naming scheme for domain names
+- uniform naming scheme for default files
+- introduction of blacklist and whitelist for IP addresses
+- fix tab/space conflict; now we use only spaces
+- enable gzip by default
diff --git a/conf.d/common.conf b/conf.d/common.conf
new file mode 100644
index 0000000..9896d8e
--- /dev/null
+++ b/conf.d/common.conf
@@ -0,0 +1,90 @@
+### common directives and settings
+
+index index.html index.php;
+
+# Ref: https://gist.github.com/magnetikonline/11312172
+fastcgi_buffers 32 32k;
+fastcgi_buffer_size 32k;
+
+proxy_buffers 8 32k;
+proxy_buffer_size 64k;
+# -------------------------------------------------------------------
+
+# for time-consuming operations (such as WP import or file upload)
+# https://nginx.org/r/fastcgi_read_timeout
+# default 60 seconds
+fastcgi_read_timeout 5m;
+
+# -------------------------------------------------------------------
+
+### To enable large uploads
+# Please make sure the corresponding PHP values are increased as well
+# post_max_size = 8M (default)
+# upload_max_filesize = 2M (default)
+
+client_max_body_size 2G;
+
+# -------------------------------------------------------------------
+
+### To fix the error - could not build the server_names_hash
+# ref: https://nginx.org/en/docs/hash.html
+server_names_hash_bucket_size 128;
+
+# -------------------------------------------------------------------
+
+# for extended metrics (in Amplify, etc)
+log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '"$host" sn="$server_name" '
+ 'rt=$request_time '
+ 'ua="$upstream_addr" us="$upstream_status" '
+ 'ut="$upstream_response_time" ul="$upstream_response_length" '
+ 'cs=$upstream_cache_status' ;
+
+# -------------------------------------------------------------------
+
+# For SSL Compatibility - WP Super Cache and WP Rocket depend on this
+map $scheme $https_suffix { default ''; https '-https'; }
+
+# -------------------------------------------------------------------
+
+### Fine-tune logging
+# ref: https://nginx.org/r/access_log
+map $status $loggable {
+ ~^[23] 0;
+ default 1;
+}
+
+# -------------------------------------------------------------------
+
+# https://jdh8.github.io/charset-for-text-on-nginx/
+map $sent_http_content_type $charset {
+ ~^text/ utf-8;
+}
+
+charset $charset;
+charset_types *;
+
+# -------------------------------------------------------------------
+
+# if you'd like to hide some header info, uncomment this
+# include globals/hide-headers.conf;
+
+# -------------------------------------------------------------------
+#
+# if you'd like to use cloudflare servers, uncomment this
+# include globals/cloudflare.conf;
+# include globals/sucuri-real-ip.conf;
+
+# -------------------------------------------------------------------
+
+# webp support
+# see: https://docs.ewww.io/article/16-ewww-io-and-webp-images
+
+map $http_accept $webp_suffix {
+ default "";
+ "~*webp" ".webp";
+}
+
+# -------------------------------------------------------------------
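Review bot: `client_max_body_size 2G;` sits in a file that also carries `map`, `log_format` and `server_names_hash_bucket_size`, so it is loaded at http level and becomes the request-body limit for every virtual host and every location. Combined with `fastcgi_read_timeout 5m;`, any client can tie up a connection and temp storage with a multi-gigabyte body on endpoints that never accept uploads. Keep a small default here, e.g. `client_max_body_size 16m;` (constructed value), and raise it only in the upload or import location of the sites that need it. The comment above the directive already notes PHP's 8M/2M defaults, so the 2G value gains nothing until PHP is raised as well.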
diff --git a/conf.d/gzip.conf b/conf.d/gzip.conf
new file mode 100644
index 0000000..29e01bd
--- /dev/null
+++ b/conf.d/gzip.conf
@@ -0,0 +1,29 @@
+##
+# Gzip Settings
+##
+
+# uncomment the following, if your nginx.conf already doesn't have it turned on
+# gzip on;
+
+gzip_disable "msie6";
+
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+
+gzip_types
+ text/plain
+ text/css
+ text/xml
+ text/javascript
+ image/svg+xml
+ application/json
+ application/javascript
+ application/x-javascript
+ application/xml
+ application/atom+xml
+ application/xml+rss;
+
+# Uncomment the following, if Amazon CloudFront is used
+# gzip_http_version 1.0;
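Review bot: `application/xml+rss` at the end of `gzip_types` is not the media type RSS feeds are served with; the usual spelling is `application/rss+xml`, which is also what `globals/brotli.conf` in this same commit lists. As written, RSS responses would not match and would go out uncompressed. Change the last entry to `application/rss+xml;`.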
diff --git a/conf.d/lb.conf b/conf.d/lb.conf
new file mode 100644
index 0000000..3d52540
--- /dev/null
+++ b/conf.d/lb.conf
@@ -0,0 +1,17 @@
+# In most cases, only one upstream server should be present
+
+# Apache backend
+upstream apache { server 127.0.0.1:81; }
+
+# Varnish backend
+upstream varnish { server 127.0.0.1:6081; }
+
+# PHP-FPM backend
+# Only one server should be present in all cases
+upstream fpm {
+ # server unix:/path/to/socket;
+ server unix:/var/lock/php-fpm;
+
+ # server 127.0.0.1:9000;
+ # server ip.ip.ip.ip:port;
+}
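Review bot: The active `fpm` upstream points at `unix:/var/lock/php-fpm`, and on many distributions `/var/lock` is a world-writable sticky directory. Another local account could occupy that path while PHP-FPM is down, and nginx would then pass FastCGI requests, including cookies and POST bodies, to whatever is listening there. Use a directory that only root and the FPM user can write to, e.g. `server unix:/run/php/php-fpm.sock;` (constructed path, match the pool's `listen` setting), and keep the pool's `listen.owner`/`listen.mode` restricted to the nginx user.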
diff --git a/conf.d/ssl-common.conf b/conf.d/ssl-common.conf
new file mode 100644
index 0000000..4774762
--- /dev/null
+++ b/conf.d/ssl-common.conf
@@ -0,0 +1,15 @@
+ssl_prefer_server_ciphers on;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+
+# From https://weakdh.org/sysadmin.html
+# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+# From https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+# run "openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option
+# ssl_dhparam /etc/nginx/dhparam.pem;
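Review bot: The comment above `ssl_dhparam` tells the operator to run `openssl dhparam -dsaparam ...`, which produces DSA-style parameters instead of a safe prime; OpenSSL's documentation warns these are only appropriate when a fresh DH key is created for every use. Drop the flag: `# run "openssl dhparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option`. The active `ssl_ciphers` list contains no DHE suites, so `ssl_dhparam` has no effect unless the list changes, which is worth saying in the same comment. The list is labelled Modern but still carries CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`); with `ssl_protocols TLSv1.2 TLSv1.3;` the GCM and CHACHA20 entries should be enough for current clients.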
diff --git a/denylist.conf b/denylist.conf
new file mode 100644
index 0000000..e4b28cf
--- /dev/null
+++ b/denylist.conf
@@ -0,0 +1,9 @@
+# please use the following format...
+# deny ip.add.re.ss;
+# both ipv4 and ipv6 addresses can be blacklisted
+# CIDR notation is allowed too
+
+
+# deny ip.add.re.ss1;
+# deny ip.add.re.ss2;
+# deny ip.add.re.ss3;
diff --git a/errors/403.html b/errors/403.html
new file mode 100644
index 0000000..b431619
--- /dev/null
+++ b/errors/403.html
@@ -0,0 +1,7 @@
+
+
403 Forbidden
+
+403 Forbidden
+
+
+
diff --git a/errors/404.html b/errors/404.html
new file mode 100644
index 0000000..c9f1e9f
--- /dev/null
+++ b/errors/404.html
@@ -0,0 +1,7 @@
+
+404 Not Found
+
+404 Not Found
+
+
+
diff --git a/errors/550.html b/errors/550.html
new file mode 100644
index 0000000..f24eac7
--- /dev/null
+++ b/errors/550.html
@@ -0,0 +1,8 @@
+
+550 Domain not hosted here
+
+ 550 - Domain is not hosted here!
Probably, it is a mistake by the server administrator!
+
+
+
+
diff --git a/fastcgi.conf b/fastcgi.conf
new file mode 100644
index 0000000..765b6f0
--- /dev/null
+++ b/fastcgi.conf
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
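Review bot: Neither this file nor `fastcgi_params` (identical content, same blob id 765b6f0) clears the client's `Proxy` request header, so it reaches PHP as `HTTP_PROXY` (the httpoxy issue); add `fastcgi_param HTTP_PROXY "";` to both files. Unlike the stock nginx `fastcgi.conf`, this copy also sets no `SCRIPT_FILENAME`, so every location that includes it has to supply `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` itself. A one-line comment at the top saying so would save the next person a blank-page debugging session.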
diff --git a/fastcgi_params b/fastcgi_params
new file mode 100644
index 0000000..765b6f0
--- /dev/null
+++ b/fastcgi_params
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/globals/assets.conf b/globals/assets.conf
new file mode 100644
index 0000000..f79920d
--- /dev/null
+++ b/globals/assets.conf
@@ -0,0 +1,58 @@
+# Set expires for static files
+
+# Note to self (and to anyone forks it)
+# Some sites create robots.txt and sitemap(.xml(.gz)) files on the fly
+# If you are sure that they are indeed static, uncomment the following location blocks for each and adject the expires headers to fit your site's needs
+# location = /robots.txt { expires 1d; log_not_found off; access_log off; }
+# location ~ \.xml(\.gz)?$ { expires 600s; log_not_found off; access_log off; }
+
+# For CSS / JS
+location ~ \.(?:css|js)$ {
+ expires max;
+ log_not_found off;
+ access_log off;
+ add_header X-Content-Type-Options "nosniff";
+}
+
+# Web fonts needs some special care
+# Reference: http://jmoiron.net/blog/serving-fonts-aws-cloudfront/
+location ~ \.(?:ttf|ttc|eot|woff|woff2|otf|svg)$ {
+ # Safe to use the following line
+ add_header Access-Control-Allow-Origin "*";
+
+ # use the following with caution!
+ # add_header Access-Control-Allow-Origin "http://*.example.com";
+
+ expires max;
+ log_not_found off;
+ access_log off;
+}
+
+# Referers for images
+location ~ \.(?:gif|ico|webp)$ {
+ ### Please change the domainname before uncommenting the following
+ # valid_referers none blocked www.example.com example.com;
+ # if ($invalid_referer) { return 403; }
+
+ expires max;
+ log_not_found off;
+ access_log off;
+}
+
+location ~* ^.+\.(png|jpe?g)$ {
+ ### Please change the domainname before uncommenting the following
+ # valid_referers none blocked www.example.com example.com;
+ # if ($invalid_referer) { return 403; }
+
+ # add_header Vary Accept;
+ # see https://docs.ewww.io/article/16-ewww-io-and-webp-images
+ try_files $uri$webp_suffix $uri =404;
+ expires max;
+ log_not_found off;
+ access_log off;
+}
+
+# Feeds
+location ~ \.(?:rss|atom)$ {
+ expires 600s; # 10 minutes
+}
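Review bot: The `add_header` lines in the CSS/JS and web-font locations replace, rather than extend, any `add_header` set at server or http level, because nginx inherits `add_header` only when the current level defines none. If a site sets HSTS, a CSP or `X-Frame-Options` in its server block, those headers drop off every `.css`, `.js`, font and `.svg` response. Repeat the site-wide headers in these locations or pull them from one shared include, and add `add_header X-Content-Type-Options "nosniff";` to the font/SVG block too, since it sends `Access-Control-Allow-Origin "*"`. Separately, the png/jpeg location picks `$uri$webp_suffix` from the `Accept` header with `expires max` while `add_header Vary Accept;` is commented out, so a shared cache may hand WebP to a client that did not ask for it.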
diff --git a/globals/auto-versioning-support.conf b/globals/auto-versioning-support.conf
new file mode 100644
index 0000000..337d586
--- /dev/null
+++ b/globals/auto-versioning-support.conf
@@ -0,0 +1,5 @@
+
+# Auto-versioning support
+# Ref: http://w-shadow.com/blog/2012/07/30/automatic-versioning-of-css-js/
+rewrite "^(.*)\.[\d]{10}\.(css|js)$" $1.$2 last;
+
diff --git a/globals/brotli.conf b/globals/brotli.conf
new file mode 100644
index 0000000..42229b4
--- /dev/null
+++ b/globals/brotli.conf
@@ -0,0 +1,34 @@
+# turn on brotli compression
+brotli on;
+
+# based on research at Akamai: https://blogs.akamai.com/2016/02/understanding-brotlis-potential.html
+brotli_comp_level 4;
+# as per Google sample config available at https://github.com/google/ngx_brotli#sample-configuration
+# brotli_comp_level 6;
+
+# enable static file serving, if available
+brotli_static on;
+
+brotli_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-opentype
+ application/x-font-truetype
+ application/x-font-ttf
+ application/x-javascript
+ application/xhtml+xml
+ application/xml
+ font/eotfont/opentype
+ font/otf
+ font/truetype
+ image/svg+xml
+ image/vnd.microsoft.icon
+ image/x-icon
+ image/x-win-bitmap
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
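Review bot: `font/eotfont/opentype` in `brotli_types` looks like two entries that lost their line break. As written it matches no real media type, so responses typed `font/eot` or `font/opentype` would not be compressed. Split it into two lines, `font/eot` and `font/opentype`.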
diff --git a/globals/bunnycdn-ip-list.conf b/globals/bunnycdn-ip-list.conf
new file mode 100644
index 0000000..1288fc6
--- /dev/null
+++ b/globals/bunnycdn-ip-list.conf
@@ -0,0 +1,558 @@
+set_real_ip_from 84.17.46.50;
+set_real_ip_from 89.187.188.227;
+set_real_ip_from 89.187.188.228;
+set_real_ip_from 185.180.14.250;
+set_real_ip_from 185.93.1.241;
+set_real_ip_from 195.181.163.193;
+set_real_ip_from 89.187.162.244;
+set_real_ip_from 139.180.134.196;
+set_real_ip_from 51.83.238.53;
+set_real_ip_from 89.38.96.158;
+set_real_ip_from 89.187.162.249;
+set_real_ip_from 89.187.162.242;
+set_real_ip_from 185.102.217.65;
+set_real_ip_from 185.93.1.243;
+set_real_ip_from 156.146.40.49;
+set_real_ip_from 185.59.220.199;
+set_real_ip_from 185.59.220.198;
+set_real_ip_from 195.181.166.158;
+set_real_ip_from 185.180.12.68;
+set_real_ip_from 138.199.24.209;
+set_real_ip_from 138.199.24.211;
+set_real_ip_from 89.187.169.3;
+set_real_ip_from 89.187.169.39;
+set_real_ip_from 89.187.169.47;
+set_real_ip_from 5.188.120.15;
+set_real_ip_from 138.199.24.218;
+set_real_ip_from 138.199.24.219;
+set_real_ip_from 138.199.46.65;
+set_real_ip_from 185.40.106.117;
+set_real_ip_from 200.25.45.4;
+set_real_ip_from 200.25.57.5;
+set_real_ip_from 200.25.11.8;
+set_real_ip_from 200.25.53.5;
+set_real_ip_from 200.25.13.98;
+set_real_ip_from 107.155.21.186;
+set_real_ip_from 107.155.27.226;
+set_real_ip_from 41.242.2.18;
+set_real_ip_from 200.25.62.5;
+set_real_ip_from 200.25.38.69;
+set_real_ip_from 200.25.42.70;
+set_real_ip_from 200.25.36.166;
+set_real_ip_from 195.206.229.106;
+set_real_ip_from 92.223.88.123;
+set_real_ip_from 84.17.46.52;
+set_real_ip_from 194.242.11.186;
+set_real_ip_from 37.19.203.80;
+set_real_ip_from 65.108.101.60;
+set_real_ip_from 185.164.35.8;
+set_real_ip_from 185.173.226.42;
+set_real_ip_from 195.69.143.190;
+set_real_ip_from 94.20.154.22;
+set_real_ip_from 185.93.1.244;
+set_real_ip_from 89.38.224.138;
+set_real_ip_from 213.170.143.68;
+set_real_ip_from 156.59.145.154;
+set_real_ip_from 143.244.49.177;
+set_real_ip_from 138.199.46.66;
+set_real_ip_from 138.199.37.227;
+set_real_ip_from 138.199.37.231;
+set_real_ip_from 138.199.37.230;
+set_real_ip_from 138.199.37.229;
+set_real_ip_from 103.216.222.103;
+set_real_ip_from 138.199.46.69;
+set_real_ip_from 138.199.46.68;
+set_real_ip_from 138.199.46.67;
+set_real_ip_from 185.93.1.246;
+set_real_ip_from 103.216.222.105;
+set_real_ip_from 103.216.222.107;
+set_real_ip_from 138.199.37.232;
+set_real_ip_from 103.216.222.109;
+set_real_ip_from 195.181.163.196;
+set_real_ip_from 107.182.163.162;
+set_real_ip_from 195.181.163.195;
+set_real_ip_from 84.17.46.53;
+set_real_ip_from 212.102.40.114;
+set_real_ip_from 84.17.46.54;
+set_real_ip_from 138.199.40.58;
+set_real_ip_from 143.244.38.134;
+set_real_ip_from 185.152.64.17;
+set_real_ip_from 84.17.59.115;
+set_real_ip_from 89.187.165.194;
+set_real_ip_from 103.216.222.111;
+set_real_ip_from 138.199.15.193;
+set_real_ip_from 89.35.237.170;
+set_real_ip_from 37.19.216.130;
+set_real_ip_from 185.93.1.247;
+set_real_ip_from 185.93.3.244;
+set_real_ip_from 180.149.231.39;
+set_real_ip_from 143.244.49.179;
+set_real_ip_from 143.244.49.180;
+set_real_ip_from 138.199.9.104;
+set_real_ip_from 122.10.251.138;
+set_real_ip_from 185.152.66.243;
+set_real_ip_from 143.244.49.178;
+set_real_ip_from 169.150.221.147;
+set_real_ip_from 146.59.68.188;
+set_real_ip_from 200.25.18.73;
+set_real_ip_from 84.17.63.178;
+set_real_ip_from 200.25.32.131;
+set_real_ip_from 37.19.207.34;
+set_real_ip_from 204.16.244.131;
+set_real_ip_from 208.83.234.216;
+set_real_ip_from 134.195.197.175;
+set_real_ip_from 192.189.65.146;
+set_real_ip_from 143.244.45.177;
+set_real_ip_from 185.93.1.249;
+set_real_ip_from 185.93.1.250;
+set_real_ip_from 169.150.215.115;
+set_real_ip_from 209.177.87.197;
+set_real_ip_from 156.146.56.162;
+set_real_ip_from 156.146.56.161;
+set_real_ip_from 185.93.2.246;
+set_real_ip_from 185.93.2.245;
+set_real_ip_from 212.102.50.58;
+set_real_ip_from 212.102.40.113;
+set_real_ip_from 185.93.2.244;
+set_real_ip_from 158.69.123.215;
+set_real_ip_from 143.244.50.82;
+set_real_ip_from 143.244.50.83;
+set_real_ip_from 156.146.56.163;
+set_real_ip_from 129.227.9.2;
+set_real_ip_from 185.135.85.154;
+set_real_ip_from 185.165.170.74;
+set_real_ip_from 129.227.217.178;
+set_real_ip_from 200.25.69.94;
+set_real_ip_from 128.1.52.179;
+set_real_ip_from 200.25.16.103;
+set_real_ip_from 15.235.54.226;
+set_real_ip_from 102.67.138.155;
+set_real_ip_from 156.59.126.78;
+set_real_ip_from 192.34.87.166;
+set_real_ip_from 102.219.177.93;
+set_real_ip_from 146.70.80.218;
+set_real_ip_from 156.146.43.65;
+set_real_ip_from 195.181.163.203;
+set_real_ip_from 195.181.163.202;
+set_real_ip_from 156.146.56.169;
+set_real_ip_from 156.146.56.170;
+set_real_ip_from 156.146.56.166;
+set_real_ip_from 156.146.56.171;
+set_real_ip_from 169.150.207.210;
+set_real_ip_from 156.146.56.167;
+set_real_ip_from 143.244.50.84;
+set_real_ip_from 143.244.50.85;
+set_real_ip_from 143.244.50.86;
+set_real_ip_from 143.244.50.87;
+set_real_ip_from 156.146.56.168;
+set_real_ip_from 169.150.207.211;
+set_real_ip_from 212.102.50.59;
+set_real_ip_from 146.185.248.15;
+set_real_ip_from 143.244.50.90;
+set_real_ip_from 143.244.50.91;
+set_real_ip_from 143.244.50.88;
+set_real_ip_from 143.244.50.209;
+set_real_ip_from 143.244.50.213;
+set_real_ip_from 143.244.50.214;
+set_real_ip_from 143.244.49.183;
+set_real_ip_from 143.244.50.89;
+set_real_ip_from 143.244.50.210;
+set_real_ip_from 143.244.50.211;
+set_real_ip_from 143.244.50.212;
+set_real_ip_from 138.199.4.137;
+set_real_ip_from 5.42.206.66;
+set_real_ip_from 94.46.175.183;
+set_real_ip_from 38.54.2.20;
+set_real_ip_from 38.54.4.6;
+set_real_ip_from 182.93.93.90;
+set_real_ip_from 169.150.207.57;
+set_real_ip_from 169.150.207.58;
+set_real_ip_from 81.30.157.81;
+set_real_ip_from 128.1.104.170;
+set_real_ip_from 169.150.207.213;
+set_real_ip_from 169.150.207.214;
+set_real_ip_from 169.150.207.215;
+set_real_ip_from 169.150.207.212;
+set_real_ip_from 169.150.219.114;
+set_real_ip_from 62.113.194.3;
+set_real_ip_from 169.150.202.210;
+set_real_ip_from 169.150.242.193;
+set_real_ip_from 185.93.1.251;
+set_real_ip_from 169.150.207.216;
+set_real_ip_from 169.150.207.217;
+set_real_ip_from 169.150.238.19;
+set_real_ip_from 102.219.126.20;
+set_real_ip_from 138.199.36.4;
+set_real_ip_from 138.199.36.5;
+set_real_ip_from 156.59.67.118;
+set_real_ip_from 122.10.251.130;
+set_real_ip_from 185.24.11.18;
+set_real_ip_from 138.199.36.7;
+set_real_ip_from 138.199.36.8;
+set_real_ip_from 138.199.36.9;
+set_real_ip_from 138.199.36.10;
+set_real_ip_from 138.199.36.11;
+set_real_ip_from 138.199.37.225;
+set_real_ip_from 84.17.46.49;
+set_real_ip_from 138.199.4.177;
+set_real_ip_from 84.17.37.217;
+set_real_ip_from 169.150.225.35;
+set_real_ip_from 169.150.225.36;
+set_real_ip_from 169.150.225.37;
+set_real_ip_from 169.150.225.38;
+set_real_ip_from 169.150.225.39;
+set_real_ip_from 169.150.225.34;
+set_real_ip_from 169.150.236.97;
+set_real_ip_from 169.150.236.98;
+set_real_ip_from 169.150.236.99;
+set_real_ip_from 169.150.236.100;
+set_real_ip_from 93.189.63.146;
+set_real_ip_from 143.244.56.49;
+set_real_ip_from 143.244.56.50;
+set_real_ip_from 143.244.56.51;
+set_real_ip_from 169.150.247.40;
+set_real_ip_from 169.150.247.33;
+set_real_ip_from 169.150.247.34;
+set_real_ip_from 169.150.247.35;
+set_real_ip_from 169.150.247.36;
+set_real_ip_from 169.150.247.37;
+set_real_ip_from 169.150.247.38;
+set_real_ip_from 169.150.247.39;
+set_real_ip_from 95.217.227.2;
+set_real_ip_from 38.142.94.218;
+set_real_ip_from 87.249.137.52;
+set_real_ip_from 138.199.46.75;
+set_real_ip_from 38.104.169.186;
+set_real_ip_from 89.187.162.241;
+set_real_ip_from 66.181.163.74;
+set_real_ip_from 84.17.38.227;
+set_real_ip_from 84.17.38.228;
+set_real_ip_from 84.17.38.229;
+set_real_ip_from 84.17.38.230;
+set_real_ip_from 84.17.38.231;
+set_real_ip_from 84.17.38.232;
+set_real_ip_from 169.150.225.41;
+set_real_ip_from 169.150.225.42;
+set_real_ip_from 176.123.9.90;
+set_real_ip_from 169.150.249.162;
+set_real_ip_from 169.150.249.163;
+set_real_ip_from 169.150.249.164;
+set_real_ip_from 169.150.249.165;
+set_real_ip_from 169.150.249.166;
+set_real_ip_from 169.150.249.167;
+set_real_ip_from 169.150.249.168;
+set_real_ip_from 169.150.249.169;
+set_real_ip_from 185.131.64.122;
+set_real_ip_from 156.247.205.114;
+set_real_ip_from 37.236.234.2;
+set_real_ip_from 169.150.252.209;
+set_real_ip_from 212.102.46.118;
+set_real_ip_from 192.169.120.162;
+set_real_ip_from 93.180.217.214;
+set_real_ip_from 37.19.203.178;
+set_real_ip_from 107.155.47.146;
+set_real_ip_from 104.166.144.106;
+set_real_ip_from 154.47.16.177;
+set_real_ip_from 193.201.190.174;
+set_real_ip_from 156.59.95.218;
+set_real_ip_from 213.170.143.139;
+set_real_ip_from 129.227.186.154;
+set_real_ip_from 195.238.127.98;
+set_real_ip_from 5.189.202.62;
+set_real_ip_from 128.1.59.74;
+set_real_ip_from 200.25.22.6;
+set_real_ip_from 204.16.244.92;
+set_real_ip_from 200.25.70.101;
+set_real_ip_from 200.25.66.100;
+set_real_ip_from 139.180.209.182;
+set_real_ip_from 103.108.231.41;
+set_real_ip_from 103.108.229.5;
+set_real_ip_from 103.216.220.9;
+set_real_ip_from 103.75.11.45;
+set_real_ip_from 169.150.225.40;
+set_real_ip_from 116.202.155.146;
+set_real_ip_from 116.202.193.178;
+set_real_ip_from 116.202.224.168;
+set_real_ip_from 188.40.126.227;
+set_real_ip_from 88.99.26.189;
+set_real_ip_from 168.119.39.238;
+set_real_ip_from 88.99.26.97;
+set_real_ip_from 168.119.12.188;
+set_real_ip_from 199.247.1.226;
+set_real_ip_from 169.197.143.195;
+set_real_ip_from 176.9.139.55;
+set_real_ip_from 176.9.139.94;
+set_real_ip_from 5.161.66.71;
+set_real_ip_from 142.132.223.79;
+set_real_ip_from 142.132.223.80;
+set_real_ip_from 142.132.223.81;
+set_real_ip_from 5.161.88.97;
+set_real_ip_from 5.161.90.228;
+set_real_ip_from 5.161.85.161;
+set_real_ip_from 5.161.78.181;
+set_real_ip_from 5.161.84.169;
+set_real_ip_from 5.161.92.86;
+set_real_ip_from 5.161.92.85;
+set_real_ip_from 5.161.92.84;
+set_real_ip_from 5.161.72.83;
+set_real_ip_from 5.161.70.244;
+set_real_ip_from 5.161.71.198;
+set_real_ip_from 5.161.49.93;
+set_real_ip_from 5.161.72.89;
+set_real_ip_from 5.161.72.135;
+set_real_ip_from 5.161.72.194;
+set_real_ip_from 5.161.72.200;
+set_real_ip_from 5.161.70.230;
+set_real_ip_from 5.161.60.80;
+set_real_ip_from 104.237.58.186;
+set_real_ip_from 143.244.50.81;
+set_real_ip_from 143.244.51.75;
+set_real_ip_from 46.4.116.17;
+set_real_ip_from 46.4.119.81;
+set_real_ip_from 167.235.114.167;
+set_real_ip_from 159.69.68.171;
+set_real_ip_from 178.63.21.52;
+set_real_ip_from 46.4.120.152;
+set_real_ip_from 116.202.80.247;
+set_real_ip_from 5.9.71.119;
+set_real_ip_from 195.201.11.156;
+set_real_ip_from 78.46.123.17;
+set_real_ip_from 143.244.50.153;
+set_real_ip_from 143.244.50.154;
+set_real_ip_from 138.199.9.99;
+set_real_ip_from 138.199.9.98;
+set_real_ip_from 143.244.50.155;
+set_real_ip_from 46.4.113.143;
+set_real_ip_from 109.248.43.116;
+set_real_ip_from 109.248.43.117;
+set_real_ip_from 109.248.43.162;
+set_real_ip_from 109.248.43.163;
+set_real_ip_from 109.248.43.164;
+set_real_ip_from 109.248.43.165;
+set_real_ip_from 49.12.71.27;
+set_real_ip_from 49.12.0.158;
+set_real_ip_from 78.47.94.156;
+set_real_ip_from 109.248.43.159;
+set_real_ip_from 109.248.43.160;
+set_real_ip_from 109.248.43.208;
+set_real_ip_from 109.248.43.179;
+set_real_ip_from 109.248.43.232;
+set_real_ip_from 109.248.43.231;
+set_real_ip_from 109.248.43.241;
+set_real_ip_from 109.248.43.236;
+set_real_ip_from 109.248.43.240;
+set_real_ip_from 116.202.118.194;
+set_real_ip_from 116.202.80.29;
+set_real_ip_from 159.69.57.80;
+set_real_ip_from 139.180.129.216;
+set_real_ip_from 139.99.174.7;
+set_real_ip_from 89.187.169.18;
+set_real_ip_from 89.187.162.166;
+set_real_ip_from 89.187.162.245;
+set_real_ip_from 185.180.13.241;
+set_real_ip_from 185.59.220.203;
+set_real_ip_from 185.59.220.200;
+set_real_ip_from 185.59.220.202;
+set_real_ip_from 185.59.220.201;
+set_real_ip_from 143.244.63.120;
+set_real_ip_from 138.199.9.97;
+set_real_ip_from 138.199.40.49;
+set_real_ip_from 138.199.40.50;
+set_real_ip_from 138.199.40.51;
+set_real_ip_from 138.199.9.105;
+set_real_ip_from 143.244.38.133;
+set_real_ip_from 37.19.222.241;
+set_real_ip_from 143.244.49.181;
+set_real_ip_from 37.19.222.242;
+set_real_ip_from 89.187.179.7;
+set_real_ip_from 143.244.51.70;
+set_real_ip_from 143.244.51.71;
+set_real_ip_from 143.244.51.69;
+set_real_ip_from 212.102.43.85;
+set_real_ip_from 212.102.43.86;
+set_real_ip_from 143.244.62.213;
+set_real_ip_from 143.244.51.74;
+set_real_ip_from 185.93.3.246;
+set_real_ip_from 195.181.163.198;
+set_real_ip_from 185.152.64.19;
+set_real_ip_from 84.17.37.211;
+set_real_ip_from 212.102.50.54;
+set_real_ip_from 138.199.4.133;
+set_real_ip_from 138.199.4.132;
+set_real_ip_from 212.102.46.115;
+set_real_ip_from 84.17.35.199;
+set_real_ip_from 143.244.38.135;
+set_real_ip_from 84.17.35.218;
+set_real_ip_from 89.187.185.21;
+set_real_ip_from 169.150.238.21;
+set_real_ip_from 169.150.238.22;
+set_real_ip_from 169.150.207.51;
+set_real_ip_from 169.150.207.49;
+set_real_ip_from 84.17.38.226;
+set_real_ip_from 84.17.38.225;
+set_real_ip_from 169.150.247.139;
+set_real_ip_from 169.150.247.177;
+set_real_ip_from 109.61.89.46;
+set_real_ip_from 109.61.89.47;
+set_real_ip_from 109.61.89.48;
+set_real_ip_from 109.61.89.49;
+set_real_ip_from 109.61.89.51;
+set_real_ip_from 109.61.89.52;
+set_real_ip_from 109.61.89.53;
+set_real_ip_from 109.61.89.54;
+set_real_ip_from 109.61.89.55;
+set_real_ip_from 109.61.89.56;
+set_real_ip_from 185.59.220.194;
+set_real_ip_from 212.102.43.88;
+set_real_ip_from 89.187.169.26;
+set_real_ip_from 2400:52e0:1a02::625:1;
+set_real_ip_from 2400:52e0:1500::641:1;
+set_real_ip_from 2400:52e0:1500::714:1;
+set_real_ip_from 2400:52e0:1500::715:1;
+set_real_ip_from 2400:52e0:1a00::718:1;
+set_real_ip_from 2400:52e0:1e00::722:1;
+set_real_ip_from 2400:52e0:1e00::723:1;
+set_real_ip_from 2400:52e0:1500::747:1;
+set_real_ip_from 2400:52e0:1500::749:1;
+set_real_ip_from 2400:52e0:1500::782:1;
+set_real_ip_from 2400:52e0:1500::783:1;
+set_real_ip_from 2400:52e0:1500::784:1;
+set_real_ip_from 2a01:4f9:6b:2c80::2;
+set_real_ip_from 2400:52e0:1a00::845:1;
+set_real_ip_from 2400:52e0:1a01::852:1;
+set_real_ip_from 2400:52e0:1500::858:1;
+set_real_ip_from 2400:52e0:1e00::860:1;
+set_real_ip_from 2400:52e0:1e00::863:1;
+set_real_ip_from 2400:52e0:1e00::864:1;
+set_real_ip_from 2400:52e0:1e00::865:1;
+set_real_ip_from 2400:52e0:1500::867:1;
+set_real_ip_from 2400:52e0:1500::868:1;
+set_real_ip_from 2400:52e0:1500::869:1;
+set_real_ip_from 2400:52e0:1a00::871:1;
+set_real_ip_from 2400:52e0:1e00::874:1;
+set_real_ip_from 2400:52e0:1a02::876:1;
+set_real_ip_from 2400:52e0:1a02::878:1;
+set_real_ip_from 2400:52e0:1e01::879:1;
+set_real_ip_from 2400:52e0:1e01::883:1;
+set_real_ip_from 2a02:6ea0:c454::1;
+set_real_ip_from 2400:52e0:1a00::894:1;
+set_real_ip_from 2400:52e0:1a01::899:1;
+set_real_ip_from 2400:52e0:1a01::900:1;
+set_real_ip_from 2400:52e0:1a01::907:1;
+set_real_ip_from 2400:52e0:1a01::912:1;
+set_real_ip_from 2800:1e0:2410:1::9;
+set_real_ip_from 2607:fdc0:1:a:bace:f6ff:fe01:e295;
+set_real_ip_from 2400:52e0:1a00::940:1;
+set_real_ip_from 2400:52e0:1a00::941:1;
+set_real_ip_from 2400:52e0:1500::944:1;
+set_real_ip_from 2400:52e0:1500::945:1;
+set_real_ip_from 2400:52e0:1e02::946:1;
+set_real_ip_from 2400:52e0:1e02::947:1;
+set_real_ip_from 2400:52e0:1501::948:1;
+set_real_ip_from 2400:52e0:1e02::951:1;
+set_real_ip_from 2607:5300:60:9ad7::1;
+set_real_ip_from 2400:52e0:1a01::953:1;
+set_real_ip_from 2400:52e0:1a01::954:1;
+set_real_ip_from 2400:52e0:1500::955:1;
+set_real_ip_from 2607:5300:203:a1e2::1;
+set_real_ip_from 2400:52e0:1a02::974:1;
+set_real_ip_from 2400:52e0:1a02::975:1;
+set_real_ip_from 2400:52e0:1a02::976:1;
+set_real_ip_from 2400:52e0:1500::977:1;
+set_real_ip_from 2400:52e0:1500::978:1;
+set_real_ip_from 2400:52e0:1500::979:1;
+set_real_ip_from 2400:52e0:1500::980:1;
+set_real_ip_from 2400:52e0:1500::981:1;
+set_real_ip_from 2400:52e0:1500::982:1;
+set_real_ip_from 2400:52e0:1a01::984:1;
+set_real_ip_from 2400:52e0:1a01::985:1;
+set_real_ip_from 2400:52e0:1a01::986:1;
+set_real_ip_from 2400:52e0:1a01::987:1;
+set_real_ip_from 2400:52e0:1500::988:1;
+set_real_ip_from 2400:52e0:1500::989:1;
+set_real_ip_from 2400:52e0:1501::990:1;
+set_real_ip_from 2400:52e0:1a01::992:1;
+set_real_ip_from 2400:52e0:1a01::993:1;
+set_real_ip_from 2400:52e0:1a01::994:1;
+set_real_ip_from 2400:52e0:1a01::995:1;
+set_real_ip_from 2400:52e0:1a01::996:1;
+set_real_ip_from 2400:52e0:1a01::997:1;
+set_real_ip_from 2400:52e0:1a01::998:1;
+set_real_ip_from 2400:52e0:1a01::999:1;
+set_real_ip_from 2400:52e0:1a01::1000:1;
+set_real_ip_from 2400:52e0:1a01::1001:1;
+set_real_ip_from 2400:52e0:1a01::1002:1;
+set_real_ip_from 2400:52e0:1500::1015:1;
+set_real_ip_from 2400:52e0:1500::1016:1;
+set_real_ip_from 2400:52e0:1500::1020:1;
+set_real_ip_from 2400:52e0:1500::1021:1;
+set_real_ip_from 2400:52e0:1500::1022:1;
+set_real_ip_from 2400:52e0:1500::1024:1;
+set_real_ip_from 2400:52e0:1a00::1029:1;
+set_real_ip_from 2400:52e0:1500::1030:1;
+set_real_ip_from 2400:52e0:1500::1031:1;
+set_real_ip_from 2400:52e0:1e00::1047:1;
+set_real_ip_from 2400:52e0:1e00::1048:1;
+set_real_ip_from 2400:52e0:1e00::1049:1;
+set_real_ip_from 2400:52e0:1e00::1053:1;
+set_real_ip_from 2400:52e0:1e00::1054:1;
+set_real_ip_from 2400:52e0:1e00::1055:1;
+set_real_ip_from 2400:52e0:1e01::1056:1;
+set_real_ip_from 2400:52e0:1502::1059:1;
+set_real_ip_from 2400:52e0:1501::1061:1;
+set_real_ip_from 2400:52e0:1501::1062:1;
+set_real_ip_from 2400:52e0:1501::1063:1;
+set_real_ip_from 2400:52e0:1501::1064:1;
+set_real_ip_from 2400:52e0:1501::1065:1;
+set_real_ip_from 2400:52e0:1501::1066:1;
+set_real_ip_from 2400:52e0:1a00::1067:1;
+set_real_ip_from 2400:52e0:1a00::1068:1;
+set_real_ip_from 2400:52e0:1a00::1069:1;
+set_real_ip_from 2400:52e0:1a00::1070:1;
+set_real_ip_from 2400:52e0:1e02::1072:1;
+set_real_ip_from 2400:52e0:1e02::1073:1;
+set_real_ip_from 2400:52e0:1e02::1074:1;
+set_real_ip_from 2400:52e0:1e00::1075:1;
+set_real_ip_from 2400:52e0:1e00::1076:1;
+set_real_ip_from 2400:52e0:1e00::1077:1;
+set_real_ip_from 2400:52e0:1e00::1078:1;
+set_real_ip_from 2400:52e0:1e00::1079:1;
+set_real_ip_from 2400:52e0:1e00::1080:1;
+set_real_ip_from 2400:52e0:1e00::1081:1;
+set_real_ip_from 2400:52e0:1e00::1082:1;
+set_real_ip_from 2a01:4f9:4b:4b0b::2;
+set_real_ip_from 2400:52e0:1500::1087:1;
+set_real_ip_from 2400:52e0:1500::1089:1;
+set_real_ip_from 2400:52e0:1500::1091:1;
+set_real_ip_from 2400:52e0:1500::1092:1;
+set_real_ip_from 2400:52e0:1500::1093:1;
+set_real_ip_from 2400:52e0:1500::1094:1;
+set_real_ip_from 2400:52e0:1500::1095:1;
+set_real_ip_from 2400:52e0:1500::1096:1;
+set_real_ip_from 2400:52e0:1501::1097:1;
+set_real_ip_from 2400:52e0:1501::1098:1;
+set_real_ip_from 2400:52e0:1a01::1108:1;
+set_real_ip_from 2400:52e0:1a01::1109:1;
+set_real_ip_from 2400:52e0:1a01::1110:1;
+set_real_ip_from 2400:52e0:1a01::1111:1;
+set_real_ip_from 2400:52e0:1a01::1112:1;
+set_real_ip_from 2400:52e0:1a01::1113:1;
+set_real_ip_from 2400:52e0:1a01::1114:1;
+set_real_ip_from 2400:52e0:1a01::1115:1;
+set_real_ip_from 2607:fdc0:1:2d:262:bff:fecc:a610;
+set_real_ip_from 2404:f780:0:2::d;
+set_real_ip_from 2404:f780:0:2::f;
+set_real_ip_from 2404:f780:0:2::11;
+set_real_ip_from 2404:f780:5:cafe::f;
+set_real_ip_from 2400:52e0:1501::1143:1;
+set_real_ip_from 2a04:ff07:d9:12::1;
+set_real_ip_from 2a04:ff07:d9:13::1;
+set_real_ip_from 2a04:ff07:d9:39::1;
+set_real_ip_from 2a04:ff07:d9:3::1;
+set_real_ip_from 2a04:ff07:d9:3a::1;
+set_real_ip_from 2a04:ff07:d9:3b::1;
+set_real_ip_from 2a04:ff07:d9:1::1;
+set_real_ip_from 2a04:ff07:d9:1b::1;
+set_real_ip_from 2a01:4f8:c17:aec0::1;
+set_real_ip_from 2a01:4f8:c17:fc7::1;
+set_real_ip_from 2a01:4f8:c17:20b2::1;
diff --git a/globals/bunnycdn.conf b/globals/bunnycdn.conf
new file mode 100644
index 0000000..07c8924
--- /dev/null
+++ b/globals/bunnycdn.conf
@@ -0,0 +1,12 @@
+# Ref: https://support.bunny.net/hc/en-us/articles/115003578911-How-to-detect-when-BunnyCDN-PoP-servers-are-accessing-your-backend
+# https://bunnycdn.com/api/system/edgeserverlist
+# https://bunnycdn.com/api/system/edgeserverlist/IPv6
+
+# TODO: make sure to update bunnycdn-ip-list.conf regularly via a script
+
+include '/etc/nginx/globals/bunnycdn-ip-list.conf';
+
+# use any of the following two options (but not both)
+real_ip_header X-Forwarded-For;
+
+real_ip_recursive on;
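Review bot: The comment above `real_ip_header X-Forwarded-For;` tells the reader to pick one of two options, but only one directive follows, so it reads like a leftover from globals/cloudflare.conf. I would replace it with `# client address is taken from X-Forwarded-For, trusted only from the addresses in bunnycdn-ip-list.conf`. The included list trusts individual edge addresses rather than ranges, so it goes stale quickly. Until the TODO about a refresh script is resolved, logging and any per-IP limits built on the resolved address may rest on an out-of-date trust list.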
diff --git a/globals/cache-enabler.conf b/globals/cache-enabler.conf
new file mode 100644
index 0000000..17412cc
--- /dev/null
+++ b/globals/cache-enabler.conf
@@ -0,0 +1,72 @@
+# To improve the perf, we may use open_file_cache
+# ref: https://nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+ # requires server support
+ # gzip_static on;
+
+ error_page 418 = @cachemiss;
+ error_page 419 = @mobileaccess;
+ recursive_error_pages on;
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+
+ # uncomment the following if deemed fit
+ # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+ try_files "/wp-content/cache/cache-enabler/$host${uri}index.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ add_header "X-Cache" "HIT - Cache Enabler";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @mobileaccess {
+ # try_files $uri $uri/ /index.php$is_args$args;
+ try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
+
+ add_header "X-Cache" "HIT - Mobile - Cache Enabler";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
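Review bot: The `@mobileaccess` location looks for its file under `/wp-content/cache/supercache/`, while `location /` in this file reads from `/wp-content/cache/cache-enabler/` and the response is labelled `HIT - Mobile - Cache Enabler`. This looks copied from the WP Super Cache config and presumably never finds a Cache Enabler file. Either point it at the cache-enabler directory or drop the location, since both `return 419` lines are commented out here. The path also uses `$https_suffix`, which this file does not define; a comment naming the `map` that provides it would help, because nginx refuses to start on an unknown variable.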
diff --git a/globals/cloudflare-ip-list.conf b/globals/cloudflare-ip-list.conf
new file mode 100644
index 0000000..0bfb300
--- /dev/null
+++ b/globals/cloudflare-ip-list.conf
@@ -0,0 +1,21 @@
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2c0f:f248::/32;
+set_real_ip_from 2a06:98c0::/29;
diff --git a/globals/cloudflare.conf b/globals/cloudflare.conf
new file mode 100644
index 0000000..df2eb26
--- /dev/null
+++ b/globals/cloudflare.conf
@@ -0,0 +1,9 @@
+# make sure you set up a cron to run update-cloudflare-ip-list.sh regularly
+
+include '/etc/nginx/globals/cloudflare-ip-list.conf';
+
+# use any of the following two options (but not both)
+real_ip_header CF-Connecting-IP;
+# real_ip_header X-Forwarded-For;
+
+real_ip_recursive on;
diff --git a/globals/dev.restrictions.conf b/globals/dev.restrictions.conf
new file mode 100644
index 0000000..9fc4b93
--- /dev/null
+++ b/globals/dev.restrictions.conf
@@ -0,0 +1,13 @@
+##### for public facing development sites; also called as staging sites #####
+
+# deny access to robots.txt across the board
+location = /robots.txt { access_log off; deny all; }
+location ~ /sitemap { access_log off; deny all; }
+
+# block sitemaps with .xml and .xml.gz endings such as news-sitemap.xml (Yoast SEO)
+location ~ \.xml$ { access_log off; deny all; }
+location ~ \.xml\.gz$ { access_log off; deny all; }
+
+# deny specific bots
+if ( $http_user_agent ~ "Google" ) { return 403; }
+if ( $http_user_agent ~ "bingbot" ) { return 403; }
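Review bot: Nothing in this file actually restricts access to a staging site. The two `if ( $http_user_agent ~ ... )` checks at the end depend on a header the client chooses, and the robots.txt and sitemap denials only affect well-behaved crawlers. For a public-facing development site I would add real access control next to these rules, such as the `allowlist.conf` added in this commit or `auth_basic`, and reword `# deny specific bots` as `# crawler hint only, not access control`. Note also that `~ "Google"` is case-sensitive and `location ~ /sitemap` is unanchored, so it matches any URI containing `/sitemap`.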
diff --git a/globals/error-pages.conf b/globals/error-pages.conf
new file mode 100644
index 0000000..b3bced2
--- /dev/null
+++ b/globals/error-pages.conf
@@ -0,0 +1,23 @@
+# Custom 403 Page
+error_page 403 @fetch403;
+
+location @fetch403 {
+ root /etc/nginx/errors;
+ try_files /403.html =404;
+}
+
+# Custom 404 Page
+error_page 404 @fetch404;
+
+location @fetch404 {
+ root /etc/nginx/errors;
+ try_files /404.html =404;
+}
+
+# Custom 550 Page
+error_page 550 @fetch550;
+
+location @fetch550 {
+ root /etc/nginx/errors;
+ try_files /550.html =404;
+}
diff --git a/globals/hide-headers.conf b/globals/hide-headers.conf
new file mode 100644
index 0000000..4941fe0
--- /dev/null
+++ b/globals/hide-headers.conf
@@ -0,0 +1,12 @@
+### Security (through obscurity) - https://en.wikipedia.org/wiki/Security_through_obscurity
+# To hide nginx version
+server_tokens off;
+
+# To hide PHP version and other related fastcgi headers
+fastcgi_hide_header X-Powered-By;
+fastcgi_hide_header X-Pingback;
+fastcgi_hide_header Link;
+
+proxy_hide_header X-Powered-By;
+proxy_hide_header X-Pingback;
+proxy_hide_header X-Link;
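Review bot: The last line hides `X-Link` on proxied responses, while the FastCGI block above hides `Link`; the two groups are otherwise parallel, so this is probably a typo. If the intent is the same as for FastCGI, it should read `proxy_hide_header Link;`. A one-line comment on why `Link` is hidden would also help, since the other two entries are explained by the header comment and this one is not.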
diff --git a/globals/hsts.conf b/globals/hsts.conf
new file mode 100644
index 0000000..c3b0734
--- /dev/null
+++ b/globals/hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security "max-age=31536000";
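Review bot: Without the `always` parameter, `add_header` is applied only to a fixed set of success and redirect status codes, so this header is missing on 4xx/5xx responses; I would write `add_header Strict-Transport-Security "max-age=31536000" always;`. The same applies to every `add_header` in globals/security-headers.conf. A comment here should also mention that nginx inherits `add_header` from the enclosing level only when the current level defines none. The cache locations in this commit set their own headers and leave `# include "globals/hsts.conf";` commented out, so a server-level include of this file does not reach cache hits.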
diff --git a/globals/mu-dir.conf b/globals/mu-dir.conf
new file mode 100644
index 0000000..24a1cc8
--- /dev/null
+++ b/globals/mu-dir.conf
@@ -0,0 +1,9 @@
+# Rules for Multisite Sub-directory install
+
+# For sub-directory redirects
+# Only one would apply
+# If two needed to be applied, it'd throw a 404
+if (!-e $request_filename) {
+ rewrite ^/[_0-9a-zA-Z-]+(/wp-(content|admin|includes).*) $1 break;
+ rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 break;
+}
diff --git a/globals/mu-files.conf b/globals/mu-files.conf
new file mode 100644
index 0000000..7c95cda
--- /dev/null
+++ b/globals/mu-files.conf
@@ -0,0 +1,6 @@
+# Rules for any Multisite install
+
+# For uploads
+if ( $uri ~ "files" ) {
+ rewrite ^/(?:.*/)?files/(.+) /wp-includes/ms-files.php?file=$1;
+}
diff --git a/globals/pagespeed.conf b/globals/pagespeed.conf
new file mode 100644
index 0000000..e933b04
--- /dev/null
+++ b/globals/pagespeed.conf
@@ -0,0 +1,9 @@
+pagespeed off;
+pagespeed FileCachePath /var/cache/ngx_pagespeed_cache;
+pagespeed MemcachedServers "127.0.0.1:11211";
+pagespeed XHeaderValue "Powered By ngx_pagespeed";
+pagespeed BlockingRewriteKey "fullyoptimized";
+
+pagespeed Disallow "*/wp-admin/*";
+pagespeed Disallow "*/wp-login.php*";
+
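Review bot: `pagespeed BlockingRewriteKey "fullyoptimized";` commits a fixed, guessable key that every site copying this file will share. As far as I know, the key is what a client presents in the `X-PSA-Blocking-Rewrite` request header to ask for blocking (synchronous) rewrites, which are expensive, so it should be treated as a per-site secret. I would ship a placeholder instead, for example `pagespeed BlockingRewriteKey "CHANGE_ME_PER_SITE";`, with the comment `# replace with a random per-site value before enabling pagespeed`.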
diff --git a/globals/php.conf b/globals/php.conf
new file mode 100644
index 0000000..0fed870
--- /dev/null
+++ b/globals/php.conf
@@ -0,0 +1,9 @@
+location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+}
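Review bot: The block has no comments, and its one security-relevant line is easy to delete by accident: `try_files $uri =404;` is what keeps requests for non-existent `.php` paths from being handed to PHP-FPM. I would add `# only pass scripts that exist on disk to PHP-FPM` above it. `fastcgi_split_path_info ^(.+\.php)(/.+)$;` cannot produce a path-info part here, because the location only matches URIs ending in `.php`; it should be removed or explained.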
diff --git a/globals/restrictions.conf b/globals/restrictions.conf
new file mode 100644
index 0000000..4a50360
--- /dev/null
+++ b/globals/restrictions.conf
@@ -0,0 +1,33 @@
+# Global restrictions configuration file.
+# Designed to be included in any server {} block.
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac), .git.
+location /.git { deny all; }
+location /.htaccess { deny all; }
+location /.htpasswd { deny all; }
+location /.user.ini { deny all; }
+# this actually covers every dot file, except what follows below it (ex: CertBot)
+location ~ ^/\. { deny all; }
+
+# but allow CertBot - see http://stackoverflow.com/a/34262192
+location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+}
+
+# Deny access to any files with a .php extension in the uploads directory
+location ~* /uploads/.*\.php$ { deny all; }
+
+# Deny access to any files with a .php extension in the uploads directory for multisite
+location ~* /files/.*\.php$ { deny all; }
+
+# Since version 2.5.7, Akismet introduced a new .htaccess file to block direct access to php files
+# Ref: http://wordpress.org/extend/plugins/akismet/changelog/
+location ~* /akismet/.*\.php$ { deny all; }
+
+# Restrict direct access to cached content
+location /wp-content/cache/ { deny all; }
+
+# Deny access to backup files!
+location ~ ~$ { deny all; }
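Review bot: `location /wp-content/cache/ { deny all; }` is a plain prefix location, so any regex location in the same server block that matches the URI is chosen instead of it. If a static-asset regex matches `.html` or `.gz` (globals/assets.conf is not visible in this part of the diff), cached pages stay directly reachable despite this rule. Either write it as `location ^~ /wp-content/cache/ { deny all; }`, or add a comment saying regex locations are meant to take precedence for files under that path. The four explicit dot-file prefix locations at the top are overridden in the same way, but `location ~ ^/\.` covers them.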
diff --git a/globals/security-headers.conf b/globals/security-headers.conf
new file mode 100644
index 0000000..c728608
--- /dev/null
+++ b/globals/security-headers.conf
@@ -0,0 +1,13 @@
+add_header X-Content-Type-Options nosniff;
+
+# please see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# add_header X-Frame-Options deny;
+add_header X-Frame-Options SAMEORIGIN;
+
+add_header X-XSS-Protection "1; mode=block";
+
+add_header Referrer-Policy "no-referrer-when-downgrade";
+
+# optional header - use it with care - you are warned!
+# add_header Access-Control-Allow-Origin "*";
+
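Review bot: `add_header X-XSS-Protection "1; mode=block";` targets the legacy in-browser XSS auditor, which current browsers no longer implement; present-day guidance is to omit the header or send `0` and rely on a Content-Security-Policy. This file sets no CSP, so a reader could take the header for real XSS protection. I would add a comment such as `# legacy header; a Content-Security-Policy is the effective control` and leave a commented `Content-Security-Policy` example next to the `Access-Control-Allow-Origin` one.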
diff --git a/globals/sucuri-real-ip.conf b/globals/sucuri-real-ip.conf
new file mode 100644
index 0000000..c45da07
--- /dev/null
+++ b/globals/sucuri-real-ip.conf
@@ -0,0 +1,12 @@
+# https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/#nginx
+
+# ref: https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/#nginx
+# Define header with original client IP
+real_ip_header X-Forwarded-For;
+# Define trusted Firewall IPs
+set_real_ip_from 192.88.134.0/23;
+set_real_ip_from 185.93.228.0/22;
+set_real_ip_from 66.248.200.0/22;
+set_real_ip_from 208.109.0.0/22;
+set_real_ip_from 2a02:fe80::/29; # this line can be removed if IPv6 is disabled
+
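Review bot: The reference URL appears twice, on the first line and again as `# ref:` two lines later; one of them can go. The trusted ranges are hard-coded here and again in globals/sucuri-waf.conf, so I would add `# keep in sync with globals/sucuri-waf.conf`. Unlike the Cloudflare list, there is no update script or retrieval date to show how current the ranges are; a dated comment would help whoever audits this trust list later.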
diff --git a/globals/sucuri-waf.conf b/globals/sucuri-waf.conf
new file mode 100644
index 0000000..cd72955
--- /dev/null
+++ b/globals/sucuri-waf.conf
@@ -0,0 +1,12 @@
+# allow local requests
+allow 127.0.0.1;
+
+# Sucuri WAF
+allow 192.88.134.0/23;
+allow 185.93.228.0/22;
+allow 2a02:fe80::/29;
+allow 66.248.200.0/22;
+allow 208.109.0.0/22;
+
+# deny all requests that bypass Sucuri
+deny all;
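Review bot: The `allow`/`deny` rules are evaluated against the connection address after the realip module has rewritten it. If this file is included in the same server block as globals/sucuri-real-ip.conf, nginx would test the visitor's address against the Sucuri ranges and `deny all` would reject legitimate traffic. A comment at the top should say the two files cannot be combined as written. Alternatively the check could use the original peer address, for instance a `geo` block keyed on `$realip_remote_addr`. `allow 127.0.0.1;` also leaves out `::1`, which matters if local requests arrive over IPv6.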
diff --git a/globals/varnish-as-front-end-compatibility.conf b/globals/varnish-as-front-end-compatibility.conf
new file mode 100644
index 0000000..8a25d70
--- /dev/null
+++ b/globals/varnish-as-front-end-compatibility.conf
@@ -0,0 +1,7 @@
+### If Varnish is used as front end
+set_real_ip_from 127.0.0.1;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+# Default value: on
+port_in_redirect off;
diff --git a/globals/wordpress-seo-plugin-support.conf b/globals/wordpress-seo-plugin-support.conf
new file mode 100644
index 0000000..d1bb870
--- /dev/null
+++ b/globals/wordpress-seo-plugin-support.conf
@@ -0,0 +1,6 @@
+
+# Yoast's WordPress SEO plugin requires this...
+# Ref: http://wordpress.org/extend/plugins/wordpress-seo/faq/
+rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
+rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
+
diff --git a/globals/wp-fastest-cache.conf b/globals/wp-fastest-cache.conf
new file mode 100644
index 0000000..c010b83
--- /dev/null
+++ b/globals/wp-fastest-cache.conf
@@ -0,0 +1,93 @@
+# configuration directives to support WP Fastest Cache plugin.
+# note not all features are supported.
+
+# default location block
+# - directs mobile visitors to @mobileaccess, if configured.
+# - directs cache misses to PHP (via @cachemiss).
+# - directs requests "that shouldn't be cached" to PHP (via @cachemiss): example - requests from a logged-in user.
+
+location / {
+ error_page 418 = @cachemiss; # to handle cache misses
+ error_page 419 = @mobileaccess; # to handle mobile visits
+ recursive_error_pages on;
+
+ set $pathDomain "/wp-content/cache/${host}/all${uri}"; # path domain for multisite
+ set $path "/wp-content/cache/all${uri}";
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ # if WP related cookies are found, skip cache
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # avoid duplicate content on Amazon CloudFront and KeyCDN.
+ if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
+ if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
+
+ # uncomment the following, if WP Fastest Cache plugin is set to create a separate cache for mobile visitors
+ # if ( $http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad" ) { return 419; }
+ # add_header "Vary" "User-Agent";
+
+ # uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
+ # if ( $http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad" ) { return 419; }
+
+ # look for cached version; if-not-found, then send the request to PHP
+ try_files "${path}index.html" "${path}/index.html" "${pathDomain}index.html" "${pathDomain}/index.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ # add some useful headers
+ add_header "X-Cache" "HIT - WP Fastest Cache";
+ add_header "X-CF-Powered-By" "WP Fastest Cache";
+ add_header "Vary" "Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires 30m;
+ # expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+# location to handle requests come from mobile devices
+location @mobileaccess {
+ set $pathDomain "/wp-content/cache/${host}/wpfc-mobile-cache${uri}"; # path domain for multisite
+ set $path "/wp-content/cache/wpfc-mobile-cache${uri}";
+
+ # look for cached version for mobiles; if-not-found, then send the request to PHP
+ try_files "${path}index.html" "${path}/index.html" "${pathDomain}index.html" "${pathDomain}/index.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ # add some useful headers
+ add_header "X-Cache" "HIT - Mobile - WP Fastest Cache";
+ add_header "Vary" "User-Agent, Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires 30m;
+ # expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+location @cachemiss {
+ # on cache miss, send the request to PHP
+ try_files $uri $uri/ /index.php$is_args$args;
+}
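Review bot: `if ($args ~ "amp") { return 418; }` matches the substring anywhere in the query string, so parameters such as `utm_campaign=...` or `stamp=...` also skip the page cache and go to PHP. That is broader than the "amp test" the comment describes and sends more traffic to the backend than intended. If the intent is the `amp` query parameter, `if ($args ~ "(^|&)amp(=|&|$)") { return 418; }` states it. The same line appears in cache-enabler.conf, wp-rocket.conf and wp-super-cache.conf.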
diff --git a/globals/wp-rocket.conf b/globals/wp-rocket.conf
new file mode 100644
index 0000000..acbe41c
--- /dev/null
+++ b/globals/wp-rocket.conf
@@ -0,0 +1,78 @@
+# To improve the perf, let's use open_file_cache
+# ref: nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+ # disable WP Rocket preload bot; had numerous trouble with in on high-traffic sites
+ if ($http_user_agent ~ wprocketbot) { return 403; access_log off; }
+
+ error_page 418 = @cachemiss;
+ error_page 419 = @mobileaccess;
+ recursive_error_pages on;
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # avoid duplicate content on Amazon CloudFront and KeyCDN.
+ if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
+ if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
+
+ # uncomment the following, if WP Rocket plugin is set to create a separate cache for mobile visitors
+ # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+ # add_header "Vary" "User-Agent";
+
+ # uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
+ # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+ try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ add_header "X-Cache" "HIT - WP Rocket";
+ add_header "Vary" "Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+location @mobileaccess {
+ # try_files $uri $uri/ /index.php$is_args$args;
+ try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+
+ add_header "X-Cache" "HIT - Mobile - WP Rocket";
+ add_header "Vary" "User-Agent, Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
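Review bot: The `try_files` path in both `location /` and `@mobileaccess` embeds `$is_args$args`, the raw client-supplied query string, in a filesystem lookup under the cache root. Unlike `$uri`, that part is not normalised by nginx. I would either send every request with a query string to `@cachemiss` by enabling the commented `if ($query_string != "") { return 418; }`, or limit the lookup to the query strings the plugin is configured to cache. At minimum a comment should state why unvalidated `$args` is acceptable in a file path here; whether WP Rocket really stores query-string variants in this layout is not visible from the diff.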
diff --git a/globals/wp-super-cache.conf b/globals/wp-super-cache.conf
new file mode 100644
index 0000000..01742b5
--- /dev/null
+++ b/globals/wp-super-cache.conf
@@ -0,0 +1,80 @@
+# To improve the perf, we may use open_file_cache
+# ref: https://nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+ # requires server support
+ # gzip_static on;
+
+ error_page 418 = @cachemiss;
+ error_page 419 = @mobileaccess;
+ recursive_error_pages on;
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # avoid duplicate content on Amazon CloudFront and KeyCDN.
+ if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
+ if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
+
+ # uncomment the following, if WP Super Cache plugin is set to create a separate cache for mobile visitors
+ # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+ # add_header "Vary" "User-Agent";
+
+ # uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
+ # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+ try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ add_header "X-Cache" "HIT - WP Super Cache";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @mobileaccess {
+ # try_files $uri $uri/ /index.php$is_args$args;
+ try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
+
+ add_header "X-Cache" "HIT - Mobile - WP Super Cache";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
+
+
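Review bot: Cache hits from this file carry no `Vary: Cookie`, although whether a request is served from cache depends on the three `$http_cookie` checks above. wp-rocket.conf and wp-fastest-cache.conf both send `add_header "Vary" "Cookie";` for the same logic. Without it, an intermediate cache may hand the anonymous copy to a visitor who sent a login or post-password cookie. I would add `add_header "Vary" "Cookie";` to `location /` and `add_header "Vary" "User-Agent, Cookie";` to `@mobileaccess`, as the sibling files do; cache-enabler.conf has the same gap.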
diff --git a/globals/wpfc.conf b/globals/wpfc.conf
new file mode 100644
index 0000000..dd87344
--- /dev/null
+++ b/globals/wpfc.conf
@@ -0,0 +1,34 @@
+# The rewrite magic
+location / {
+ gzip_static on;
+
+ # set these globally, if not done already
+ # gzip_http_version 1.1;
+ # gzip_proxied expired no-cache no-store private auth;
+ # gzip_disable "MSIE [1-6]\.";
+ # gzip_vary on;
+
+ error_page 418 = @cachemiss;
+
+ if ($request_method = POST) { return 418; }
+
+ if ($query_string != "") { return 418; }
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ try_files "/wp-content/cache/all${uri}index.html" =418;
+
+ add_header "X-WPFC-Cache" "HIT";
+
+ # choose or modify any of the following cache-control headers
+ expires 30m;
+ # add_header "Cache-Control" "max-age=10, must-revalidate";
+ # add_header "Vary" "Cookie";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
+
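Review bot: Unlike the other cache configs in this commit, this `location /` sets `add_header "X-WPFC-Cache" "HIT";` without including globals/security-headers.conf. nginx stops inheriting `add_header` directives from the server level once a location defines its own, so any security or HSTS headers configured higher up are dropped on cache hits served from here. Adding `include 'globals/security-headers.conf';` after the `X-WPFC-Cache` line brings this file in line with its siblings.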
diff --git a/mime.types b/mime.types
new file mode 100644
index 0000000..cd3d700
--- /dev/null
+++ b/mime.types
@@ -0,0 +1,88 @@
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..88accd6
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,32 @@
+# user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*.conf;
+}
diff --git a/proxy.conf b/proxy.conf
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy.conf
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
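Review bot: `proxy_set_header Host $http_host;` forwards the Host header exactly as the client sent it, and an absent header yields an empty value; `$host` is the normalised name nginx itself matched on. Unless the backend needs the client-supplied port, `proxy_set_header Host $host;` is the safer default for an application that builds links from Host. proxy_params is byte-identical (same blob `df75bc5`), so the note applies there too. A comment saying which of the two files is the canonical copy would prevent them drifting apart.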
diff --git a/proxy_params b/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/scripts/update-cloudflare-ip-list.sh b/scripts/update-cloudflare-ip-list.sh
new file mode 100644
index 0000000..4fc2f8b
--- /dev/null
+++ b/scripts/update-cloudflare-ip-list.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# script to set Cloudflare IPs (ipv4 and ipv6)
+
+# empty the list
+echo -n > /etc/nginx/globals/cloudflare-ip-list.conf;
+
+# fetch and update ipv4
+for i in `curl -s https://www.cloudflare.com/ips-v4`; do
+ echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
+done
+
+# fetch and update ipv6
+for i in `curl -s https://www.cloudflare.com/ips-v6`; do
+ echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
+done
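Review bot: The script truncates the live `cloudflare-ip-list.conf` before anything has been fetched, so a failed or partial download leaves nginx with an empty or half-written trust list. Because `curl -s` has no `--fail`, the body of an HTTP error page would be wrapped in `set_real_ip_from ...;` lines and written into the config. The entries are also written without any format check, and nginx is never tested or reloaded, so a successful update has no effect until someone reloads it by hand. I would build the list in a temporary file, validate each entry, replace the live file only when the result is non-empty, and then test and reload, as sketched below.

```shell
# … unchanged: shebang and header comment …
set -euo pipefail

list=/etc/nginx/globals/cloudflare-ip-list.conf
tmp=$(mktemp "${list}.XXXXXX")
trap 'rm -f "$tmp"' EXIT

for url in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
    # --fail: an HTTP error must abort the run, not end up in the config
    curl --fail --silent --show-error "$url" | while read -r cidr || [ -n "$cidr" ]; do
        [ -n "$cidr" ] || continue
        # accept only address/prefix tokens before writing a directive
        if ! [[ $cidr =~ ^[0-9A-Fa-f:.]+/[0-9]{1,3}$ ]]; then
            echo "unexpected entry: $cidr" >&2
            exit 1
        fi
        echo "set_real_ip_from $cidr;"
    done >> "$tmp"
done

# keep the current list if nothing usable was fetched
[ -s "$tmp" ] || { echo "empty list; not replacing $list" >&2; exit 1; }

chmod 0644 "$tmp"
mv "$tmp" "$list"
nginx -t && nginx -s reload
```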
diff --git a/sites-available/admin-over-ssl.conf b/sites-available/admin-over-ssl.conf
new file mode 100644
index 0000000..0166cbd
--- /dev/null
+++ b/sites-available/admin-over-ssl.conf
@@ -0,0 +1,74 @@
+### No need to enable the following in wp-config.php
+# define('FORCE_SSL_ADMIN', true);
+# define('FORCE_SSL_LOGIN', true);
+
+### Process non-SSL requests
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # Process PHP requests
+ location ~ \.php$ {
+ # Request to wp-login to go through HTTPS protocol
+ location ~ /wp-(admin|login) {
+ return 301 https://$host$request_uri;
+ }
+
+ # Process non-admin requests
+ try_files $uri =404;
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # Nginx way of mod_write
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
+server {
+ listen 443 ssl;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # Generate Certificates
+ # http://wiki.nginx.org/HttpSslModule#Generate_Certificates
+ ssl_certificate /path/to/combined.crt;
+ ssl_certificate_key /path/to/server.key;
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ # Process requests to wp-admin/* and wp-login.php
+ location ~ /wp-(admin|login) {
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ fastcgi_pass fpm;
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+ }
+
+ # Process non-admin requests
+ include globals/assets.conf;
+
+ # To avoid displaying posts and post previews in HTTPS
+ location / {
+ return 301 http://example.com$request_uri;
+ }
+
+}
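Review bot: The final `location /` in the port-443 server redirects every non-admin request to `http://example.com`, so a logged-in user's front-end requests go out in cleartext, and any WordPress cookie not flagged Secure would travel with them (which cookies those are depends on the WordPress configuration, not visible here). If the downgrade is intentional, a comment saying so and naming the cookie settings it relies on would help; otherwise serve the whole site on 443. Neither server block includes `globals/restrictions.conf`, which most other templates in this commit include.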
diff --git a/sites-available/catchall.conf b/sites-available/catchall.conf
new file mode 100644
index 0000000..f9ade70
--- /dev/null
+++ b/sites-available/catchall.conf
@@ -0,0 +1,28 @@
+# Ref - http://wiki.nginx.org/ServerBlockExample#A_Default_.22Catch_All.22_Server_Block
+server {
+ listen 80 default_server;
+ server_name _;
+
+ access_log off;
+ error_log off;
+
+ # return nothing
+ # a Nginx specific error code
+ # return 444;
+
+ # deny all
+ # include globals/error-pages.conf;
+ location / {
+ return 403;
+ }
+
+ # Let Varnish or others ping to know the status of PHP-FPM
+ location /ping {
+ allow 127.0.0.1;
+ deny all;
+
+ fastcgi_pass fpm;
+ keepalive_timeout 0;
+ expires -1;
+ }
+}
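Review bot: `error_log off;` does not disable error logging; nginx treats `off` as a file name and writes the error log to a file called off under its prefix directory. Use `error_log /dev/null crit;` if the log really should be discarded, though for a catch-all server that receives scanner traffic an error log is useful for detection. sites-available/ip.conf has the same line. The `/ping` location also passes to FastCGI without including fastcgi_params, so PHP-FPM presumably receives no script name or request URI to match against its ping path.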
diff --git a/sites-available/default.conf b/sites-available/default.conf
new file mode 100644
index 0000000..6c06559
--- /dev/null
+++ b/sites-available/default.conf
@@ -0,0 +1,24 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # create dummy certificates, if you'd like to enable the following...
+ # listen 443 ssl http2 default_server;
+ # listen [::]:443 ssl http2 default_server;
+
+ # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+
+ # to catch all domains not hosted here!
+ server_name _;
+
+ include globals/error-pages.conf;
+ location / {
+ # return nothing
+ # a Nginx specific error code
+ # return 444;
+
+ # or send error code 550 - not hosted here!
+ return 550;
+ }
+}
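Review bot: With both `listen 443` lines commented out, this default server only catches unknown hosts on port 80; an HTTPS request for a name not hosted here falls through to whichever 443 server nginx treats as the default and is answered with that site's certificate and content. The commented `ssl_certificate` paths point at the live example.com certificate, which contradicts the "create dummy certificates" comment above them. Consider enabling the 443 listeners with a self-signed placeholder, or on nginx 1.19.4 and later `ssl_reject_handshake on;`. catchall.conf also declares `listen 80 default_server`, so the two files cannot be enabled together.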
diff --git a/sites-available/dev.example.com.conf b/sites-available/dev.example.com.conf
new file mode 100644
index 0000000..7c1d5b9
--- /dev/null
+++ b/sites-available/dev.example.com.conf
@@ -0,0 +1,57 @@
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2; # IPv6 support
+
+ server_name dev.example.com;
+
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/dev/sites/dev.example.com/public;
+
+ # ssl_certificate "/etc/letsencrypt/live/dev.example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/dev.example.com/privkey.pem";
+
+ # access_log off;
+ access_log /var/log/nginx/dev-example.com-access.log;
+ error_log /var/log/nginx/dev-example.com-error.log;
+ # error_log /var/log/nginx/dev-example.com-error.log debug;
+
+ include "globals/restrictions.conf";
+
+ location ~* \.(?:css|js|jpg|jpeg|png|gif|ico|svg|ttf|eot|woff|otf)$ { expires max; try_files $uri @prod; }
+
+ location @prod {
+ proxy_pass https://0.0.0.0;
+
+ proxy_set_header Host "www.example.com";
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include fastcgi.conf;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_intercept_errors on;
+ fastcgi_pass fpm-dev;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ # The rewrite magic
+ location / { try_files $uri $uri/ /index.php$is_args$args; }
+ # include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+ # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
+ # include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
+}
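Review bot: `listen 443 ssl http2;` is active while both `ssl_certificate` lines are commented out, so unless a certificate is defined at the http level nginx will refuse to load this file as shipped; either comment out the 443 listeners or document that the certificate lines must be enabled first. In `location @prod`, `proxy_pass https://0.0.0.0;` connects over TLS without verifying the upstream certificate, because `proxy_ssl_verify` is off by default; once the placeholder address is replaced, add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate`, plus `proxy_ssl_server_name on;` and `proxy_ssl_name www.example.com;`. The trailing comment on the wp-fastest-cache include says "WP Rocket".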
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
new file mode 100644
index 0000000..63011ba
--- /dev/null
+++ b/sites-available/example.com.conf
@@ -0,0 +1,65 @@
+# The primary template file for WordPress sites
+# Feel free to follow the same pattern for other files in the /sites-available/ directory
+# Remember to create a symlink to /sites-enabled/ to enable a site or configuration file
+
+### server-level 301 redirect
+# you are a fan of micro-optimization, please use the following to redirect www.example.com => example.com (301)
+# server {
+ # listen 80;
+ # listen [::]:80; # IPv6 support
+ # server_name www.example.com;
+ # return 301 $scheme://example.com$request_uri;
+# }
+
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name example.com;
+
+ server_name www.example.com; # hide this line, if you enable the server-level 301 redirect above
+
+ index index.php; # default file to serve
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ ### Logs
+ access_log /var/log/nginx/example.com-access.log;
+ # if the log files become too large, you may use the following format. $loggable is defined in conf.d/common.conf
+ # access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+
+ # ideally use it along with fail2ban
+ error_log /var/log/nginx/example.com-error.log;
+ # use the following pattern only for debugging - server support needed
+ # error_log /var/log/nginx/example.com-error.log debug;
+
+ # Optional configurations
+ # include "globals/auto-versioning-support.conf";
+ # include "globals/wordpress-seo-plugin-support.conf";
+
+ include "globals/restrictions.conf";
+ include "globals/assets.conf";
+
+ location ~* \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include "fastcgi_params";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ ### Enaable only one of the following lines
+ include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+ # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
+ # include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
+ # include "globals/cache-enabler.conf"; # Cache Enabler plugin support
+ # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
+
+}
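Review bot: `add_header "X-Cache" "MISS";` is the only add_header in the PHP location, and nginx does not inherit add_header directives from outer levels once a location defines its own, so any security headers set at http or server level are dropped from PHP responses. ssl-example.com.conf handles this by including globals/security-headers.conf inside the location; doing the same here with `include 'globals/security-headers.conf';` keeps the templates consistent. dev.example.com.conf, wpfc.example.com.conf and wpsc.example.com.conf have the same pattern. The comment "Enaable only one of the following lines" should read "Enable".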
diff --git a/sites-available/ip.conf b/sites-available/ip.conf
new file mode 100644
index 0000000..7d14617
--- /dev/null
+++ b/sites-available/ip.conf
@@ -0,0 +1,95 @@
+# safe to ignore, if you don't understand what it is doing!
+
+server {
+ listen 80;
+
+ # please replace 127.0.0.1 with the actual IP of the server
+ server_name 127.0.0.1;
+
+ root /var/www/html;
+
+ ### logs
+ # enable only one of the following
+ access_log off;
+ # access_log /var/log/nginx/ip-access.log; # simple log
+ # access_log /var/log/nginx/ip-access.log combined buffer=64k flush=5m if=$loggable; # log only non-2xx and non-3xx requests; $loggable is defined in conf.d/common.conf
+
+ # enable only one of the following
+ error_log off;
+ # error_log /var/log/nginx/ip-error.log;
+ # error_log /var/log/nginx/ip-error.log debug; # depends on server support
+
+ ### PhpMyAdmin
+ # note: it's a bad idea to serve PhpMyAdmin via the server's IP as it is the known target by bad bots
+ # keeping it here for historical reasons
+ # location /phpmyadmin {
+ # include whitelist.conf;
+ # try_files $uri $uri/ /phpmyadmin/index.php$is_args$args;
+
+ # location ~* \.php$ {
+ # try_files $uri = 404;
+ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # include fastcgi.conf;
+ # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # fastcgi_index index.php;
+ # fastcgi_pass fpm;
+ # }
+ # }
+
+ # Nginx status
+ location = /nginxstatus {
+ stub_status on;
+ access_log off;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ # PHP-FPM ping
+ location = /ping {
+ fastcgi_pass fpm;
+ include fastcgi_params;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ # PHP-FPM status
+ location = /status {
+ fastcgi_pass fpm;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ location /munin {
+ alias "/var/cache/munin/www";
+ try_files $uri $uri/ /index.html;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ location /monit/ {
+ rewrite ^/monit/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:2812;
+ # replace 127.0.0.2 with the IP of the server
+ # proxy_redirect http://127.0.0.1:2812/monit/ http://127.0.0.2/monit/;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ # Redirect to the main site domainname.com
+ location / {
+ return $scheme://example.com$request_uri;
+ }
+}
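Review bot: Every protected location here uses `include whitelist.conf;`, but the access list this commit adds is named allowlist.conf; unless a whitelist.conf exists elsewhere in the tree, nginx cannot load this file. These locations expose stub_status, the PHP-FPM status and ping pages, Munin and Monit, so the include must resolve to the `allow 127.0.0.1; deny all;` list: `include allowlist.conf;`. The final `return $scheme://example.com$request_uri;` has no status code and therefore answers with a 302; `return 301 $scheme://example.com$request_uri;` would match the other templates.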
diff --git a/sites-available/login-over-ssl.conf b/sites-available/login-over-ssl.conf
new file mode 100644
index 0000000..8de592e
--- /dev/null
+++ b/sites-available/login-over-ssl.conf
@@ -0,0 +1,69 @@
+### No need to enable the following in wp-config.php
+# define('FORCE_SSL_ADMIN', true);
+# define('FORCE_SSL_LOGIN', true);
+
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ include globals/assets.conf;
+ include globals/restrictions.conf;
+
+ location ~ \.php$ {
+ # Request to wp-login to go through HTTPS protocol
+ location ~ /wp-login\.php {
+ return 301 https://$host$request_uri;
+ }
+
+ # Process other requests
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ try_files $uri =404;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
+server {
+ listen 443 ssl;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # Generate Certificates
+ # http://wiki.nginx.org/HttpSslModule#Generate_Certificates
+ ssl_certificate /path/to/combined.crt;
+ ssl_certificate_key /path/to/server.key;
+
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include globals/assets.conf;
+ include globals/restrictions.conf;
+
+ location ~ /wp-login\.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
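Review bot: The port-443 server has a FastCGI handler only for `/wp-login\.php$`, while its `location /` uses `try_files $uri ...`; any other existing .php file requested over HTTPS is therefore not matched by a PHP location and, unless globals/restrictions.conf or assets.conf intercept it (not visible in this hunk), is returned as a static file, i.e. as source. Add a general `location ~ \.php$` FastCGI block to this server, like the one in the port-80 server, or redirect non-login requests to HTTP as admin-over-ssl.conf does. The `/index.php` fallback of `try_files` has the same problem, since it resolves to a location that does not execute PHP.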
diff --git a/sites-available/mu-dir-dir-example.com.conf b/sites-available/mu-dir-dir-example.com.conf
new file mode 100644
index 0000000..c4fcc2a
--- /dev/null
+++ b/sites-available/mu-dir-dir-example.com.conf
@@ -0,0 +1,73 @@
+### Use case
+# example.com has a non-WordPress installation at its root
+# example.com/blogs is a WordPress multisite sub-directory installation
+# example.com/blogs/blog1 is a site in WP multisite
+# example.com/blogs/blog2 is another site in WP multisite
+# The site would be accessed primarily as example.com (instead of www.example.com)
+# Please replace blogs with the actual name of the sub-directory inwhich WP is (would be) installed
+
+### Remember that IfIsEvil, if used inappropriately.
+# Ref: http://wiki.nginx.org/IfIsEvil
+
+# Redirect www.example.com/anything to example.com/anything
+server {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+# Process requests to example.com
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Change this to the actual location of non-WordPress files
+ root /home/username/sites/example.com/public;
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ ### modified version of globals/mu-files.conf;
+ # For uploads
+ if ( $uri ~ "files" ) {
+ rewrite ^/blogs/(?:.*/)?files/(.+) /blogs/wp-includes/ms-files.php?file=$1;
+ }
+
+ ### modified version of globals/mu-dir.conf;
+ # For sub-directory redirects
+ # Only one would apply
+ # If two needed to be applied, it'd throw a 404
+ if (!-e $request_filename) {
+ rewrite ^/blogs/[_0-9a-zA-Z-]+(/wp-(content|admin|includes).*) /blogs$1 break;
+ rewrite ^/blogs/[_0-9a-zA-Z-]+(/.*\.php)$ /blogs$1 break;
+ }
+
+ # Process PHP requests
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # To process WordPress site/s
+ location /blogs {
+ try_files $uri $uri/ /blogs/index.php$is_args$args;
+ }
+
+ # Let's include usual location directives, including 'location / { try files ; }' directive
+ # To process the non-WordPress PHP site
+ include globals/assets.conf;
+ include globals/restrictions.conf;
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
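Review bot: The PHP location lacks the `fastcgi_param HTTP_PROXY "";` line that example.com.conf, ssl-example.com.conf and others in this commit carry under the comment "Mitigate https://httpoxy.org/ vulnerabilities". Unless the repository's fastcgi.conf already clears the variable (not visible here), add the line before `include "fastcgi.conf";`. The same omission is in admin-over-ssl.conf, login-over-ssl.conf, mu-dir-example.com.conf, mu-dom-example.com.conf and nginx-varnish-nginx.conf.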
diff --git a/sites-available/mu-dir-example.com.conf b/sites-available/mu-dir-example.com.conf
new file mode 100644
index 0000000..138b0e7
--- /dev/null
+++ b/sites-available/mu-dir-example.com.conf
@@ -0,0 +1,42 @@
+# Configuration for multisite - subdirectory
+
+server {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+server {
+ listen 80;
+
+ server_name example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ index index.php;
+
+ # logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include "globals/mu-files.conf";
+ include "globals/mu-dir.conf";
+ include "globals/assets.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass fpm;
+ }
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
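Review bot: This template includes mu-files.conf, mu-dir.conf and assets.conf but not `globals/restrictions.conf`, which the subdomain variant mu-dom-example.com.conf and most other templates include. Whatever deny rules that file carries would not apply to a sub-directory multisite built from this template. Add `include "globals/restrictions.conf";` next to the other includes, or add a comment explaining why it is left out.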
diff --git a/sites-available/mu-dom-example.com.conf b/sites-available/mu-dom-example.com.conf
new file mode 100644
index 0000000..fe7a760
--- /dev/null
+++ b/sites-available/mu-dom-example.com.conf
@@ -0,0 +1,42 @@
+# Configuration for multisite - subdomain
+
+server {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+server {
+ listen 80;
+
+ server_name .example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ index index.php;
+
+ # logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include "globals/mu-files.conf";
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
diff --git a/sites-available/multiple-vhosts.conf b/sites-available/multiple-vhosts.conf
new file mode 100644
index 0000000..5377a17
--- /dev/null
+++ b/sites-available/multiple-vhosts.conf
@@ -0,0 +1,31 @@
+# TODO:
+# blog post explaining how it could be incorporated and useful, pros and cons of this setup
+
+server {
+ listen 80;
+ server_name *.example.com example.net example.org;
+
+ # keep the files in the following way...
+ # site1.example.com at /path/to/sites/site1.example.com/public
+ # site2.example.com at /path/to/sites/site2.example.com/public
+ # site3.example.com at /path/to/sites/site3.example.com/public
+ # example.net at /path/to/sites/example.net/public
+ # example.org at /path/to/sites/example.org/public
+
+ root /path/to/sites/$host/public;
+
+ index index.php index.html;
+
+ # Let's have a common log for all the sites
+ # individual logs are not possible to create for each site
+ access_log /var/log/nginx/common-vhost-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/common-vhost-error.log error;
+
+ include "globals/restrictions.conf";
+ include "globals/assets.conf";
+ include "globals/php.conf";
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+}
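Review bot: `root /path/to/sites/$host/public;` derives the document root from the request's Host header, so which directory is served depends on client input, limited only by the `server_name` match. The wildcard `*.example.com` lets any sub-domain label select a directory under /path/to/sites/, and if this block ever becomes the default server for port 80, an arbitrary Host value would do the same. A comment should state that a `default_server` catch-all (catchall.conf or default.conf) must be enabled alongside this file and that only intended site directories may live under that path.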
diff --git a/sites-available/nginx-varnish-apache.conf b/sites-available/nginx-varnish-apache.conf
new file mode 100644
index 0000000..b58f244
--- /dev/null
+++ b/sites-available/nginx-varnish-apache.conf
@@ -0,0 +1,38 @@
+iserver {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ # Add trailing slash to */wp-admin requests.
+ rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+
+ location ~ \.php$ {
+ proxy_pass http://apache;
+ include proxy_params;
+ }
+
+ location @backend {
+ proxy_pass http://varnish;
+ include proxy_params;
+ }
+
+ location / {
+ try_files $uri @backend;
+ }
+
+}
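Review bot: The first line reads `iserver {`, which nginx rejects as an unknown directive, so the file cannot be loaded as shipped; it should be `server {`. The stray character looks like an editor keystroke, and running `nginx -t` against each template before committing would catch this class of error.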
diff --git a/sites-available/nginx-varnish-nginx.conf b/sites-available/nginx-varnish-nginx.conf
new file mode 100644
index 0000000..f7447ef
--- /dev/null
+++ b/sites-available/nginx-varnish-nginx.conf
@@ -0,0 +1,82 @@
+server {
+ listen 80;
+ server_name example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root "/home/username/sites/example.com/public";
+
+ index index.php;
+
+ # Logs - do check these, if sth goes wrong
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+
+ location / {
+ error_page 418 = @phpfpm;
+ if ($request_method = POST) { return 418; }
+ if ($http_cookie ~* "wordpress_logged_in") { return 418; }
+ if ($http_cookie ~* "comment_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ proxy_pass http://varnish;
+ include proxy.conf;
+ }
+
+ location @phpfpm {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ location ~ /wp-admin {
+ try_files $uri $uri/ /index.php$is_args$args;
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+ }
+
+}
+
+# To serve requests from Varnish
+# Setup Varnish to use 127.0.0.1:82 as backend for this domain
+server {
+ listen 127.0.0.1:82;
+ server_name example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root "/home/username/sites/example.com/public";
+
+ index index.php;
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+}
+
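Review bot: The loopback server on `127.0.0.1:82` receives every request from Varnish, so PHP sees 127.0.0.1 as the client address unless the real-IP module is configured elsewhere (not visible here); that affects WordPress logging, comment moderation and any address-based throttling. Adding `set_real_ip_from 127.0.0.1;` and `real_ip_header X-Forwarded-For;` to that server restores the address passed on by proxy.conf, assuming Varnish forwards the header. In the front server, the `location ~ \.php$` nested under `/wp-admin` is never selected for .php URIs because the earlier top-level `location ~ \.php$` matches first, so it can be removed.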
diff --git a/sites-available/pma.example.com.conf b/sites-available/pma.example.com.conf
new file mode 100644
index 0000000..c948164
--- /dev/null
+++ b/sites-available/pma.example.com.conf
@@ -0,0 +1,61 @@
+### IMPORTANT
+### If phpMyAdmin is accessed via a different port
+### as in the case of a Varnish -> Nginx setup, please do the following
+
+### SET $cfg['PmaAbsoluteUri'] = 'http://your.domain.com/path/to/phpmyadmin/'; in config.inc.php
+### Ref: http://serverfault.com/questions/246300/running-phpmyadmin-on-nginx-port-8080-passed-to-varnish-not-working-well
+### Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1340187&group_id=23067&atid=377409
+
+# http => https
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name pma.example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/pma.example.com/public;
+
+ # for LetsEncrypt
+ location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name pma.example.com;
+ index index.php;
+
+ # Replace the path with the actual path to Phpmyadmin core files
+ root /home/username/sites/pma.example.com/public;
+
+ access_log /var/log/nginx/pma.example.com-access.log combined buffer=64k flush=5m if=$loggable; # $loggable is defined in conf.d/common.conf
+ error_log /var/log/nginx/pma.example.com-error.log;
+
+ ssl_certificate "/etc/letsencrypt/live/pma.example.com/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/pma.example.com/privkey.pem";
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include "fastcgi_params";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ location / { try_files $uri $uri/ /index.php$is_args$args; }
+}
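Review bot: The port-443 server publishes phpMyAdmin with no access control in this file: there is no `allow`/`deny` list and no `auth_basic`, even though `auth_basic off;` in the ACME location suggests basic auth was intended. ip.conf itself notes that phpMyAdmin is a known target for bots; add `include allowlist.conf;` or an `auth_basic`/`auth_basic_user_file` pair at server level in the 443 block. The port-80 root comment says "WordPress core files" although this is the phpMyAdmin document root.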
diff --git a/sites-available/ssl-example.com.conf b/sites-available/ssl-example.com.conf
new file mode 100644
index 0000000..2bd7482
--- /dev/null
+++ b/sites-available/ssl-example.com.conf
@@ -0,0 +1,104 @@
+# http => https
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name example.com www.example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # for LetsEncrypt
+ location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+}
+
+# www.example.com => example.com (server-level)
+# Or example.com => www.example.com (server-level)
+# use it only if you are a fan of micro-optimization
+# server {
+ # listen 443 ssl http2;
+ # listen [::]:443 ssl http2; # IPv6 support
+ # uncomment only one depending on the main URL
+ # server_name example.com;
+ # server_name www.example.com;
+ # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+ # location / {
+ # uncomment only one depending on the main URL
+ # return 301 $scheme://www.example.com$request_uri;
+ # return 301 $scheme://example.com$request_uri;
+ # include 'globals/hsts.conf';
+ # include 'globals/security-headers.conf';
+ # }
+# }
+
+server {
+ # "http2" parameter of the "listen" directive is deprecated as of version 1.25.1 released on June 13, 2023
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2; # IPv6 support
+
+ # since Nginx version 1.25.1
+ # https on;
+
+ # the main URL where the site is served. It could be www.example.com
+ server_name example.com;
+
+ # comment out the following line, if you enable the server-level 301 redirect above
+ server_name www.example.com;
+
+ # default file to serve
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # if you use an ACME client that stores the SSL certs in a different path, please update the following
+ ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log;
+ # if the log files become too large, you may use the following format. $loggable is defined in conf.d/common.conf
+ # access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+
+ # ideally use it along with fail2ban
+ error_log /var/log/nginx/example.com-error.log;
+ # use the following pattern only for debugging - server support needed
+ # error_log /var/log/nginx/example.com-error.log debug;
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+ include globals/auto-versioning-support.conf;
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include "fastcgi_params";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+
+ ### Enaable only one of the following lines
+ include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+ # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
+ # include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
+ # include "globals/cache-enabler.conf"; # Cache Enabler plugin support
+ # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
+}
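Review bot: `globals/hsts.conf` and `globals/security-headers.conf` are included only inside `location ~ \.php$` in the 443 server, so responses that never reach PHP (static assets and, presumably, pages served straight from the cache by wp-super-cache.conf) go out without HSTS or the other headers unless those includes repeat them (not visible here). Including both files at server level, and again in any location that sets its own add_header, would cover all responses; static-site.conf has the same pattern in its `location /`. The includes in the port-80 redirect have no security effect, since browsers ignore HSTS received over plain HTTP. The commented `# https on;` should read `# http2 on;`, the directive that replaces the `http2` listen parameter from 1.25.1.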
diff --git a/sites-available/static-site.conf b/sites-available/static-site.conf
new file mode 100644
index 0000000..a25262a
--- /dev/null
+++ b/sites-available/static-site.conf
@@ -0,0 +1,74 @@
+# http => https
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name example.com www.example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # for LetsEncrypt
+ location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+}
+
+# www.example.com => example.com (server-level)
+# use it only if you are a fan of micro-optimization
+# server {
+ # listen 443 ssl http2;
+ # listen [::]:443 ssl http2; # IPv6 support
+ # server_name www.example.com;
+ # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+ # location / {
+ # return 301 $scheme://example.com$request_uri;
+ # include 'globals/hsts.conf';
+ # include 'globals/security-headers.conf';
+ # }
+# }
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2; # IPv6 support
+ server_name example.com;
+
+ # hide the following line, if you enable the server-level 301 redirect above
+ server_name www.example.com;
+
+ # default file to serve
+ index index.html;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+ include globals/auto-versioning-support.conf;
+
+ location / {
+ try_files $uri $uri/ =404;
+
+ # you may adjust the expiry information here!
+ # expires 30m; # since static content rarely changes, it is safe to keep it to 30 minutes. YMMV.
+
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+}
+
diff --git a/sites-available/wpfc.example.com.conf b/sites-available/wpfc.example.com.conf
new file mode 100644
index 0000000..8d75410
--- /dev/null
+++ b/sites-available/wpfc.example.com.conf
@@ -0,0 +1,33 @@
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+
+ server_name wpfc.example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/wpsc.example.com/public;
+
+ access_log /var/log/nginx/wp-fastest-cache.example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/wp-fastest-cache.example.com-error.log;
+
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ include "globals/wp-fastest-cache.conf";
+}
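Review bot: `root /home/username/sites/wpsc.example.com/public;` points this wpfc.example.com server at the wpsc site's directory, apparently copied from wpsc.example.com.conf; anyone using the template as-is would serve one site's files under the other's hostname. It should be `root /home/username/sites/wpfc.example.com/public;`. The log file names use `wp-fastest-cache.example.com` rather than the server name, which is harmless but inconsistent with the sibling template.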
diff --git a/sites-available/wpsc.example.com.conf b/sites-available/wpsc.example.com.conf
new file mode 100644
index 0000000..608edd4
--- /dev/null
+++ b/sites-available/wpsc.example.com.conf
@@ -0,0 +1,33 @@
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+
+ server_name wpsc.example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root "/home/username/sites/wpsc.example.com/public";
+
+ access_log /var/log/nginx/wpsc.example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/wpsc.example.com-error.log;
+
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ include "globals/wp-super-cache.conf";
+}