diff --git a/services/etc/nginx/nginx.conf b/services/etc/nginx/nginx.conf
index 9045b6c..372e662 100644
--- a/services/etc/nginx/nginx.conf
+++ b/services/etc/nginx/nginx.conf
@@ -164,7 +164,11 @@ http {
 proxy_max_temp_file_size 0;
 # Defines a timeout for establishing a connection with a proxied server.
- # It should be noted that this timeout cannot usually exceed 75 seconds.
+ # It should be noted that this timeout cannot usually exceed 75 seconds.
+ #
+ # This should be short; we want the back-end to time-out before the client
+ # connection does. This way the visitor receives a cached version instead
+ # of a generic timeout
 proxy_connect_timeout 2;
 # Sets a timeout for transmitting a request to the proxied server.
@@ -182,6 +186,15 @@ http {
 proxy_read_timeout 5;
+ # redirect map in http block - remove fbclid argument from the end
+ # context:
+ # https://gist.github.com/lynt-smitka/b5ff2cab70443c17a214006a4d5bc48c
+ # https://community.cloudflare.com/t/facebook-now-adds-fbclid-query-string-to-urls-busting-cloudflares-cache/40355
+ map $request_uri $redirect_fbclid {
+ "~^(.*?)([?&]fbclid=[a-zA-Z0-9_-]+)$" $1;
+ }
+
+
 ##
 # Virtual Host Configs
 ##
diff --git a/services/etc/nginx/sites/admin.example.com.conf b/services/etc/nginx/sites/admin.example.com.conf
index 0a40bb7..e51fe50 100644
--- a/services/etc/nginx/sites/admin.example.com.conf
+++ b/services/etc/nginx/sites/admin.example.com.conf
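Review bot: The map regex `~^(.*?)([?&]fbclid=[a-zA-Z0-9_-]+)$` only matches when `fbclid` is the last query parameter, so a URI such as `/post/?fbclid=X&utm_source=Y` is neither redirected nor collapsed in the cache, and the cache-busting the linked context describes is only partly removed. A second entry such as `"~^(.*?)\?fbclid=[a-zA-Z0-9_-]+&(.*)$" $1?$2;` would cover the case where `fbclid` leads the query string. The value is a client-controlled leading slice of `$request_uri` that example.com.conf later hands to `return 301`, which deserves a comment on the map, e.g. `# value is a prefix of the client's $request_uri and is used verbatim as a 301 target in example.com.conf`.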
@@ -13,18 +13,10 @@ server {
 ssl_certificate_key /srv/data/secrets/letsencrypt/live/admin.example.com/privkey.pem;
 # TLS settings
- # can't set headers in an if that is *not* in a location,
- # so we need to work around this
 add_header Strict-Transport-Security "max-age=31536000";
- # proxy params, mainly for properly tracking visitors
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- # needed for keepalive to work
- proxy_set_header Connection "";
- proxy_http_version 1.1;
+ # basic proxy params
+ import snippets/proxy_headers_general.conf;
 # tls letsencrypt stateless acme config
 # no need for webroot and stuff
@@ -37,7 +29,8 @@ server {
 return 200 "$1.";
 }
- # set proxy zone
+ # set proxy zone to off
+ # we want no caching of the admin interface
 proxy_cache off;
 # reverse proxy to upstream
diff --git a/services/etc/nginx/sites/example.com.conf b/services/etc/nginx/sites/example.com.conf
index 0d31e72..ce23be0 100644
--- a/services/etc/nginx/sites/example.com.conf
+++ b/services/etc/nginx/sites/example.com.conf
@@ -28,14 +28,8 @@ server {
 return 200 "$1.";
 }
- # proxy params, mainly for properly tracking visitors
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- # needed for keepalive to work
- proxy_set_header Connection "";
- proxy_http_version 1.1;
+ # basic proxy params
+ import snippets/proxy_headers_general.conf;
 # proxy zone
 proxy_cache fasada;
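Review bot: `import snippets/proxy_headers_general.conf;` is not an nginx directive, so the admin.example.com.conf hunk as written fails `nginx -t` with an unknown-directive error and the configuration never loads; it should be `include snippets/proxy_headers_general.conf;`, as the location hunks of example.com.conf spell it. The `@@ -28,14 +28,8 @@` hunk of example.com.conf carries the same `import` line. Both replace the server-level `proxy_set_header` group, which is fine as long as every location that sets its own `proxy_set_header` re-includes the snippet, as the later hunks do. The enclosing `server { … }` block starts and ends outside both hunks.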
@@ -43,14 +37,17 @@ server {
 proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
 proxy_cache_background_update on;
 proxy_cache_revalidate on;
- proxy_cache_valid 200 1h;
 proxy_cache_lock on;
+
+ # reasonable default
+ proxy_cache_valid 200 10s;
- # admin area *have to* be uncached; blocking here
+ # admin area *has to* be uncached; blocking here,
 # should be made available on admin.domain.tld
 location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
 add_header X-Proxy-Cache $upstream_cache_status;
+ proxy_cache off;
 return 403;
 }
@@ -58,21 +55,20 @@ server {
 location ~* ^/wp-content/themes/.* {
 # forced cache
- proxy_cache_bypass 0;
- proxy_hide_header Set-Cookie;
- proxy_hide_header Expires;
- proxy_hide_header Cache-Control;
- proxy_hide_header Pragma;
- proxy_ignore_headers Set-Cookie Expires Cache-Control;
- add_header Cache-Control "public";
- expires 30m;
- add_header X-Proxy-Cache-WP themes;
+ include snippets/proxy_headers_caching.conf;
+ # generic settings we need to re-include due to the above using `proxy_set_header`
+ # and thus invalidating the parent block-level use of it
+ include snippets/proxy_headers_general.conf;
- # debugging
- add_header X-Proxy-Cache $upstream_cache_status;
+ # settings for this location block
+ add_header Cache-Control "public";
+ proxy_cache_valid 200 301 302 303 307 308 30m;
+ proxy_cache_valid 404 30s;
+ expires 30m;
 # no need for access log for these
 access_log off;
+ add_header X-OCCRP-Fasada-Content wp-themes;
 proxy_pass http://127.0.0.1:10080;
 }
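Review bot: The added `proxy_cache off;` in the `^/(wp-admin|admin|login|wp-login|signin).*` location has no effect, because `return 403` answers the request before any proxying takes place, and for the same reason the `add_header X-Proxy-Cache` beside it is never sent (add_header applies only to 2xx/3xx responses unless `always` is given). Either drop both lines or label them, e.g. `# return 403 ends the request here; proxy_cache off only matters if that return is ever removed`. Pre-existing but visible in the hunk: the pattern has no boundary after the names, so paths such as `/administration` or `/logins` are rejected as well; `^/(wp-admin|admin|login|wp-login|signin)(/|\.php|$)` would limit it to the intended entry points. The `add_header` lines in the `^/wp-content/themes/.*` hunk below, and in the three later location hunks, mean those locations no longer inherit any server-level `add_header` (an HSTS header, if example.com.conf sets one as admin.example.com.conf does), since nginx inherits add_header only into levels that define none of their own; a one-line comment next to the first `add_header` of each location would save the next maintainer that surprise.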
@@ -81,14 +77,17 @@ server { location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ { # forced cache - proxy_cache_bypass 0; + include snippets/proxy_headers_caching.conf; + # generic settings we need to re-include due to the above using `proxy_set_header` + # and thus invalidating the parent block-level use of it + include snippets/proxy_headers_general.conf; + + # settings for this location block add_header Cache-Control "public"; proxy_cache_valid 200 301 302 303 307 308 5h; + proxy_cache_valid 404 30s; expires 5h; - # debugging - add_header X-Proxy-Cache $upstream_cache_status; - # no need for access log for these access_log off; proxy_pass http://127.0.0.1:10080; @@ -98,12 +97,16 @@ server { location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ { # forced cache - proxy_cache_bypass 0; - add_header Cache-Control "public"; - proxy_cache_valid 200 301 302 303 307 308 1h; - expires 1h; + include snippets/proxy_headers_caching.conf; + # generic settings we need to re-include due to the above using `proxy_set_header` + # and thus invalidating the parent block-level use of it + include snippets/proxy_headers_general.conf; - add_header X-Proxy-Cache $upstream_cache_status; + # settings for this location block + add_header Cache-Control "public"; + proxy_cache_valid 200 301 302 303 307 308 15m; + proxy_cache_valid 404 30s; + expires 15m; proxy_pass http://127.0.0.1:10080; } 
@@ -111,18 +114,27 @@ server { # reverse proxy to upstream, for *everything else* # caching for 1 minute location / { + + # if redirect_fbclid map is active, do 301 to the new url + if ( $redirect_fbclid ) { + return 301 $redirect_fbclid; + } + # forced cache - proxy_cache_bypass 0; - proxy_hide_header Set-Cookie; - proxy_hide_header Expires; - proxy_hide_header Cache-Control; - proxy_hide_header Pragma; - proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires; + include snippets/proxy_headers_caching.conf; + # generic settings we need to re-include due to the above using `proxy_set_header` + # and thus invalidating the parent block-level use of it + include snippets/proxy_headers_general.conf; + + # settings for this location block add_header Cache-Control "no-store"; proxy_cache_valid 200 301 302 303 307 308 20s; - add_header X-Proxy-Cache $upstream_cache_status; + proxy_cache_valid 404 20s; + + # some basic security headers add_header Content-Security-Policy "frame-ancestors 'self'"; add_header X-Frame-Options SAMEORIGIN; + proxy_pass http://127.0.0.1:10080; } diff --git a/services/etc/nginx/snippets/proxy_headers_caching.conf b/services/etc/nginx/snippets/proxy_headers_caching.conf new file mode 100644 index 0000000..ee17e0e --- /dev/null +++ b/services/etc/nginx/snippets/proxy_headers_caching.conf 
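Review bot: `return 301 $redirect_fbclid;` fires for every request method, so a POST to a URL carrying `fbclid` is answered with a 301 that browsers follow as a GET without the body; if forms can post to such URLs, fold the method into the map source in nginx.conf (nginx does not allow nesting `if`), e.g. `map "$request_method:$request_uri" $redirect_fbclid { "~^GET:(.*?)([?&]fbclid=[a-zA-Z0-9_-]+)$" $1; }`. The redirect target is taken verbatim from the client's request line; with nginx's default `absolute_redirect on` a value starting with `/` is expanded to an on-site URL, but if `absolute_redirect off` is set at a level not shown here, a request line beginning with `//` would yield a protocol-relative Location to another host, so either note the dependency or write `return 301 $scheme://$host$redirect_fbclid;`. The context comment `# caching for 1 minute` above `location /` is stale against `proxy_cache_valid 200 301 302 303 307 308 20s` and the new `proxy_cache_valid 404 20s`; change it to `# caching for 20 seconds`. The enclosing `server` block starts outside the hunk.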
@@ -0,0 +1,31 @@ +# caching-related proxy headers +# +# this has to be included in every cached location separately +# along with proxy_headers_general +# because proxy_set_header used in a location invalidates +# *all* proxy_set_headers used in the parent blocks, fo *all* headers. + +# this hides any cookies from the back-end +# +# it does *not* modify the response from the backend to the client +# (use proxy_hide_header for that) +proxy_set_header Cookie ""; + +# force the cache *not* to be by-passed +proxy_cache_bypass 0; + +# hide certain headers from the client +# +# that is, modify backend's response, removing certain headers from it +# so that the client cannot get them +proxy_hide_header Set-Cookie; +proxy_hide_header Expires; +proxy_hide_header Cache-Control; +proxy_hide_header Pragma; + +# ignore certain headers that usually invalidate the cache +# since we want to force everything to be cached +proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires; + +# debugging +add_header X-Proxy-Cache-Status $upstream_cache_status; diff --git a/services/etc/nginx/snippets/proxy_headers_general.conf b/services/etc/nginx/snippets/proxy_headers_general.conf new file mode 100644 index 0000000..e15e48e --- /dev/null +++ b/services/etc/nginx/snippets/proxy_headers_general.conf @@ -0,0 +1,14 @@ +# general proxy headers +# +# this is needed because we might need to include this +# in every location block we're using `proxy_set_header` explicitly in +# like for caching, for example + +# proxy params, mainly for properly tracking visitors +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +# needed for keepalive to work +proxy_set_header Connection ""; +proxy_http_version 1.1;
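Review bot: The header comment has a typo, `fo *all* headers.` should read `for *all* headers.`, and it should also state the consequence of `proxy_set_header Cookie ""` combined with the hidden `Set-Cookie`: with the default cache key (`$scheme$proxy_host$request_uri`) every visitor receives the same cached object and the backend never sees a session, so the snippet is only safe in locations whose responses are not user-specific. Suggested line under the Cookie block: `# consequence: responses cached via this snippet are shared by all visitors; never include it for user-specific content`. The `add_header X-Proxy-Cache-Status` at the bottom also means any location including this snippet stops inheriting server-level `add_header` directives, which deserves a sentence in the header comment since callers otherwise discover it only by a missing header.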
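Review bot: The comment `# proxy params, mainly for properly tracking visitors` should say which of these values a backend may rely on: `X-Real-IP` is `$remote_addr`, the peer nginx actually spoke to, whereas `X-Forwarded-For` is `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, so only its last element is nginx's own. Suggested comment: `# X-Real-IP is the peer address and authoritative; X-Forwarded-For keeps any client-supplied chain and appends the peer, so only its last element can be trusted`. The keepalive comment is accurate for `Connection ""` plus `proxy_http_version 1.1`, but as far as the diff shows `proxy_pass` targets `http://127.0.0.1:10080` directly rather than an `upstream` block with `keepalive`, in which case connection reuse may not happen at all; worth confirming and noting in the comment.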