GhazanfarMir/configurations.conf

## configurations.conf
# WordPress Configuration recommended by WordPress Community
# https://codex.wordpress.org/Nginx

# SSL is encrypted by Lets Encrypt
# https://letsencrypt.org/

# Additional help taken from tutorial
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
# Description: You may skip steps you think are not relevant to you e.g I seek help from this tutorial
# to find location of the certificates and then tweaked configuration to what works in my situation.


## nginx.conf

# Generic startup file.
user nginx nginx;

#usually equal to number of CPUs you have. run command "grep processor /proc/cpuinfo | wc -l" to find it
worker_processes  2;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

# Keeps the logs free of messages about not being able to bind().
#daemon     off;

events {
	worker_connections  1024;
}

http {
	# rewrite_log on;
	include mime.types;
	default_type       application/octet-stream;
	access_log         /var/log/nginx/access.log;
	sendfile           on;
	# tcp_nopush         on;
	keepalive_timeout  3;
	# tcp_nodelay        on;
	# gzip               on;

    # php max upload limit cannot be larger than this
	client_max_body_size 13m;
	index	index.php index.html index.htm;

	# Upstream to abstract backend connection(s) for PHP.
	upstream php {
        # this should match value of "listen" directive in php-fpm pool
		server unix:/run/php-fpm/php-fpm.sock;
	}

	include conf.d/*;
	include sites-enabled/*;
}

## wordpress.conf

# Redirect everything to the main site. We use a separate server statement and NOT an if statement - see http://wiki.nginx.org/IfIsEvil

server {
    server_name  _;
    return 302 $scheme://ghazanfarmir.info$request_uri;
}

server {

	# indicate the server name
    server_name ghazanfarmir.info *.ghazanfarmir.info;
	root /var/www/sites/wordpress;
	index index.php;

	# listens both on IPv4 and IPv6 on 443 and enables HTTPS and HTTP/2 support.
    # HTTP/2 is available in nginx 1.9.5 and above.
    listen 443 ssl;
    listen [::]:443 ssl;

    # indicate locations of SSL key files.
    ssl_certificate /etc/letsencrypt/live/ghazanfarmir.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ghazanfarmir.info/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score as of Sept 2015.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';

	# include restrictions
	include global/restrictions.conf;

	# WordPress single site rules.
	# Designed to be included in any server {} block.

	# This order might seem weird - this is attempted to match last if rules below fail.
	# http://wiki.nginx.org/HttpCoreModule

	location / {
		try_files $uri $uri/ /index.php?$args;
	}

	# Add trailing slash to */wp-admin requests.
	rewrite /wp-admin$ $scheme://$host$uri/ permanent;

	# Directives to send expires headers and turn off 404 error logging.
	location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
		   access_log off; log_not_found off; expires max;
	}

	# Uncomment one of the lines below for the appropriate caching plugin (if used).
	#include global/wordpress-wp-super-cache.conf;
	#include global/wordpress-w3-total-cache.conf;

	# Pass all .php files onto a php-fpm/php-fcgi server.
	location ~ [^/]\.php(/|$) {
		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
		if (!-f $document_root$fastcgi_script_name) {
			return 404;
		}
		# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
		include fastcgi_params;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	#	fastcgi_intercept_errors on;
		fastcgi_pass php;
	}


	# Additional rules go here.
	# Only include one of the files below.
	# include global/wordpress.conf;
	# include global/wordpress-ms-subdir.conf;
	# include global/wordpress-ms-subdomain.conf;
}

## restrictions

# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
	log_not_found off;
	access_log off;
}

location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
	deny all;
}

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
	deny all;
}
	# WordPress Configuration recommended by WordPress Community
	# https://codex.wordpress.org/Nginx

	# SSL is encrypted by Lets Encrypt
	# https://letsencrypt.org/

	# Additional help taken from tutorial
	# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
	# Description: You may skip steps you think are not relevant to you e.g I seek help from this tutorial
	# to find location of the certificates and then tweaked configuration to what works in my situation.


	## nginx.conf

	# Generic startup file.
	user nginx nginx;

	#usually equal to number of CPUs you have. run command "grep processor /proc/cpuinfo \| wc -l" to find it
	worker_processes 2;

	error_log /var/log/nginx/error.log;
	pid /var/run/nginx.pid;

	# Keeps the logs free of messages about not being able to bind().
	#daemon off;

	events {
	worker_connections 1024;
	}

	http {
	# rewrite_log on;
	include mime.types;
	default_type application/octet-stream;
	access_log /var/log/nginx/access.log;
	sendfile on;
	# tcp_nopush on;
	keepalive_timeout 3;
	# tcp_nodelay on;
	# gzip on;

	# php max upload limit cannot be larger than this
	client_max_body_size 13m;
	index index.php index.html index.htm;

	# Upstream to abstract backend connection(s) for PHP.
	upstream php {
	# this should match value of "listen" directive in php-fpm pool
	server unix:/run/php-fpm/php-fpm.sock;
	}

	include conf.d/*;
	include sites-enabled/*;
	}

	## wordpress.conf

	# Redirect everything to the main site. We use a separate server statement and NOT an if statement - see http://wiki.nginx.org/IfIsEvil

	server {
	server_name _;
	return 302 $scheme://ghazanfarmir.info$request_uri;
	}

	server {

	# indicate the server name
	server_name ghazanfarmir.info *.ghazanfarmir.info;
	root /var/www/sites/wordpress;
	index index.php;

	# listens both on IPv4 and IPv6 on 443 and enables HTTPS and HTTP/2 support.
	# HTTP/2 is available in nginx 1.9.5 and above.
	listen 443 ssl;
	listen [::]:443 ssl;

	# indicate locations of SSL key files.
	ssl_certificate /etc/letsencrypt/live/ghazanfarmir.info/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/ghazanfarmir.info/privkey.pem;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;

	# Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

	# Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score as of Sept 2015.
	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';

	# include restrictions
	include global/restrictions.conf;

	# WordPress single site rules.
	# Designed to be included in any server {} block.

	# This order might seem weird - this is attempted to match last if rules below fail.
	# http://wiki.nginx.org/HttpCoreModule

	location / {
	try_files $uri $uri/ /index.php?$args;
	}

	# Add trailing slash to */wp-admin requests.
	rewrite /wp-admin$ $scheme://$host$uri/ permanent;

	# Directives to send expires headers and turn off 404 error logging.
	location ~* ^.+\.(ogg\|ogv\|svg\|svgz\|eot\|otf\|woff\|mp4\|ttf\|rss\|atom\|jpg\|jpeg\|gif\|png\|ico\|zip\|tgz\|gz\|rar\|bz2\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav\|bmp\|rtf)$ {
	access_log off; log_not_found off; expires max;
	}

	# Uncomment one of the lines below for the appropriate caching plugin (if used).
	#include global/wordpress-wp-super-cache.conf;
	#include global/wordpress-w3-total-cache.conf;

	# Pass all .php files onto a php-fpm/php-fcgi server.
	location ~ [^/]\.php(/\|$) {
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	if (!-f $document_root$fastcgi_script_name) {
	return 404;
	}
	# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
	include fastcgi_params;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	# fastcgi_intercept_errors on;
	fastcgi_pass php;
	}


	# Additional rules go here.
	# Only include one of the files below.
	# include global/wordpress.conf;
	# include global/wordpress-ms-subdir.conf;
	# include global/wordpress-ms-subdomain.conf;
	}

	## restrictions

	# Global restrictions configuration file.
	# Designed to be included in any server {} block.
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~ /\. {
	deny all;
	}

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}