kopia lustrzana https://0xacab.org/rysiek/fasada
fbclid fix; major fixes for caching config
rodzic
b64a969854
commit
aff4fb66d3
|
@ -164,7 +164,11 @@ http {
|
|||
proxy_max_temp_file_size 0;
|
||||
|
||||
# Defines a timeout for establishing a connection with a proxied server.
|
||||
# It should be noted that this timeout cannot usually exceed 75 seconds.
|
||||
# It should be noted that this timeout cannot usually exceed 75 seconds.
|
||||
#
|
||||
# This should be short; we want the back-end to time-out before the client
|
||||
# connection does. This way the visitor receives a cached version instead
|
||||
# of a generic timeout
|
||||
proxy_connect_timeout 2;
|
||||
|
||||
# Sets a timeout for transmitting a request to the proxied server.
|
||||
|
@ -182,6 +186,15 @@ http {
|
|||
proxy_read_timeout 5;
|
||||
|
||||
|
||||
# redirect map in http block - remove fbclid argument from the end
|
||||
# context:
|
||||
# https://gist.github.com/lynt-smitka/b5ff2cab70443c17a214006a4d5bc48c
|
||||
# https://community.cloudflare.com/t/facebook-now-adds-fbclid-query-string-to-urls-busting-cloudflares-cache/40355
|
||||
map $request_uri $redirect_fbclid {
|
||||
"~^(.*?)([?&]fbclid=[a-zA-Z0-9_-]+)$" $1;
|
||||
}
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
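Review bot: The `$redirect_fbclid` pattern is anchored with `$`, so it strips `fbclid` only when it is the last query argument. A URL such as `/?fbclid=X&ref=y` (constructed example) is passed through unchanged and, assuming the cache key includes the request URI, still gets its own cache entry. A comment above the map, for example `# matches a trailing fbclid only; any other argument position still fragments the cache`, would make that limit explicit. The captured `$1` comes from the raw `$request_uri` and feeds `return 301` in the site vhost. As far as I can tell this stays a same-host redirect only while `absolute_redirect` keeps its default of `on`, which is worth stating next to the map too.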
|
|
|
@ -13,18 +13,10 @@ server {
|
|||
ssl_certificate_key /srv/data/secrets/letsencrypt/live/admin.example.com/privkey.pem;
|
||||
|
||||
# TLS settings
|
||||
# can't set headers in an if that is *not* in a location,
|
||||
# so we need to work around this
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
# proxy params, mainly for properly tracking visitors
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# needed for keepalive to work
|
||||
proxy_set_header Connection "";
|
||||
proxy_http_version 1.1;
|
||||
# basic proxy params
|
||||
import snippets/proxy_headers_general.conf;
|
||||
|
||||
# tls letsencrypt stateless acme config
|
||||
# no need for webroot and stuff
|
||||
|
@ -37,7 +29,8 @@ server {
|
|||
return 200 "$1.<ACME_THUMBPRINT>";
|
||||
}
|
||||
|
||||
# set proxy zone
|
||||
# set proxy zone to off
|
||||
# we want no caching of the admin interface
|
||||
proxy_cache off;
|
||||
|
||||
# reverse proxy to upstream
|
||||
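Review bot: `import snippets/proxy_headers_general.conf;` in the server block is not an nginx directive, so the configuration test should reject it as unknown and the vhost will not load. The location blocks in the site vhost already use the correct form, so this line should read `include snippets/proxy_headers_general.conf;`. The same `import` line appears in the server block of the site vhost section and needs the same change. Because the admin interface relies on this snippet for `X-Forwarded-Proto` and the client address headers, it is worth running `nginx -t` on both files before deploying.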
|
|
|
@ -28,14 +28,8 @@ server {
|
|||
return 200 "$1.<ACME_THUMBPRINT>";
|
||||
}
|
||||
|
||||
# proxy params, mainly for properly tracking visitors
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# needed for keepalive to work
|
||||
proxy_set_header Connection "";
|
||||
proxy_http_version 1.1;
|
||||
# basic proxy params
|
||||
import snippets/proxy_headers_general.conf;
|
||||
|
||||
# proxy zone
|
||||
proxy_cache fasada;
|
||||
|
@ -43,14 +37,17 @@ server {
|
|||
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
||||
proxy_cache_background_update on;
|
||||
proxy_cache_revalidate on;
|
||||
proxy_cache_valid 200 1h;
|
||||
proxy_cache_lock on;
|
||||
|
||||
# reasonable default
|
||||
proxy_cache_valid 200 10s;
|
||||
|
||||
|
||||
# admin area *have to* be uncached; blocking here
|
||||
# admin area *has to* be uncached; blocking here,
|
||||
# should be made available on admin.domain.tld
|
||||
location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
proxy_cache off;
|
||||
return 403;
|
||||
}
|
||||
|
||||
|
@ -58,21 +55,20 @@ server {
|
|||
location ~* ^/wp-content/themes/.* {
|
||||
|
||||
# forced cache
|
||||
proxy_cache_bypass 0;
|
||||
proxy_hide_header Set-Cookie;
|
||||
proxy_hide_header Expires;
|
||||
proxy_hide_header Cache-Control;
|
||||
proxy_hide_header Pragma;
|
||||
proxy_ignore_headers Set-Cookie Expires Cache-Control;
|
||||
add_header Cache-Control "public";
|
||||
expires 30m;
|
||||
add_header X-Proxy-Cache-WP themes;
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# debugging
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 30m;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 30m;
|
||||
|
||||
# no need for access log for these
|
||||
access_log off;
|
||||
add_header X-OCCRP-Fasada-Content wp-themes;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
|
||||
}
|
||||
|
@ -81,14 +77,17 @@ server {
|
|||
location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
|
||||
|
||||
# forced cache
|
||||
proxy_cache_bypass 0;
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 5h;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 5h;
|
||||
|
||||
# debugging
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
|
||||
# no need for access log for these
|
||||
access_log off;
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
|
@ -98,12 +97,16 @@ server {
|
|||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
|
||||
|
||||
# forced cache
|
||||
proxy_cache_bypass 0;
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 1h;
|
||||
expires 1h;
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
# settings for this location block
|
||||
add_header Cache-Control "public";
|
||||
proxy_cache_valid 200 301 302 303 307 308 15m;
|
||||
proxy_cache_valid 404 30s;
|
||||
expires 15m;
|
||||
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
@ -111,18 +114,27 @@ server {
|
|||
# reverse proxy to upstream, for *everything else*
|
||||
# caching for 1 minute
|
||||
location / {
|
||||
|
||||
# if redirect_fbclid map is active, do 301 to the new url
|
||||
if ( $redirect_fbclid ) {
|
||||
return 301 $redirect_fbclid;
|
||||
}
|
||||
|
||||
# forced cache
|
||||
proxy_cache_bypass 0;
|
||||
proxy_hide_header Set-Cookie;
|
||||
proxy_hide_header Expires;
|
||||
proxy_hide_header Cache-Control;
|
||||
proxy_hide_header Pragma;
|
||||
proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires;
|
||||
include snippets/proxy_headers_caching.conf;
|
||||
# generic settings we need to re-include due to the above using `proxy_set_header`
|
||||
# and thus invalidating the parent block-level use of it
|
||||
include snippets/proxy_headers_general.conf;
|
||||
|
||||
# settings for this location block
|
||||
add_header Cache-Control "no-store";
|
||||
proxy_cache_valid 200 301 302 303 307 308 20s;
|
||||
add_header X-Proxy-Cache $upstream_cache_status;
|
||||
proxy_cache_valid 404 20s;
|
||||
|
||||
# some basic security headers
|
||||
add_header Content-Security-Policy "frame-ancestors 'self'";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
}
|
||||
|
||||
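Review bot: The framing headers under `# some basic security headers` are set only inside `location /` and without `always`, so nginx attaches them only to 2xx/3xx responses from that one location. The themes, static-file and robots/favicon locations declare their own `add_header` lines and therefore inherit nothing, and the 403 returned for the admin paths carries no framing header either. I would move them to the shared snippet included by every location and write them as `add_header Content-Security-Policy "frame-ancestors 'self'" always;` and `add_header X-Frame-Options SAMEORIGIN always;`. The same inheritance rule would drop a server-level header such as the `Strict-Transport-Security` line seen in the admin vhost, if this vhost sets one outside the visible hunks.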
|
|
|
@ -0,0 +1,31 @@
|
|||
# caching-related proxy headers
|
||||
#
|
||||
# this has to be included in every cached location separately
|
||||
# along with proxy_headers_general
|
||||
# because proxy_set_header used in a location invalidates
|
||||
# *all* proxy_set_headers used in the parent blocks, fo *all* headers.
|
||||
|
||||
# this hides any cookies from the back-end
|
||||
#
|
||||
# it does *not* modify the response from the backend to the client
|
||||
# (use proxy_hide_header for that)
|
||||
proxy_set_header Cookie "";
|
||||
|
||||
# force the cache *not* to be by-passed
|
||||
proxy_cache_bypass 0;
|
||||
|
||||
# hide certain headers from the client
|
||||
#
|
||||
# that is, modify backend's response, removing certain headers from it
|
||||
# so that the client cannot get them
|
||||
proxy_hide_header Set-Cookie;
|
||||
proxy_hide_header Expires;
|
||||
proxy_hide_header Cache-Control;
|
||||
proxy_hide_header Pragma;
|
||||
|
||||
# ignore certain headers that usually invalidate the cache
|
||||
# since we want to force everything to be cached
|
||||
proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires;
|
||||
|
||||
# debugging
|
||||
add_header X-Proxy-Cache-Status $upstream_cache_status;
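Review bot: This snippet forces caching by clearing `Cookie` and ignoring the backend's `Cache-Control`, but the request's `Authorization` header is still forwarded. If the backend ever answers differently for an authenticated request (HTTP basic auth, an API token), that response would be stored and then served to other visitors. Adding `proxy_set_header Authorization "";` next to the `Cookie` line closes that gap. It would also help to extend the header comment to say that the `add_header` here replaces any `add_header` inherited from the server block in every location that includes the snippet.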
|
|
@ -0,0 +1,14 @@
|
|||
# general proxy headers
|
||||
#
|
||||
# this is needed because we might need to include this
|
||||
# in every location block we're using `proxy_set_header` explicitly in
|
||||
# like for caching, for example
|
||||
|
||||
# proxy params, mainly for properly tracking visitors
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# needed for keepalive to work
|
||||
proxy_set_header Connection "";
|
||||
proxy_http_version 1.1;
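Review bot: `proxy_set_header Host $http_host;` forwards the client's Host header to the backend unmodified, and this snippet is now included in every cached location. nginx's default cache key is built from the proxied host and the request URI, not from the client's Host, and no `proxy_cache_key` is visible in this commit. A response the backend generated for an unexpected Host value could therefore be stored and served to everyone. I would use `proxy_set_header Host $host;` together with an explicit `server_name`, or a fixed host name, and add a comment that `X-Forwarded-For` built from `$proxy_add_x_forwarded_for` keeps whatever the client sent, so the backend should rely on `X-Real-IP` for the peer address.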
|