From 9c7951f8d81cfdfe206b7c3d1e84320216f9f89c Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 30 May 2020 03:41:00 +0200
Subject: [PATCH] Add/Modify example files.

---
 example/purge.php | 28 ++++
 example/wp-fastcgi_cache.conf | 264 ++++++++++++++++++++++++++++++++++
 example/wp-site.conf | 14 +-
 3 files changed, 299 insertions(+), 7 deletions(-)
 create mode 100644 example/purge.php
 create mode 100644 example/wp-fastcgi_cache.conf
diff --git a/example/purge.php b/example/purge.php
new file mode 100644
index 0000000..d2f7c90
--- /dev/null
+++ b/example/purge.php
@@ -0,0 +1,28 @@
+
+# SITE_GROUP=
+#
+# chown $NGINX_USER:${NGINX_GROUP}
+# ---
+
+
+#upstream ev-stage.php-7.4-fpm {
+# server unix:/tmp/php-7.4-fpm.www.sock;
+#}
+
+fastcgi_cache_path @CACHE_PATH@ use_temp_path=off levels=1:2 keys_zone=@CACHE_ZONE@:256m max_size=512m inactive=60m;
+
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name @WEBSITE_NAME@;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+
+ server_name @WEBSITE_NAME@;
+
+ root @DOCUMENT_ROOT@;
+
+ # Add index.php to the list if you are using PHP
+ #
+ index index.php index.html index.htm;
+
+ # Include location directive for Let's Encrypt ACME Challenge
+ #
+ # Needed for (automated) updating certificate
+ #
+ include snippets/letsencrypt-acme-challenge.conf;
+
+ ssl on;
+
+ ssl_certificate /var/lib/dehydrated/certs/@WEBSITE_NAME@/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/@WEBSITE_NAME@/privkey.pem;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #
+ # To generate a dhparam.pem file, run in a terminal
+ # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+ #
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Eable session resumption to improve https performance
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+ # omit SSLv3 because of POODLE
+ # omit TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
+ # Everything better than SHA1 (deprecated)
+ #
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ #
+ add_header Strict-Transport-Security max-age=15768000;
+
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location ~ /\.git {
+ deny all;
+ }
+ location ~ /\.htaccess {
+ deny all;
+ }
+
+ set $skip_cache 0;
+
+ if ($request_method = POST) {
+ set $skip_cache 1;
+ }
+
+ if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
+ set $skip_cache 1;
+ }
+
+ if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
+ set $skip_cache 1;
+ }
+
+ if (!-e $request_filename) {
+ rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php?q=$uri&$args;
+ }
+
+ location ~ \.php$ {
+
+ try_files $uri = 404;
+ fastcgi_index index.php;
+
+ # Use upstream
+ #
+ fastcgi_pass @UPSTREAM_PHP_FPM@;
+ include fastcgi_params;
+
+ fastcgi_param HTTPS on;
+
+ # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+
+ fastcgi_buffer_size 128k;
+ fastcgi_buffers 4 256k;
+ fastcgi_busy_buffers_size 256k;
+
+ fastcgi_read_timeout 12000;
+
+ # ---
+ # fastcgi cache related
+ # ---
+
+ # Defines a shared memory zone used for caching.
+ #
+ fastcgi_cache @CACHE_ZONE@;
+
+ # The directive fastcgi_cache_key defines the key for cache lookup. Nginx will
+ # apply a MD5sum hash function on the cache key and uses the hash result as
+ # the name of cache files. After entering the two directives in the http context,
+ # save and close the file.
+ #
+ fastcgi_cache_key "$scheme$request_method$host$request_uri";
+
+ # Nginx can deliver stale content from its cache when it can’t get updated content
+ # from the upstream PHP-FPM server. For example, when MySQL/MariaDB database
+ # server is down. Rather than relay the error to clients, Nginx can deliver the
+ # stale version of the file from its cache. To enable this functionality, we added
+ # the fastcgi_cache_use_stale directive.
+ #
+ fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
+
+ # Set 60 minutes of caching for responses with codes 200 and 302
+ # and 1 minute for responses with code 404.
+ #
+ fastcgi_cache_valid 200 302 301 60m;
+ fastcgi_cache_valid 404 1m;
+
+ # Send request to upstream PHP-FPM server (bypass cache)
+ # Don't save to cache based on $skip_cache
+ #
+ # See above for skip_cache setting
+ #
+ fastcgi_cache_bypass $skip_cache;
+ fastcgi_no_cache $skip_cache;
+
+ # If multiple clients request a file that is not current in the cache,
+ # only the first of those requests is allowed through to the upstream
+ # PHP-FPM server. The remaining requests wait for that request to be
+ # satisified and then pull the file form the cache. Without
+ # fastcgi_cache_lock enabled, all requests go straight to the upstream
+ # PHP-FPM server.
+ #
+ fastcgi_cache_lock on;
+
+ # adds the X-FastCGI-Cache header in HTTP response. It can be used to
+ # validate whether the request has been served from the FastCGI cache or not.
+ #
+ add_header X-Cache-Status $upstream_cache_status;
+ add_header X-Cache-Key "$scheme$request_method$host$request_uri";
+
+ }
+
+
+ # ---
+ # purging cache
+ # ---
+
+ location ~ /purge(/.*) {
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+
+ fastcgi_cache_purge @CACHE_ZONE@ "$scheme$request_method$host$1";
+ }
+
+ # clean all cache from local console:
+ #
+ # curl --interface "127.0.0.1" https://etventure.oopen.de/purge-all
+ #
+ location /purge-all {
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+
+ root @WEB_BASEDIR@/purger;
+
+ # Use upstream
+ fastcgi_pass @UPSTREAM_PHP_FPM@;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME "@WEB_BASEDIR@/purger/purge.php";
+ fastcgi_param SCRIPT_NAME "purge.php";
+
+ # Hardcoded Environment used by script 'purge.php'
+ fastcgi_param PURGE_PATH "@CACHE_PATH@";
+ }
+
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+ location = /robots.txt {
+ rewrite ^ /index.php;
+ access_log off;
+ log_not_found off;
+ }
+
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+ expires max;
+ log_not_found off;
+ }
+
+ access_log /var/log/nginx/@WEBSITE_NAME@-access.log;
+ error_log /var/log/nginx/@WEBSITE_NAME@-error.log;
+
+ #auth_basic "Install Area";
+ #auth_basic_user_file ;
+}
diff --git a/example/wp-site.conf b/example/wp-site.conf
index e9483bd..1b5535c 100644
--- a/example/wp-site.conf
+++ b/example/wp-site.conf
@@ -1,21 +1,21 @@
-# -
+# - @WEBSITE_URL@
 server {
 listen 80;
 listen [::]:80;
- server_name ;
+ server_name @WEBSITE_URL@;
 return 301 https://$host$request_uri;
 }
 server {
- listen [::]:443 ssl;
- listen 443 ssl;
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
- server_name ;
+ server_name @WEBSITE_URL@;
 root /var/www//htdocs;
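Review bot: The `add_header X-Cache-Status` / `X-Cache-Key` directives inside `location ~ \.php$` stop that location from inheriting the server-level `add_header Strict-Transport-Security`, because nginx inherits add_header only when the current level defines none of its own, so PHP responses — nearly every WordPress page — go out without HSTS; repeat `add_header Strict-Transport-Security max-age=15768000;` inside the PHP location (or move the two cache headers up to server level). In the same location `try_files $uri = 404;` is not the `=404` form: nginx reads a final argument without a leading `=` as an internal-redirect URI rather than a status code, so requests for a non-existent `.php` path are not rejected with 404 as intended and the line should read `try_files $uri =404;`. `ssl_stapling_verify on` has no accompanying `ssl_trusted_certificate` or `resolver` directive here, so stapling verification will presumably be skipped or fail — confirm against nginx's error log. The two dotfile blocks deny only `/.git` and `/.htaccess`, whereas a single `location ~ /\. { deny all; }` would also cover `.env`, `.user.ini` and similar files that end up in a document root. Minor: the `/purge-all` comment hard-codes a real hostname in an example template where `@WEBSITE_NAME@` is used everywhere else, and the hunk header `@@ -0,0 +1,28 @@` appears to belong to example/purge.php while the body shown is the nginx server config, so the purge.php content itself is not visible on this page.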
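Review bot: `root /var/www//htdocs;` in the context lines still carries the old empty placeholder (the double slash) while this hunk replaces the same empty slots in `server_name` and the certificate paths with `@WEBSITE_URL@`, so the template remains unusable for the document root; the line should presumably become `root /var/www/@WEBSITE_URL@/htdocs;` or take a dedicated placeholder as the sibling example does with `@DOCUMENT_ROOT@`. The second server block continues past the end of this hunk.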
@@ -31,8 +31,8 @@ server { ssl on;
- ssl_certificate /var/lib/dehydrated/certs//fullchain.pem;
- ssl_certificate_key /var/lib/dehydrated/certs//privkey.pem;
+ ssl_certificate /var/lib/dehydrated/certs/@WEBSITE_URL@/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/@WEBSITE_URL@/privkey.pem;
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits #