DaikiSuganuma/conf.d|01_hoge.conf

## conf.d|01_hoge.conf
server {
    listen       80;
    listen       [::]:80;
    server_name  dev.hoge.jp;
    return 301 https://dev.hoge.jp$request_uri;

    #root    /home/httpd/hoge/wordpress;

    # WordPress Setting
    #include conf.d/global/wordpress_restrictions.conf;
    #include conf.d/global/wordpress_dev.conf;
    #include conf.d/global/wordpress_live.conf;
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  .dev.hoge.jp;

    root /home/httpd/hoge/wordpress;

    # Gzip
    include conf.d/global/gzip.conf;

    # WordPress Setting
    include conf.d/global/wordpress_restrictions.conf;
    #include conf.d/global/wordpress_dev.conf;
    include conf.d/global/wordpress_live.conf;

    # SSL
    include conf.d/global/ssl.conf;
    ssl_certificate         /etc/letsencrypt/live/dev.hoge.jp/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/dev.hoge.jp/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/dev.hoge.jp/chain.pem;
}

## conf.d|global|fastcgi_php.conf
#
# PHP-FPM
#
if (!-f $document_root$fastcgi_script_name) {
    return 404;
}
# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

include fastcgi_params;
fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
fastcgi_index index.php;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_intercept_errors on;

# Buffer size
proxy_buffer_size 32k;
proxy_buffers 30 32k;
client_body_buffer_size 64k;

## conf.d|global|gzip.conf
gzip         on;
gzip_vary    on;
gzip_proxied any;
gzip_types   text/plain
             text/xml
             text/css
             application/xml
             application/xhtml+xml
             application/rss+xml
             application/atom_xml
             application/javascript
             application/x-javascript
             application/x-httpd-php;
gzip_disable "MSIE [1-6]\.";
gzip_buffers 16 8k;

## conf.d|global|ssl.conf
#
# SSL
#
# "ssl on" is deprecated
#ssl on;

# Certificates
# ssl_certificate         /etc/letsencrypt/live/dev.example.com/fullchain.pem;
# ssl_certificate_key     /etc/letsencrypt/live/dev.example.com/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;

## conf.d|global|wordpress_dev.conf
#
# WordPress single site rules.
# Designed to be included in any server {} block.
#

index   index.php;
charset utf-8;

# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
    try_files $uri $uri/ /index.php?$args;

    # Deny ?author= attack
    if ($args ~* author=) {
        return 403;
    }

    # Disable caching
    add_header X-Cache-Status $upstream_cache_status;
    add_header Cache-Control no-cache;
    expires off;
    sendfile off;

    # Pass all .php files onto a php-fpm/php-fcgi server.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include conf.d/global/fastcgi_php.conf;
        client_max_body_size 5M;
    }

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
}

## conf.d|global|wordpress_live.conf
#
# WordPress single site rules.
# Designed to be included in any server {} block.
#

index   index.php;
charset utf-8;


#
# fastcgi_cache start
# https://codex.wordpress.org/Nginx#Nginx_fastcgi_cache
set $no_cache 0;

# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
    set $no_cache 1;
}
if ($query_string != "") {
    set $no_cache 1;
}

# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
    set $no_cache 1;
}

# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
    set $no_cache 1;
}


# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
    try_files $uri $uri/ /index.php?$args;

    # Deny ?author= attack
    if ($args ~* author=) {
        return 403;
    }

    # Header
    add_header X-Cache $upstream_cache_status;

    # Pass all .php files onto a php-fpm/php-fcgi server.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include conf.d/global/fastcgi_php.conf;

        client_max_body_size 5M;

        # Enable FastCGI cache
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;

        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid 200 60m;
    }

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|webp)$ {
        access_log off; log_not_found off; expires max;
    }

    location ~* \.(js|css)$ {
        expires max;
        log_not_found off;
    }
}

## conf.d|global|wordpress_restrictions.conf
#
# Global Restrictions for WordPress site
# Designed to be included in any server {} block.</p>
#

location = /favicon.ico {
    log_not_found off;
    access_log off;
}

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}

# Deny all xmlrpc.php access
location = /xmlrpc.php {
    #deny all;
    log_not_found off;
    access_log off;
    return 403;
}

# Deny all REST API access
location ^~ /wp-json/ {
    deny all;
    access_log off;
}

# Accept for Let's Encrypt(certbot)
location ^~ /.well-known/ {
    access_log           off;
    log_not_found        off;
    autoindex            off;
    try_files            $uri $uri/ =404;
}

# Deny less files
location ~* ^.+\.(less)$ {
    deny all;
    access_log off;
}

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

## nginx.conf
user  nginx www;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /run/nginx.pid;

worker_rlimit_nofile 10240;

events {
    worker_connections  1024;
    multi_accept on;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$host" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay         on;

    keepalive_timeout  65;
    types_hash_max_size 2048;

    #gzip  on;

    # FastCGI Cache
    fastcgi_cache_path /var/cache/nginx/fastcgi_www levels=1:2 keys_zone=WORDPRESS:100m inactive=60m max_size=1g;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_cache_use_stale error timeout invalid_header http_500;

    include /etc/nginx/conf.d/*.conf;
}

## ssl_2020.conf
#
# SSL
#
# @see https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=intermediate&openssl=1.1.1c&guideline=5.4
#

# Certificates
#ssl_certificate         /etc/letsencrypt/live/dev.example.com/fullchain.pem;
#ssl_certificate_key     /etc/letsencrypt/live/dev.example.com/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;

## ssl_dev.conf
#
# SSL
#
# "ssl on" is deprecated
#ssl on;

# Certificates
#ssl_certificate         /etc/letsencrypt/live/dev.example.com/fullchain.pem;
#ssl_certificate_key     /etc/letsencrypt/live/dev.example.com/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
#ssl_stapling on;
#ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4;
	server {
	listen 80;
	listen [::]:80;
	server_name dev.hoge.jp;
	return 301 https://dev.hoge.jp$request_uri;

	#root /home/httpd/hoge/wordpress;

	# WordPress Setting
	#include conf.d/global/wordpress_restrictions.conf;
	#include conf.d/global/wordpress_dev.conf;
	#include conf.d/global/wordpress_live.conf;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name .dev.hoge.jp;

	root /home/httpd/hoge/wordpress;

	# Gzip
	include conf.d/global/gzip.conf;

	# WordPress Setting
	include conf.d/global/wordpress_restrictions.conf;
	#include conf.d/global/wordpress_dev.conf;
	include conf.d/global/wordpress_live.conf;

	# SSL
	include conf.d/global/ssl.conf;
	ssl_certificate /etc/letsencrypt/live/dev.hoge.jp/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/dev.hoge.jp/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/dev.hoge.jp/chain.pem;
	}
	#
	# PHP-FPM
	#
	if (!-f $document_root$fastcgi_script_name) {
	return 404;
	}
	# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_index index.php;
	#fastcgi_pass 127.0.0.1:9000;
	fastcgi_pass unix:/run/php-fpm/www.sock;
	fastcgi_intercept_errors on;

	# Buffer size
	proxy_buffer_size 32k;
	proxy_buffers 30 32k;
	client_body_buffer_size 64k;
	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_types text/plain
	text/xml
	text/css
	application/xml
	application/xhtml+xml
	application/rss+xml
	application/atom_xml
	application/javascript
	application/x-javascript
	application/x-httpd-php;
	gzip_disable "MSIE [1-6]\.";
	gzip_buffers 16 8k;
	#
	# SSL
	#
	# "ssl on" is deprecated
	#ssl on;

	# Certificates
	# ssl_certificate /etc/letsencrypt/live/dev.example.com/fullchain.pem;
	# ssl_certificate_key /etc/letsencrypt/live/dev.example.com/privkey.pem;
	# ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/ssl/dhparam.pem;

	# intermediate configuration. tweak to your needs.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4;
	#
	# WordPress single site rules.
	# Designed to be included in any server {} block.
	#

	index index.php;
	charset utf-8;

	# This order might seem weird - this is attempted to match last if rules below fail.
	# http://wiki.nginx.org/HttpCoreModule
	location / {
	try_files $uri $uri/ /index.php?$args;

	# Deny ?author= attack
	if ($args ~* author=) {
	return 403;
	}

	# Disable caching
	add_header X-Cache-Status $upstream_cache_status;
	add_header Cache-Control no-cache;
	expires off;
	sendfile off;

	# Pass all .php files onto a php-fpm/php-fcgi server.
	location ~ [^/]\.php(/\|$) {
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	include conf.d/global/fastcgi_php.conf;
	client_max_body_size 5M;
	}

	# Add trailing slash to */wp-admin requests.
	rewrite /wp-admin$ $scheme://$host$uri/ permanent;
	}
	#
	# Global Restrictions for WordPress site
	# Designed to be included in any server {} block.</p>
	#

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~ /\. {
	deny all;
	}

	# Deny all xmlrpc.php access
	location = /xmlrpc.php {
	#deny all;
	log_not_found off;
	access_log off;
	return 403;
	}

	# Deny all REST API access
	location ^~ /wp-json/ {
	deny all;
	access_log off;
	}

	# Accept for Let's Encrypt(certbot)
	location ^~ /.well-known/ {
	access_log off;
	log_not_found off;
	autoindex off;
	try_files $uri $uri/ =404;
	}

	# Deny less files
	location ~* ^.+\.(less)$ {
	deny all;
	access_log off;
	}

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}
	user nginx www;
	worker_processes auto;

	error_log /var/log/nginx/error.log warn;
	pid /run/nginx.pid;

	worker_rlimit_nofile 10240;

	events {
	worker_connections 1024;
	multi_accept on;
	}


	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$host" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	keepalive_timeout 65;
	types_hash_max_size 2048;

	#gzip on;

	# FastCGI Cache
	fastcgi_cache_path /var/cache/nginx/fastcgi_www levels=1:2 keys_zone=WORDPRESS:100m inactive=60m max_size=1g;
	fastcgi_cache_key "$scheme$request_method$host$request_uri";
	fastcgi_cache_use_stale error timeout invalid_header http_500;

	include /etc/nginx/conf.d/*.conf;
	}
	#
	# SSL
	#
	# @see https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=intermediate&openssl=1.1.1c&guideline=5.4
	#

	# Certificates
	#ssl_certificate /etc/letsencrypt/live/dev.example.com/fullchain.pem;
	#ssl_certificate_key /etc/letsencrypt/live/dev.example.com/privkey.pem;
	#ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/ssl/dhparam.pem;

	# intermediate configuration. tweak to your needs.
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4;