empire-report-ny/wordpress-nginx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

First commit

Browse Source
This commit is contained in:
Ashley Rich 2015-11-16 15:48:18 +00:00
commit 32ce7aeed3
15 changed files with 517 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
global/cache.conf Normal file
View File

@ -0,0 +1,22 @@
# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
}
# Feed
location ~* \.(?:rss|atom)$ {
expires 1h;
add_header Cache-Control "public";
}
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1y;
add_header Cache-Control "public";
}
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
add_header Cache-Control "public";
}

24
global/fastcgi-params.conf Normal file
View File

@ -0,0 +1,24 @@
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

50
global/gzip.conf Normal file
View File

@ -0,0 +1,50 @@
# Enable Gzip compression.
gzip on;
# Disable Gzip on IE6.
gzip_disable "msie6";
# Allow proxies to cache both compressed and regular version of file.
# Avoids clients that don't support Gzip outputting gibberish.
gzip_vary on;
# Compress data, even when the client connects through a proxy.
gzip_proxied any;
# The level of compression to apply to files. A higher compression level increases
# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
gzip_comp_level 5;
# The minimum HTTP version of a request to perform compression.
gzip_http_version 1.1;
# Don't compress files smaller than 256 bytes, as size reduction will be negligible.
gzip_min_length: 256;
# Compress the following MIME types.
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# text/html is always compressed when enabled.

8
global/http.conf Normal file
View File

@ -0,0 +1,8 @@
# Speed up file transfer by using sendfile().
sendfile on;
# Don't send partial frames, which increases throughput.
tcp_nopush on;
# Don't wait to send data in keep-alive state.
tcp_nodelay on;

15
global/limits.conf Normal file
View File

@ -0,0 +1,15 @@
# How long each connection should stay open for.
keepalive_timeout 15;
# Timeout for reading client request body.
client_body_timeout 30;
# Timeout for reading client request header.
client_header_timeout 30;
# Timeout for transmitting reponse to client.
send_timeout 30;
# Set the maximum allowed size of client request body. This should be set
# to the value of files sizes you wish to upload to the WordPress Media Library.
client_max_body_size 64m;

23
global/logs.conf Normal file
View File

@ -0,0 +1,23 @@
# Default error log file. Only used when you don't override error_log in the server block.
error_log /var/log/nginx/error.log warn;
# Default access log file. Only used when you don't override access_log in the server block.
access_log /var/log/nginx/access.log;
# Don't record error/access logs for favicon.io.
location = /favicon.ico {
log_not_found off;
access_log off;
}
# Don't record error/access logs for robots.txt.
location = /robots.txt {
log_not_found off;
access_log off;
}
# Don't record error/access logs for static assets.
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|css|js)$ {
log_not_found off;
access_log off;
}

88
global/mime-types.conf Normal file
View File

@ -0,0 +1,88 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}

29
global/security.conf Normal file
View File

@ -0,0 +1,29 @@
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Hide Nginx version in error messages and reponse headers.
server_tokens off;
# Don't allow pages to be rendered in an iframe on external domains.
add_header X-Frame-Options "SAMEORIGIN" always;
# MIME sniffing prevention
add_header X-Content-Type-Options "nosniff" always;
# Enable cross-site scripting filter in supported browsers.
add_header X-Xss-Protection "1; mode=block" always;
# Whitelist sources which are allowed to load assets (JS, CSS, etc). The following will block
# only none HTTPS assets, but check out https://scotthelme.co.uk/content-security-policy-an-introduction/
# for an in-depth guide on creating a more restrictive policy.
# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

53
nginx.conf Normal file
View File

@ -0,0 +1,53 @@
# The user account used by the worker processes. If following along with Hosting WordPress Yourself,
# it's recommened to set this to your username, but only when running a single user access server.
# https://deliciousbrains.com/hosting-wordpress-yourself-nginx-php-mysql/
user www-data;
# Set to number of CPU cores, auto will try to autodetect.
worker_processes auto;
# Maximum open file descriptors per process. Should be greater than worker_connections.
worker_rlimit_nofile 8192;
# File that stores the process ID. Rarely needs changing.
pid /run/nginx.pid;
events {
# Set the maximum number of connection each worker process can open
worker_connections 8000;
# Accept all new connections at a time
multi_accept on;
}
http {
# HTTP
include global/http.conf;
# MIME Types
include global/mime-types.conf;
default_type application/octet-stream;
# Limits & Timeouts
include global/limits.conf;
# Logs
include global/logs.conf;
# Gzip
include global/gzip.conf;
# Cache Static Content
include global/cache.conf;
# Security
include global/security.conf;
# Modules
include /etc/nginx/conf.d/*.conf;
# Sites
include /etc/nginx/sites-enabled/*;
}

