# http => https server { listen 80; listen [::]:80; # IPv6 support server_name example.com www.example.com; # Replace the path with the actual path to WordPress core files root /home/username/sites/example.com/public; # for LetsEncrypt location ^~ /.well-known/acme-challenge { auth_basic off; try_files $uri =404; expires -1; } location / { return 301 https://$host$request_uri; include 'globals/hsts.conf'; include 'globals/security-headers.conf'; } } # www.example.com => example.com (server-level) # Or example.com => www.example.com (server-level) # use it only if you are a fan of micro-optimization # server { # listen 443 ssl http2; # listen [::]:443 ssl http2; # IPv6 support # uncomment only one depending on the main URL # server_name example.com; # server_name www.example.com; # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem"; # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem"; # location / { # uncomment only one depending on the main URL # return 301 $scheme://www.example.com$request_uri; # return 301 $scheme://example.com$request_uri; # include 'globals/hsts.conf'; # include 'globals/security-headers.conf'; # } # } server { # "http2" parameter of the "listen" directive is deprecated as of version 1.25.1 released on June 13, 2023 listen 443 ssl http2; listen [::]:443 ssl http2; # IPv6 support # since Nginx version 1.25.1 # https on; # the main URL where the site is served. It could be www.example.com server_name example.com; # comment out the following line, if you enable the server-level 301 redirect above server_name www.example.com; # default file to serve index index.php; # Replace the path with the actual path to WordPress core files root /home/username/sites/example.com/public; # if you use an ACME client that stores the SSL certs in a different path, please update the following ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem"; ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem"; # Logs access_log /var/log/nginx/example.com-access.log; # if the log files become too large, you may use the following format. $loggable is defined in conf.d/common.conf # access_log /var/log/nginx/example.com-access.log combined buffer=64k flush=5m if=$loggable; # ideally use it along with fail2ban error_log /var/log/nginx/example.com-error.log; # use the following pattern only for debugging - server support needed # error_log /var/log/nginx/example.com-error.log debug; include globals/restrictions.conf; include globals/assets.conf; include globals/auto-versioning-support.conf; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.*)$; if (!-f $document_root$fastcgi_script_name) { return 404; } # Mitigate https://httpoxy.org/ vulnerabilities fastcgi_param HTTP_PROXY ""; include "fastcgi_params"; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; fastcgi_pass fpm; include 'globals/hsts.conf'; include 'globals/security-headers.conf'; } ### Enaable only one of the following lines include "globals/wp-super-cache.conf"; # WP Super Cache plugin support # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support # include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support # include "globals/cache-enabler.conf"; # Cache Enabler plugin support # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache }