Changes specific to empirereportnewyork.com

Fet/php upstream

README.md

@@ -13,6 +13,26 @@ Looking for a modern hosting environment provisioned using Ansible? Check out [W
 
 ## Usage
 
+### PHP configuration
+
+The php-fpm pool configuration is located in `global/php-pool.conf` and defaults to PHP 7.1.  It will need modified if you want the default php-fpm pool service to be a different PHP version.  Additional PHP version upstream definitions can be added to the `/upstreams` folder (a PHP 7.0 sample is provided there).  You can either use the default pool using `$upstream` in your nginx configurations or the specific upstream definition (i.e. php71, php70) setup by your custom upstream definitions.
+
+For example, currently the nginx configuration for `singlesite.com` has the following set for php requests:
+
+```
+fastcgi_pass    $upstream
+```
+
+You could change that to the following to use the php 7.0 php service instead (assuming that php7.0-fpm service is running).
+
+```
+fastcgi_pass    php70
+```
+
+This effectively allows you to have different server blocks execute different versions of PHP if needed.
+
+### Site configuration
+
 You can use these sample configurations as reference or directly by replacing your existing nginx directory. Follow the steps below to replace your existing nginx configuration.
 
 Backup any existing config:

conf.d/.gitignore

@@ -1,2 +1,3 @@
 # Ignore custom module config
 /*
+!.gitignore

global/http.conf

@@ -6,3 +6,17 @@ tcp_nopush on;
 
 # Don't wait to send data in keep-alive state.
 tcp_nodelay on;
+
+
+map $http_user_agent $user_type {
+   default "desktop";
+   # Android
+   "~Mozilla/5.0 \(Linux; Android" mobile;
+   # Opera
+   "~Opera Mini" mobile;
+   # iOS
+   "~Mozilla/5.0 \(iPhone" mobile;
+   # Windows Phone
+   "~Mozilla/5.0 \(Windows Phone" mobile;
+}
+

global/php-pool.conf

@@ -0,0 +1,13 @@
+# Upstream to abstract backend connection(s) for PHP.
+# Additional upstreams can be added to /etc/nginx/upstreams/*.conf and then you just
+# change `default php71` to whatever the new upstream is (could be php70 for example).
+
+#upstream php71 {
+#	server unix:/run/php/php7.1-fpm.sock;
+#}
+
+include /etc/nginx/upstreams/*.conf;
+
+map '' $upstream {
+	default php81;
+}

global/server/defaults.conf

@@ -9,3 +9,5 @@ include global/server/security.conf;
 
 # Static Content
 include global/server/static-files.conf;
+rewrite /sitemap_index.xml$ /index.php?sitemap=1 last;
+rewrite /([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

global/server/fastcgi-cache.conf

@@ -1,18 +1,21 @@
 # The key to use when saving cache files, which will run through the MD5 hashing algorithm.
-fastcgi_cache_key "$scheme$request_method$host$request_uri";
+fastcgi_cache_key "$scheme$request_method$host$user_type$request_uri";
 
 # If an error occurs when communicating with FastCGI server, return cached content.
 # Useful for serving cached content if the PHP process dies or timeouts.
-fastcgi_cache_use_stale error timeout invalid_header http_500;
+fastcgi_cache_use_stale error timeout updating invalid_header http_500;
 
 # Allow caching of requests which contain the following headers.
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 
 # Show the cache status in server responses.
 add_header Fastcgi-Cache $upstream_cache_status;
+add_header Fastcgi-Cache-Skip $skip_reason;
+add_header REQUEST_URI $request_uri;
 
 # Don't skip by default
 set $skip_cache 0;
+set $skip_reason "";
 
 # POST requests and urls with a query string should always go to PHP
 if ($request_method = POST) {
@@ -21,14 +24,32 @@ if ($request_method = POST) {
 
 if ($query_string != "") {
 	set $skip_cache 1;
+	set $skip_reason "QueryString${skip_reason}";
 }
 
 # Don't cache uris containing the following segments
 if ($request_uri ~* "/wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
 	set $skip_cache 1;
+	set $skip_reason "URI${skip_reason}";
 }
 
 # Don't use the cache for logged in users or recent commenters
 if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
 	set $skip_cache 1;
+	set $skip_reason "LoggedIn${skip_reason}";
+}
+
+if ($request_uri ~* "/store.*|/cart.*|/my-account.*|/checkout.*|/addons.*") {
+	set $skip_cache 1;
+	set $skip_reason "Store${skip_reason}";
+}
+
+if ( $arg_add-to-cart != "" ) {
+	set $skip_cache 1;
+	set $skip_reason "AddToCard${skip_reason}";
+}
+
+if ( $cookie_woocommerce_items_in_cart != "" ) {
+	set $skip_cache 1;
+	set $skip_reason "ItemsInCart${skip_reason}";
 }

global/server/ssl.conf

@@ -2,7 +2,7 @@
 # and recommend further improvements.
 
 # Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
 
 # Use secure ciphers
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
@@ -21,3 +21,9 @@ add_header Strict-Transport-Security "max-age=31536000;";
 # The default key used by DHE is weak and it's recommended to use a 2048 bit key.
 # Uncomment this line if you have generated a custom key using `cd /etc/ssl/; sudo openssl dhparam -out dhparams.pem 2048`
 # ssl_dhparam /etc/ssl/dhparams.pem;
+
+
+# By default, the buffer size is 16k, which corresponds to minimal overhead when
+# sending big responses. To minimize Time To First Byte it may be beneficial to
+# use smaller values.
+ssl_buffer_size 4k;

global/server/static-files.conf

@@ -1,32 +1,40 @@
 # Don't cache appcache, document html and data.
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
-	expires -1;
+	expires 0;
 }
 
 # Cache RSS and Atom feeds.
 location ~* \.(?:rss|atom)$ {
 	expires 1h;
-	add_header Cache-Control "public";
 }
 
 # Caches images, icons, video, audio, HTC, etc.
-location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
 	expires 1y;
-	add_header Cache-Control "public";
+	access_log off;
+}
 
-	# Comment out these lines if you wish to record access/error logs for static files.
-	log_not_found off;
-    access_log off;
+# Cache svgz files, but don't compress them.
+location ~* \.svgz$ {
+	expires 1y;
+	access_log off;
+	gzip off;
 }
 
 # Cache CSS and JavaScript.
 location ~* \.(?:css|js)$ {
 	expires 1y;
-	add_header Cache-Control "public";
+	access_log off;
+}
+
+# Cache WebFonts.
+location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
+	expires 1y;
+	access_log off;
 }
 
 # Don't record access/error logs for robots.txt.
 location = /robots.txt {
-	log_not_found off;
 	access_log off;
+	log_not_found off;
 }

modules-available

@@ -0,0 +1 @@
+/usr/share/nginx/modules

nginx.conf

@@ -12,6 +12,8 @@ worker_rlimit_nofile 8192;
 # File that stores the process ID. Rarely needs changing.
 pid /run/nginx.pid;
 
+load_module modules/ngx_http_cache_purge_module.so;
+
 events {
 	# Set the maximum number of connection each worker process can open. Anything higher than this
 	# will require Unix optimisations.
@@ -32,10 +34,10 @@ http {
 	# Limits & Timeouts
 	include global/limits.conf;
 
-    # Some WP plugins that push large amounts of data via cookies
-    # can cause 500 HTTP erros if these values aren't increased.
-    fastcgi_buffers 16 16k;
-    fastcgi_buffer_size 32k;
+	# Some WP plugins that push large amounts of data via cookies
+	# can cause 500 HTTP errors if these values aren't increased.
+	fastcgi_buffers 16 16k;
+	fastcgi_buffer_size 32k;
 
 	# Default Logs
 	error_log /var/log/nginx/error.log warn;
@@ -44,6 +46,9 @@ http {
 	# Gzip
 	include global/gzip.conf;
 
+	# exposes configured php pool on $upstream variable
+	include global/php-pool.conf;
+
 	# Modules
 	include /etc/nginx/conf.d/*.conf;
 

sites-available/fastcgi-cache.com

@@ -35,10 +35,9 @@ server {
 		try_files $uri =404;
 		include global/fastcgi-params.conf;
 
-		# Change socket if using PHP pools or different PHP version
-		fastcgi_pass unix:/run/php/php7.1-fpm.sock;
-		#fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-		#fastcgi_pass unix:/var/run/php5-fpm.sock;
+		# Use the php pool defined in the upstream variable.
+		# See global/php-pool.conf for definition.
+		fastcgi_pass   $upstream;
 
 		# Skip cache based on rules in global/server/fastcgi-cache.conf.
 		fastcgi_cache_bypass $skip_cache;
@@ -51,8 +50,8 @@ server {
 		fastcgi_cache_valid 60m;
 	}
 
-    # Rewrite robots.txt
-    rewrite ^/robots.txt$ /index.php last;
+	# Rewrite robots.txt
+	rewrite ^/robots.txt$ /index.php last;
 
 	# Uncomment if using the fastcgi_cache_purge module and Nginx Helper plugin (https://wordpress.org/plugins/nginx-helper/)
 	# location ~ /purge(/.*) {

sites-available/multisite-subdirectory.com

@@ -30,14 +30,13 @@ server {
 		try_files $uri =404;
 		include global/fastcgi-params.conf;
 
-		# Change socket if using PHP pools or different PHP version
-        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
-        #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+		# Use the php pool defined in the upstream variable.
+		# See global/php-pool.conf for definition.
+		fastcgi_pass   $upstream;
 	}
 
