Add some example files.

example/wp-site.conf

@@ -0,0 +1,119 @@
+# - <FQHN-wp-site>
+
+server {
+
+   listen 80;
+   listen [::]:80;
+
+   server_name <FQHN-wp-site>;
+
+   return 301 https://$host$request_uri;
+}
+
+server {
+
+   listen [::]:443 ssl;
+   listen 443 ssl;
+
+   server_name <FQHN-wp-site>;
+
+   root /var/www/<DOMAIN.TLD-wp-site>/htdocs;
+
+   # Add index.php to the list if you are using PHP
+   #
+   index index.php index.html index.htm;
+
+   # Include location directive for Let's Encrypt ACME Challenge
+   #
+   # Needed for (automated) updating certificate
+   #
+   include snippets/letsencrypt-acme-challenge.conf;
+
+   ssl on;
+
+   ssl_certificate /var/lib/dehydrated/certs/<FQHN-wp-site>/fullchain.pem;
+   ssl_certificate_key /var/lib/dehydrated/certs/<FQHN-wp-site>/privkey.pem;
+
+   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+   #
+   # To generate a dhparam.pem file, run in a terminal
+   #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+   #
+   ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+   # Eable session resumption to improve https performance
+   ssl_session_cache shared:SSL:50m;
+   ssl_session_timeout 10m;
+   ssl_session_tickets off;
+
+   #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+   # omit SSLv3 because of POODLE
+   # omit  TLSv1 TLSv1.1
+   ssl_protocols TLSv1.2 TLSv1.3;
+
+   # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
+   # Everything better than SHA1 (deprecated)
+   #
+   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+   ssl_prefer_server_ciphers on;
+
+   # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+   #
+   add_header Strict-Transport-Security max-age=15768000;
+
+   # OCSP Stapling ---
+   # fetch OCSP records from URL in ssl_certificate and cache them
+   ssl_stapling on;
+   ssl_stapling_verify on;
+
+   location = /favicon.ico {
+      log_not_found off;
+      access_log off;
+   }
+
+   location = /robots.txt {
+      allow all;
+      log_not_found off;
+      access_log off;
+   }
+
+   location / {
+      # This is cool because no php is touched for static content.
+      # include the "?$args" part so non-default permalinks doesn't break when using query string
+      try_files $uri $uri/ /index.php?$args;
+   }
+
+   location ~ \.php$ {
+
+      #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+      fastcgi_intercept_errors on;
+
+      # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+      # Bypass the fact that try_files resets $fastcgi_path_info
+      # see: http://trac.nginx.org/nginx/ticket/321
+      set $path_info $fastcgi_path_info;
+      fastcgi_param PATH_INFO $path_info;
+
+      fastcgi_index   index.php;
+
+      # Use PHP-FPM socket directly
+      #
+      #fastcgi_pass   unix:/tmp/php-7.4-fpm.www.sock;
+
+      # Use upstream
+      #
+      fastcgi_pass php-7.4-fpm;
+
+      include fastcgi_params;
+      #The following parameter can be also included in fastcgi_params file
+      fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
+      fastcgi_param  SCRIPT_NAME       $fastcgi_script_name;
+   }
+
+   location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+      expires max;
+      log_not_found off;
+   }
+}