@ansulev
Created July 12, 2018 14:24
Default config for NGINX reverse proxy cache with Apache.
# Generous 600-second timeouts so a slow backend does not produce
# 504 Gateway Timeout responses (these may also live in nginx.conf).
# NOTE(review): timeouts this long also let stalled or deliberately slow
# connections hold worker slots for up to ten minutes; lower them if the
# backend allows it.
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
send_timeout 600;

# On-disk cache: two-level directory layout, a 10 MB shared-memory key zone
# named WORDPRESS, at most 100 MB of cached data. Entries that are not
# requested for 600 minutes are evicted; inactive= is an idle limit, the
# freshness lifetime itself comes from proxy_cache_valid.
# NOTE(review): the cache directory holds copies of backend responses, so it
# should be writable and readable only by the nginx worker user.
proxy_cache_path /var/run/proxy-cache levels=1:2 keys_zone=WORDPRESS:10m max_size=100m inactive=600m;

# Cache key = scheme + host + request URI (query string included).
# Nothing user-specific (cookies, Authorization) is part of the key, so every
# stored response is served to all clients that ask for the same URL.
proxy_cache_key $scheme$host$request_uri;

# Larger upstream buffers to prevent "header too large" errors.
proxy_buffer_size 32k;
proxy_buffers 256 16k;

# httpoxy mitigation: blank the client-supplied Proxy request header before
# the request is forwarded to the backend.
# proxy_set_header is inherited from this level only by blocks that declare
# no proxy_set_header of their own, so this line has to be repeated in any
# server/location that sets another header.
proxy_set_header Proxy "";
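server {
    # TLS is switched on through the listen parameter; the separate "ssl on;"
    # directive is deprecated and rejected by current nginx releases.
    # "default_server" is the current spelling of the old "default" flag.
    # NOTE(review): with no server_name on a default server, requests carrying
    # any Host value are proxied and cached under that host; consider naming
    # the site and rejecting unknown hosts in a separate catch-all server.
    listen 443 ssl default_server;

    ssl_certificate /srv/certificates/cert.crt;
    # The private key file should be readable by root only.
    ssl_certificate_key /srv/certificates/private.key;
    ssl_session_timeout 5m;

    # SSLv3 (POODLE) and TLS 1.0/1.1 are obsolete and no longer offered.
    # Remove TLSv1.3 if the installed nginx/OpenSSL build predates it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # The original value contained the literal word "or" between two
    # alternative cipher strings; only the stricter one (without 3DES) is kept.
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/proxy-access.log;
    error_log /var/log/nginx/proxy-error.log;

    # Expose HIT/MISS/BYPASS/... to clients for debugging the cache.
    add_header X-Cache $upstream_cache_status;

    set $do_not_cache '';
    set $bypass '';

    # Cache bypass is honoured only for trusted source addresses (put your
    # external IP in place of the XXX placeholder). From those addresses a
    # non-empty "Secret-Header" request header forces a fresh fetch.
    # Dots are escaped so they match a literal "." and not any character.
    # NOTE(review): $remote_addr is the directly connected peer; if another
    # proxy or load balancer sits in front, this test sees its address.
    if ($remote_addr ~ "^(127\.0\.0\.1|XXX\.XXX\.XXX\.XXX)$") {
        set $bypass $http_secret_header;
    }

    # Commenters, logged-in users and visitors who unlocked a
    # password-protected post must never read from or write to the shared cache.
    if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
        set $do_not_cache 1;
    }

    location / {
        proxy_set_header Host $host;
        # Declaring proxy_set_header here stops inheritance of the http-level
        # headers, so the httpoxy mitigation has to be repeated in this block.
        proxy_set_header Proxy "";
        proxy_redirect off;

        proxy_cache WORDPRESS;
        proxy_cache_revalidate on;

        # Upstream Expires/Cache-Control are ignored, so a backend
        # "Cache-Control: private" or "no-store" does NOT prevent caching.
        # Only the cookie test above keeps a request out of the cache, plus a
        # Set-Cookie response header, which nginx still honours because it is
        # not listed here. Anything authenticated by other means
        # (e.g. an Authorization header) needs its own no-cache rule.
        proxy_ignore_headers Expires Cache-Control;

        # Serve a stale copy while the backend is failing or being refreshed.
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

        proxy_cache_bypass $bypass $do_not_cache;
        proxy_no_cache $do_not_cache;

        proxy_cache_valid 200 301 302 500m;
        proxy_cache_valid 404 1m;

        #can rename PURGE to whatever you want, should restrict it to back-end server requests for security
        #proxy_cache_purge PURGE from 127.0.0.1 XXX.XXX.XXX.XXX;

        proxy_pass https://127.0.0.1:8443;
    }

    # Purge endpoint. The pattern is anchored with ^ so that only URIs that
    # start with /purge/ are captured; unanchored, any site URL containing
    # "/purge/" would be answered with 403 for the public.
    location ~ ^/purge(/.*) {
        allow 127.0.0.1;
        # NOTE(review): hard-coded address from the original gist; replace it
        # with the address of your own backend before use.
        allow 130.211.71.194;
        deny all;
        # proxy_cache_purge is not part of stock open-source nginx; it needs
        # the cache-purge module (or a build that ships it) before uncommenting.
        #proxy_cache_purge WORDPRESS $scheme$host$1;
    }
}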