kopia lustrzana https://0xacab.org/rysiek/fasada
initial jab at fpm config
rodzic
4015e8456a
commit
8fc3182cb9
|
@ -0,0 +1,219 @@
|
|||
### THIS IS INCOMPLETE/WORK IN PROGRESS
|
||||
|
||||
# www.example.com website
|
||||
server {
|
||||
listen 80;
|
||||
listen 443 ssl;
|
||||
server_name www.example.com example.com;
|
||||
|
||||
# general vhost settings
|
||||
access_log /srv/logs/nginx/example.com.access.log combined;
|
||||
error_log /srv/logs/nginx/example.com.error.log error;
|
||||
|
||||
# ssl keycert
|
||||
ssl_certificate /srv/data/secrets/letsencrypt/live/example.com/fullchain.pem;
|
||||
ssl_certificate_key /srv/data/secrets/letsencrypt/live/example.com/privkey.pem;
|
||||
|
||||
# TLS settings
|
||||
# can't set headers in an if that is *not* in a location,
|
||||
# so we need to work around this
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
# general vhost settings
|
||||
root /srv/www/;
|
||||
|
||||
# fastcgi defaults
|
||||
include snippets/fastcgi.conf;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
# no php is touched for static content.
|
||||
# include the "?$args" part so non-default permalinks don't break
|
||||
# when using query string
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
|
||||
# common blocks
|
||||
include snippets/common-blocks.conf;
|
||||
|
||||
# XML-RPC blocked
|
||||
# https://www.hostinger.com/tutorials/xmlrpc-wordpress
|
||||
location = /xmlrpc.php {
|
||||
return 404;
|
||||
}
|
||||
|
||||
# TLS letsencrypt stateless acme config
|
||||
# no need for webroot and stuff
|
||||
#
|
||||
# this is described for acme.sh,
|
||||
# but should work with any LE client
|
||||
# https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
|
||||
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
|
||||
default_type text/plain;
|
||||
return 200 "$1.<ACME_THUMBPRINT>";
|
||||
}
|
||||
|
||||
# we simply might not have a favicon, robots.txt, et al -- if we do, serve these, if not, 204 NO CONTENT
|
||||
# and ignore logging either way
|
||||
location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
|
||||
try_files $uri =204;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# retina bullshit
|
||||
location ~* ^(.*)@[0-9]x\.(js|css|png|jpg|jpeg|gif|ico|svg|pdf|json|woff|ttf|otf|flv|swf|avi|webm|webp)$ {
|
||||
try_files $uri $1.$2 =404;
|
||||
expires max;
|
||||
log_not_found off;
|
||||
add_header X-Cache-Config "STATIC RETINA" always;
|
||||
}
|
||||
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|pdf|json|woff|ttf|otf|flv|swf|avi|webm|webp)$ {
|
||||
try_files $uri =404;
|
||||
expires max;
|
||||
#log_not_found off; # we need this on for the time being
|
||||
add_header X-Cache-Config "STATIC" always;
|
||||
}
|
||||
|
||||
# basic proxy params
|
||||
import snippets/proxy_headers_general.conf;
|
||||
|
||||
# proxy zone
|
||||
proxy_cache fasada;
|
||||
# use stale cached resources in case upstream is not available for some reason
|
||||
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
||||
proxy_cache_background_update on;
|
||||
proxy_cache_revalidate on;
|
||||
proxy_cache_lock on;
|
||||
|
||||
# reasonable default
|
||||
proxy_cache_valid 200 10s;
|
||||
|
||||
|
||||
# admin area *has to* be uncached; blocking here,
|
||||
# should be made available on admin.domain.tld
|
||||
location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
proxy_cache off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# WordPress themes
|
||||
location ~* ^/wp-content/themes/.* {
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 30m;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 30m;
|
||||
|
||||
# no need for access log for these
|
||||
access_log off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
|
||||
}
|
||||
|
||||
# robots.txt, favicons, apple icons, etc
|
