# -- @WEBSITE_NAME@ # @WEBSITE_NAME@ www.etventure.com # @DOMAIN.TLD@ etventure.com # # @WEB_BASEDIR@ /var/www/@DOMAIN.TLD@/ # # @DOCUMENT_ROOT@ @WEB_BASEDIR@/htdocs # # @CACHE_ZONE@ main # @CACHE_PATH@ /@WEB_BASEDIR@/cache/ # # @UPSTREAM_PHP_FPM@ php-7.4-fpm - see dir 'conf.d/php-7.4-fpm.conf' # # @DOCUMENT_ROOT_PURGER@ @WEB_BASEDIR@/purger # --- # mkdir -p @WEB_BASEDIR@/{htdocs,purger,cache} # # NGINX_USER=www-data # NGINX_GROUP=www-data # # SITE_USER= # SITE_GROUP= # # chown $NGINX_USER:${NGINX_GROUP} # --- #upstream ev-stage.php-7.4-fpm { # server unix:/tmp/php-7.4-fpm.www.sock; #} fastcgi_cache_path @CACHE_PATH@ use_temp_path=off levels=1:2 keys_zone=@CACHE_ZONE@:256m max_size=512m inactive=60m; server { listen 80; listen [::]:80; server_name @WEBSITE_NAME@; return 301 https://$host$request_uri; } server { listen [::]:443 ssl http2; listen 443 ssl http2; server_name @WEBSITE_NAME@; root @DOCUMENT_ROOT@; # Add index.php to the list if you are using PHP # index index.php index.html index.htm; # Include location directive for Let's Encrypt ACME Challenge # # Needed for (automated) updating certificate # include snippets/letsencrypt-acme-challenge.conf; ssl on; ssl_certificate /var/lib/dehydrated/certs/@WEBSITE_NAME@/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/@WEBSITE_NAME@/privkey.pem; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # # To generate a dhparam.pem file, run in a terminal # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048 # ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Eable session resumption to improve https performance ssl_session_cache shared:SSL:50m; ssl_session_timeout 10m; ssl_session_tickets off; #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE # omit SSLv3 because of POODLE # omit TLSv1 TLSv1.1 ssl_protocols TLSv1.2 TLSv1.3; # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) # Everything better than SHA1 (deprecated) # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # add_header Strict-Transport-Security "max-age=31536000" always; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN" always; add_header Content-Security-Policy "default-src 'self';" always; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Permissions-Policy "usb=()"; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; location ~ /\.git { deny all; } location ~ /\.htaccess { deny all; } set $skip_cache 0; if ($request_method = POST) { set $skip_cache 1; } if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") { set $skip_cache 1; } if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; } if (!-e $request_filename) { rewrite /wp-admin$ $scheme://$host$uri/ permanent; } location / { try_files $uri $uri/ /index.php?q=$uri&$args; } location ~ \.php$ { try_files $uri = 404; fastcgi_index index.php; # Use upstream # fastcgi_pass @UPSTREAM_PHP_FPM@; include fastcgi_params; fastcgi_param HTTPS on; # regex to split $uri to $fastcgi_script_name and $fastcgi_path fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 4 256k; fastcgi_busy_buffers_size 256k; fastcgi_read_timeout 12000; # --- # fastcgi cache related # --- # Defines a shared memory zone used for caching. # fastcgi_cache @CACHE_ZONE@; # The directive fastcgi_cache_key defines the key for cache lookup. Nginx will # apply a MD5sum hash function on the cache key and uses the hash result as # the name of cache files. After entering the two directives in the http context, # save and close the file. # fastcgi_cache_key "$scheme$request_method$host$request_uri"; # Nginx can deliver stale content from its cache when it can’t get updated content # from the upstream PHP-FPM server. For example, when MySQL/MariaDB database # server is down. Rather than relay the error to clients, Nginx can deliver the # stale version of the file from its cache. To enable this functionality, we added # the fastcgi_cache_use_stale directive. # fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503; # Set 60 minutes of caching for responses with codes 200 and 302 # and 1 minute for responses with code 404. # fastcgi_cache_valid 200 302 301 60m; fastcgi_cache_valid 404 1m; # Send request to upstream PHP-FPM server (bypass cache) # Don't save to cache based on $skip_cache # # See above for skip_cache setting # fastcgi_cache_bypass $skip_cache; fastcgi_no_cache $skip_cache; # If multiple clients request a file that is not current in the cache, # only the first of those requests is allowed through to the upstream # PHP-FPM server. The remaining requests wait for that request to be # satisified and then pull the file form the cache. Without # fastcgi_cache_lock enabled, all requests go straight to the upstream # PHP-FPM server. # fastcgi_cache_lock on; # adds the X-FastCGI-Cache header in HTTP response. It can be used to # validate whether the request has been served from the FastCGI cache or not. # add_header X-Cache-Status $upstream_cache_status; add_header X-Cache-Key "$scheme$request_method$host$request_uri"; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # add_header Strict-Transport-Security "max-age=31536000" always; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN" always; add_header Content-Security-Policy "default-src 'self';" always; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Permissions-Policy "usb=()"; } # --- # purging cache # --- location ~ /purge(/.*) { allow 127.0.0.1; allow ::1; deny all; fastcgi_cache_purge @CACHE_ZONE@ "$scheme$request_method$host$1"; } # clean all cache from local console: # # curl --interface "127.0.0.1" https://etventure.oopen.de/purge-all # location /purge-all { allow 127.0.0.1; allow ::1; deny all; root @WEB_BASEDIR@/purger; # Use upstream fastcgi_pass @UPSTREAM_PHP_FPM@; include fastcgi_params; fastcgi_param SCRIPT_FILENAME "@WEB_BASEDIR@/purger/purge.php"; fastcgi_param SCRIPT_NAME "purge.php"; # Hardcoded Environment used by script 'purge.php' fastcgi_param PURGE_PATH "@CACHE_PATH@"; } location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { rewrite ^ /index.php; access_log off; log_not_found off; } location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires max; log_not_found off; } access_log /var/log/nginx/@WEBSITE_NAME@-access.log; error_log /var/log/nginx/@WEBSITE_NAME@-error.log; #auth_basic "Install Area"; #auth_basic_user_file ; }