120 lines
3.4 KiB
Plaintext
120 lines
3.4 KiB
Plaintext
# - <FQHN-wp-site>
|
|
|
|
server {
|
|
|
|
listen 80;
|
|
listen [::]:80;
|
|
|
|
server_name <FQHN-wp-site>;
|
|
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
server {
|
|
|
|
listen [::]:443 ssl;
|
|
listen 443 ssl;
|
|
|
|
server_name <FQHN-wp-site>;
|
|
|
|
root /var/www/<DOMAIN.TLD-wp-site>/htdocs;
|
|
|
|
# Add index.php to the list if you are using PHP
|
|
#
|
|
index index.php index.html index.htm;
|
|
|
|
# Include location directive for Let's Encrypt ACME Challenge
|
|
#
|
|
# Needed for (automated) updating certificate
|
|
#
|
|
include snippets/letsencrypt-acme-challenge.conf;
|
|
|
|
ssl on;
|
|
|
|
ssl_certificate /var/lib/dehydrated/certs/<FQHN-wp-site>/fullchain.pem;
|
|
ssl_certificate_key /var/lib/dehydrated/certs/<FQHN-wp-site>/privkey.pem;
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
|
#
|
|
# To generate a dhparam.pem file, run in a terminal
|
|
# openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
|
|
#
|
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
|
|
|
# Eable session resumption to improve https performance
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_tickets off;
|
|
|
|
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
|
|
# omit SSLv3 because of POODLE
|
|
# omit TLSv1 TLSv1.1
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
|
|
# ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
|
|
# Everything better than SHA1 (deprecated)
|
|
#
|
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
|
#
|
|
add_header Strict-Transport-Security max-age=15768000;
|
|
|
|
# OCSP Stapling ---
|
|
# fetch OCSP records from URL in ssl_certificate and cache them
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
location = /favicon.ico {
|
|
log_not_found off;
|
|
access_log off;
|
|
}
|
|
|
|
location = /robots.txt {
|
|
allow all;
|
|
log_not_found off;
|
|
access_log off;
|
|
}
|
|
|
|
location / {
|
|
# This is cool because no php is touched for static content.
|
|
# include the "?$args" part so non-default permalinks doesn't break when using query string
|
|
try_files $uri $uri/ /index.php?$args;
|
|
}
|
|
|
|
location ~ \.php$ {
|
|
|
|
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
|
|
fastcgi_intercept_errors on;
|
|
|
|
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
|
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
|
|
# Bypass the fact that try_files resets $fastcgi_path_info
|
|
# see: http://trac.nginx.org/nginx/ticket/321
|
|
set $path_info $fastcgi_path_info;
|
|
fastcgi_param PATH_INFO $path_info;
|
|
|
|
fastcgi_index index.php;
|
|
|
|
# Use PHP-FPM socket directly
|
|
#
|
|
#fastcgi_pass unix:/tmp/php-7.4-fpm.www.sock;
|
|
|
|
# Use upstream
|
|
#
|
|
fastcgi_pass php-7.4-fpm;
|
|
|
|
include fastcgi_params;
|
|
#The following parameter can be also included in fastcgi_params file
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
|
}
|
|
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
|
|
expires max;
|
|
log_not_found off;
|
|
}
|
|
}
|