kopia lustrzana https://0xacab.org/rysiek/fasada
130 wiersze
4.3 KiB
Plaintext
130 wiersze
4.3 KiB
Plaintext
# www.example.com website
|
|
server {
|
|
listen 80;
|
|
listen 443 ssl;
|
|
server_name www.example.com example.com;
|
|
|
|
# general vhost settings
|
|
access_log /srv/logs/nginx/example.com.access.log combined;
|
|
error_log /srv/logs/nginx/example.com.error.log error;
|
|
|
|
# ssl keycert
|
|
ssl_certificate /srv/data/secrets/letsencrypt/live/example.com/fullchain.pem;
|
|
ssl_certificate_key /srv/data/secrets/letsencrypt/live/example.com/privkey.pem;
|
|
|
|
# TLS settings
|
|
# can't set headers in an if that is *not* in a location,
|
|
# so we need to work around this
|
|
add_header Strict-Transport-Security "max-age=31536000";
|
|
|
|
# TLS letsencrypt stateless acme config
|
|
# no need for webroot and stuff
|
|
#
|
|
# this is described for acme.sh,
|
|
# but should work with any LE client
|
|
# https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
|
|
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
|
|
default_type text/plain;
|
|
return 200 "$1.<ACME_THUMBPRINT>";
|
|
}
|
|
|
|
# proxy params, mainly for properly tracking visitors
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
# needed for keepalive to work
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
|
|
# proxy zone
|
|
proxy_cache fasada;
|
|
# use stale cached resources in case upstream is not available for some reason
|
|
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
|
proxy_cache_background_update on;
|
|
proxy_cache_revalidate on;
|
|
proxy_cache_valid 200 1h;
|
|
proxy_cache_lock on;
|
|
|
|
|
|
# admin area *have to* be uncached; blocking here
|
|
# should be made available on admin.domain.tld
|
|
location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
|
|
add_header X-Proxy-Cache $upstream_cache_status;
|
|
return 403;
|
|
}
|
|
|
|
# WordPress themes
|
|
location ~* ^/wp-content/themes/.* {
|
|
|
|
# forced cache
|
|
proxy_cache_bypass 0;
|
|
proxy_hide_header Set-Cookie;
|
|
proxy_hide_header Expires;
|
|
proxy_hide_header Cache-Control;
|
|
proxy_hide_header Pragma;
|
|
proxy_ignore_headers Set-Cookie Expires Cache-Control;
|
|
add_header Cache-Control "public";
|
|
expires 30m;
|
|
add_header X-Proxy-Cache-WP themes;
|
|
|
|
# debugging
|
|
add_header X-Proxy-Cache $upstream_cache_status;
|
|
|
|
# no need for access log for these
|
|
access_log off;
|
|
proxy_pass http://127.0.0.1:10080;
|
|
|
|
}
|
|
|
|
# robots.txt, favicons, apple icons, etc
|
|
location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
|
|
|
|
# forced cache
|
|
proxy_cache_bypass 0;
|
|
add_header Cache-Control "public";
|
|
proxy_cache_valid 200 301 302 303 307 308 5h;
|
|
expires 5h;
|
|
|
|
# debugging
|
|
add_header X-Proxy-Cache $upstream_cache_status;
|
|
|
|
# no need for access log for these
|
|
access_log off;
|
|
proxy_pass http://127.0.0.1:10080;
|
|
}
|
|
|
|
# images and other static resources
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
|
|
|
|
# forced cache
|
|
proxy_cache_bypass 0;
|
|
add_header Cache-Control "public";
|
|
proxy_cache_valid 200 301 302 303 307 308 1h;
|
|
expires 1h;
|
|
|
|
add_header X-Proxy-Cache $upstream_cache_status;
|
|
|
|
proxy_pass http://127.0.0.1:10080;
|
|
}
|
|
|
|
# reverse proxy to upstream, for *everything else*
|
|
# caching for 1 minute
|
|
location / {
|
|
# forced cache
|
|
proxy_cache_bypass 0;
|
|
proxy_hide_header Set-Cookie;
|
|
proxy_hide_header Expires;
|
|
proxy_hide_header Cache-Control;
|
|
proxy_hide_header Pragma;
|
|
proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires;
|
|
add_header Cache-Control "no-store";
|
|
proxy_cache_valid 200 301 302 303 307 308 20s;
|
|
add_header X-Proxy-Cache $upstream_cache_status;
|
|
add_header Content-Security-Policy "frame-ancestors 'self'";
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
proxy_pass http://127.0.0.1:10080;
|
|
}
|
|
|
|
}
|