Add/Modify example files.

example/purge.php

@@ -0,0 +1,28 @@
+<?php
+function unlinkRecursive($dir) {
+    if ( ! is_dir( $dir ) ) {
+        return;
+    }
+
+    if ( ! $dh = opendir( $dir ) ) {
+        return;
+    }
+
+    while ( false !== ($obj = readdir( $dh )) ) {
+        if ( $obj == '.' || $obj == '..' ) {
+            continue;
+        }
+        if (is_dir($dir . '/' . $obj)) {
+            unlinkRecursive( $dir . '/' . $obj );
+            rmdir($dir . '/' . $obj);
+        }
+        else {
+            unlink( $dir . '/' . $obj );
+        }
+    }
+    closedir( $dh );
+}
+
+if (array_key_exists('PURGE_PATH', $_SERVER)) {
+    unlinkRecursive($_SERVER['PURGE_PATH']);
+}

example/wp-fastcgi_cache.conf

@@ -0,0 +1,264 @@
+# -- @WEBSITE_NAME@
+
+# @WEBSITE_NAME@           www.etventure.com
+# @DOMAIN.TLD@             etventure.com
+#
+# @WEB_BASEDIR@            /var/www/@DOMAIN.TLD@/
+#
+# @DOCUMENT_ROOT@          @WEB_BASEDIR@/htdocs
+#
+# @CACHE_ZONE@             main
+# @CACHE_PATH@             /@WEB_BASEDIR@/cache/
+#
+# @UPSTREAM_PHP_FPM@       php-7.4-fpm - see dir 'conf.d/php-7.4-fpm.conf'
+#
+# @DOCUMENT_ROOT_PURGER@   @WEB_BASEDIR@/purger
+
+# ---
+# mkdir -p @WEB_BASEDIR@/{htdocs,purger,cache}
+#
+# NGINX_USER=www-data
+# NGINX_GROUP=www-data
+#
+# SITE_USER=<username-if-change-rooted else $NGINX_USER>
+# SITE_GROUP=<groupname-if-change-rooted else $NGINX_GROUP>
+#
+# chown $NGINX_USER:${NGINX_GROUP}
+# ---
+
+
+#upstream ev-stage.php-7.4-fpm {
+#   server unix:/tmp/php-7.4-fpm.www.sock;
+#}
+
+fastcgi_cache_path @CACHE_PATH@ use_temp_path=off levels=1:2 keys_zone=@CACHE_ZONE@:256m max_size=512m inactive=60m;
+
+server {
+
+   listen 80;
+   listen [::]:80;
+
+   server_name @WEBSITE_NAME@;
+
+   return 301 https://$host$request_uri;
+}
+
+server {
+
+   listen [::]:443 ssl http2;
+   listen 443 ssl http2;
+
+   server_name @WEBSITE_NAME@;
+
+   root  @DOCUMENT_ROOT@;
+
+   # Add index.php to the list if you are using PHP
+   #
+   index index.php index.html index.htm;
+
+   # Include location directive for Let's Encrypt ACME Challenge
+   #
+   # Needed for (automated) updating certificate
+   #
+   include snippets/letsencrypt-acme-challenge.conf;
+
+   ssl on;
+
+   ssl_certificate /var/lib/dehydrated/certs/@WEBSITE_NAME@/fullchain.pem;
+   ssl_certificate_key /var/lib/dehydrated/certs/@WEBSITE_NAME@/privkey.pem;
+
+   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+   #
+   # To generate a dhparam.pem file, run in a terminal
+   #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+   #
+   ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+   # Eable session resumption to improve https performance
+   ssl_session_cache shared:SSL:50m;
+   ssl_session_timeout 10m;
+   ssl_session_tickets off;
+
+   #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+   # omit SSLv3 because of POODLE
+   # omit  TLSv1 TLSv1.1
+   ssl_protocols TLSv1.2 TLSv1.3;
+
+   # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
+   # Everything better than SHA1 (deprecated)
+   #
+   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+   ssl_prefer_server_ciphers on;
+
+   # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+   #
+   add_header Strict-Transport-Security max-age=15768000;
+
+   # OCSP Stapling ---
+   # fetch OCSP records from URL in ssl_certificate and cache them
+   ssl_stapling on;
+   ssl_stapling_verify on;
+
+   location ~ /\.git {
+      deny all;
+   }
+   location ~ /\.htaccess {
+      deny all;
+   }
+
+   set $skip_cache 0;
+
+   if ($request_method = POST) {
+      set $skip_cache 1;
+   }
+
+   if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
+      set $skip_cache 1;
+   }
+
+   if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
+      set $skip_cache 1;
+   }
+
+   if (!-e $request_filename) {
+     rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+   }
+
+   location / {
+      try_files $uri $uri/ /index.php?q=$uri&$args;
+   }
+
+   location ~ \.php$ {
+
+      try_files $uri = 404;
+      fastcgi_index index.php;
+
+      # Use upstream
+      #
+      fastcgi_pass @UPSTREAM_PHP_FPM@;
+      include fastcgi_params;
+
+      fastcgi_param HTTPS on;
+
+      # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+      fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+      fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+
+      fastcgi_buffer_size 128k;
+      fastcgi_buffers 4 256k;
+      fastcgi_busy_buffers_size 256k;
