kopia lustrzana https://0xacab.org/rysiek/fasada
Deleted services/etc/nginx/sites/example.com_fpm.conf, services/etc/nginx/sites/admin.example.com.conf files
Michał "rysiek" Woźniak
rodzic
4f45772e11
commit
66a3458704
|
|
@ -1,44 +0,0 @@
|
|||
# www.example.com website
|
||||
server {
|
||||
listen 80;
|
||||
listen 443 ssl;
|
||||
server_name admin.example.com;
|
||||
|
||||
# general vhost settings
|
||||
access_log /srv/logs/nginx/admin.example.com.access.log combined;
|
||||
error_log /srv/logs/nginx/admin.example.com.error.log error;
|
||||
|
||||
# ssl keycert
|
||||
ssl_certificate /srv/data/secrets/letsencrypt/live/admin.example.com/fullchain.pem;
|
||||
ssl_certificate_key /srv/data/secrets/letsencrypt/live/admin.example.com/privkey.pem;
|
||||
|
||||
# TLS settings
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
# basic proxy params
|
||||
import snippets/proxy_headers_general.conf;
|
||||
|
||||
# tls letsencrypt stateless acme config
|
||||
# no need for webroot and stuff
|
||||
#
|
||||
# this is described for acme.sh,
|
||||
# but should work with any LE client
|
||||
# https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
|
||||
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
|
||||
default_type text/plain;
|
||||
return 200 "$1.<ACME_THUMBPRINT>";
|
||||
}
|
||||
|
||||
# set proxy zone to off
|
||||
# we want no caching of the admin interface
|
||||
proxy_cache off;
|
||||
|
||||
# reverse proxy to upstream
|
||||
location / {
|
||||
# debugging
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
#include snippets/security.conf;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -1,219 +0,0 @@
|
|||
### THIS IS INCOMPLETE/WORK IN PROGRESS
|
||||
|
||||
# www.example.com website
|
||||
server {
|
||||
listen 80;
|
||||
listen 443 ssl;
|
||||
server_name www.example.com example.com;
|
||||
|
||||
# general vhost settings
|
||||
access_log /srv/logs/nginx/example.com.access.log combined;
|
||||
error_log /srv/logs/nginx/example.com.error.log error;
|
||||
|
||||
# ssl keycert
|
||||
ssl_certificate /srv/data/secrets/letsencrypt/live/example.com/fullchain.pem;
|
||||
ssl_certificate_key /srv/data/secrets/letsencrypt/live/example.com/privkey.pem;
|
||||
|
||||
# TLS settings
|
||||
# can't set headers in an if that is *not* in a location,
|
||||
# so we need to work around this
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
# general vhost settings
|
||||
root /srv/www/;
|
||||
|
||||
# fastcgi defaults
|
||||
include snippets/fastcgi.conf;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
# no php is touched for static content.
|
||||
# include the "?$args" part so non-default permalinks don't break
|
||||
# when using query string
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
|
||||
# common blocks
|
||||
include snippets/common-blocks.conf;
|
||||
|
||||
# XML-RPC blocked
|
||||
# https://www.hostinger.com/tutorials/xmlrpc-wordpress
|
||||
location = /xmlrpc.php {
|
||||
return 404;
|
||||
}
|
||||
|
||||
# TLS letsencrypt stateless acme config
|
||||
# no need for webroot and stuff
|
||||
#
|
||||
# this is described for acme.sh,
|
||||
# but should work with any LE client
|
||||
# https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
|
||||
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
|
||||
default_type text/plain;
|
||||
return 200 "$1.<ACME_THUMBPRINT>";
|
||||
}
|
||||
|
||||
# we simply might not have a favicon, robots.txt, et al -- if we do, serve these, if not, 204 NO CONTENT
|
||||
# and ignore logging either way
|
||||
location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
|
||||
try_files $uri =204;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# retina bullshit
|
||||
location ~* ^(.*)@[0-9]x\.(js|css|png|jpg|jpeg|gif|ico|svg|pdf|json|woff|ttf|otf|flv|swf|avi|webm|webp)$ {
|
||||
try_files $uri $1.$2 =404;
|
||||
expires max;
|
||||
log_not_found off;
|
||||
add_header X-Cache-Config "STATIC RETINA" always;
|
||||
}
|
||||
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|pdf|json|woff|ttf|otf|flv|swf|avi|webm|webp)$ {
|
||||
try_files $uri =404;
|
||||
expires max;
|
||||
#log_not_found off; # we need this on for the time being
|
||||
add_header X-Cache-Config "STATIC" always;
|
||||
}
|
||||
|
||||
# basic proxy params
|
||||
import snippets/proxy_headers_general.conf;
|
||||
|
||||
# proxy zone
|
||||
proxy_cache fasada;
|
||||
# use stale cached resources in case upstream is not available for some reason
|
||||
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
||||
proxy_cache_background_update on;
|
||||
proxy_cache_revalidate on;
|
||||
proxy_cache_lock on;
|
||||
|
||||
# reasonable default
|
||||
proxy_cache_valid 200 10s;
|
||||
|
||||
|
||||
# admin area *has to* be uncached; blocking here,
|
||||
# should be made available on admin.domain.tld
|
||||
location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
proxy_cache off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# WordPress themes
|
||||
location ~* ^/wp-content/themes/.* {
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 30m;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 30m;
|
||||
|
||||
# no need for access log for these
|
||||
access_log off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
|
||||
}
|
||||
|
||||
# robots.txt, favicons, apple icons, etc
|
||||
location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 5h;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 5h;
|
||||
|
||||
# no need for access log for these
|
||||
access_log off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# images and other static resources
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 15m;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 15m;
|
||||
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# reverse proxy to upstream, for *everything else*
|
||||
# caching for 1 minute
|
||||
location / {
|
||||
|
||||
# if redirect_fbclid map is active, do 301 to the new url
|
||||
if ( $redirect_fbclid ) {
|
||||
return 301 $redirect_fbclid;
|
||||
}
|
||||
|
||||
# if we have the wordpress admin cookie set, no caching please
|
||||
#
|
||||
# this makes previews work and fixes the admin interface
|
||||
# (by allowing /wp-json/ requests to be uncached and have cookies on them)
|
||||
#
|
||||
# using an error page hack because nginx config is lacking in this area
|
||||
# ref:
|
||||
# - https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
|
||||
# - https://serverfault.com/a/811981
|
||||
# - https://wordpress.stackexchange.com/questions/218588/post-preview-mechanism-architecture
|
||||
error_page 418 = @uncached;
|
||||
if ( $http_cookie ~* ".*wordpress_logged_in_.+" ) {
|
||||
return 418;
|
||||
}
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "no-store";
|
||||
proxy_cache_valid 200 301 302 303 307 308 20s;
|
||||
proxy_cache_valid 404 20s;
|
||||
|
||||
# some basic security headers
|
||||
add_header Content-Security-Policy "frame-ancestors 'self'";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# the php fpm proxy
|
||||
location ~ \.php$ {
|
||||
# this controls the read-only mode (basically, limits HTTP methods to GET only)
|
||||
include snippets/read-only-mode.conf;
|
||||
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
|
||||
fastcgi_next_upstream error timeout invalid_header http_500;
|
||||
fastcgi_connect_timeout 2;
|
||||
|
||||
fastcgi_pass phpfpm;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# explicitly uncached
|
||||
location @uncached {
|
||||
add_header X-Proxy-Cache-Status $upstream_cache_status;
|
||||
proxy_cache off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
Ładowanie…
Reference in New Issue