From dd82b3e56c41a10656d78c1d6ce0fc5fa4933742 Mon Sep 17 00:00:00 2001 
From: hhftechnologies Date: Sat, 28 Sep 2024 17:48:20 +0530 Subject: [PATCH] update --- LICENSE | 21 + allowlist.conf | 15 + changelog.txt | 21 + conf.d/common.conf | 90 +++ conf.d/gzip.conf | 29 + conf.d/lb.conf | 17 + conf.d/ssl-common.conf | 15 + denylist.conf | 9 + errors/403.html | 7 + errors/404.html | 7 + errors/550.html | 8 + fastcgi.conf | 24 + fastcgi_params | 24 + globals/assets.conf | 58 ++ globals/auto-versioning-support.conf | 5 + globals/brotli.conf | 34 ++ globals/bunnycdn-ip-list.conf | 558 ++++++++++++++++++ globals/bunnycdn.conf | 12 + globals/cache-enabler.conf | 72 +++ globals/cloudflare-ip-list.conf | 21 + globals/cloudflare.conf | 9 + globals/dev.restrictions.conf | 13 + globals/error-pages.conf | 23 + globals/hide-headers.conf | 12 + globals/hsts.conf | 1 + globals/mu-dir.conf | 9 + globals/mu-files.conf | 6 + globals/pagespeed.conf | 9 + globals/php.conf | 9 + globals/restrictions.conf | 33 ++ globals/security-headers.conf | 13 + globals/sucuri-real-ip.conf | 12 + globals/sucuri-waf.conf | 12 + .../varnish-as-front-end-compatibility.conf | 7 + globals/wordpress-seo-plugin-support.conf | 6 + globals/wp-fastest-cache.conf | 93 +++ globals/wp-rocket.conf | 78 +++ globals/wp-super-cache.conf | 80 +++ globals/wpfc.conf | 34 ++ mime.types | 88 +++ nginx.conf | 32 + proxy.conf | 4 + proxy_params | 4 + scripts/update-cloudflare-ip-list.sh | 16 + sites-available/admin-over-ssl.conf | 74 +++ sites-available/catchall.conf | 28 + sites-available/default.conf | 24 + sites-available/dev.example.com.conf | 57 ++ sites-available/example.com.conf | 65 ++ sites-available/ip.conf | 95 +++ sites-available/login-over-ssl.conf | 69 +++ sites-available/mu-dir-dir-example.com.conf | 73 +++ sites-available/mu-dir-example.com.conf | 42 ++ sites-available/mu-dom-example.com.conf | 42 ++ sites-available/multiple-vhosts.conf | 31 + sites-available/nginx-varnish-apache.conf | 38 ++ sites-available/nginx-varnish-nginx.conf | 82 +++ sites-available/pma.example.com.conf | 
61 ++ sites-available/ssl-example.com.conf | 104 ++++ sites-available/static-site.conf | 74 +++ sites-available/wpfc.example.com.conf | 33 ++ sites-available/wpsc.example.com.conf | 33 ++ 62 files changed, 2675 insertions(+) create mode 100644 LICENSE create mode 100644 allowlist.conf create mode 100644 changelog.txt create mode 100644 conf.d/common.conf create mode 100644 conf.d/gzip.conf create mode 100644 conf.d/lb.conf create mode 100644 conf.d/ssl-common.conf create mode 100644 denylist.conf create mode 100644 errors/403.html create mode 100644 errors/404.html create mode 100644 errors/550.html create mode 100644 fastcgi.conf create mode 100644 fastcgi_params create mode 100644 globals/assets.conf create mode 100644 globals/auto-versioning-support.conf create mode 100644 globals/brotli.conf create mode 100644 globals/bunnycdn-ip-list.conf create mode 100644 globals/bunnycdn.conf create mode 100644 globals/cache-enabler.conf create mode 100644 globals/cloudflare-ip-list.conf create mode 100644 globals/cloudflare.conf create mode 100644 globals/dev.restrictions.conf create mode 100644 globals/error-pages.conf create mode 100644 globals/hide-headers.conf create mode 100644 globals/hsts.conf create mode 100644 globals/mu-dir.conf create mode 100644 globals/mu-files.conf create mode 100644 globals/pagespeed.conf create mode 100644 globals/php.conf create mode 100644 globals/restrictions.conf create mode 100644 globals/security-headers.conf create mode 100644 globals/sucuri-real-ip.conf create mode 100644 globals/sucuri-waf.conf create mode 100644 globals/varnish-as-front-end-compatibility.conf create mode 100644 globals/wordpress-seo-plugin-support.conf create mode 100644 globals/wp-fastest-cache.conf create mode 100644 globals/wp-rocket.conf create mode 100644 globals/wp-super-cache.conf create mode 100644 globals/wpfc.conf create mode 100644 mime.types create mode 100644 nginx.conf create mode 100644 proxy.conf create mode 100644 proxy_params create mode 100644 
scripts/update-cloudflare-ip-list.sh create mode 100644 sites-available/admin-over-ssl.conf create mode 100644 sites-available/catchall.conf create mode 100644 sites-available/default.conf create mode 100644 sites-available/dev.example.com.conf create mode 100644 sites-available/example.com.conf create mode 100644 sites-available/ip.conf create mode 100644 sites-available/login-over-ssl.conf create mode 100644 sites-available/mu-dir-dir-example.com.conf create mode 100644 sites-available/mu-dir-example.com.conf create mode 100644 sites-available/mu-dom-example.com.conf create mode 100644 sites-available/multiple-vhosts.conf create mode 100644 sites-available/nginx-varnish-apache.conf create mode 100644 sites-available/nginx-varnish-nginx.conf create mode 100644 sites-available/pma.example.com.conf create mode 100644 sites-available/ssl-example.com.conf create mode 100644 sites-available/static-site.conf create mode 100644 sites-available/wpfc.example.com.conf create mode 100644 sites-available/wpsc.example.com.conf diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..64f4b81 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Pothi Kalimuthu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/allowlist.conf b/allowlist.conf
new file mode 100644
index 0000000..2acf200
--- /dev/null
+++ b/allowlist.conf
@@ -0,0 +1,15 @@
+# please use the following format...
+# allow ip.add.re.ss;
+# both ipv4 and ipv6 addresses can be whitelisted
+# CIDR notation is allowed too
+
+
+# allow ip.add.re.ss1;
+# allow ip.add.re.ss2;
+# allow ip.add.re.ss3;
+
+
+# Please do *not* change the following lines
+allow 127.0.0.1;
+deny all;
+# End of file - No more lines, please!
diff --git a/changelog.txt b/changelog.txt
new file mode 100644
index 0000000..e3d0597
--- /dev/null
+++ b/changelog.txt
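Review bot: The fixed tail `allow 127.0.0.1;` / `deny all;` in allowlist.conf exempts only the IPv4 loopback, while the header comment promises that IPv6 entries work; on an IPv6-enabled listener a local request arriving over `::1` (a health check, or the site calling itself) is rejected by `deny all;`. If IPv6 is in use, add `allow ::1;` beside the IPv4 line. Because nginx evaluates `allow`/`deny` top-down, the comment above the tail could also state the ordering constraint explicitly: `# allow/deny are matched in order: keep your allow lines above deny all`.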
@@ -0,0 +1,21 @@
+v3.0
+- Released on May 9, 2018
+- Rename wprocket.conf to wp-rocket.conf
+- Rename wpsupercache.conf to wp-super-cache.conf
+- Added Cloudflare support.
+- IPv6 support added.
+- WebP support.
+- Other minor changes.
+
+v2.0
+- released on Dec 20, 2017
+- changed filename globals/common-locations.conf to globals/assets.conf
+- other minor changes
+
+v1.0
+- released on April 23, 2017
+- uniform naming scheme for domain names
+- uniform naming scheme for default files
+- introduction of blacklist and whitelist for IP addresses
+- fix tab/space conflict; now we use only spaces
+- enable gzip by default
diff --git a/conf.d/common.conf b/conf.d/common.conf
new file mode 100644
index 0000000..9896d8e
--- /dev/null
+++ b/conf.d/common.conf
@@ -0,0 +1,90 @@
+### common directives and settings
+
+index index.html index.php;
+
+# Ref: https://gist.github.com/magnetikonline/11312172
+fastcgi_buffers 32 32k;
+fastcgi_buffer_size 32k;
+
+proxy_buffers 8 32k;
+proxy_buffer_size 64k;
+# -------------------------------------------------------------------
+
+# for time-consuming operations (such as WP import or file upload)
+# https://nginx.org/r/fastcgi_read_timeout
+# default 60 seconds
+fastcgi_read_timeout 5m;
+
+# -------------------------------------------------------------------
+
+### To enable large uploads
+# Please make sure the corresponding PHP values are increased as well
+# post_max_size = 8M (default)
+# upload_max_filesize = 2M (default)
+
+client_max_body_size 2G;
+
+# -------------------------------------------------------------------
+
+### To fix the error - could not build the server_names_hash
+# ref: https://nginx.org/en/docs/hash.html
+server_names_hash_bucket_size 128;
+
+# -------------------------------------------------------------------
+
+# for extended metrics (in Amplify, etc)
+log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '"$host" sn="$server_name" '
+ 'rt=$request_time '
+ 'ua="$upstream_addr" us="$upstream_status" '
+ 'ut="$upstream_response_time" ul="$upstream_response_length" '
+ 'cs=$upstream_cache_status' ;
+
+# -------------------------------------------------------------------
+
+# For SSL Compatibility - WP Super Cache and WP Rocket depend on this
+map $scheme $https_suffix { default ''; https '-https'; }
+
+# -------------------------------------------------------------------
+
+### Fine-tune logging
+# ref: https://nginx.org/r/access_log
+map $status $loggable {
+ ~^[23] 0;
+ default 1;
+}
+
+# -------------------------------------------------------------------
+
+# https://jdh8.github.io/charset-for-text-on-nginx/
+map $sent_http_content_type $charset {
+ ~^text/ utf-8;
+}
+
+charset $charset;
+charset_types *;
+
+# -------------------------------------------------------------------
+
+# if you'd like to hide some header info, uncomment this
+# include globals/hide-headers.conf;
+
+# -------------------------------------------------------------------
+#
+# if you'd like to use cloudflare servers, uncomment this
+# include globals/cloudflare.conf;
+# include globals/sucuri-real-ip.conf;
+
+# -------------------------------------------------------------------
+
+# webp support
+# see: https://docs.ewww.io/article/16-ewww-io-and-webp-images
+
+map $http_accept $webp_suffix {
+ default "";
+ "~*webp" ".webp";
+}
+
+# -------------------------------------------------------------------
diff --git a/conf.d/gzip.conf b/conf.d/gzip.conf
new file mode 100644
index 0000000..29e01bd
--- /dev/null
+++ b/conf.d/gzip.conf
@@ -0,0 +1,29 @@
+##
+# Gzip Settings
+##
+
+# uncomment the following, if your nginx.conf already doesn't have it turned on
+# gzip on;
+
+gzip_disable "msie6";
+
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+
+gzip_types
+ text/plain
+ text/css
+ text/xml
+ text/javascript
+ image/svg+xml
+ application/json
+ application/javascript
+ application/x-javascript
+ application/xml
+ application/atom+xml
+ application/xml+rss;
+
+# Uncomment the following, if Amazon CloudFront is used
+# gzip_http_version 1.0;
diff --git a/conf.d/lb.conf b/conf.d/lb.conf
new file mode 100644
index 0000000..3d52540
--- /dev/null
+++ b/conf.d/lb.conf
@@ -0,0 +1,17 @@
+# In most cases, only one upstream server should be present
+
+# Apache backend
+upstream apache { server 127.0.0.1:81; }
+
+# Varnish backend
+upstream varnish { server 127.0.0.1:6081; }
+
+# PHP-FPM backend
+# Only one server should be present in all cases
+upstream fpm {
+ # server unix:/path/to/socket;
+ server unix:/var/lock/php-fpm;
+
+ # server 127.0.0.1:9000;
+ # server ip.ip.ip.ip:port;
+}
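Review bot: `client_max_body_size 2G;` sits at http level in conf.d/common.conf, so every server and location that includes this file accepts request bodies up to 2 GiB — endpoints that never take uploads included — and nginx receives those bodies in full before PHP's own `post_max_size`/`upload_max_filesize` (8M/2M per the comment just above) rejects them. A more defensible layout is a modest global value with the large limit scoped to the location that handles imports, e.g. `client_max_body_size 16M;` here and `client_max_body_size 2G;` in that location. `fastcgi_read_timeout 5m;` has the same shape of problem: it keeps an upstream worker tied up for five minutes on any slow request, not only imports. Either way a comment would help whoever includes the file: `# applies to every vhost that includes this file; override per location where large bodies or long timeouts are really needed`.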
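Review bot: The `gzip_types` list in conf.d/gzip.conf compresses `application/json` and `application/javascript` responses, and nginx compresses `text/html` regardless; if an application response reflects request-controlled input next to a secret (a CSRF token, a session value), compressing it yields a BREACH-style length side channel, and nothing in this file records that trade-off. A one-line comment above `gzip_types` would help whoever turns `gzip on;` globally: `# compressing dynamic responses that echo user input alongside secrets enables BREACH; keep gzip to static assets or mask tokens per request`. Whether any of the bundled vhosts reflect input in that way cannot be judged from this hunk.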
diff --git a/conf.d/ssl-common.conf b/conf.d/ssl-common.conf
new file mode 100644
index 0000000..4774762
--- /dev/null
+++ b/conf.d/ssl-common.conf
@@ -0,0 +1,15 @@
+ssl_prefer_server_ciphers on;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+
+# From https://weakdh.org/sysadmin.html
+# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+# From https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+# run "openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option
+# ssl_dhparam /etc/nginx/dhparam.pem;
diff --git a/denylist.conf b/denylist.conf
new file mode 100644
index 0000000..e4b28cf
--- /dev/null
+++ b/denylist.conf
@@ -0,0 +1,9 @@
+# please use the following format...
+# deny ip.add.re.ss;
+# both ipv4 and ipv6 addresses can be blacklisted
+# CIDR notation is allowed too
+
+
+# deny ip.add.re.ss1;
+# deny ip.add.re.ss2;
+# deny ip.add.re.ss3;
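Review bot: conf.d/ssl-common.conf enables a shared session cache but leaves `ssl_session_tickets` at its default of on, so resumption also runs through a ticket key that lives unrotated in worker memory for the life of the process and weakens forward secrecy for resumed sessions; the Mozilla profile the comment cites pairs the cache with `ssl_session_tickets off;`. The current Mozilla generator also emits `ssl_prefer_server_ciphers off;` for cipher lists made only of ECDHE/AEAD suites like this one, so `on` here deserves at least a comment explaining the deviation if it is intentional. The dhparam comment is moot with this list: it contains no DHE suite, so `ssl_dhparam` would never be used, and `-dsaparam` produces non-safe-prime parameters that OpenSSL's own manual cautions about should someone add DHE later.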
diff --git a/errors/403.html b/errors/403.html new file mode 100644 index 0000000..b431619 --- /dev/null +++ b/errors/403.html @@ -0,0 +1,7 @@ + +403 Forbidden + +

403 Forbidden

+
+ + diff --git a/errors/404.html b/errors/404.html new file mode 100644 index 0000000..c9f1e9f --- /dev/null +++ b/errors/404.html @@ -0,0 +1,7 @@ + +404 Not Found + +

404 Not Found

+
+ + diff --git a/errors/550.html b/errors/550.html new file mode 100644 index 0000000..f24eac7 --- /dev/null +++ b/errors/550.html @@ -0,0 +1,8 @@ + +550 Domain not hosted here + +

550 - Domain is not hosted here!

Probably, it is a mistake by the server administrator!

+
+
+
+
diff --git a/fastcgi.conf b/fastcgi.conf
new file mode 100644
index 0000000..765b6f0
--- /dev/null
+++ b/fastcgi.conf
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/fastcgi_params b/fastcgi_params
new file mode 100644
index 0000000..765b6f0
--- /dev/null
+++ b/fastcgi_params
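Review bot: fastcgi.conf as added here is byte-identical to fastcgi_params (same blob 765b6f0 in the next hunk) and, unlike the fastcgi.conf that ships with nginx, does not set `SCRIPT_FILENAME`; every location that includes it must add `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` itself, or PHP-FPM receives no script path. Either add that line here so the two files differ the way the nginx naming convention implies, or state the contract at the top of both: `# SCRIPT_FILENAME is deliberately not set here; set it in the location that includes this file`. Whether the bundled vhosts do so cannot be seen from these hunks.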
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/globals/assets.conf b/globals/assets.conf
new file mode 100644
index 0000000..f79920d
--- /dev/null
+++ b/globals/assets.conf
@@ -0,0 +1,58 @@
+# Set expires for static files
+
+# Note to self (and to anyone forks it)
+# Some sites create robots.txt and sitemap(.xml(.gz)) files on the fly
+# If you are sure that they are indeed static, uncomment the following location blocks for each and adject the expires headers to fit your site's needs
+# location = /robots.txt { expires 1d; log_not_found off; access_log off; }
+# location ~ \.xml(\.gz)?$ { expires 600s; log_not_found off; access_log off; }
+
+# For CSS / JS
+location ~ \.(?:css|js)$ {
+ expires max;
+ log_not_found off;
+ access_log off;
+ add_header X-Content-Type-Options "nosniff";
+}
+
+# Web fonts needs some special care
+# Reference: http://jmoiron.net/blog/serving-fonts-aws-cloudfront/
+location ~ \.(?:ttf|ttc|eot|woff|woff2|otf|svg)$ {
+ # Safe to use the following line
+ add_header Access-Control-Allow-Origin "*";
+
+ # use the following with caution!
+ # add_header Access-Control-Allow-Origin "http://*.example.com";
+
+ expires max;
+ log_not_found off;
+ access_log off;
+}
+
+# Referers for images
+location ~ \.(?:gif|ico|webp)$ {
+ ### Please change the domainname before uncommenting the following
+ # valid_referers none blocked www.example.com example.com;
+ # if ($invalid_referer) { return 403; }
+
+ expires max;
+ log_not_found off;
+ access_log off;
+}
+
+location ~* ^.+\.(png|jpe?g)$ {
+ ### Please change the domainname before uncommenting the following
+ # valid_referers none blocked www.example.com example.com;
+ # if ($invalid_referer) { return 403; }
+
+ # add_header Vary Accept;
+ # see https://docs.ewww.io/article/16-ewww-io-and-webp-images
+ try_files $uri$webp_suffix $uri =404;
+ expires max;
+ log_not_found off;
+ access_log off;
+}
+
+# Feeds
+location ~ \.(?:rss|atom)$ {
+ expires 600s; # 10 minutes
+}
diff --git a/globals/auto-versioning-support.conf b/globals/auto-versioning-support.conf
new file mode 100644
index 0000000..337d586
--- /dev/null
+++ b/globals/auto-versioning-support.conf
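Review bot: Each `add_header` inside these location blocks in globals/assets.conf replaces, rather than extends, whatever `add_header` lines the server level defines — nginx inherits `add_header` only when the current level has none — so the CSS/JS block keeps `X-Content-Type-Options` but drops every header a server-level include (a security-headers file, for instance) would have set, and the font block drops them all while adding `Access-Control-Allow-Origin "*"`. Either include the shared header file again inside each such location or record the behaviour above the first block: `# add_header in a location suppresses inherited add_header lines; re-include the security headers here if assets must carry them`. Separately, the png/jpeg block serves `$uri$webp_suffix`, chosen from the Accept header, while `add_header Vary Accept;` stays commented out, so an intermediate cache can hand the .webp variant to a client that never advertised webp; uncomment that line whenever the webp lookup is active.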
@@ -0,0 +1,5 @@
+
+# Auto-versioning support
+# Ref: http://w-shadow.com/blog/2012/07/30/automatic-versioning-of-css-js/
+rewrite "^(.*)\.[\d]{10}\.(css|js)$" $1.$2 last;
+
diff --git a/globals/brotli.conf b/globals/brotli.conf
new file mode 100644
index 0000000..42229b4
--- /dev/null
+++ b/globals/brotli.conf
@@ -0,0 +1,34 @@
+# turn on brotli compression
+brotli on;
+
+# based on research at Akamai: https://blogs.akamai.com/2016/02/understanding-brotlis-potential.html
+brotli_comp_level 4;
+# as per Google sample config available at https://github.com/google/ngx_brotli#sample-configuration
+# brotli_comp_level 6;
+
+# enable static file serving, if available
+brotli_static on;
+
+brotli_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-opentype
+ application/x-font-truetype
+ application/x-font-ttf
+ application/x-javascript
+ application/xhtml+xml
+ application/xml
+ font/eotfont/opentype
+ font/otf
+ font/truetype
+ image/svg+xml
+ image/vnd.microsoft.icon
+ image/x-icon
+ image/x-win-bitmap
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
diff --git a/globals/bunnycdn-ip-list.conf b/globals/bunnycdn-ip-list.conf
new file mode 100644
index 0000000..1288fc6
--- /dev/null
+++ b/globals/bunnycdn-ip-list.conf
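Review bot: `brotli_types` in globals/brotli.conf carries the fused entry `font/eotfont/opentype`, which is not a MIME type and therefore matches nothing, so neither EOT nor OpenType fonts get compressed; the hunk's 34-line count confirms this is one line rather than two that were collapsed in transit. Replace it with the two intended entries on separate lines, `font/eot` and `font/opentype`, and the list's alphabetical order is preserved.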
@@ -0,0 +1,558 @@ +set_real_ip_from 84.17.46.50; +set_real_ip_from 89.187.188.227; +set_real_ip_from 89.187.188.228; +set_real_ip_from 185.180.14.250; +set_real_ip_from 185.93.1.241; +set_real_ip_from 195.181.163.193; +set_real_ip_from 89.187.162.244; +set_real_ip_from 139.180.134.196; +set_real_ip_from 51.83.238.53; +set_real_ip_from 89.38.96.158; +set_real_ip_from 89.187.162.249; +set_real_ip_from 89.187.162.242; +set_real_ip_from 185.102.217.65; +set_real_ip_from 185.93.1.243; +set_real_ip_from 156.146.40.49; +set_real_ip_from 185.59.220.199; +set_real_ip_from 185.59.220.198; +set_real_ip_from 195.181.166.158; +set_real_ip_from 185.180.12.68; +set_real_ip_from 138.199.24.209; +set_real_ip_from 138.199.24.211; +set_real_ip_from 89.187.169.3; +set_real_ip_from 89.187.169.39; +set_real_ip_from 89.187.169.47; +set_real_ip_from 5.188.120.15; +set_real_ip_from 138.199.24.218; +set_real_ip_from 138.199.24.219; +set_real_ip_from 138.199.46.65; +set_real_ip_from 185.40.106.117; +set_real_ip_from 200.25.45.4; +set_real_ip_from 200.25.57.5; +set_real_ip_from 200.25.11.8; +set_real_ip_from 200.25.53.5; +set_real_ip_from 200.25.13.98; +set_real_ip_from 107.155.21.186; +set_real_ip_from 107.155.27.226; +set_real_ip_from 41.242.2.18; +set_real_ip_from 200.25.62.5; +set_real_ip_from 200.25.38.69; +set_real_ip_from 200.25.42.70; +set_real_ip_from 200.25.36.166; +set_real_ip_from 195.206.229.106; +set_real_ip_from 92.223.88.123; +set_real_ip_from 84.17.46.52; +set_real_ip_from 194.242.11.186; +set_real_ip_from 37.19.203.80; +set_real_ip_from 65.108.101.60; +set_real_ip_from 185.164.35.8; +set_real_ip_from 185.173.226.42; +set_real_ip_from 195.69.143.190; +set_real_ip_from 94.20.154.22; +set_real_ip_from 185.93.1.244; +set_real_ip_from 89.38.224.138; +set_real_ip_from 213.170.143.68; +set_real_ip_from 156.59.145.154; +set_real_ip_from 143.244.49.177; +set_real_ip_from 138.199.46.66; +set_real_ip_from 138.199.37.227; +set_real_ip_from 138.199.37.231; +set_real_ip_from 
138.199.37.230; +set_real_ip_from 138.199.37.229; +set_real_ip_from 103.216.222.103; +set_real_ip_from 138.199.46.69; +set_real_ip_from 138.199.46.68; +set_real_ip_from 138.199.46.67; +set_real_ip_from 185.93.1.246; +set_real_ip_from 103.216.222.105; +set_real_ip_from 103.216.222.107; +set_real_ip_from 138.199.37.232; +set_real_ip_from 103.216.222.109; +set_real_ip_from 195.181.163.196; +set_real_ip_from 107.182.163.162; +set_real_ip_from 195.181.163.195; +set_real_ip_from 84.17.46.53; +set_real_ip_from 212.102.40.114; +set_real_ip_from 84.17.46.54; +set_real_ip_from 138.199.40.58; +set_real_ip_from 143.244.38.134; +set_real_ip_from 185.152.64.17; +set_real_ip_from 84.17.59.115; +set_real_ip_from 89.187.165.194; +set_real_ip_from 103.216.222.111; +set_real_ip_from 138.199.15.193; +set_real_ip_from 89.35.237.170; +set_real_ip_from 37.19.216.130; +set_real_ip_from 185.93.1.247; +set_real_ip_from 185.93.3.244; +set_real_ip_from 180.149.231.39; +set_real_ip_from 143.244.49.179; +set_real_ip_from 143.244.49.180; +set_real_ip_from 138.199.9.104; +set_real_ip_from 122.10.251.138; +set_real_ip_from 185.152.66.243; +set_real_ip_from 143.244.49.178; +set_real_ip_from 169.150.221.147; +set_real_ip_from 146.59.68.188; +set_real_ip_from 200.25.18.73; +set_real_ip_from 84.17.63.178; +set_real_ip_from 200.25.32.131; +set_real_ip_from 37.19.207.34; +set_real_ip_from 204.16.244.131; +set_real_ip_from 208.83.234.216; +set_real_ip_from 134.195.197.175; +set_real_ip_from 192.189.65.146; +set_real_ip_from 143.244.45.177; +set_real_ip_from 185.93.1.249; +set_real_ip_from 185.93.1.250; +set_real_ip_from 169.150.215.115; +set_real_ip_from 209.177.87.197; +set_real_ip_from 156.146.56.162; +set_real_ip_from 156.146.56.161; +set_real_ip_from 185.93.2.246; +set_real_ip_from 185.93.2.245; +set_real_ip_from 212.102.50.58; +set_real_ip_from 212.102.40.113; +set_real_ip_from 185.93.2.244; +set_real_ip_from 158.69.123.215; +set_real_ip_from 143.244.50.82; +set_real_ip_from 143.244.50.83; 
+set_real_ip_from 156.146.56.163; +set_real_ip_from 129.227.9.2; +set_real_ip_from 185.135.85.154; +set_real_ip_from 185.165.170.74; +set_real_ip_from 129.227.217.178; +set_real_ip_from 200.25.69.94; +set_real_ip_from 128.1.52.179; +set_real_ip_from 200.25.16.103; +set_real_ip_from 15.235.54.226; +set_real_ip_from 102.67.138.155; +set_real_ip_from 156.59.126.78; +set_real_ip_from 192.34.87.166; +set_real_ip_from 102.219.177.93; +set_real_ip_from 146.70.80.218; +set_real_ip_from 156.146.43.65; +set_real_ip_from 195.181.163.203; +set_real_ip_from 195.181.163.202; +set_real_ip_from 156.146.56.169; +set_real_ip_from 156.146.56.170; +set_real_ip_from 156.146.56.166; +set_real_ip_from 156.146.56.171; +set_real_ip_from 169.150.207.210; +set_real_ip_from 156.146.56.167; +set_real_ip_from 143.244.50.84; +set_real_ip_from 143.244.50.85; +set_real_ip_from 143.244.50.86; +set_real_ip_from 143.244.50.87; +set_real_ip_from 156.146.56.168; +set_real_ip_from 169.150.207.211; +set_real_ip_from 212.102.50.59; +set_real_ip_from 146.185.248.15; +set_real_ip_from 143.244.50.90; +set_real_ip_from 143.244.50.91; +set_real_ip_from 143.244.50.88; +set_real_ip_from 143.244.50.209; +set_real_ip_from 143.244.50.213; +set_real_ip_from 143.244.50.214; +set_real_ip_from 143.244.49.183; +set_real_ip_from 143.244.50.89; +set_real_ip_from 143.244.50.210; +set_real_ip_from 143.244.50.211; +set_real_ip_from 143.244.50.212; +set_real_ip_from 138.199.4.137; +set_real_ip_from 5.42.206.66; +set_real_ip_from 94.46.175.183; +set_real_ip_from 38.54.2.20; +set_real_ip_from 38.54.4.6; +set_real_ip_from 182.93.93.90; +set_real_ip_from 169.150.207.57; +set_real_ip_from 169.150.207.58; +set_real_ip_from 81.30.157.81; +set_real_ip_from 128.1.104.170; +set_real_ip_from 169.150.207.213; +set_real_ip_from 169.150.207.214; +set_real_ip_from 169.150.207.215; +set_real_ip_from 169.150.207.212; +set_real_ip_from 169.150.219.114; +set_real_ip_from 62.113.194.3; +set_real_ip_from 169.150.202.210; +set_real_ip_from 
169.150.242.193; +set_real_ip_from 185.93.1.251; +set_real_ip_from 169.150.207.216; +set_real_ip_from 169.150.207.217; +set_real_ip_from 169.150.238.19; +set_real_ip_from 102.219.126.20; +set_real_ip_from 138.199.36.4; +set_real_ip_from 138.199.36.5; +set_real_ip_from 156.59.67.118; +set_real_ip_from 122.10.251.130; +set_real_ip_from 185.24.11.18; +set_real_ip_from 138.199.36.7; +set_real_ip_from 138.199.36.8; +set_real_ip_from 138.199.36.9; +set_real_ip_from 138.199.36.10; +set_real_ip_from 138.199.36.11; +set_real_ip_from 138.199.37.225; +set_real_ip_from 84.17.46.49; +set_real_ip_from 138.199.4.177; +set_real_ip_from 84.17.37.217; +set_real_ip_from 169.150.225.35; +set_real_ip_from 169.150.225.36; +set_real_ip_from 169.150.225.37; +set_real_ip_from 169.150.225.38; +set_real_ip_from 169.150.225.39; +set_real_ip_from 169.150.225.34; +set_real_ip_from 169.150.236.97; +set_real_ip_from 169.150.236.98; +set_real_ip_from 169.150.236.99; +set_real_ip_from 169.150.236.100; +set_real_ip_from 93.189.63.146; +set_real_ip_from 143.244.56.49; +set_real_ip_from 143.244.56.50; +set_real_ip_from 143.244.56.51; +set_real_ip_from 169.150.247.40; +set_real_ip_from 169.150.247.33; +set_real_ip_from 169.150.247.34; +set_real_ip_from 169.150.247.35; +set_real_ip_from 169.150.247.36; +set_real_ip_from 169.150.247.37; +set_real_ip_from 169.150.247.38; +set_real_ip_from 169.150.247.39; +set_real_ip_from 95.217.227.2; +set_real_ip_from 38.142.94.218; +set_real_ip_from 87.249.137.52; +set_real_ip_from 138.199.46.75; +set_real_ip_from 38.104.169.186; +set_real_ip_from 89.187.162.241; +set_real_ip_from 66.181.163.74; +set_real_ip_from 84.17.38.227; +set_real_ip_from 84.17.38.228; +set_real_ip_from 84.17.38.229; +set_real_ip_from 84.17.38.230; +set_real_ip_from 84.17.38.231; +set_real_ip_from 84.17.38.232; +set_real_ip_from 169.150.225.41; +set_real_ip_from 169.150.225.42; +set_real_ip_from 176.123.9.90; +set_real_ip_from 169.150.249.162; +set_real_ip_from 169.150.249.163; +set_real_ip_from 
169.150.249.164; +set_real_ip_from 169.150.249.165; +set_real_ip_from 169.150.249.166; +set_real_ip_from 169.150.249.167; +set_real_ip_from 169.150.249.168; +set_real_ip_from 169.150.249.169; +set_real_ip_from 185.131.64.122; +set_real_ip_from 156.247.205.114; +set_real_ip_from 37.236.234.2; +set_real_ip_from 169.150.252.209; +set_real_ip_from 212.102.46.118; +set_real_ip_from 192.169.120.162; +set_real_ip_from 93.180.217.214; +set_real_ip_from 37.19.203.178; +set_real_ip_from 107.155.47.146; +set_real_ip_from 104.166.144.106; +set_real_ip_from 154.47.16.177; +set_real_ip_from 193.201.190.174; +set_real_ip_from 156.59.95.218; +set_real_ip_from 213.170.143.139; +set_real_ip_from 129.227.186.154; +set_real_ip_from 195.238.127.98; +set_real_ip_from 5.189.202.62; +set_real_ip_from 128.1.59.74; +set_real_ip_from 200.25.22.6; +set_real_ip_from 204.16.244.92; +set_real_ip_from 200.25.70.101; +set_real_ip_from 200.25.66.100; +set_real_ip_from 139.180.209.182; +set_real_ip_from 103.108.231.41; +set_real_ip_from 103.108.229.5; +set_real_ip_from 103.216.220.9; +set_real_ip_from 103.75.11.45; +set_real_ip_from 169.150.225.40; +set_real_ip_from 116.202.155.146; +set_real_ip_from 116.202.193.178; +set_real_ip_from 116.202.224.168; +set_real_ip_from 188.40.126.227; +set_real_ip_from 88.99.26.189; +set_real_ip_from 168.119.39.238; +set_real_ip_from 88.99.26.97; +set_real_ip_from 168.119.12.188; +set_real_ip_from 199.247.1.226; +set_real_ip_from 169.197.143.195; +set_real_ip_from 176.9.139.55; +set_real_ip_from 176.9.139.94; +set_real_ip_from 5.161.66.71; +set_real_ip_from 142.132.223.79; +set_real_ip_from 142.132.223.80; +set_real_ip_from 142.132.223.81; +set_real_ip_from 5.161.88.97; +set_real_ip_from 5.161.90.228; +set_real_ip_from 5.161.85.161; +set_real_ip_from 5.161.78.181; +set_real_ip_from 5.161.84.169; +set_real_ip_from 5.161.92.86; +set_real_ip_from 5.161.92.85; +set_real_ip_from 5.161.92.84; +set_real_ip_from 5.161.72.83; +set_real_ip_from 5.161.70.244; +set_real_ip_from 
5.161.71.198; +set_real_ip_from 5.161.49.93; +set_real_ip_from 5.161.72.89; +set_real_ip_from 5.161.72.135; +set_real_ip_from 5.161.72.194; +set_real_ip_from 5.161.72.200; +set_real_ip_from 5.161.70.230; +set_real_ip_from 5.161.60.80; +set_real_ip_from 104.237.58.186; +set_real_ip_from 143.244.50.81; +set_real_ip_from 143.244.51.75; +set_real_ip_from 46.4.116.17; +set_real_ip_from 46.4.119.81; +set_real_ip_from 167.235.114.167; +set_real_ip_from 159.69.68.171; +set_real_ip_from 178.63.21.52; +set_real_ip_from 46.4.120.152; +set_real_ip_from 116.202.80.247; +set_real_ip_from 5.9.71.119; +set_real_ip_from 195.201.11.156; +set_real_ip_from 78.46.123.17; +set_real_ip_from 143.244.50.153; +set_real_ip_from 143.244.50.154; +set_real_ip_from 138.199.9.99; +set_real_ip_from 138.199.9.98; +set_real_ip_from 143.244.50.155; +set_real_ip_from 46.4.113.143; +set_real_ip_from 109.248.43.116; +set_real_ip_from 109.248.43.117; +set_real_ip_from 109.248.43.162; +set_real_ip_from 109.248.43.163; +set_real_ip_from 109.248.43.164; +set_real_ip_from 109.248.43.165; +set_real_ip_from 49.12.71.27; +set_real_ip_from 49.12.0.158; +set_real_ip_from 78.47.94.156; +set_real_ip_from 109.248.43.159; +set_real_ip_from 109.248.43.160; +set_real_ip_from 109.248.43.208; +set_real_ip_from 109.248.43.179; +set_real_ip_from 109.248.43.232; +set_real_ip_from 109.248.43.231; +set_real_ip_from 109.248.43.241; +set_real_ip_from 109.248.43.236; +set_real_ip_from 109.248.43.240; +set_real_ip_from 116.202.118.194; +set_real_ip_from 116.202.80.29; +set_real_ip_from 159.69.57.80; +set_real_ip_from 139.180.129.216; +set_real_ip_from 139.99.174.7; +set_real_ip_from 89.187.169.18; +set_real_ip_from 89.187.162.166; +set_real_ip_from 89.187.162.245; +set_real_ip_from 185.180.13.241; +set_real_ip_from 185.59.220.203; +set_real_ip_from 185.59.220.200; +set_real_ip_from 185.59.220.202; +set_real_ip_from 185.59.220.201; +set_real_ip_from 143.244.63.120; +set_real_ip_from 138.199.9.97; +set_real_ip_from 138.199.40.49; 
+set_real_ip_from 138.199.40.50; +set_real_ip_from 138.199.40.51; +set_real_ip_from 138.199.9.105; +set_real_ip_from 143.244.38.133; +set_real_ip_from 37.19.222.241; +set_real_ip_from 143.244.49.181; +set_real_ip_from 37.19.222.242; +set_real_ip_from 89.187.179.7; +set_real_ip_from 143.244.51.70; +set_real_ip_from 143.244.51.71; +set_real_ip_from 143.244.51.69; +set_real_ip_from 212.102.43.85; +set_real_ip_from 212.102.43.86; +set_real_ip_from 143.244.62.213; +set_real_ip_from 143.244.51.74; +set_real_ip_from 185.93.3.246; +set_real_ip_from 195.181.163.198; +set_real_ip_from 185.152.64.19; +set_real_ip_from 84.17.37.211; +set_real_ip_from 212.102.50.54; +set_real_ip_from 138.199.4.133; +set_real_ip_from 138.199.4.132; +set_real_ip_from 212.102.46.115; +set_real_ip_from 84.17.35.199; +set_real_ip_from 143.244.38.135; +set_real_ip_from 84.17.35.218; +set_real_ip_from 89.187.185.21; +set_real_ip_from 169.150.238.21; +set_real_ip_from 169.150.238.22; +set_real_ip_from 169.150.207.51; +set_real_ip_from 169.150.207.49; +set_real_ip_from 84.17.38.226; +set_real_ip_from 84.17.38.225; +set_real_ip_from 169.150.247.139; +set_real_ip_from 169.150.247.177; +set_real_ip_from 109.61.89.46; +set_real_ip_from 109.61.89.47; +set_real_ip_from 109.61.89.48; +set_real_ip_from 109.61.89.49; +set_real_ip_from 109.61.89.51; +set_real_ip_from 109.61.89.52; +set_real_ip_from 109.61.89.53; +set_real_ip_from 109.61.89.54; +set_real_ip_from 109.61.89.55; +set_real_ip_from 109.61.89.56; +set_real_ip_from 185.59.220.194; +set_real_ip_from 212.102.43.88; +set_real_ip_from 89.187.169.26; +set_real_ip_from 2400:52e0:1a02::625:1; +set_real_ip_from 2400:52e0:1500::641:1; +set_real_ip_from 2400:52e0:1500::714:1; +set_real_ip_from 2400:52e0:1500::715:1; +set_real_ip_from 2400:52e0:1a00::718:1; +set_real_ip_from 2400:52e0:1e00::722:1; +set_real_ip_from 2400:52e0:1e00::723:1; +set_real_ip_from 2400:52e0:1500::747:1; +set_real_ip_from 2400:52e0:1500::749:1; +set_real_ip_from 2400:52e0:1500::782:1; 
+set_real_ip_from 2400:52e0:1500::783:1; +set_real_ip_from 2400:52e0:1500::784:1; +set_real_ip_from 2a01:4f9:6b:2c80::2; +set_real_ip_from 2400:52e0:1a00::845:1; +set_real_ip_from 2400:52e0:1a01::852:1; +set_real_ip_from 2400:52e0:1500::858:1; +set_real_ip_from 2400:52e0:1e00::860:1; +set_real_ip_from 2400:52e0:1e00::863:1; +set_real_ip_from 2400:52e0:1e00::864:1; +set_real_ip_from 2400:52e0:1e00::865:1; +set_real_ip_from 2400:52e0:1500::867:1; +set_real_ip_from 2400:52e0:1500::868:1; +set_real_ip_from 2400:52e0:1500::869:1; +set_real_ip_from 2400:52e0:1a00::871:1; +set_real_ip_from 2400:52e0:1e00::874:1; +set_real_ip_from 2400:52e0:1a02::876:1; +set_real_ip_from 2400:52e0:1a02::878:1; +set_real_ip_from 2400:52e0:1e01::879:1; +set_real_ip_from 2400:52e0:1e01::883:1; +set_real_ip_from 2a02:6ea0:c454::1; +set_real_ip_from 2400:52e0:1a00::894:1; +set_real_ip_from 2400:52e0:1a01::899:1; +set_real_ip_from 2400:52e0:1a01::900:1; +set_real_ip_from 2400:52e0:1a01::907:1; +set_real_ip_from 2400:52e0:1a01::912:1; +set_real_ip_from 2800:1e0:2410:1::9; +set_real_ip_from 2607:fdc0:1:a:bace:f6ff:fe01:e295; +set_real_ip_from 2400:52e0:1a00::940:1; +set_real_ip_from 2400:52e0:1a00::941:1; +set_real_ip_from 2400:52e0:1500::944:1; +set_real_ip_from 2400:52e0:1500::945:1; +set_real_ip_from 2400:52e0:1e02::946:1; +set_real_ip_from 2400:52e0:1e02::947:1; +set_real_ip_from 2400:52e0:1501::948:1; +set_real_ip_from 2400:52e0:1e02::951:1; +set_real_ip_from 2607:5300:60:9ad7::1; +set_real_ip_from 2400:52e0:1a01::953:1; +set_real_ip_from 2400:52e0:1a01::954:1; +set_real_ip_from 2400:52e0:1500::955:1; +set_real_ip_from 2607:5300:203:a1e2::1; +set_real_ip_from 2400:52e0:1a02::974:1; +set_real_ip_from 2400:52e0:1a02::975:1; +set_real_ip_from 2400:52e0:1a02::976:1; +set_real_ip_from 2400:52e0:1500::977:1; +set_real_ip_from 2400:52e0:1500::978:1; +set_real_ip_from 2400:52e0:1500::979:1; +set_real_ip_from 2400:52e0:1500::980:1; +set_real_ip_from 2400:52e0:1500::981:1; +set_real_ip_from 
2400:52e0:1500::982:1; +set_real_ip_from 2400:52e0:1a01::984:1; +set_real_ip_from 2400:52e0:1a01::985:1; +set_real_ip_from 2400:52e0:1a01::986:1; +set_real_ip_from 2400:52e0:1a01::987:1; +set_real_ip_from 2400:52e0:1500::988:1; +set_real_ip_from 2400:52e0:1500::989:1; +set_real_ip_from 2400:52e0:1501::990:1; +set_real_ip_from 2400:52e0:1a01::992:1; +set_real_ip_from 2400:52e0:1a01::993:1; +set_real_ip_from 2400:52e0:1a01::994:1; +set_real_ip_from 2400:52e0:1a01::995:1; +set_real_ip_from 2400:52e0:1a01::996:1; +set_real_ip_from 2400:52e0:1a01::997:1; +set_real_ip_from 2400:52e0:1a01::998:1; +set_real_ip_from 2400:52e0:1a01::999:1; +set_real_ip_from 2400:52e0:1a01::1000:1; +set_real_ip_from 2400:52e0:1a01::1001:1; +set_real_ip_from 2400:52e0:1a01::1002:1; +set_real_ip_from 2400:52e0:1500::1015:1; +set_real_ip_from 2400:52e0:1500::1016:1; +set_real_ip_from 2400:52e0:1500::1020:1; +set_real_ip_from 2400:52e0:1500::1021:1; +set_real_ip_from 2400:52e0:1500::1022:1; +set_real_ip_from 2400:52e0:1500::1024:1; +set_real_ip_from 2400:52e0:1a00::1029:1; +set_real_ip_from 2400:52e0:1500::1030:1; +set_real_ip_from 2400:52e0:1500::1031:1; +set_real_ip_from 2400:52e0:1e00::1047:1; +set_real_ip_from 2400:52e0:1e00::1048:1; +set_real_ip_from 2400:52e0:1e00::1049:1; +set_real_ip_from 2400:52e0:1e00::1053:1; +set_real_ip_from 2400:52e0:1e00::1054:1; +set_real_ip_from 2400:52e0:1e00::1055:1; +set_real_ip_from 2400:52e0:1e01::1056:1; +set_real_ip_from 2400:52e0:1502::1059:1; +set_real_ip_from 2400:52e0:1501::1061:1; +set_real_ip_from 2400:52e0:1501::1062:1; +set_real_ip_from 2400:52e0:1501::1063:1; +set_real_ip_from 2400:52e0:1501::1064:1; +set_real_ip_from 2400:52e0:1501::1065:1; +set_real_ip_from 2400:52e0:1501::1066:1; +set_real_ip_from 2400:52e0:1a00::1067:1; +set_real_ip_from 2400:52e0:1a00::1068:1; +set_real_ip_from 2400:52e0:1a00::1069:1; +set_real_ip_from 2400:52e0:1a00::1070:1; +set_real_ip_from 2400:52e0:1e02::1072:1; +set_real_ip_from 2400:52e0:1e02::1073:1; +set_real_ip_from 
2400:52e0:1e02::1074:1; +set_real_ip_from 2400:52e0:1e00::1075:1; +set_real_ip_from 2400:52e0:1e00::1076:1; +set_real_ip_from 2400:52e0:1e00::1077:1; +set_real_ip_from 2400:52e0:1e00::1078:1; +set_real_ip_from 2400:52e0:1e00::1079:1; +set_real_ip_from 2400:52e0:1e00::1080:1; +set_real_ip_from 2400:52e0:1e00::1081:1; +set_real_ip_from 2400:52e0:1e00::1082:1; +set_real_ip_from 2a01:4f9:4b:4b0b::2; +set_real_ip_from 2400:52e0:1500::1087:1; +set_real_ip_from 2400:52e0:1500::1089:1; +set_real_ip_from 2400:52e0:1500::1091:1; +set_real_ip_from 2400:52e0:1500::1092:1; +set_real_ip_from 2400:52e0:1500::1093:1; +set_real_ip_from 2400:52e0:1500::1094:1; +set_real_ip_from 2400:52e0:1500::1095:1; +set_real_ip_from 2400:52e0:1500::1096:1; +set_real_ip_from 2400:52e0:1501::1097:1; +set_real_ip_from 2400:52e0:1501::1098:1; +set_real_ip_from 2400:52e0:1a01::1108:1; +set_real_ip_from 2400:52e0:1a01::1109:1; +set_real_ip_from 2400:52e0:1a01::1110:1; +set_real_ip_from 2400:52e0:1a01::1111:1; +set_real_ip_from 2400:52e0:1a01::1112:1; +set_real_ip_from 2400:52e0:1a01::1113:1; +set_real_ip_from 2400:52e0:1a01::1114:1; +set_real_ip_from 2400:52e0:1a01::1115:1; +set_real_ip_from 2607:fdc0:1:2d:262:bff:fecc:a610; +set_real_ip_from 2404:f780:0:2::d; +set_real_ip_from 2404:f780:0:2::f; +set_real_ip_from 2404:f780:0:2::11; +set_real_ip_from 2404:f780:5:cafe::f; +set_real_ip_from 2400:52e0:1501::1143:1; +set_real_ip_from 2a04:ff07:d9:12::1; +set_real_ip_from 2a04:ff07:d9:13::1; +set_real_ip_from 2a04:ff07:d9:39::1; +set_real_ip_from 2a04:ff07:d9:3::1; +set_real_ip_from 2a04:ff07:d9:3a::1; +set_real_ip_from 2a04:ff07:d9:3b::1; +set_real_ip_from 2a04:ff07:d9:1::1; +set_real_ip_from 2a04:ff07:d9:1b::1; +set_real_ip_from 2a01:4f8:c17:aec0::1; +set_real_ip_from 2a01:4f8:c17:fc7::1; +set_real_ip_from 2a01:4f8:c17:20b2::1; diff --git a/globals/bunnycdn.conf b/globals/bunnycdn.conf new file mode 100644 index 0000000..07c8924 --- /dev/null +++ b/globals/bunnycdn.conf 
@@ -0,0 +1,12 @@
+# Ref: https://support.bunny.net/hc/en-us/articles/115003578911-How-to-detect-when-BunnyCDN-PoP-servers-are-accessing-your-backend
+# https://bunnycdn.com/api/system/edgeserverlist
+# https://bunnycdn.com/api/system/edgeserverlist/IPv6
+
+# TODO: make sure to update bunnycdn-ip-list.conf regularly via a script
+
+include '/etc/nginx/globals/bunnycdn-ip-list.conf';
+
+# use any of the following two options (but not both)
+real_ip_header X-Forwarded-For;
+
+real_ip_recursive on;
diff --git a/globals/cache-enabler.conf b/globals/cache-enabler.conf
new file mode 100644
index 0000000..17412cc
--- /dev/null
+++ b/globals/cache-enabler.conf
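Review bot: The comment `# use any of the following two options (but not both)` is followed by a single option, `real_ip_header X-Forwarded-For;`, so the alternative it refers to is not in this file; either drop the comment or list the second header the way cloudflare.conf does. The `TODO` about refreshing bunnycdn-ip-list.conf is worth resolving before this file is relied on: a PoP missing from `set_real_ip_from` leaves `$remote_addr` as the CDN address, and any per-client control downstream (rate limits, allow/deny, logging) would then see the edge server rather than the visitor.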
@@ -0,0 +1,72 @@
+# To improve the perf, we may use open_file_cache
+# ref: https://nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+ # requires server support
+ # gzip_static on;
+
+ error_page 418 = @cachemiss;
+ error_page 419 = @mobileaccess;
+ recursive_error_pages on;
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+
+ # uncomment the following if deemed fit
+ # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+ try_files "/wp-content/cache/cache-enabler/$host${uri}index.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ add_header "X-Cache" "HIT - Cache Enabler";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @mobileaccess {
+ # try_files $uri $uri/ /index.php$is_args$args;
+ try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
+
+ add_header "X-Cache" "HIT - Mobile - Cache Enabler";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
diff --git a/globals/cloudflare-ip-list.conf b/globals/cloudflare-ip-list.conf
new file mode 100644
index 0000000..0bfb300
--- /dev/null
+++ b/globals/cloudflare-ip-list.conf
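Review bot: `include 'globals/security-headers.conf';` inside `location /` only reaches responses served from that location, i.e. cache hits; when `try_files` falls through to `/index.php$is_args$args`, or a `418`/`419` lands in `@cachemiss`/`@mobileaccess`, the PHP response carries none of those headers unless that location includes the file too, and because a location-level `add_header` replaces rather than extends the server-level set, moving the include up a level is not a fix either — adding `include 'globals/security-headers.conf';` to `location @cachemiss` and to the `\.php$` location in php.conf is. The same gap exists in wp-fastest-cache.conf, wp-rocket.conf and wp-super-cache.conf. Separately, `@mobileaccess` probes `/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html`, which is the WP Super Cache layout, not the `/wp-content/cache/cache-enabler/$host${uri}` path `location /` uses; this looks copied from wp-super-cache.conf and would never hit a Cache Enabler file. `$https_suffix` is not defined in this hunk, so it presumably comes from a `map` elsewhere — a comment naming that file would help.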
@@ -0,0 +1,21 @@
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2c0f:f248::/32;
+set_real_ip_from 2a06:98c0::/29;
diff --git a/globals/cloudflare.conf b/globals/cloudflare.conf
new file mode 100644
index 0000000..df2eb26
--- /dev/null
+++ b/globals/cloudflare.conf
@@ -0,0 +1,9 @@
+# make sure you set up a cron to run update-cloudflare-ip-list.sh regularly
+
+include '/etc/nginx/globals/cloudflare-ip-list.conf';
+
+# use any of the following two options (but not both)
+real_ip_header CF-Connecting-IP;
+# real_ip_header X-Forwarded-For;
+
+real_ip_recursive on;
diff --git a/globals/dev.restrictions.conf b/globals/dev.restrictions.conf
new file mode 100644
index 0000000..9fc4b93
--- /dev/null
+++ b/globals/dev.restrictions.conf
@@ -0,0 +1,13 @@
+##### for public facing development sites; also called as staging sites #####
+
+# deny access to robots.txt across the board
+location = /robots.txt { access_log off; deny all; }
+location ~ /sitemap { access_log off; deny all; }
+
+# block sitemaps with .xml and .xml.gz endings such as news-sitemap.xml (Yoast SEO)
+location ~ \.xml$ { access_log off; deny all; }
+location ~ \.xml\.gz$ { access_log off; deny all; }
+
+# deny specific bots
+if ( $http_user_agent ~ "Google" ) { return 403; }
+if ( $http_user_agent ~ "bingbot" ) { return 403; }
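Review bot: The `if ( $http_user_agent ~ "Google" )` / `"bingbot"` rules at the end of dev.restrictions.conf block only crawlers that announce themselves, so they keep a staging site out of search indexes but do not keep anyone out of it; a public-facing staging host needs an enforcing control on the server block, `auth_basic` or an `allow`/`deny` list, with these UA rules kept as the courtesy layer. The header comment could say so, e.g. `# these rules discourage indexing only; access control (auth_basic / allow-deny) must be set in the server block`. Also `location ~ /sitemap` is unanchored and matches the substring anywhere in the URI, so a page whose slug contains "sitemap" is denied as well; `location ~ ^/sitemap` would limit it to the sitemap files the comment describes.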
diff --git a/globals/error-pages.conf b/globals/error-pages.conf
new file mode 100644
index 0000000..b3bced2
--- /dev/null
+++ b/globals/error-pages.conf
@@ -0,0 +1,23 @@
+# Custom 403 Page
+error_page 403 @fetch403;
+
+location @fetch403 {
+ root /etc/nginx/errors;
+ try_files /403.html =404;
+}
+
+# Custom 404 Page
+error_page 404 @fetch404;
+
+location @fetch404 {
+ root /etc/nginx/errors;
+ try_files /404.html =404;
+}
+
+# Custom 550 Page
+error_page 550 @fetch550;
+
+location @fetch550 {
+ root /etc/nginx/errors;
+ try_files /550.html =404;
+}
diff --git a/globals/hide-headers.conf b/globals/hide-headers.conf
new file mode 100644
index 0000000..4941fe0
--- /dev/null
+++ b/globals/hide-headers.conf
@@ -0,0 +1,12 @@
+### Security (through obscurity) - https://en.wikipedia.org/wiki/Security_through_obscurity
+# To hide nginx version
+server_tokens off;
+
+# To hide PHP version and other related fastcgi headers
+fastcgi_hide_header X-Powered-By;
+fastcgi_hide_header X-Pingback;
+fastcgi_hide_header Link;
+
+proxy_hide_header X-Powered-By;
+proxy_hide_header X-Pingback;
+proxy_hide_header X-Link;
diff --git a/globals/hsts.conf b/globals/hsts.conf
new file mode 100644
index 0000000..c3b0734
--- /dev/null
+++ b/globals/hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security "max-age=31536000";
diff --git a/globals/mu-dir.conf b/globals/mu-dir.conf
new file mode 100644
index 0000000..24a1cc8
--- /dev/null
+++ b/globals/mu-dir.conf
@@ -0,0 +1,9 @@
+# Rules for Multisite Sub-directory install
+
+# For sub-directory redirects
+# Only one would apply
+# If two needed to be applied, it'd throw a 404
+if (!-e $request_filename) {
+ rewrite ^/[_0-9a-zA-Z-]+(/wp-(content|admin|includes).*) $1 break;
+ rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 break;
+}
diff --git a/globals/mu-files.conf b/globals/mu-files.conf
new file mode 100644
index 0000000..7c95cda
--- /dev/null
+++ b/globals/mu-files.conf
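Review bot: `proxy_hide_header X-Link;` in hide-headers.conf does not match its fastcgi counterpart `fastcgi_hide_header Link;` three lines above; the header WordPress emits for REST discovery and shortlinks is `Link`, so the proxy variant most likely wants `proxy_hide_header Link;`, with `X-Link` kept only if some upstream here is known to send it. The `### Security (through obscurity)` heading is honest about the value of this file: `server_tokens off;` suppresses the version string but still identifies the server as nginx, so it should not be counted as a mitigation for anything.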
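Review bot: `add_header Strict-Transport-Security "max-age=31536000";` in hsts.conf has no `always` flag, so nginx attaches it only to 200/201/204/206/301/302/303/304/307/308 responses and a client whose first contact is a 4xx/5xx page never learns the policy; `add_header Strict-Transport-Security "max-age=31536000" always;` covers every status, and the same flag is missing from each directive in security-headers.conf. Because `add_header` is inherited only by levels that declare none of their own, this file has to be included at the same level as the other `add_header` lines, which the commented `# include "globals/hsts.conf";` lines in the cache configs do correctly; that constraint deserves a comment in the file itself, e.g. `# include at the same level as any other add_header, otherwise it is dropped`. Whether `includeSubDomains` should be added is a deployment decision, but the file could note that it was left out on purpose.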
@@ -0,0 +1,6 @@
+# Rules for any Multisite install
+
+# For uploads
+if ( $uri ~ "files" ) {
+ rewrite ^/(?:.*/)?files/(.+) /wp-includes/ms-files.php?file=$1;
+}
diff --git a/globals/pagespeed.conf b/globals/pagespeed.conf
new file mode 100644
index 0000000..e933b04
--- /dev/null
+++ b/globals/pagespeed.conf
@@ -0,0 +1,9 @@
+pagespeed off;
+pagespeed FileCachePath /var/cache/ngx_pagespeed_cache;
+pagespeed MemcachedServers "127.0.0.1:11211";
+pagespeed XHeaderValue "Powered By ngx_pagespeed";
+pagespeed BlockingRewriteKey "fullyoptimized";
+
+pagespeed Disallow "*/wp-admin/*";
+pagespeed Disallow "*/wp-login.php*";
+
diff --git a/globals/php.conf b/globals/php.conf
new file mode 100644
index 0000000..0fed870
--- /dev/null
+++ b/globals/php.conf
@@ -0,0 +1,9 @@
+location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+}
diff --git a/globals/restrictions.conf b/globals/restrictions.conf
new file mode 100644
index 0000000..4a50360
--- /dev/null
+++ b/globals/restrictions.conf
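Review bot: `fastcgi_split_path_info ^(.+\.php)(/.+)$;` in php.conf can never match, because `location ~ \.php$` only admits URIs that end in `.php`, and `$fastcgi_path_info` is not passed to the backend anyway; drop the line rather than widen the location to `\.php(/|$)`, and if PATH_INFO is ever wanted keep `try_files $uri =404;` in place, since that line is what stops a request like `/upload.jpg/x.php` from reaching PHP-FPM under `cgi.fix_pathinfo`. A one-line comment on `try_files`, `# must stay: refuses non-existent scripts before they reach php-fpm`, would keep a future cleanup from removing it. `fastcgi_param SCRIPT_FILENAME` duplicates what the stock fastcgi.conf sets, assuming the fastcgi.conf added in this commit is the stock one; harmless, but one copy is enough.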
@@ -0,0 +1,33 @@
+# Global restrictions configuration file.
+# Designed to be included in any server {} block.
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac), .git.
+location /.git { deny all; }
+location /.htaccess { deny all; }
+location /.htpasswd { deny all; }
+location /.user.ini { deny all; }
+# this actually covers every dot file, except what follows below it (ex: CertBot)
+location ~ ^/\. { deny all; }
+
+# but allow CertBot - see http://stackoverflow.com/a/34262192
+location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+}
+
+# Deny access to any files with a .php extension in the uploads directory
+location ~* /uploads/.*\.php$ { deny all; }
+
+# Deny access to any files with a .php extension in the uploads directory for multisite
+location ~* /files/.*\.php$ { deny all; }
+
+# Since version 2.5.7, Akismet introduced a new .htaccess file to block direct access to php files
+# Ref: http://wordpress.org/extend/plugins/akismet/changelog/
+location ~* /akismet/.*\.php$ { deny all; }
+
+# Restrict direct access to cached content
+location /wp-content/cache/ { deny all; }
+
+# Deny access to backup files!
+location ~ ~$ { deny all; }
diff --git a/globals/security-headers.conf b/globals/security-headers.conf
new file mode 100644
index 0000000..c728608
--- /dev/null
+++ b/globals/security-headers.conf
@@ -0,0 +1,13 @@
+add_header X-Content-Type-Options nosniff;
+
+# please see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# add_header X-Frame-Options deny;
+add_header X-Frame-Options SAMEORIGIN;
+
+add_header X-XSS-Protection "1; mode=block";
+
+add_header Referrer-Policy "no-referrer-when-downgrade";
+
+# optional header - use it with care - you are warned!
+# add_header Access-Control-Allow-Origin "*";
+
diff --git a/globals/sucuri-real-ip.conf b/globals/sucuri-real-ip.conf
new file mode 100644
index 0000000..c45da07
--- /dev/null
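Review bot: `location /wp-content/cache/ { deny all; }` and the `/.git`, `/.htaccess`, `/.htpasswd`, `/.user.ini` entries in restrictions.conf are plain prefix locations, and nginx lets any matching regex location — php.conf's `location ~ \.php$` — win over a plain prefix, so `/wp-content/cache/anything.php` would be handed to PHP-FPM instead of being denied; `location ^~ /wp-content/cache/ { deny all; }` makes the prefix final, and the same `^~` belongs on the dot-file prefixes, as the acme-challenge block below already does. The regex denies (`~ ^/\.`, `~* /uploads/.*\.php$`, `~* /files/.*\.php$`, `~* /akismet/.*\.php$`) are effective only when this file is included before any `location ~ \.php$`, because the first matching regex location wins; that ordering constraint should be stated in the header, e.g. `# include BEFORE php.conf: the first matching regex location wins`. Whether php.conf is included earlier cannot be seen from this hunk, so this is a request for the guarantee rather than a report of a live hole.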
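Review bot: `add_header X-XSS-Protection "1; mode=block";` in security-headers.conf enables a filter that current browsers have removed and that, in the browsers that still honour it, has been a source of its own problems; the current guidance is `add_header X-XSS-Protection "0";` or leaving the header out, with a `Content-Security-Policy` — not set anywhere in this file — as the actual control. None of these directives carry `always`, so they are omitted from 4xx/5xx responses; `add_header X-Content-Type-Options nosniff always;` and likewise for the rest. `Referrer-Policy "no-referrer-when-downgrade"` is the most permissive of the common values; `strict-origin-when-cross-origin` is the current browser default and is the safer baseline unless cross-origin referrers are needed.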
+++ b/globals/sucuri-real-ip.conf
@@ -0,0 +1,12 @@
+# https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/#nginx
+
+# ref: https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/#nginx
+# Define header with original client IP
+real_ip_header X-Forwarded-For;
+# Define trusted Firewall IPs
+set_real_ip_from 192.88.134.0/23;
+set_real_ip_from 185.93.228.0/22;
+set_real_ip_from 66.248.200.0/22;
+set_real_ip_from 208.109.0.0/22;
+set_real_ip_from 2a02:fe80::/29; # this line can be removed if IPv6 is disabled
+
diff --git a/globals/sucuri-waf.conf b/globals/sucuri-waf.conf
new file mode 100644
index 0000000..cd72955
--- /dev/null
+++ b/globals/sucuri-waf.conf
@@ -0,0 +1,12 @@
+# allow local requests
+allow 127.0.0.1;
+
+# Sucuri WAF
+allow 192.88.134.0/23;
+allow 185.93.228.0/22;
+allow 2a02:fe80::/29;
+allow 66.248.200.0/22;
+allow 208.109.0.0/22;
+
+# deny all requests that bypass Sucuri
+deny all;
diff --git a/globals/varnish-as-front-end-compatibility.conf b/globals/varnish-as-front-end-compatibility.conf
new file mode 100644
index 0000000..8a25d70
--- /dev/null
+++ b/globals/varnish-as-front-end-compatibility.conf
@@ -0,0 +1,7 @@
+### If Varnish is used as front end
+set_real_ip_from 127.0.0.1;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+# Default value: on
+port_in_redirect off;
diff --git a/globals/wordpress-seo-plugin-support.conf b/globals/wordpress-seo-plugin-support.conf
new file mode 100644
index 0000000..d1bb870
--- /dev/null
+++ b/globals/wordpress-seo-plugin-support.conf
@@ -0,0 +1,6 @@
+
+# Yoast's WordPress SEO plugin requires this...
+# Ref: http://wordpress.org/extend/plugins/wordpress-seo/faq/
+rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
+rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
+
diff --git a/globals/wp-fastest-cache.conf b/globals/wp-fastest-cache.conf
new file mode 100644
index 0000000..c010b83
--- /dev/null
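Review bot: If sucuri-waf.conf is included in the same server block as sucuri-real-ip.conf, its `allow`/`deny all;` rules run in the access phase after the realip module has already replaced `$remote_addr` with the address taken from `X-Forwarded-For`, so every request arriving through the WAF is evaluated against the visitor's address and `deny all;` rejects it; whether the two files are combined cannot be seen from this hunk, so a header comment stating the constraint, `# must NOT be combined with sucuri-real-ip.conf in the same server: allow/deny see the restored client IP`, would prevent that mistake. The same five Sucuri ranges are now listed in both files, which will drift when Sucuri changes them; keeping one list and deriving the other (or at least cross-referencing them in a comment) is safer. `allow 127.0.0.1;` covers IPv4 loopback only, so local health checks over `::1` would be denied if IPv6 is enabled on the listener.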
+++ b/globals/wp-fastest-cache.conf 
@@ -0,0 +1,93 @@
+# configuration directives to support WP Fastest Cache plugin.
+# note not all features are supported.
+
+# default location block
+# - directs mobile visitors to @mobileaccess, if configured.
+# - directs cache misses to PHP (via @cachemiss).
+# - directs requests "that shouldn't be cached" to PHP (via @cachemiss): example - requests from a logged-in user.
+
+location / {
+ error_page 418 = @cachemiss; # to handle cache misses
+ error_page 419 = @mobileaccess; # to handle mobile visits
+ recursive_error_pages on;
+
+ set $pathDomain "/wp-content/cache/${host}/all${uri}"; # path domain for multisite
+ set $path "/wp-content/cache/all${uri}";
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ # if WP related cookies are found, skip cache
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # avoid duplicate content on Amazon CloudFront and KeyCDN.
+ if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
+ if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
+
+ # uncomment the following, if WP Fastest Cache plugin is set to create a separate cache for mobile visitors
+ # if ( $http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad" ) { return 419; }
+ # add_header "Vary" "User-Agent";
+
+ # uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
+ # if ( $http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad" ) { return 419; }
+
+ # look for cached version; if-not-found, then send the request to PHP
+ try_files "${path}index.html" "${path}/index.html" "${pathDomain}index.html" "${pathDomain}/index.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ # add some useful headers
+ add_header "X-Cache" "HIT - WP Fastest Cache";
+ add_header "X-CF-Powered-By" "WP Fastest Cache";
+ add_header "Vary" "Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires 30m;
+ # expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+# location to handle requests come from mobile devices
+location @mobileaccess {
+ set $pathDomain "/wp-content/cache/${host}/wpfc-mobile-cache${uri}"; # path domain for multisite
+ set $path "/wp-content/cache/wpfc-mobile-cache${uri}";
+
+ # look for cached version for mobiles; if-not-found, then send the request to PHP
+ try_files "${path}index.html" "${path}/index.html" "${pathDomain}index.html" "${pathDomain}/index.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ # add some useful headers
+ add_header "X-Cache" "HIT - Mobile - WP Fastest Cache";
+ add_header "Vary" "User-Agent, Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires 30m;
+ # expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+location @cachemiss {
+ # on cache miss, send the request to PHP
+ try_files $uri $uri/ /index.php$is_args$args;
+}
diff --git a/globals/wp-rocket.conf b/globals/wp-rocket.conf
new file mode 100644
index 0000000..acbe41c
--- /dev/null
+++ b/globals/wp-rocket.conf
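Review bot: `add_header "X-CF-Powered-By" "WP Fastest Cache";` announces the caching plugin on every cache hit while hide-headers.conf in the same commit strips `X-Powered-By` for exactly that reason; `X-Cache` is enough for debugging, so the extra header should go. `set $pathDomain "/wp-content/cache/${host}/all${uri}"` makes the probed directory depend on the client-supplied Host header; nginx's Host validation should keep it inside the cache tree, but on a `default_server` an arbitrary Host still selects which subdirectory is probed, so this block is best used only on servers with an explicit `server_name`, which a comment on that line could say. The `419` path is dead until one of the commented `return 419;` lines is enabled, as the header comment's "if configured" implies; stating that next to `error_page 419` would save a reader from looking for the trigger.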
@@ -0,0 +1,78 @@
+# To improve the perf, let's use open_file_cache
+# ref: nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+ # disable WP Rocket preload bot; had numerous trouble with in on high-traffic sites
+ if ($http_user_agent ~ wprocketbot) { return 403; access_log off; }
+
+ error_page 418 = @cachemiss;
+ error_page 419 = @mobileaccess;
+ recursive_error_pages on;
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # avoid duplicate content on Amazon CloudFront and KeyCDN.
+ if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
+ if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
+
+ # uncomment the following, if WP Rocket plugin is set to create a separate cache for mobile visitors
+ # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+ # add_header "Vary" "User-Agent";
+
+ # uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
+ # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+ try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ add_header "X-Cache" "HIT - WP Rocket";
+ add_header "Vary" "Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+location @mobileaccess {
+ # try_files $uri $uri/ /index.php$is_args$args;
+ try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+
+ add_header "X-Cache" "HIT - Mobile - WP Rocket";
+ add_header "Vary" "User-Agent, Cookie";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ expires modified 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=600";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
diff --git a/globals/wp-super-cache.conf b/globals/wp-super-cache.conf
new file mode 100644
index 0000000..01742b5
--- /dev/null
+++ b/globals/wp-super-cache.conf
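Review bot: `expires modified 30m;` is used in both locations here while cache-enabler.conf, wp-fastest-cache.conf and wp-super-cache.conf use `expires 30m;` and keep the `modified` form commented out; the two are not interchangeable, since with `modified` the `Expires`/`max-age` values are computed from the cache file's mtime and a file older than 30 minutes goes out with `Cache-Control: no-cache`, whereas the plain form always grants 30 minutes from now — if that difference is intentional for WP Rocket it deserves a comment, otherwise the four files should agree. `$https_suffix` appears in both `try_files` lines but is defined nowhere in this hunk, so a `map` elsewhere is presumably expected; a one-line comment naming its source would save the next reader a search. The `if ($http_user_agent ~ wprocketbot)` block is a deliberate policy choice per its comment, but the comment has a typo, "with in on" for "with it on".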
@@ -0,0 +1,80 @@
+# To improve the perf, we may use open_file_cache
+# ref: https://nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+ # requires server support
+ # gzip_static on;
+
+ error_page 418 = @cachemiss;
+ error_page 419 = @mobileaccess;
+ recursive_error_pages on;
+
+ # bypass POST requests
+ if ($request_method = POST) { return 418; }
+
+ # uncommenting the following degrades the performance on certain sites. YMMV
+ # if ($query_string != "") { return 418; }
+
+ # bypass cache for common query strings
+ if ($arg_s != "") { return 418; } # search query
+ if ($arg_p != "") { return 418; } # request a post / page by ID
+ if ($args ~ "amp") { return 418; } # amp test
+ if ($arg_preview = "true") { return 418; } # preview post / page
+ if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ # avoid duplicate content on Amazon CloudFront and KeyCDN.
+ if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
+ if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
+
+ # uncomment the following, if WP Super Cache plugin is set to create a separate cache for mobile visitors
+ # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+ # add_header "Vary" "User-Agent";
+
+ # uncomment the following if deemed fit, in addition to the above line to enable @mobileaccess
+ # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+ try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
+
+ #--> all the following would apply, only if the request hits the cache
+
+ add_header "X-Cache" "HIT - WP Super Cache";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @mobileaccess {
+ # try_files $uri $uri/ /index.php$is_args$args;
+ try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
+
+ add_header "X-Cache" "HIT - Mobile - WP Super Cache";
+ # include "globals/hsts.conf";
+ include 'globals/security-headers.conf';
+
+ # expires modified 30m;
+ expires 30m;
+ add_header "Cache-Control" "must-revalidate";
+
+ # For proxies
+ # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
+
+
diff --git a/globals/wpfc.conf b/globals/wpfc.conf
new file mode 100644
index 0000000..dd87344
--- /dev/null
+++ b/globals/wpfc.conf
@@ -0,0 +1,34 @@
+# The rewrite magic
+location / {
+ gzip_static on;
+
+ # set these globally, if not done already
+ # gzip_http_version 1.1;
+ # gzip_proxied expired no-cache no-store private auth;
+ # gzip_disable "MSIE [1-6]\.";
+ # gzip_vary on;
+
+ error_page 418 = @cachemiss;
+
+ if ($request_method = POST) { return 418; }
+
+ if ($query_string != "") { return 418; }
+
+ if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+ if ($http_cookie ~* "comment_author_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ try_files "/wp-content/cache/all${uri}index.html" =418;
+
+ add_header "X-WPFC-Cache" "HIT";
+
+ # choose or modify any of the following cache-control headers
+ expires 30m;
+ # add_header "Cache-Control" "max-age=10, must-revalidate";
+ # add_header "Vary" "Cookie";
+}
+
+location @cachemiss {
+ try_files $uri $uri/ /index.php$is_args$args;
+}
+
diff --git a/mime.types b/mime.types
new file mode 100644
index 0000000..cd3d700
--- /dev/null
+++ b/mime.types
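Review bot: wpfc.conf targets the same plugin as wp-fastest-cache.conf but with diverging rules: here `if ($query_string != "") { return 418; }` is active while the other file comments it out as a performance problem, the `$arg_*`/`amp`/`preview` bypasses and the `Vary: Cookie` header are absent, and no security-header include is present at all, so a site that picks this file gets a different caching and header policy than one that picks the other. If both are meant to stay, the `# The rewrite magic` header should say which is the maintained one and when to prefer it, e.g. `# minimal variant of wp-fastest-cache.conf: no mobile cache, no query-string bypass list, no security headers`; otherwise one of the two should be dropped. The `# gzip_disable "MSIE [1-6]\."` hint is stale and can go.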
@@ -0,0 +1,88 @@
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..88accd6
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,32 @@
+# user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*.conf;
+}
diff --git a/proxy.conf b/proxy.conf
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy.conf
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/proxy_params b/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/scripts/update-cloudflare-ip-list.sh b/scripts/update-cloudflare-ip-list.sh
new file mode 100644
index 0000000..4fc2f8b
--- /dev/null
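Review bot: The http block sets no `server_tokens off;`, so unless conf.d/common.conf (pulled in by the `include /etc/nginx/conf.d/*.conf;` line, and not visible here) does it, nginx reports its exact version in the Server header and on error pages. A comment on that include line naming the hardening directives expected to come from there would make the dependency explicit. With `# user nginx;` commented out, workers run as nginx's compile-time default user, which may not be the owner of the PHP-FPM sockets and cache directories the site templates reference; the comment should state the intended user.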
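Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the connecting address to whatever X-Forwarded-For value the client itself sent, so a backend must take the last entry (or `X-Real-IP`) rather than the first; a comment such as `# client-supplied XFF is preserved; trust only the last hop` would keep upstream code from honouring a client-chosen address. The same four lines are committed again as proxy_params (same blob), so having one file `include` the other would avoid the two drifting apart.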
+++ b/scripts/update-cloudflare-ip-list.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# script to set Cloudflare IPs (ipv4 and ipv6)
+
+# empty the list
+echo -n > /etc/nginx/globals/cloudflare-ip-list.conf;
+
+# fetch and update ipv4
+for i in `curl -s https://www.cloudflare.com/ips-v4`; do
+ echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
+done
+
+# fetch and update ipv6
+for i in `curl -s https://www.cloudflare.com/ips-v6`; do
+ echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
+done
diff --git a/sites-available/admin-over-ssl.conf b/sites-available/admin-over-ssl.conf
new file mode 100644
index 0000000..0166cbd
--- /dev/null
+++ b/sites-available/admin-over-ssl.conf
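Review bot: The list file is truncated with `echo -n >` before either download runs, and `curl -s` without `-f` writes an HTTP error body straight into the loop, so a failed, rate-limited or intercepted fetch leaves nginx with an empty or malformed `set_real_ip_from` list and the real-client-IP logic silently trusts nothing or the wrong thing. Build the list in a temp file, fail on any curl error, accept only entries that look like a CIDR, and move it into place atomically; the caller should still run `nginx -t` before reloading. Backticks also deserve replacing with `$(...)`.
```bash
#!/bin/bash
set -euo pipefail

LIST=/etc/nginx/globals/cloudflare-ip-list.conf
TMP=$(mktemp "${LIST}.XXXXXX")
trap 'rm -f "$TMP"' EXIT

# -f: fail on HTTP errors instead of writing an error page into the config
for url in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
    curl -fsS --max-time 30 "$url" | while read -r cidr || [ -n "$cidr" ]; do
        # accept only something shaped like an IPv4/IPv6 prefix
        [[ "$cidr" =~ ^[0-9a-fA-F:.]+/[0-9]+$ ]] || { echo "unexpected entry: $cidr" >&2; exit 1; }
        echo "set_real_ip_from $cidr;" >> "$TMP"
    done
done

# never replace a working list with an empty one
[ -s "$TMP" ] || { echo "empty list, keeping existing config" >&2; exit 1; }
mv "$TMP" "$LIST"
```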
@@ -0,0 +1,74 @@
+### No need to enable the following in wp-config.php
+# define('FORCE_SSL_ADMIN', true);
+# define('FORCE_SSL_LOGIN', true);
+
+### Process non-SSL requests
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # Process PHP requests
+ location ~ \.php$ {
+ # Request to wp-login to go through HTTPS protocol
+ location ~ /wp-(admin|login) {
+ return 301 https://$host$request_uri;
+ }
+
+ # Process non-admin requests
+ try_files $uri =404;
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # Nginx way of mod_write
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
+server {
+ listen 443 ssl;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # Generate Certificates
+ # http://wiki.nginx.org/HttpSslModule#Generate_Certificates
+ ssl_certificate /path/to/combined.crt;
+ ssl_certificate_key /path/to/server.key;
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ # Process requests to wp-admin/* and wp-login.php
+ location ~ /wp-(admin|login) {
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ fastcgi_pass fpm;
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+ }
+
+ # Process non-admin requests
+ include globals/assets.conf;
+
+ # To avoid displaying posts and post previews in HTTPS
+ location / {
+ return 301 http://example.com$request_uri;
+ }
+
+}
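Review bot: Both `location ~ \.php$` blocks hand requests to PHP-FPM without `fastcgi_param HTTP_PROXY "";`, unlike dev.example.com.conf and example.com.conf in this patch, so a client-supplied Proxy header reaches PHP as HTTP_PROXY (httpoxy) unless fastcgi.conf clears it, which is not visible here. The same gap is in login-over-ssl.conf, mu-dir-dir-example.com.conf, mu-dir-example.com.conf, mu-dom-example.com.conf and all three php locations of nginx-varnish-nginx.conf. Add `fastcgi_param HTTP_PROXY "";` beside the other fastcgi_param lines in each, or put it in fastcgi.conf once so every template inherits it.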
diff --git a/sites-available/catchall.conf b/sites-available/catchall.conf
new file mode 100644
index 0000000..f9ade70
--- /dev/null
+++ b/sites-available/catchall.conf
@@ -0,0 +1,28 @@
+# Ref - http://wiki.nginx.org/ServerBlockExample#A_Default_.22Catch_All.22_Server_Block
+server {
+ listen 80 default_server;
+ server_name _;
+
+ access_log off;
+ error_log off;
+
+ # return nothing
+ # a Nginx specific error code
+ # return 444;
+
+ # deny all
+ # include globals/error-pages.conf;
+ location / {
+ return 403;
+ }
+
+ # Let Varnish or others ping to know the status of PHP-FPM
+ location /ping {
+ allow 127.0.0.1;
+ deny all;
+
+ fastcgi_pass fpm;
+ keepalive_timeout 0;
+ expires -1;
+ }
+}
diff --git a/sites-available/default.conf b/sites-available/default.conf
new file mode 100644
index 0000000..6c06559
--- /dev/null
+++ b/sites-available/default.conf
@@ -0,0 +1,24 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # create dummy certificates, if you'd like to enable the following...
+ # listen 443 ssl http2 default_server;
+ # listen [::]:443 ssl http2 default_server;
+
+ # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+
+ # to catch all domains not hosted here!
+ server_name _;
+
+ include globals/error-pages.conf;
+ location / {
+ # return nothing
+ # a Nginx specific error code
+ # return 444;
+
+ # or send error code 550 - not hosted here!
+ return 550;
+ }
+}
diff --git a/sites-available/dev.example.com.conf b/sites-available/dev.example.com.conf
new file mode 100644
index 0000000..7c1d5b9
--- /dev/null
+++ b/sites-available/dev.example.com.conf
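Review bot: `location /ping` passes to `fpm` without `include fastcgi_params;`, so PHP-FPM receives no SCRIPT_NAME and its ping.path check has nothing to match; the `/ping` block in ip.conf in this patch does include `fastcgi_params` and is the form to copy. Separately, this file and default.conf both declare `listen 80 default_server;` with `server_name _;`, and nginx refuses to load two default servers on one socket, so a comment in each (`# enable either this file or default.conf, not both`) would prevent a failed reload.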
@@ -0,0 +1,57 @@
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2; # IPv6 support
+
+ server_name dev.example.com;
+
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/dev/sites/dev.example.com/public;
+
+ # ssl_certificate "/etc/letsencrypt/live/dev.example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/dev.example.com/privkey.pem";
+
+ # access_log off;
+ access_log /var/log/nginx/dev-example.com-access.log;
+ error_log /var/log/nginx/dev-example.com-error.log;
+ # error_log /var/log/nginx/dev-example.com-error.log debug;
+
+ include "globals/restrictions.conf";
+
+ location ~* \.(?:css|js|jpg|jpeg|png|gif|ico|svg|ttf|eot|woff|otf)$ { expires max; try_files $uri @prod; }
+
+ location @prod {
+ proxy_pass https://0.0.0.0;
+
+ proxy_set_header Host "www.example.com";
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include fastcgi.conf;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_intercept_errors on;
+ fastcgi_pass fpm-dev;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ # The rewrite magic
+ location / { try_files $uri $uri/ /index.php$is_args$args; }
+ # include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+ # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
+ # include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
+}
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
new file mode 100644
index 0000000..63011ba
--- /dev/null
+++ b/sites-available/example.com.conf
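Review bot: `location @prod` proxies to `https://0.0.0.0` with neither `proxy_ssl_server_name on;` nor `proxy_ssl_verify on;`, so the upstream certificate is never checked and no SNI is sent even though `Host` is forced to `www.example.com`; assets pulled from production can be answered by whatever host sits at that address. Add `proxy_ssl_server_name on; proxy_ssl_name www.example.com; proxy_ssl_verify on;` together with a `proxy_ssl_trusted_certificate` path. The server also listens on 443 with both `ssl_certificate` lines commented out, which nginx rejects at config test unless a certificate is defined at http level (conf.d/ssl-common.conf is not visible here); the comment above those lines should say which is expected.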
@@ -0,0 +1,65 @@
+# The primary template file for WordPress sites
+# Feel free to follow the same pattern for other files in the /sites-available/ directory
+# Remember to create a symlink to /sites-enabled/ to enable a site or configuration file
+
+### server-level 301 redirect
+# you are a fan of micro-optimization, please use the following to redirect www.example.com => example.com (301)
+# server {
+ # listen 80;
+ # listen [::]:80; # IPv6 support
+ # server_name www.example.com;
+ # return 301 $scheme://example.com$request_uri;
+# }
+
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name example.com;
+
+ server_name www.example.com; # hide this line, if you enable the server-level 301 redirect above
+
+ index index.php; # default file to serve
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ ### Logs
+ access_log /var/log/nginx/example.com-access.log;
+ # if the log files become too large, you may use the following format. $loggable is defined in conf.d/common.conf
+ # access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+
+ # ideally use it along with fail2ban
+ error_log /var/log/nginx/example.com-error.log;
+ # use the following pattern only for debugging - server support needed
+ # error_log /var/log/nginx/example.com-error.log debug;
+
+ # Optional configurations
+ # include "globals/auto-versioning-support.conf";
+ # include "globals/wordpress-seo-plugin-support.conf";
+
+ include "globals/restrictions.conf";
+ include "globals/assets.conf";
+
+ location ~* \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include "fastcgi_params";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ ### Enaable only one of the following lines
+ include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+ # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
+ # include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
+ # include "globals/cache-enabler.conf"; # Cache Enabler plugin support
+ # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
+
+}
diff --git a/sites-available/ip.conf b/sites-available/ip.conf
new file mode 100644
index 0000000..7d14617
--- /dev/null
+++ b/sites-available/ip.conf
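Review bot: The `location ~* \.php$` block sends no security headers, while cache hits receive them through `globals/security-headers.conf` inside the wp-super-cache include, so the dynamic responses (login, admin, cache misses) are exactly the ones that go out without them. ssl-example.com.conf in this patch includes `'globals/security-headers.conf'` inside its php location; add `include 'globals/security-headers.conf';` after `add_header "X-Cache" "MISS";` here for the same reason. Because add_header is not inherited once a level defines its own, the include has to live in this location rather than at server level.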
@@ -0,0 +1,95 @@
+# safe to ignore, if you don't understand what it is doing!
+
+server {
+ listen 80;
+
+ # please replace 127.0.0.1 with the actual IP of the server
+ server_name 127.0.0.1;
+
+ root /var/www/html;
+
+ ### logs
+ # enable only one of the following
+ access_log off;
+ # access_log /var/log/nginx/ip-access.log; # simple log
+ # access_log /var/log/nginx/ip-access.log combined buffer=64k flush=5m if=$loggable; # log only non-2xx and non-3xx requests; $loggable is defined in conf.d/common.conf
+
+ # enable only one of the following
+ error_log off;
+ # error_log /var/log/nginx/ip-error.log;
+ # error_log /var/log/nginx/ip-error.log debug; # depends on server support
+
+ ### PhpMyAdmin
+ # note: it's a bad idea to serve PhpMyAdmin via the server's IP as it is the known target by bad bots
+ # keeping it here for historical reasons
+ # location /phpmyadmin {
+ # include whitelist.conf;
+ # try_files $uri $uri/ /phpmyadmin/index.php$is_args$args;
+
+ # location ~* \.php$ {
+ # try_files $uri = 404;
+ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # include fastcgi.conf;
+ # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # fastcgi_index index.php;
+ # fastcgi_pass fpm;
+ # }
+ # }
+
+ # Nginx status
+ location = /nginxstatus {
+ stub_status on;
+ access_log off;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ # PHP-FPM ping
+ location = /ping {
+ fastcgi_pass fpm;
+ include fastcgi_params;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ # PHP-FPM status
+ location = /status {
+ fastcgi_pass fpm;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ location /munin {
+ alias "/var/cache/munin/www";
+ try_files $uri $uri/ /index.html;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ location /monit/ {
+ rewrite ^/monit/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:2812;
+ # replace 127.0.0.2 with the IP of the server
+ # proxy_redirect http://127.0.0.1:2812/monit/ http://127.0.0.2/monit/;
+
+ include whitelist.conf;
+
+ expires -1;
+ }
+
+ # Redirect to the main site domainname.com
+ location / {
+ return $scheme://example.com$request_uri;
+ }
+}
diff --git a/sites-available/login-over-ssl.conf b/sites-available/login-over-ssl.conf
new file mode 100644
index 0000000..8de592e
--- /dev/null
+++ b/sites-available/login-over-ssl.conf
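Review bot: The `/nginxstatus`, `/ping`, `/status`, `/munin` and `/monit/` locations rely entirely on `include whitelist.conf;` for access control, but no whitelist.conf is added by this patch, so nginx either fails to start or, if an empty stand-in is dropped in, exposes PHP-FPM status and the munin/monit interfaces to anyone who can reach the IP vhost. Name the expected file and its `allow`/`deny` layout in a comment, and follow each include with `deny all;` so a missing or empty allow-list fails closed. `location /munin` with `alias "/var/cache/munin/www"` pairs a prefix and an alias without trailing slashes and combines alias with try_files, which nginx documents as unreliable; `location /munin/ { alias /var/cache/munin/www/; ... }` is the conventional form.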
@@ -0,0 +1,69 @@
+### No need to enable the following in wp-config.php
+# define('FORCE_SSL_ADMIN', true);
+# define('FORCE_SSL_LOGIN', true);
+
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ include globals/assets.conf;
+ include globals/restrictions.conf;
+
+ location ~ \.php$ {
+ # Request to wp-login to go through HTTPS protocol
+ location ~ /wp-login\.php {
+ return 301 https://$host$request_uri;
+ }
+
+ # Process other requests
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ try_files $uri =404;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
+server {
+ listen 443 ssl;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # Generate Certificates
+ # http://wiki.nginx.org/HttpSslModule#Generate_Certificates
+ ssl_certificate /path/to/combined.crt;
+ ssl_certificate_key /path/to/server.key;
+
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include globals/assets.conf;
+ include globals/restrictions.conf;
+
+ location ~ /wp-login\.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
diff --git a/sites-available/mu-dir-dir-example.com.conf b/sites-available/mu-dir-dir-example.com.conf
new file mode 100644
index 0000000..c4fcc2a
--- /dev/null
+++ b/sites-available/mu-dir-dir-example.com.conf
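Review bot: The 443 server routes only `/wp-login\.php$` to PHP-FPM; any other `.php` URI lands in `location / { try_files $uri ... }`, which serves the file as a static asset (mime.types in this patch has no php entry, so as application/octet-stream), i.e. PHP source disclosure over https unless globals/restrictions.conf happens to block it. Add a catch-all `location ~ \.php$` to the 443 server that either passes to `fpm` like the port-80 block or, as admin-over-ssl.conf does for non-admin paths, returns 301 to the http URL.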
@@ -0,0 +1,73 @@
+### Use case
+# example.com has a non-WordPress installation at its root
+# example.com/blogs is a WordPress multisite sub-directory installation
+# example.com/blogs/blog1 is a site in WP multisite
+# example.com/blogs/blog2 is another site in WP multisite
+# The site would be accessed primarily as example.com (instead of www.example.com)
+# Please replace blogs with the actual name of the sub-directory inwhich WP is (would be) installed
+
+### Remember that IfIsEvil, if used inappropriately.
+# Ref: http://wiki.nginx.org/IfIsEvil
+
+# Redirect www.example.com/anything to example.com/anything
+server {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+# Process requests to example.com
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Change this to the actual location of non-WordPress files
+ root /home/username/sites/example.com/public;
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ ### modified version of globals/mu-files.conf;
+ # For uploads
+ if ( $uri ~ "files" ) {
+ rewrite ^/blogs/(?:.*/)?files/(.+) /blogs/wp-includes/ms-files.php?file=$1;
+ }
+
+ ### modified version of globals/mu-dir.conf;
+ # For sub-directory redirects
+ # Only one would apply
+ # If two needed to be applied, it'd throw a 404
+ if (!-e $request_filename) {
+ rewrite ^/blogs/[_0-9a-zA-Z-]+(/wp-(content|admin|includes).*) /blogs$1 break;
+ rewrite ^/blogs/[_0-9a-zA-Z-]+(/.*\.php)$ /blogs$1 break;
+ }
+
+ # Process PHP requests
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # To process WordPress site/s
+ location /blogs {
+ try_files $uri $uri/ /blogs/index.php$is_args$args;
+ }
+
+ # Let's include usual location directives, including 'location / { try files ; }' directive
+ # To process the non-WordPress PHP site
+ include globals/assets.conf;
+ include globals/restrictions.conf;
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
diff --git a/sites-available/mu-dir-example.com.conf b/sites-available/mu-dir-example.com.conf
new file mode 100644
index 0000000..138b0e7
--- /dev/null
+++ b/sites-available/mu-dir-example.com.conf
@@ -0,0 +1,42 @@
+# Configuration for multisite - subdirectory
+
+server {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+server {
+ listen 80;
+
+ server_name example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ index index.php;
+
+ # logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include "globals/mu-files.conf";
+ include "globals/mu-dir.conf";
+ include "globals/assets.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass fpm;
+ }
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
diff --git a/sites-available/mu-dom-example.com.conf b/sites-available/mu-dom-example.com.conf
new file mode 100644
index 0000000..fe7a760
--- /dev/null
+++ b/sites-available/mu-dom-example.com.conf
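Review bot: The subdirectory multisite template includes `globals/mu-files.conf`, `globals/mu-dir.conf` and `globals/assets.conf` but not `globals/restrictions.conf`, which the sibling mu-dom-example.com.conf and the other site templates in this patch all include; whatever deny rules that file carries are therefore absent from this vhost. Add `include "globals/restrictions.conf";` next to the other includes so the two multisite templates protect the same paths.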
@@ -0,0 +1,42 @@
+# Configuration for multisite - subdomain
+
+server {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+server {
+ listen 80;
+
+ server_name .example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ index index.php;
+
+ # logs
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include "globals/mu-files.conf";
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ # The rewrite magic
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+}
diff --git a/sites-available/multiple-vhosts.conf b/sites-available/multiple-vhosts.conf
new file mode 100644
index 0000000..5377a17
--- /dev/null
+++ b/sites-available/multiple-vhosts.conf
@@ -0,0 +1,31 @@
+# TODO:
+# blog post explaining how it could be incorporated and useful, pros and cons of this setup
+
+server {
+ listen 80;
+ server_name *.example.com example.net example.org;
+
+ # keep the files in the following way...
+ # site1.example.com at /path/to/sites/site1.example.com/public
+ # site2.example.com at /path/to/sites/site2.example.com/public
+ # site3.example.com at /path/to/sites/site3.example.com/public
+ # example.net at /path/to/sites/example.net/public
+ # example.org at /path/to/sites/example.org/public
+
+ root /path/to/sites/$host/public;
+
+ index index.php index.html;
+
+ # Let's have a common log for all the sites
+ # individual logs are not possible to create for each site
+ access_log /var/log/nginx/common-vhost-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/common-vhost-error.log error;
+
+ include "globals/restrictions.conf";
+ include "globals/assets.conf";
+ include "globals/php.conf";
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+}
diff --git a/sites-available/nginx-varnish-apache.conf b/sites-available/nginx-varnish-apache.conf
new file mode 100644
index 0000000..b58f244
--- /dev/null
+++ b/sites-available/nginx-varnish-apache.conf
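Review bot: `root /path/to/sites/$host/public;` builds a filesystem path from the client-controlled Host header; it is contained only because `server_name *.example.com example.net example.org;` limits which hosts reach this block, so this server must never become the default server for port 80, and the root line deserves a comment saying exactly that (`# $host is client-supplied; safe only while server_name restricts it and another server is default_server`). Keep catchall.conf or default.conf enabled as `default_server` alongside it. A host with no matching directory simply 404s, but the shared error_log is then the only trace an operator gets of probing.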
@@ -0,0 +1,38 @@
+iserver {
+ listen 80;
+ server_name www.example.com;
+ return 301 $scheme://example.com$request_uri;
+}
+
+server {
+ listen 80;
+ server_name example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ # Add trailing slash to */wp-admin requests.
+ rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+
+ location ~ \.php$ {
+ proxy_pass http://apache;
+ include proxy_params;
+ }
+
+ location @backend {
+ proxy_pass http://varnish;
+ include proxy_params;
+ }
+
+ location / {
+ try_files $uri @backend;
+ }
+
+}
diff --git a/sites-available/nginx-varnish-nginx.conf b/sites-available/nginx-varnish-nginx.conf
new file mode 100644
index 0000000..f7447ef
--- /dev/null
+++ b/sites-available/nginx-varnish-nginx.conf
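Review bot: The first line reads `iserver {` instead of `server {`; nginx rejects the file with an unknown-directive error at config test, so the template cannot be enabled as committed. Change line 1 to `server {`.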
@@ -0,0 +1,82 @@
+server {
+ listen 80;
+ server_name example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root "/home/username/sites/example.com/public";
+
+ index index.php;
+
+ # Logs - do check these, if sth goes wrong
+ access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+
+ location / {
+ error_page 418 = @phpfpm;
+ if ($request_method = POST) { return 418; }
+ if ($http_cookie ~* "wordpress_logged_in") { return 418; }
+ if ($http_cookie ~* "comment_") { return 418; }
+ if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+ proxy_pass http://varnish;
+ include proxy.conf;
+ }
+
+ location @phpfpm {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ location ~ /wp-admin {
+ try_files $uri $uri/ /index.php$is_args$args;
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+ }
+
+}
+
+# To serve requests from Varnish
+# Setup Varnish to use 127.0.0.1:82 as backend for this domain
+server {
+ listen 127.0.0.1:82;
+ server_name example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root "/home/username/sites/example.com/public";
+
+ index index.php;
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ include "fastcgi.conf";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+}
+
diff --git a/sites-available/pma.example.com.conf b/sites-available/pma.example.com.conf
new file mode 100644
index 0000000..c948164
--- /dev/null
+++ b/sites-available/pma.example.com.conf
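Review bot: The backend server on `127.0.0.1:82` includes neither globals/restrictions.conf nor globals/assets.conf, unlike the front-end server above it, so any path Varnish is asked to fetch (and anything else that reaches that port locally) is served without those deny rules, and the response is then cached and returned through the front-end. Add `include globals/restrictions.conf;` to the :82 server so the restrictions hold regardless of which path a request takes, and note in the comment above it that the front-end's rules do not protect this listener.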
@@ -0,0 +1,61 @@
+### IMPORTANT
+### If phpMyAdmin is accessed via a different port
+### as in the case of a Varnish -> Nginx setup, please do the following
+
+### SET $cfg['PmaAbsoluteUri'] = 'http://your.domain.com/path/to/phpmyadmin/'; in config.inc.php
+### Ref: http://serverfault.com/questions/246300/running-phpmyadmin-on-nginx-port-8080-passed-to-varnish-not-working-well
+### Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1340187&group_id=23067&atid=377409
+
+# http => https
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name pma.example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/pma.example.com/public;
+
+ # for LetsEncrypt
+ location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name pma.example.com;
+ index index.php;
+
+ # Replace the path with the actual path to Phpmyadmin core files
+ root /home/username/sites/pma.example.com/public;
+
+ access_log /var/log/nginx/pma.example.com-access.log combined buffer=64k flush=5m if=$loggable; # $loggable is defined in conf.d/common.conf
+ error_log /var/log/nginx/pma.example.com-error.log;
+
+ ssl_certificate "/etc/letsencrypt/live/pma.example.com/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/pma.example.com/privkey.pem";
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include "fastcgi_params";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+ }
+
+ location / { try_files $uri $uri/ /index.php$is_args$args; }
+}
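Review bot: phpMyAdmin is exposed through `location / { try_files ... }` on the public 443 server with no `allow`/`deny` list and no `auth_basic`, even though `auth_basic off;` on the acme-challenge location suggests one was intended, and ip.conf in this patch gates its admin endpoints with `include whitelist.conf;`. Add the same include, or `auth_basic "restricted"; auth_basic_user_file <path>;`, at server level so the application's own login is not the only barrier. The `# Replace the path with the actual path to WordPress core files` comment in the port-80 server is a copy-paste; the 443 server correctly says Phpmyadmin.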
diff --git a/sites-available/ssl-example.com.conf b/sites-available/ssl-example.com.conf
new file mode 100644
index 0000000..2bd7482
--- /dev/null
+++ b/sites-available/ssl-example.com.conf
@@ -0,0 +1,104 @@
+# http => https
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name example.com www.example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # for LetsEncrypt
+ location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+}
+
+# www.example.com => example.com (server-level)
+# Or example.com => www.example.com (server-level)
+# use it only if you are a fan of micro-optimization
+# server {
+ # listen 443 ssl http2;
+ # listen [::]:443 ssl http2; # IPv6 support
+ # uncomment only one depending on the main URL
+ # server_name example.com;
+ # server_name www.example.com;
+ # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+ # location / {
+ # uncomment only one depending on the main URL
+ # return 301 $scheme://www.example.com$request_uri;
+ # return 301 $scheme://example.com$request_uri;
+ # include 'globals/hsts.conf';
+ # include 'globals/security-headers.conf';
+ # }
+# }
+
+server {
+ # "http2" parameter of the "listen" directive is deprecated as of version 1.25.1 released on June 13, 2023
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2; # IPv6 support
+
+ # since Nginx version 1.25.1
+ # https on;
+
+ # the main URL where the site is served. It could be www.example.com
+ server_name example.com;
+
+ # comment out the following line, if you enable the server-level 301 redirect above
+ server_name www.example.com;
+
+ # default file to serve
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # if you use an ACME client that stores the SSL certs in a different path, please update the following
+ ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log;
+ # if the log files become too large, you may use the following format. $loggable is defined in conf.d/common.conf
+ # access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable;
+
+ # ideally use it along with fail2ban
+ error_log /var/log/nginx/example.com-error.log;
+ # use the following pattern only for debugging - server support needed
+ # error_log /var/log/nginx/example.com-error.log debug;
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+ include globals/auto-versioning-support.conf;
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include "fastcgi_params";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+
+ ### Enaable only one of the following lines
+ include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+ # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
+ # include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
+ # include "globals/cache-enabler.conf"; # Cache Enabler plugin support
+ # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
+}
diff --git a/sites-available/static-site.conf b/sites-available/static-site.conf
new file mode 100644
index 0000000..a25262a
--- /dev/null
+++ b/sites-available/static-site.conf
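Review bot: The comment `# since Nginx version 1.25.1` is followed by `# https on;`, but the directive that replaces the `http2` listen parameter is `http2 on;`; an admin who uncomments it as written gets an unknown-directive error instead of HTTP/2. Also, `include 'globals/hsts.conf';` inside the port-80 `location /` does nothing useful if that file sets Strict-Transport-Security, since browsers ignore HSTS on plain-http responses; the header only matters on the 443 server, where the php location already includes it, and static-site.conf carries the same include on its port-80 redirect. Drop it from the port-80 blocks or add `# HSTS is only honoured over https; kept here for symmetry` so nobody assumes it protects the redirect.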
@@ -0,0 +1,74 @@
+# http => https
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+ server_name example.com www.example.com;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ # for LetsEncrypt
+ location ^~ /.well-known/acme-challenge {
+ auth_basic off;
+ try_files $uri =404;
+ expires -1;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+}
+
+# www.example.com => example.com (server-level)
+# use it only if you are a fan of micro-optimization
+# server {
+ # listen 443 ssl http2;
+ # listen [::]:443 ssl http2; # IPv6 support
+ # server_name www.example.com;
+ # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+ # location / {
+ # return 301 $scheme://example.com$request_uri;
+ # include 'globals/hsts.conf';
+ # include 'globals/security-headers.conf';
+ # }
+# }
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2; # IPv6 support
+ server_name example.com;
+
+ # hide the following line, if you enable the server-level 301 redirect above
+ server_name www.example.com;
+
+ # default file to serve
+ index index.html;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/example.com/public;
+
+ ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+
+ # Logs
+ access_log /var/log/nginx/example.com-access.log;
+ error_log /var/log/nginx/example.com-error.log;
+
+ include globals/restrictions.conf;
+ include globals/assets.conf;
+ include globals/auto-versioning-support.conf;
+
+ location / {
+ try_files $uri $uri/ =404;
+
+ # you may adjust the expiry information here!
+ # expires 30m; # since static content rarely changes, it is safe to keep it to 30 minutes. YMMV.
+
+ include 'globals/hsts.conf';
+ include 'globals/security-headers.conf';
+ }
+}
+
diff --git a/sites-available/wpfc.example.com.conf b/sites-available/wpfc.example.com.conf
new file mode 100644
index 0000000..8d75410
--- /dev/null
+++ b/sites-available/wpfc.example.com.conf
@@ -0,0 +1,33 @@
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+
+ server_name wpfc.example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root /home/username/sites/wpsc.example.com/public;
+
+ access_log /var/log/nginx/wp-fastest-cache.example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/wp-fastest-cache.example.com-error.log;
+
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ include "globals/wp-fastest-cache.conf";
+}
diff --git a/sites-available/wpsc.example.com.conf b/sites-available/wpsc.example.com.conf
new file mode 100644
index 0000000..608edd4
--- /dev/null
+++ b/sites-available/wpsc.example.com.conf
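Review bot: In the port-80 `location /` of static-site.conf, `return 301` ends request processing, so the two `include` lines placed after it only take effect if the included files set headers with `add_header ... always` (their contents are not in this hunk), and a Strict-Transport-Security header received over plain HTTP is ignored by browsers in any case. The HSTS and security-header includes belong in the 443 server block, which already carries them in its own `location /`; dropping them from the redirect location (and from the commented-out www→apex block, which repeats the pattern) would stop readers from assuming the policy is enforced there. Separately, the `# Replace the path with the actual path to WordPress core files` comment is copied from the PHP vhosts; for a static site `# Replace the path with the actual document root of the site` would be accurate.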
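Review bot: The `root` in wpfc.example.com.conf points at `/home/username/sites/wpsc.example.com/public` while `server_name` is `wpfc.example.com`; this looks like a copy-paste slip from the WP Super Cache vhost and should read `root /home/username/sites/wpfc.example.com/public;`. The log file names (`wp-fastest-cache.example.com-*.log`) also differ from the `wpfc.` naming used for the host itself, which makes correlating logs with the vhost harder. Unlike the other vhosts in this commit, the PHP location here does not include `globals/security-headers.conf`; if that file sets headers via `add_header` (not visible here), note that nginx does not inherit `add_header` from an outer level into a block that declares its own, as this one does with `add_header "X-Cache" "MISS";`, so the include would need to sit inside the `location ~ \.php$` block next to the `X-Cache` line. The same points apply to the wpsc.example.com.conf hunk.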
@@ -0,0 +1,33 @@
+server {
+ listen 80;
+ listen [::]:80; # IPv6 support
+
+ server_name wpsc.example.com;
+ index index.php;
+
+ # Replace the path with the actual path to WordPress core files
+ root "/home/username/sites/wpsc.example.com/public";
+
+ access_log /var/log/nginx/wpsc.example.com-access.log combined buffer=64k flush=5m if=$loggable;
+ error_log /var/log/nginx/wpsc.example.com-error.log;
+
+ include "globals/assets.conf";
+ include "globals/restrictions.conf";
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass fpm;
+
+ add_header "X-Cache" "MISS";
+ }
+
+ include "globals/wp-super-cache.conf";
+}
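Review bot: wpsc.example.com.conf repeats the whole `location ~ \.php$` block of wpfc.example.com.conf verbatim (the `try_files $uri =404;` guard, the httpoxy mitigation, the fastcgi includes and the `X-Cache` header), which is a point of style rather than correctness: the two vhosts differ only in `server_name`, `root`, log paths and the final plugin include, so the PHP location could live in one shared include referenced by both files, keeping the guard and the mitigation in a single place. If `fastcgi.conf` is the stock nginx file it already sets `SCRIPT_FILENAME` to `$document_root$fastcgi_script_name`, which would make the explicit `fastcgi_param SCRIPT_FILENAME` line redundant here and in wpfc.example.com.conf. `root` is quoted in this file but unquoted in wpfc.example.com.conf; both forms are valid, but one convention across the sibling files would be easier to maintain.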