install/nginx
0
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7c696cba68
nginx/example/wp-fastcgi_cache.conf

281 lines
8.4 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# -- @WEBSITE_NAME@
# @WEBSITE_NAME@ www.etventure.com
# @DOMAIN.TLD@ etventure.com
#
# @WEB_BASEDIR@ /var/www/@DOMAIN.TLD@/
#
# @DOCUMENT_ROOT@ @WEB_BASEDIR@/htdocs
#
# @CACHE_ZONE@ main
# @CACHE_PATH@ /@WEB_BASEDIR@/cache/
#
# @UPSTREAM_PHP_FPM@ php-7.4-fpm - see dir 'conf.d/php-7.4-fpm.conf'
#
# @DOCUMENT_ROOT_PURGER@ @WEB_BASEDIR@/purger
# ---
# mkdir -p @WEB_BASEDIR@/{htdocs,purger,cache}
#
# NGINX_USER=www-data
# NGINX_GROUP=www-data
#
# SITE_USER=<username-if-change-rooted else $NGINX_USER>
# SITE_GROUP=<groupname-if-change-rooted else $NGINX_GROUP>
#
# chown $NGINX_USER:${NGINX_GROUP}
# ---
#upstream ev-stage.php-7.4-fpm {
# server unix:/tmp/php-7.4-fpm.www.sock;
#}
fastcgi_cache_path @CACHE_PATH@ use_temp_path=off levels=1:2 keys_zone=@CACHE_ZONE@:256m max_size=512m inactive=60m;
server {
listen 80;
listen [::]:80;
server_name @WEBSITE_NAME@;
return 301 https://$host$request_uri;
}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name @WEBSITE_NAME@;
root @DOCUMENT_ROOT@;
# Add index.php to the list if you are using PHP
#
index index.php index.html index.htm;
# Include location directive for Let's Encrypt ACME Challenge
#
# Needed for (automated) updating certificate
#
include snippets/letsencrypt-acme-challenge.conf;
ssl on;
ssl_certificate /var/lib/dehydrated/certs/@WEBSITE_NAME@/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/@WEBSITE_NAME@/privkey.pem;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#
# To generate a dhparam.pem file, run in a terminal
# openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
#
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Eable session resumption to improve https performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
ssl_session_tickets off;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
# omit SSLv3 because of POODLE
# omit TLSv1 TLSv1.1
ssl_protocols TLSv1.2 TLSv1.3;
# ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
# Everything better than SHA1 (deprecated)
#
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "default-src 'self';" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "usb=()";
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
location ~ /\.git {
deny all;
}
location ~ /\.htaccess {
deny all;
}
set $skip_cache 0;
if ($request_method = POST) {
set $skip_cache 1;
}
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $skip_cache 1;
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
if (!-e $request_filename) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
}
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location ~ \.php$ {
try_files $uri = 404;
fastcgi_index index.php;
# Use upstream
#
fastcgi_pass @UPSTREAM_PHP_FPM@;
include fastcgi_params;
fastcgi_param HTTPS on;
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_read_timeout 12000;
# ---
# fastcgi cache related
# ---
# Defines a shared memory zone used for caching.
#
fastcgi_cache @CACHE_ZONE@;
# The directive fastcgi_cache_key defines the key for cache lookup. Nginx will
# apply a MD5sum hash function on the cache key and uses the hash result as
# the name of cache files. After entering the two directives in the http context,
# save and close the file.
#
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# Nginx can deliver stale content from its cache when it cant get updated content
# from the upstream PHP-FPM server. For example, when MySQL/MariaDB database
# server is down. Rather than relay the error to clients, Nginx can deliver the
# stale version of the file from its cache. To enable this functionality, we added
# the fastcgi_cache_use_stale directive.
#
fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
# Set 60 minutes of caching for responses with codes 200 and 302
# and 1 minute for responses with code 404.
#
fastcgi_cache_valid 200 302 301 60m;
fastcgi_cache_valid 404 1m;
# Send request to upstream PHP-FPM server (bypass cache)
# Don't save to cache based on $skip_cache
#
# See above for skip_cache setting
#
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
# If multiple clients request a file that is not current in the cache,
# only the first of those requests is allowed through to the upstream
# PHP-FPM server. The remaining requests wait for that request to be
# satisified and then pull the file form the cache. Without
# fastcgi_cache_lock enabled, all requests go straight to the upstream
# PHP-FPM server.
#
fastcgi_cache_lock on;
# adds the X-FastCGI-Cache header in HTTP response. It can be used to
# validate whether the request has been served from the FastCGI cache or not.
#
add_header X-Cache-Status $upstream_cache_status;
add_header X-Cache-Key "$scheme$request_method$host$request_uri";
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "default-src 'self';" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "usb=()";
}
# ---
# purging cache
# ---
location ~ /purge(/.*) {
allow 127.0.0.1;
allow ::1;
deny all;
fastcgi_cache_purge @CACHE_ZONE@ "$scheme$request_method$host$1";
}
# clean all cache from local console:
#
# curl --interface "127.0.0.1" https://etventure.oopen.de/purge-all
#
location /purge-all {
allow 127.0.0.1;
allow ::1;
deny all;
root @WEB_BASEDIR@/purger;
# Use upstream
fastcgi_pass @UPSTREAM_PHP_FPM@;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME "@WEB_BASEDIR@/purger/purge.php";
fastcgi_param SCRIPT_NAME "purge.php";
# Hardcoded Environment used by script 'purge.php'
fastcgi_param PURGE_PATH "@CACHE_PATH@";
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
rewrite ^ /index.php;
access_log off;
log_not_found off;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
access_log /var/log/nginx/@WEBSITE_NAME@-access.log;
error_log /var/log/nginx/@WEBSITE_NAME@-error.log;
#auth_basic "Install Area";
#auth_basic_user_file <path-to-dot-htpasswd-file>;
}
Reference in New Issue View Git Blame Copy Permalink