+
+      fastcgi_read_timeout 12000;
+
+      # ---
+      # fastcgi cache related
+      # ---
+
+      # Defines a shared memory zone used for caching.
+      #
+      fastcgi_cache @CACHE_ZONE@;
+
+      # The directive fastcgi_cache_key defines the key for cache lookup. Nginx will
+      # apply a MD5sum hash function on the cache key and uses the hash result as
+      # the name of cache files. After entering the two directives in the http context,
+      # save and close the file.
+      #
+      fastcgi_cache_key "$scheme$request_method$host$request_uri";
+
+      # Nginx can deliver stale content from its cache when it can’t get updated content
+      # from the upstream PHP-FPM server. For example, when MySQL/MariaDB database
+      # server is down. Rather than relay the error to clients, Nginx can deliver the
+      # stale version of the file from its cache. To enable this functionality, we added
+      # the fastcgi_cache_use_stale directive.
+      #
+      fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
+
+      # Set 60 minutes of caching for responses with codes 200 and 302
+      # and 1 minute for responses with code 404.
+      #
+      fastcgi_cache_valid 200 302 301 60m;
+      fastcgi_cache_valid 404      1m;
+
+      # Send request to upstream PHP-FPM server (bypass cache)
+      # Don't save to cache based on $skip_cache
+      #
+      # See above for skip_cache setting
+      #
+      fastcgi_cache_bypass $skip_cache;
+      fastcgi_no_cache $skip_cache;
+
+      # If multiple clients request a file that is not current in the cache, 
+      # only the first of those requests is allowed through to the upstream 
+      # PHP-FPM server. The remaining requests wait for that request to be 
+      # satisified and then pull the file form the cache. Without 
+      # fastcgi_cache_lock enabled, all requests go straight to the upstream 
+      # PHP-FPM server.
+      #
+      fastcgi_cache_lock on;
+
+      # adds the X-FastCGI-Cache header in HTTP response. It can be used to 
+      # validate whether the request has been served from the FastCGI cache or not.
+      #
+      add_header X-Cache-Status $upstream_cache_status;
+      add_header X-Cache-Key "$scheme$request_method$host$request_uri";
+
+   }
+
+
+   # ---
+   # purging cache
+   # ---
+
+   location ~ /purge(/.*) {
+      allow 127.0.0.1;
+      allow ::1;
+      deny all;
+
+      fastcgi_cache_purge @CACHE_ZONE@ "$scheme$request_method$host$1";
+   }
+
+   # clean all cache from local console:
+   #
+   #    curl --interface "127.0.0.1" https://etventure.oopen.de/purge-all
+   #
+   location /purge-all {
+      allow 127.0.0.1;
+      allow ::1;
+      deny all;
+
+      root @WEB_BASEDIR@/purger;
+
+      # Use upstream
+      fastcgi_pass @UPSTREAM_PHP_FPM@;
+
+      include fastcgi_params;
+      fastcgi_param SCRIPT_FILENAME "@WEB_BASEDIR@/purger/purge.php";
+      fastcgi_param SCRIPT_NAME "purge.php";
+
+      # Hardcoded Environment used by script 'purge.php'
+      fastcgi_param PURGE_PATH "@CACHE_PATH@";
+   }
+
+   location = /favicon.ico {
+      log_not_found off;
+      access_log off;
+   }
+   location = /robots.txt {
+      rewrite ^ /index.php;
+      access_log off;
+      log_not_found off;
+   }
+
+   location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+      expires max;
+      log_not_found off;
+   }
+
+   access_log /var/log/nginx/@WEBSITE_NAME@-access.log;
+   error_log /var/log/nginx/@WEBSITE_NAME@-error.log;
+
+   #auth_basic "Install Area";
+   #auth_basic_user_file <path-to-dot-htpasswd-file>;
+}

example/wp-site.conf

@@ -1,21 +1,21 @@
-# - <FQHN-wp-site>
+# - @WEBSITE_URL@
 
 server {
 
    listen 80;
    listen [::]:80;
 
-   server_name <FQHN-wp-site>;
+   server_name @WEBSITE_URL@;
 
    return 301 https://$host$request_uri;
 }
 
 server {
 
-   listen [::]:443 ssl;
+   listen [::]:443 ssl http2;
-   listen 443 ssl;
+   listen 443 ssl http2;
 
-   server_name <FQHN-wp-site>;
+   server_name @WEBSITE_URL@;
 
    root /var/www/<DOMAIN.TLD-wp-site>/htdocs;
 
@@ -31,8 +31,8 @@ server {
 
    ssl on;
 
-   ssl_certificate /var/lib/dehydrated/certs/<FQHN-wp-site>/fullchain.pem;
+   ssl_certificate /var/lib/dehydrated/certs/@WEBSITE_URL@/fullchain.pem;
-   ssl_certificate_key /var/lib/dehydrated/certs/<FQHN-wp-site>/privkey.pem;
+   ssl_certificate_key /var/lib/dehydrated/certs/@WEBSITE_URL@/privkey.pem;
 
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #