CentOS 7, Nginx, WordPress & SSL Setup over Digital Ocean Droplet
# WordPress configuration recommended by the WordPress community
# https://codex.wordpress.org/Nginx
# TLS certificates are issued by Let's Encrypt
# https://letsencrypt.org/
# Additional help taken from this tutorial:
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
# Description: You may skip steps you think are not relevant to you; e.g. I used this tutorial
# to find the location of the certificates and then tweaked the configuration to what works in my situation.
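## nginx.conf
# Generic startup file.
user nginx nginx;
# One worker per CPU core. "auto" (supported since nginx 1.2.5) makes nginx count
# the cores itself, so this no longer has to be edited by hand (the manual way was
# "grep processor /proc/cpuinfo | wc -l") when the droplet is resized.
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
# Keeps the logs free of messages about not being able to bind().
#daemon off;
events {
    worker_connections 1024;
}
http {
    # rewrite_log on;
    include mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    # Do not advertise the nginx version in the Server header or on error pages;
    # the exact build is of no use to legitimate clients and only narrows down
    # which known issues apply to this host.
    server_tokens off;
    sendfile on;
    # tcp_nopush on;
    keepalive_timeout 3;
    # tcp_nodelay on;
    # gzip on;
    # php max upload limit cannot be larger than this
    client_max_body_size 13m;
    index index.php index.html index.htm;
    # Upstream to abstract backend connection(s) for PHP.
    upstream php {
        # this should match value of "listen" directive in php-fpm pool
        server unix:/run/php-fpm/php-fpm.sock;
    }
    include conf.d/*;
    include sites-enabled/*;
}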
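## wordpress.conf
# Redirect everything to the main site. We use a separate server statement and NOT an if statement - see http://wiki.nginx.org/IfIsEvil
server {
    # Plain-HTTP catch-all. nginx would default to port 80 without these lines;
    # they are spelled out so the intent of this block is visible.
    listen 80;
    listen [::]:80;
    server_name _;
    # Always send clients to the HTTPS host. The earlier "$scheme://" form rebuilt
    # an http:// URL here, so an HTTP request was never upgraded to TLS and - as
    # long as this is the only server listening on port 80 - was redirected straight
    # back to this block (a redirect loop). 301 lets clients cache the upgrade.
    return 301 https://ghazanfarmir.info$request_uri;
}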
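server {
    # indicate the server name
    server_name ghazanfarmir.info *.ghazanfarmir.info;
    root /var/www/sites/wordpress;
    index index.php;
    # listens both on IPv4 and IPv6 on 443 and enables HTTPS.
    # HTTP/2 is NOT enabled by these lines as written; add "http2" to both listen
    # directives to turn it on (available in nginx 1.9.5 and above).
    listen 443 ssl;
    listen [::]:443 ssl;
    # indicate locations of SSL key files.
    ssl_certificate /etc/letsencrypt/live/ghazanfarmir.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ghazanfarmir.info/privkey.pem;
    # Kept for any future DHE suite; with the cipher list below only ECDHE suites
    # are offered, so these parameters are not used for key exchange at present.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    # Note: add_header is only inherited by location blocks that set no add_header of their own.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # Set caches, protocols, and accepted ciphers.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated and no longer accepted by common compliance
    # baselines (e.g. PCI DSS from mid-2018). TLS 1.3 is deliberately not listed:
    # the nginx/OpenSSL builds shipped for CentOS 7 at the time did not support it,
    # and nginx refuses to start on a protocol name it does not know.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # The former "DH+3DES" entry was removed: 3DES is a 64-bit block cipher
    # (Sweet32) and SSL Labs penalises it, so the old "A+ as of Sept 2015" claim
    # no longer held. What remains are AES suites with ECDHE forward secrecy;
    # anonymous (ADH/AECDH) and MD5 suites stay excluded.
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5';
    # include restrictions
    include global/restrictions.conf;
    # WordPress single site rules.
    # Designed to be included in any server {} block.
    # This order might seem weird - this is attempted to match last if rules below fail.
    # http://wiki.nginx.org/HttpCoreModule
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires max;
    }
    # Uncomment one of the lines below for the appropriate caching plugin (if used).
    #include global/wordpress-wp-super-cache.conf;
    #include global/wordpress-w3-total-cache.conf;
    # Pass all .php files onto a php-fpm/php-fcgi server.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse to hand a non-existent script to PHP-FPM: with cgi.fix_pathinfo=1
        # FPM would otherwise walk up the path and may execute a different file.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        # This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # fastcgi_intercept_errors on;
        fastcgi_pass php;
    }
    # Additional rules go here.
    # Only include one of the files below.
    # include global/wordpress.conf;
    # include global/wordpress-ms-subdir.conf;
    # include global/wordpress-ms-subdomain.conf;
}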
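## restrictions
# Global restrictions configuration file.
# Designed to be included in any server {} block.
# Let's Encrypt http-01 validation fetches /.well-known/acme-challenge/<token>
# from the document root, and the validator follows redirects, so a request that
# arrives on port 80 and is redirected to HTTPS ends up in this server. The "^~"
# prefix match takes precedence over the regex "/\." deny below, which would
# otherwise answer 403 for the dotted path and break certificate renewal.
# NOTE(review): assumes the certbot webroot is this server's root - confirm
# against the renewal configuration.
location ^~ /.well-known/acme-challenge/ {
    allow all;
}
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}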