||||
location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 5h;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 5h;
|
||||
|
||||
# no need for access log for these
|
||||
access_log off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# images and other static resources
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 15m;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 15m;
|
||||
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# reverse proxy to upstream, for *everything else*
|
||||
# caching for 1 minute
|
||||
location / {
|
||||
|
||||
# if redirect_fbclid map is active, do 301 to the new url
|
||||
if ( $redirect_fbclid ) {
|
||||
return 301 $redirect_fbclid;
|
||||
}
|
||||
|
||||
# if we have the wordpress admin cookie set, no caching please
|
||||
#
|
||||
# this makes previews work and fixes the admin interface
|
||||
# (by allowing /wp-json/ requests to be uncached and have cookies on them)
|
||||
#
|
||||
# using an error page hack because nginx config is lacking in this area
|
||||
# ref:
|
||||
# - https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
|
||||
# - https://serverfault.com/a/811981
|
||||
# - https://wordpress.stackexchange.com/questions/218588/post-preview-mechanism-architecture
|
||||
error_page 418 = @uncached;
|
||||
if ( $http_cookie ~* ".*wordpress_logged_in_.+" ) {
|
||||
return 418;
|
||||
}
|
||||
|
||||
# forced cache
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "no-store";
|
||||
proxy_cache_valid 200 301 302 303 307 308 20s;
|
||||
proxy_cache_valid 404 20s;
|
||||
|
||||
# some basic security headers
|
||||
add_header Content-Security-Policy "frame-ancestors 'self'";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
# the php fpm proxy
|
||||
location ~ \.php$ {
|
||||
# this controls the read-only mode (basically, limits HTTP methods to GET only)
|
||||
include snippets/read-only-mode.conf;
|
||||
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
|
||||
fastcgi_next_upstream error timeout invalid_header http_500;
|
||||
fastcgi_connect_timeout 2;
|
||||
|
||||
fastcgi_pass phpfpm;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# explicitly uncached
|
||||
location @uncached {
|
||||
add_header X-Proxy-Cache-Status $upstream_cache_status;
|
||||
proxy_cache off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
|
@ -0,0 +1,41 @@
|
|||
# common locations that are blocked
|
||||
# to be included in all sites
|
||||
#
|
||||
# these have to be defined as regex locations
|
||||
# (~ or ~*)
|
||||
|
||||
# seriously, no flash please
|
||||
location ~* .*\.swf(\?.*)?$ {
|
||||
return 410;
|
||||
}
|
||||
|
||||
# .htaccess should always be blocked
|
||||
location ~* .*/\.ht {
|
||||
return 410;
|
||||
}
|
||||
|
||||
# git-related stuff
|
||||
location ~* .*/\.(git|svn).* {
|
||||
return 410;
|
||||
}
|
||||
|
||||
# README.md
|
||||
location ~* .*/README(\..+)?$ {
|
||||
return 410;
|
||||
}
|
||||
|
||||
# we just don't host these
|
||||
location ~* .*/.*\.(jsp|asp|sh|cgi)$ {
|
||||
return 410;
|
||||
}
|
||||
|
||||
# dotfiles -- nope, unless we're talking about .well-known
|
||||
location ~* .*/\.(?!well-known)[a-zA-Z0-9]+ {
|
||||
return 410;
|
||||
}
|
||||
|
||||
# script files should never be served
|
||||
# especially from images/cache/media/log/temp/upload directories
|
||||
location ~* /(images?|cache|media|logs?|te?mp|uploads?)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
|
||||
return 410;
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
||||
|
||||
# for codeigniter
|
||||
fastcgi_buffer_size 128k;
|
||||
fastcgi_buffers 4 256k;
|
||||
fastcgi_busy_buffers_size 256k;
|
||||
|
||||
# yeah, we want php-fpm errors in nginx errorlogs
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_index index.php;
|
Ładowanie…
Reference in New Issue