mirror
/
fasada
kopia lustrzana https://0xacab.org/rysiek/fasada
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność
fasada/services/etc/nginx/sites/example.com.conf

130 wiersze
4.3 KiB
Plaintext
Czysty Wina Historia

# www.example.com website
server {
listen 80;
listen 443 ssl;
server_name www.example.com example.com;
# general vhost settings
access_log /srv/logs/nginx/example.com.access.log combined;
error_log /srv/logs/nginx/example.com.error.log error;
# ssl keycert
ssl_certificate /srv/data/secrets/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /srv/data/secrets/letsencrypt/live/example.com/privkey.pem;
# TLS settings
# can't set headers in an if that is *not* in a location,
# so we need to work around this
add_header Strict-Transport-Security "max-age=31536000";
# TLS letsencrypt stateless acme config
# no need for webroot and stuff
#
# this is described for acme.sh,
# but should work with any LE client
# https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
default_type text/plain;
return 200 "$1.<ACME_THUMBPRINT>";
}
# proxy params, mainly for properly tracking visitors
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# needed for keepalive to work
proxy_set_header Connection "";
proxy_http_version 1.1;
# proxy zone
proxy_cache fasada;
# use stale cached resources in case upstream is not available for some reason
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_cache_background_update on;
proxy_cache_revalidate on;
proxy_cache_valid 200 1h;
proxy_cache_lock on;
# admin area *have to* be uncached; blocking here
# should be made available on admin.domain.tld
location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
add_header X-Proxy-Cache $upstream_cache_status;
return 403;
}
# WordPress themes
location ~* ^/wp-content/themes/.* {
# forced cache
proxy_cache_bypass 0;
proxy_hide_header Set-Cookie;
proxy_hide_header Expires;
proxy_hide_header Cache-Control;
proxy_hide_header Pragma;
proxy_ignore_headers Set-Cookie Expires Cache-Control;
add_header Cache-Control "public";
expires 30m;
add_header X-Proxy-Cache-WP themes;
# debugging
add_header X-Proxy-Cache $upstream_cache_status;
# no need for access log for these
access_log off;
proxy_pass http://127.0.0.1:10080;
}
# robots.txt, favicons, apple icons, etc
location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
# forced cache
proxy_cache_bypass 0;
add_header Cache-Control "public";
proxy_cache_valid 200 301 302 303 307 308 5h;
expires 5h;
# debugging
add_header X-Proxy-Cache $upstream_cache_status;
# no need for access log for these
access_log off;
proxy_pass http://127.0.0.1:10080;
}
# images and other static resources
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
# forced cache
proxy_cache_bypass 0;
add_header Cache-Control "public";
proxy_cache_valid 200 301 302 303 307 308 1h;
expires 1h;
add_header X-Proxy-Cache $upstream_cache_status;
proxy_pass http://127.0.0.1:10080;
}
# reverse proxy to upstream, for *everything else*
# caching for 1 minute
location / {
# forced cache
proxy_cache_bypass 0;
proxy_hide_header Set-Cookie;
proxy_hide_header Expires;
proxy_hide_header Cache-Control;
proxy_hide_header Pragma;
proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires;
add_header Cache-Control "no-store";
proxy_cache_valid 200 301 302 303 307 308 20s;
add_header X-Proxy-Cache $upstream_cache_status;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options SAMEORIGIN;
proxy_pass http://127.0.0.1:10080;
}
}
Reference in New Issue View Git Blame Kopiuj bezpośredni odnośnik