From 32ce7aeed34914a4ffc9c6335b47ada8e5ac2151 Mon Sep 17 00:00:00 2001
From: Ashley Rich
Date: Mon, 16 Nov 2015 15:48:18 +0000
Subject: [PATCH] First commit

---
global/cache.conf | 22 ++++++++
global/fastcgi-params.conf | 24 +++++++++
global/gzip.conf | 50 ++++++++++++++++++
global/http.conf | 8 +++
global/limits.conf | 15 ++++++
global/logs.conf | 23 ++++++++
global/mime-types.conf | 88 +++++++++++++++++++++++++++++++
global/security.conf | 29 ++++++++++
nginx.conf | 53 +++++++++++++++++++
per-site/fastcgi-cache.conf | 34 ++++++++++++
per-site/ssl.conf | 20 +++++++
sites-available/default | 6 +++
sites-available/fastcgi-cache.com | 55 +++++++++++++++++++
sites-available/simple.com | 37 +++++++++++++
sites-available/ssl.com | 53 +++++++++++++++++++
15 files changed, 517 insertions(+)
create mode 100644 global/cache.conf
create mode 100644 global/fastcgi-params.conf
create mode 100644 global/gzip.conf
create mode 100644 global/http.conf
create mode 100644 global/limits.conf
create mode 100644 global/logs.conf
create mode 100644 global/mime-types.conf
create mode 100644 global/security.conf
create mode 100644 nginx.conf
create mode 100644 per-site/fastcgi-cache.conf
create mode 100644 per-site/ssl.conf
create mode 100644 sites-available/default
create mode 100644 sites-available/fastcgi-cache.com
create mode 100644 sites-available/simple.com
create mode 100644 sites-available/ssl.com

diff --git a/global/cache.conf b/global/cache.conf
new file mode 100644
index 0000000..d27c56c
--- /dev/null
+++ b/global/cache.conf
@@ -0,0 +1,22 @@
+# cache.appcache, your document html and data
+location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+ expires -1;
+}
+
+# Feed
+location ~* \.(?:rss|atom)$ {
+ expires 1h;
+ add_header Cache-Control "public";
+}
+
+# Media: images, icons, video, audio, HTC
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+ expires 1y;
+ add_header Cache-Control "public";
+}
+
+# CSS and Javascript
+location ~* \.(?:css|js)$ {
+ expires 1y;
+ add_header Cache-Control "public";
+}
\ No newline at end of file
diff --git a/global/fastcgi-params.conf b/global/fastcgi-params.conf
new file mode 100644
index 0000000..e5c2f5a
--- /dev/null
+++ b/global/fastcgi-params.conf
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
\ No newline at end of file
diff --git a/global/gzip.conf b/global/gzip.conf
new file mode 100644
index 0000000..4176883
--- /dev/null
+++ b/global/gzip.conf
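Review bot: The `add_header Cache-Control "public";` lines inside the feed, media and CSS/JS locations will make those responses lose the X-Frame-Options, X-Content-Type-Options and X-Xss-Protection headers that global/security.conf sets at an outer level, because nginx only inherits add_header from the enclosing level when the current level defines none. The same drop affects every response of a server that includes per-site/fastcgi-cache.conf (`add_header Fastcgi-Cache`) or per-site/ssl.conf (the Strict-Transport-Security header). The safest fix is to move the three security add_header lines into their own snippet and include it in each location or server block that adds a header of its own; at minimum a comment here should warn the next editor, e.g. `# add_header here replaces, not extends, headers inherited from the http level; repeat the security headers from global/security.conf.`.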
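Review bot: The parameter list never sets SCRIPT_FILENAME, and none of the site files that include it (sites-available/simple.com, fastcgi-cache.com, ssl.com) set it either, so PHP-FPM receives no script path and requests to the `location ~ \.php$` blocks are expected to fail with a "primary script unknown" style error. Add `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` next to the SCRIPT_NAME line. Together with the `try_files $uri =404;` guard already present in the site files this keeps requests for non-existent scripts from ever being handed to PHP-FPM.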
@@ -0,0 +1,50 @@
+# Enable Gzip compression.
+gzip on;
+
+# Disable Gzip on IE6.
+gzip_disable "msie6";
+
+# Allow proxies to cache both compressed and regular version of file.
+# Avoids clients that don't support Gzip outputting gibberish.
+gzip_vary on;
+
+# Compress data, even when the client connects through a proxy.
+gzip_proxied any;
+
+# The level of compression to apply to files. A higher compression level increases
+# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
+gzip_comp_level 5;
+
+# The minimum HTTP version of a request to perform compression.
+gzip_http_version 1.1;
+
+# Don't compress files smaller than 256 bytes, as size reduction will be negligible.
+gzip_min_length: 256;
+
+# Compress the following MIME types.
+gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy;
+ # text/html is always compressed when enabled.
\ No newline at end of file
diff --git a/global/http.conf b/global/http.conf
new file mode 100644
index 0000000..faf1e6d
--- /dev/null
+++ b/global/http.conf
@@ -0,0 +1,8 @@
+# Speed up file transfer by using sendfile().
+sendfile on;
+
+# Don't send partial frames, which increases throughput.
+tcp_nopush on;
+
+# Don't wait to send data in keep-alive state.
+tcp_nodelay on;
\ No newline at end of file
diff --git a/global/limits.conf b/global/limits.conf
new file mode 100644
index 0000000..6284df7
--- /dev/null
+++ b/global/limits.conf
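Review bot: `gzip_min_length: 256;` carries a stray colon, so nginx will treat `gzip_min_length:` as an unknown directive and refuse to load the configuration; it should read `gzip_min_length 256;`. The same colon typo appears on the `listen:` and `server_name:` lines of sites-available/fastcgi-cache.com, sites-available/simple.com and sites-available/ssl.com. Since text/html is always compressed when gzip is on, as the trailing comment says, dynamic HTML served by the TLS site in sites-available/ssl.com that echoes request data next to per-session secrets is exposed to compression-oracle (BREACH-style) leakage; recording that trade-off with `# NOTE: compressed dynamic HTML over TLS is subject to BREACH; disable gzip for pages that echo user input alongside secrets if that matters here.` would help the next reader.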
@@ -0,0 +1,15 @@
+# How long each connection should stay open for.
+keepalive_timeout 15;
+
+# Timeout for reading client request body.
+client_body_timeout 30;
+
+# Timeout for reading client request header.
+client_header_timeout 30;
+
+# Timeout for transmitting reponse to client.
+send_timeout 30;
+
+# Set the maximum allowed size of client request body. This should be set
+# to the value of files sizes you wish to upload to the WordPress Media Library.
+client_max_body_size 64m;
\ No newline at end of file
diff --git a/global/logs.conf b/global/logs.conf
new file mode 100644
index 0000000..ed80dd8
--- /dev/null
+++ b/global/logs.conf
@@ -0,0 +1,23 @@
+# Default error log file. Only used when you don't override error_log in the server block.
+error_log /var/log/nginx/error.log warn;
+
+# Default access log file. Only used when you don't override access_log in the server block.
+access_log /var/log/nginx/access.log;
+
+# Don't record error/access logs for favicon.io.
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+# Don't record error/access logs for robots.txt.
+location = /robots.txt {
+ log_not_found off;
+ access_log off;
+}
+
+# Don't record error/access logs for static assets.
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|css|js)$ {
+ log_not_found off;
+ access_log off;
+}
\ No newline at end of file
diff --git a/global/mime-types.conf b/global/mime-types.conf
new file mode 100644
index 0000000..ded019d
--- /dev/null
+++ b/global/mime-types.conf
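Review bot: The comment above the first location in logs.conf says `favicon.io` while the location matches `/favicon.ico`; it should read `# Don't record error/access logs for favicon.ico.`. The static-asset rule also switches off access logging for every image, script and style request, which removes the evidence an incident responder would use to see probing for files under the uploads directory; if that visibility matters, say so in a comment next to the rule or keep access_log on for paths you care about. The per-site files override error_log and access_log, so the defaults here only apply to servers that do not, as the comments already state.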
@@ -0,0 +1,88 @@
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
\ No newline at end of file
diff --git a/global/security.conf b/global/security.conf
new file mode 100644
index 0000000..0886a44
--- /dev/null
+++ b/global/security.conf
@@ -0,0 +1,29 @@
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~ /\. {
+ deny all;
+}
+
+# Deny access to any files with a .php extension in the uploads directory
+# Works in sub-directory installs and also in multisite network
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /(?:uploads|files)/.*\.php$ {
+ deny all;
+}
+
+# Hide Nginx version in error messages and reponse headers.
+server_tokens off;
+
+# Don't allow pages to be rendered in an iframe on external domains.
+add_header X-Frame-Options "SAMEORIGIN" always;
+
+# MIME sniffing prevention
+add_header X-Content-Type-Options "nosniff" always;
+
+# Enable cross-site scripting filter in supported browsers.
+add_header X-Xss-Protection "1; mode=block" always;
+
+# Whitelist sources which are allowed to load assets (JS, CSS, etc). The following will block
+# only none HTTPS assets, but check out https://scotthelme.co.uk/content-security-policy-an-introduction/
+# for an in-depth guide on creating a more restrictive policy.
+# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
\ No newline at end of file
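Review bot: `location ~ /\. { deny all; }` matches any path containing `/.`, which includes `/.well-known/`, so ACME HTTP-01 challenge files and other well-known resources under the document root are denied as well; if those are needed, a prefix location such as `location ^~ /.well-known/ { allow all; }` placed before it takes precedence over the regex. The uploads rule below it is also only effective when nginx evaluates it before a site's `location ~ \.php$`, because the first matching regex location wins; a comment on that rule, `# Must appear before the php location: nginx uses the first regex location that matches.`, would make the ordering requirement explicit wherever this file ends up included.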
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..2e1c99c
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,53 @@
+# The user account used by the worker processes. If following along with Hosting WordPress Yourself,
+# it's recommened to set this to your username, but only when running a single user access server.
+# https://deliciousbrains.com/hosting-wordpress-yourself-nginx-php-mysql/
+user www-data;
+
+# Set to number of CPU cores, auto will try to autodetect.
+worker_processes auto;
+
+# Maximum open file descriptors per process. Should be greater than worker_connections.
+worker_rlimit_nofile 8192;
+
+# File that stores the process ID. Rarely needs changing.
+pid /run/nginx.pid;
+
+events {
+ # Set the maximum number of connection each worker process can open
+ worker_connections 8000;
+
+ # Accept all new connections at a time
+ multi_accept on;
+}
+
+http {
+
+ # HTTP
+ include global/http.conf;
+
+ # MIME Types
+ include global/mime-types.conf;
+ default_type application/octet-stream;
+
+ # Limits & Timeouts
+ include global/limits.conf;
+
+ # Logs
+ include global/logs.conf;
+
+ # Gzip
+ include global/gzip.conf;
+
+ # Cache Static Content
+ include global/cache.conf;
+
+ # Security
+ include global/security.conf;
+
+ # Modules
+ include /etc/nginx/conf.d/*.conf;
+
+ # Sites
+ include /etc/nginx/sites-enabled/*;
+
+}
\ No newline at end of file
diff --git a/per-site/fastcgi-cache.conf b/per-site/fastcgi-cache.conf
new file mode 100644
index 0000000..6ca822f
--- /dev/null
+++ b/per-site/fastcgi-cache.conf
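Review bot: `include global/logs.conf;`, `include global/cache.conf;` and `include global/security.conf;` pull `location` blocks into the `http` context, where nginx does not allow the location directive, so `nginx -t` is expected to reject this configuration as committed. The location blocks have to be included from each `server` block instead; the error_log/access_log lines of logs.conf and the server_tokens/add_header lines of security.conf may stay at http level, which means those two files need to be split. When the security locations are moved, include them before each site's `location ~ \.php$`, since nginx takes the first matching regex location and the uploads deny rule would otherwise never take precedence over the PHP handler.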
@@ -0,0 +1,34 @@
+# The key to use when saving cache files, which will run through the MD5 hashing algorithm.
+fastcgi_cache_key "$scheme$request_method$host$request_uri";
+
+# If an error occurs when communicating with FastCGI server, return cached content.
+# Useful for serving cached content if the PHP process dies or timeouts.
+fastcgi_cache_use_stale error timeout invalid_header http_500;
+
+# Allow caching of requests which contain the following headers.
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+
+# Show the cache status in server responses.
+add_header Fastcgi-Cache $upstream_cache_status;
+
+# Don't skip by default
+set $skip_cache 0;
+
+# POST requests and urls with a query string should always go to PHP
+if ($request_method = POST) {
+ set $skip_cache 1;
+}
+
+if ($query_string != "") {
+ set $skip_cache 1;
+}
+
+# Don't cache uris containing the following segments
+if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
+ set $skip_cache 1;
+}
+
+# Don't use the cache for logged in users or recent commenters
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
+ set $skip_cache 1;
+}
\ No newline at end of file
diff --git a/per-site/ssl.conf b/per-site/ssl.conf
new file mode 100644
index 0000000..341ed45
--- /dev/null
+++ b/per-site/ssl.conf
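Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` makes nginx store responses that carry Set-Cookie, and nothing in this file strips that header from the stored copy, so a cookie issued to one anonymous visitor can be replayed from the cache to every later visitor of the same URL; the cookie checks further down only inspect the request's `$http_cookie`, not what PHP sets in the response. If plugins that set cookies on public pages are possible on these sites, drop Set-Cookie from the ignore list so nginx falls back to its default of not caching such responses, or record the decision with `# Set-Cookie responses are cached on purpose; no plugin may set per-visitor cookies on public pages.`. As a minor point, the `$request_uri` pattern uses unescaped dots in `xmlrpc.php`, `index.php` and `sitemap(_index)?.xml`, which is harmless for a skip rule but worth writing as `\.` so the list is safe to reuse.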
@@ -0,0 +1,20 @@
+# Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Use secure ciphers
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+
+# Define the size of the SSL session cache in MBs.
+ssl_session_cache shared:SSL:10m;
+
+# Define the time in minutes to cache SSL sessions.
+ssl_session_timeout 1h;
+
+# Use HTTPS exclusively for 1 year, uncomment one. Second line applies to subdomains.
+add_header Strict-Transport-Security "max-age=31536000;";
+# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+
+# The default key used by DHE is weak and it's recommended to use a 2048 bit key.
+# Uncomment this line if you have generated a custom key using `cd /etc/ssl/; sudo openssl dhparam -out dhparams.pem 2048`
+# ssl_dhparam /etc/ssl/dhparams.pem;
\ No newline at end of file
diff --git a/sites-available/default b/sites-available/default
new file mode 100644
index 0000000..cac06be
--- /dev/null
+++ b/sites-available/default
@@ -0,0 +1,6 @@
+server {
+ listen 80 default_server;
+ server_name _;
+
+ return 444;
+}
\ No newline at end of file
diff --git a/sites-available/fastcgi-cache.com b/sites-available/fastcgi-cache.com
new file mode 100644
index 0000000..e550075
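Review bot: The comments and values in ssl.conf disagree: `ssl_session_timeout 1h;` is documented as a "time in minutes", and the `ssl_protocols` comment only mentions SSLv3 while the directive deliberately keeps TLSv1 and TLSv1.1, which the next person deciding what to retire will want spelled out, e.g. `# TLSv1/TLSv1.1 kept for older clients; remove once they are no longer needed.`. The cipher string also ends with the broad `AES:CAMELLIA:DES-CBC3-SHA` aliases, which admit non-forward-secret and 3DES suites behind the ECDHE/DHE ones; if they are intentional fallbacks, a comment saying so would stop a reviewer from assuming they were left in by accident. The `add_header Strict-Transport-Security` line has the side effect of dropping the http-level security headers for any server that includes this file, as nginx only inherits add_header when the current level sets none.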
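Review bot: The catch-all only covers port 80; with no `default_server` on 443, a TLS request with an unknown Host or no SNI is handled by the first `listen 443 ssl` server nginx finds (the one in sites-available/ssl.com), so that site and its certificate answer requests aimed at the bare IP address. Add a second block here with `listen 443 ssl default_server;`, `server_name _;` and `return 444;`; nginx requires a certificate for it (a self-signed one is enough), or on nginx 1.19.4 and later `ssl_reject_handshake on;` can replace the certificate and close the handshake outright.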
--- /dev/null
+++ b/sites-available/fastcgi-cache.com
@@ -0,0 +1,55 @@
+# Define path to cache and memory zone.
+# keys_zone=fastcgi-cache.com:100m creates the memory zone and sets the maximum size in MBs.
+# inactive=60m will remove cached items that haven't been accessed for 60 minutes or more.
+fastcgi_cache_path /sites/fastcgi-cache.com/cache levels=1:2 keys_zone=fastcgi-cache.com:100m inactive=60m;
+
+server {
+ # Ports to listen on
+ listen: 80;
+
+ # Server name to listen for
+ server_name fastcgi-cache.com;
+
+ # Path to document root
+ root /sites/fastcgi-cache.com/public;
+
+ # File to be used as index
+ index index.php;
+
+ # Overrides logs defined in global/logs.conf, allows per site logs.
+ access_log /sites/fastcgi-cache.com/logs/access.log;
+ error_log /sites/fastcgi-cache.com/logs/error.log;
+
+ # Fastcgi cache rules
+ include per-site/fastcgi-cache.conf;
+
+ location / {
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ include global/fastcgi-params.conf;
+
+ # Change socket if using PHP pools
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+
+ # Skip cache based on rules in per-site/fastcgi-cache.conf.
+ fastcgi_cache_bypass $skip_cache;
+ fastcgi_no_cache $skip_cache;
+
+ # Define memory zone for caching. Should match key_zone in fastcgi_cache_path above.
+ fastcgi_cache fastcgi-cache.com;
+
+ # Define caching time.
+ fastcgi_cache_valid 60m;
+ }
+}
+
+# Redirect www to non-www
+server {
+ listen 80;
+ server_name: www.fastcgi-cache.com;
+
+ return 301 $scheme://fastcgi-cache.com$request_uri;
+}
\ No newline at end of file
diff --git a/sites-available/simple.com b/sites-available/simple.com
new file mode 100644
index 0000000..a01cbbe
--- /dev/null
+++ b/sites-available/simple.com
@@ -0,0 +1,37 @@
+server {
+ # Ports to listen on
+ listen: 80;
+
+ # Server name to listen for
+ server_name simple.com;
+
+ # Path to document root
+ root /sites/simple.com/public;
+
+ # File to be used as index
+ index index.php;
+
+ # Overrides logs defined in global/logs.conf, allows per site logs.
+ access_log /sites/simple.com/logs/access.log;
+ error_log /sites/simple.com/logs/error.log;
+
+ location / {
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ include global/fastcgi-params.conf;
+
+ # Change socket if using PHP pools
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ }
+}
+
+# Redirect www to non-www
+server {
+ listen 80;
+ server_name: www.simple.com;
+
+ return 301 $scheme://simple.com$request_uri;
+}
\ No newline at end of file
diff --git a/sites-available/ssl.com b/sites-available/ssl.com
new file mode 100644
index 0000000..7f23a97
--- /dev/null
+++ b/sites-available/ssl.com
@@ -0,0 +1,53 @@
+server {
+ # Ports to listen on, uncomment one.
+ listen 443 ssl;
+ # listen 443 ssl http2;
+
+ # Server name to listen for
+ server_name ssl.com;
+
+ # Path to document root
+ root /sites/ssl.com/public;
+
+ # Paths to certificate files.
+ ssl_certificate /etc/ssl/ssl.com.crt;
+ ssl_certificate_key /etc/ssl/ssl.com.key;
+
+ # File to be used as index
+ index index.php;
+
+ # Overrides logs defined in global/logs.conf, allows per site logs.
+ access_log /sites/ssl.com/logs/access.log;
+ error_log /sites/ssl.com/logs/error.log;
+
+ # SSL rules
+ include per-site/ssl.conf;
+
+ location / {
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ include global/fastcgi-params.conf;
+
+ # Change socket if using PHP pools
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ }
+}
+
+# Redirect http to https
+server {
+ listen 80;
+ server_name: ssl.com www.ssl.com;
+
+ return 301 https://ssl.com$request_uri;
+}
+
+# Redirect www to non-www
+server {
+ listen 443;
+ server_name: www.ssl.com;
+
+ return 301 https://ssl.com$request_uri;
+}
\ No newline at end of file
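Review bot: The www-to-non-www server at the end of the file uses `listen 443;` without the `ssl` parameter and defines no certificate, so as far as I can tell a client presenting `www.ssl.com` via SNI is served with whatever certificate the default server on that socket holds (the ssl.com block above), and the redirect only works if that certificate also covers the www name; otherwise the browser shows a certificate error before the 301 is ever sent. The block should enable TLS explicitly and load a certificate valid for www.ssl.com, and include per-site/ssl.conf so the protocol, cipher and HSTS settings apply to it as well. The rewrite below reuses the certificate paths from the main server on the assumption that it carries a www.ssl.com SAN; confirm that before relying on it.
```nginx
# … unchanged: main ssl.com server and the http-to-https redirect …

# Redirect www to non-www
server {
    listen 443 ssl;
    server_name www.ssl.com;

    # Must be a certificate that covers www.ssl.com; the main site's
    # certificate is reused here assuming it has that SAN (confirm).
    ssl_certificate /etc/ssl/ssl.com.crt;
    ssl_certificate_key /etc/ssl/ssl.com.key;
    include per-site/ssl.conf;

    return 301 https://ssl.com$request_uri;
}
```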