34
per-site/fastcgi-cache.conf Normal file
View File

@ -0,0 +1,34 @@
# The key to use when saving cache files, which will run through the MD5 hashing algorithm.
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# If an error occurs when communicating with FastCGI server, return cached content.
# Useful for serving cached content if the PHP process dies or timeouts.
fastcgi_cache_use_stale error timeout invalid_header http_500;
# Allow caching of requests which contain the following headers.
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# Show the cache status in server responses.
add_header Fastcgi-Cache $upstream_cache_status;
# Don't skip by default
set $skip_cache 0;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $skip_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
# Don't cache uris containing the following segments
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}

20
per-site/ssl.conf Normal file
View File

@ -0,0 +1,20 @@
# Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Use secure ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# Define the size of the SSL session cache in MBs.
ssl_session_cache shared:SSL:10m;
# Define the time in minutes to cache SSL sessions.
ssl_session_timeout 1h;
# Use HTTPS exclusively for 1 year, uncomment one. Second line applies to subdomains.
add_header Strict-Transport-Security "max-age=31536000;";
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# The default key used by DHE is weak and it's recommended to use a 2048 bit key.
# Uncomment this line if you have generated a custom key using `cd /etc/ssl/; sudo openssl dhparam -out dhparams.pem 2048`
# ssl_dhparam /etc/ssl/dhparams.pem;

6
sites-available/default Normal file
View File

@ -0,0 +1,6 @@
server {
listen 80 default_server;
server_name _;
return 444;
}

55
sites-available/fastcgi-cache.com Normal file
View File

@ -0,0 +1,55 @@
# Define path to cache and memory zone.
# keys_zone=fastcgi-cache.com:100m creates the memory zone and sets the maximum size in MBs.
# inactive=60m will remove cached items that haven't been accessed for 60 minutes or more.
fastcgi_cache_path /sites/fastcgi-cache.com/cache levels=1:2 keys_zone=fastcgi-cache.com:100m inactive=60m;
server {
# Ports to listen on
listen: 80;
# Server name to listen for
server_name fastcgi-cache.com;
# Path to document root
root /sites/fastcgi-cache.com/public;
# File to be used as index
index index.php;
# Overrides logs defined in global/logs.conf, allows per site logs.
access_log /sites/fastcgi-cache.com/logs/access.log;
error_log /sites/fastcgi-cache.com/logs/error.log;
# Fastcgi cache rules
include per-site/fastcgi-cache.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include global/fastcgi-params.conf;
# Change socket if using PHP pools
fastcgi_pass unix:/var/run/php5-fpm.sock;
# Skip cache based on rules in per-site/fastcgi-cache.conf.
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
# Define memory zone for caching. Should match key_zone in fastcgi_cache_path above.
fastcgi_cache fastcgi-cache.com;
# Define caching time.
fastcgi_cache_valid 60m;
}
}
# Redirect www to non-www
server {
listen 80;
server_name: www.fastcgi-cache.com;
return 301 $scheme://fastcgi-cache.com$request_uri;
}

37
sites-available/simple.com Normal file
View File

@ -0,0 +1,37 @@
server {
# Ports to listen on
listen: 80;
# Server name to listen for
server_name simple.com;
# Path to document root
root /sites/simple.com/public;
# File to be used as index
index index.php;
# Overrides logs defined in global/logs.conf, allows per site logs.
access_log /sites/simple.com/logs/access.log;
error_log /sites/simple.com/logs/error.log;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include global/fastcgi-params.conf;
# Change socket if using PHP pools
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
}
# Redirect www to non-www
server {
listen 80;
server_name: www.simple.com;
return 301 $scheme://simple.com$request_uri;
}

53
sites-available/ssl.com Normal file
View File

@ -0,0 +1,53 @@
server {
# Ports to listen on, uncomment one.
listen 443 ssl;
# listen 443 ssl http2;
# Server name to listen for
server_name ssl.com;
# Path to document root
root /sites/ssl.com/public;
# Paths to certificate files.
ssl_certificate /etc/ssl/ssl.com.crt;
ssl_certificate_key /etc/ssl/ssl.com.key;
# File to be used as index
index index.php;
# Overrides logs defined in global/logs.conf, allows per site logs.
access_log /sites/ssl.com/logs/access.log;
error_log /sites/ssl.com/logs/error.log;
# SSL rules
include per-site/ssl.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include global/fastcgi-params.conf;
# Change socket if using PHP pools
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
}
# Redirect http to https
server {
listen 80;
server_name: ssl.com www.ssl.com;
return 301 https://ssl.com$request_uri;
}
# Redirect www to non-www
server {
listen 443;
server_name: www.ssl.com;
return 301 https://ssl.com$request_uri;
}