-    # Rewrite robots.txt
-    rewrite ^/robots.txt$ /index.php last;
+	# Rewrite robots.txt
+	rewrite ^/robots.txt$ /index.php last;
 }
 
 # Redirect www to non-www

sites-available/multisite-subdomain.com

@@ -27,14 +27,13 @@ server {
 		try_files $uri =404;
 		include global/fastcgi-params.conf;
 
-		# Change socket if using PHP pools or different PHP version
-        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
-        #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+		# Use the php pool defined in the upstream variable.
+		# See global/php-pool.conf for definition.
+		fastcgi_pass   $upstream;
 	}
 
-    # Rewrite robots.txt
-    rewrite ^/robots.txt$ /index.php last;
+	# Rewrite robots.txt
+	rewrite ^/robots.txt$ /index.php last;
 }
 
 # Redirect www to non-www

sites-available/singlesite.com

@@ -27,14 +27,13 @@ server {
 		try_files $uri =404;
 		include global/fastcgi-params.conf;
 
-		# Change socket if using PHP pools or different PHP version
-        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
-        #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+		# Use the php pool defined in the upstream variable.
+		# See global/php-pool.conf for definition.
+		fastcgi_pass   $upstream;
 	}
 
-    # Rewrite robots.txt
-    rewrite ^/robots.txt$ /index.php last;
+	# Rewrite robots.txt
+	rewrite ^/robots.txt$ /index.php last;
 }
 
 # Redirect www to non-www

sites-available/ssl-fastcgi-cache.com

@@ -16,7 +16,7 @@ server {
 
 	# Paths to certificate files.
 	ssl_certificate /etc/letsencrypt/live/ssl-fastcgi-cache.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/ssl-fastcgi-cache.com/privkey.pem;
+	ssl_certificate_key /etc/letsencrypt/live/ssl-fastcgi-cache.com/privkey.pem;
 
 	# File to be used as index
 	index index.php;
@@ -42,10 +42,9 @@ server {
 		try_files $uri =404;
 		include global/fastcgi-params.conf;
 
-		# Change socket if using PHP pools or different PHP version
-        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
-        #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+		# Use the php pool defined in the upstream variable.
+		# See global/php-pool.conf for definition.
+		fastcgi_pass   $upstream;
 
 		# Skip cache based on rules in global/server/fastcgi-cache.conf.
 		fastcgi_cache_bypass $skip_cache;
@@ -58,8 +57,8 @@ server {
 		fastcgi_cache_valid 60m;
 	}
 
-    # Rewrite robots.txt
-    rewrite ^/robots.txt$ /index.php last;
+	# Rewrite robots.txt
+	rewrite ^/robots.txt$ /index.php last;
 
 	# Uncomment if using the fastcgi_cache_purge module and Nginx Helper plugin (https://wordpress.org/plugins/nginx-helper/)
 	# location ~ /purge(/.*) {

sites-available/ssl.com

@@ -10,8 +10,8 @@ server {
 	root /sites/ssl.com/public;
 
 	# Paths to certificate files.
-    ssl_certificate /etc/letsencrypt/live/ssl.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/ssl.com/privkey.pem;
+	ssl_certificate /etc/letsencrypt/live/ssl.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/ssl.com/privkey.pem;
 
 	# File to be used as index
 	index index.php;
@@ -34,14 +34,13 @@ server {
 		try_files $uri =404;
 		include global/fastcgi-params.conf;
 
-		# Change socket if using PHP pools or different PHP version
-        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
-        #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+		# Use the php pool defined in the upstream variable.
+		# See global/php-pool.conf for definition.
+		fastcgi_pass   $upstream;
 	}
 
-    # Rewrite robots.txt
-    rewrite ^/robots.txt$ /index.php last;
+	# Rewrite robots.txt
+	rewrite ^/robots.txt$ /index.php last;
 }
 
 # Redirect http to https

sites-enabled/.gitignore

@@ -1,2 +1,3 @@
 # Ignore everything in sites-enabled directory
 /*
+!.gitignore

upstreams/php70.conf

@@ -0,0 +1,4 @@
+# Defines the upstream for PHP 7.0
+upstream php70 {
+	server unix:/run/php/php7.0-fpm.sock;
+}

upstreams/php73.conf

@@ -0,0 +1,4 @@
+# Defines the upstream for PHP 7.3
+upstream php73 {
+	server unix:/run/php/php7.3-fpm.sock;
+}

upstreams/php74.conf

@@ -0,0 +1,4 @@
+# Defines the upstream for PHP 7.0
+upstream php74 {
+        server unix:/run/php/php7.4-fpm.sock;
+}

upstreams/php81.conf

@@ -0,0 +1,4 @@
+# Defines the upstream for PHP 7.0
+upstream php81 {
+        server unix:/run/php/php8.1-fpm.sock;
+}