danielpotthast/20-https.conf

## 20-https.conf
# Varnish Upstream with NGINX Fallback
upstream wordpress-varnish {
  server 127.0.0.1:6081 weight=5 max_fails=1 fail_timeout=5s;
  server 127.0.0.1:8080 backup;
}

# HTTPS Server
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name www.sitename.tld;

  # SSL Configuration
  ssl_certificate /etc/letsencrypt/live/www.sitename.tld/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.sitename.tld/privkey.pem;

  # Whitelist
  location ~ /wp-admin/admin-ajax\.php$ {
    include snippets/proxy.conf;

    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://wordpress-varnish;
  }

  # Append trailing slash
  location ~ ^/wp-admin$ {
    rewrite ^([^.]*[^/])$ $1/ permanent;
  }

  # Password Protection
  location ~ /wp-login\.php$|^/wp-admin|^/install|/readme\.html|/liesmich\.html|/license\.txt|/wp-activate\.php$|/wp-config\.php$|/wp-cron\.php$|/wp-login\.php$|/wp-settings\.php$|/wp-signup\.php$ {
    auth_basic "Bitte anmelden";
    auth_basic_user_file /var/www/htpasswd/www.sitename.tld/.htpasswd;

    include snippets/proxy.conf;

    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://wordpress-varnish;
  }

  location / {
    include snippets/cache.conf;
    include snippets/proxy.conf;

    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://wordpress-varnish;
  }
}

# Varnish Server
server {
  listen 8080;
  listen [::]:8080;
  server_name www.sitename.tld;

  root /var/www/www.sitename.tld;
  index index.php;

  access_log off;
  log_not_found off;

  autoindex off;
  error_page 403 =404;

  gzip off;

  location / {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  # PHP
  location ~ \.php(/.*)?$ {
    try_files $uri /index.php$is_args$args;
    include snippets/fastcgi-php.conf;
  }

  # Avoid php readfile()
  location ^~ /uploads {
    internal;
    alias /var/www/www.sitename.tld/wp-content/uploads ;
    access_log off;
    log_not_found off;
    expires max;
  }
}
	# Varnish Upstream with NGINX Fallback
	upstream wordpress-varnish {
	server 127.0.0.1:6081 weight=5 max_fails=1 fail_timeout=5s;
	server 127.0.0.1:8080 backup;
	}

	# HTTPS Server
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name www.sitename.tld;

	# SSL Configuration
	ssl_certificate /etc/letsencrypt/live/www.sitename.tld/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.sitename.tld/privkey.pem;

	# Whitelist
	location ~ /wp-admin/admin-ajax\.php$ {
	include snippets/proxy.conf;

	proxy_set_header X-Forwarded-Proto https;
	proxy_pass http://wordpress-varnish;
	}

	# Append trailing slash
	location ~ ^/wp-admin$ {
	rewrite ^([^.]*[^/])$ $1/ permanent;
	}

	# Password Protection
	location ~ /wp-login\.php$\|^/wp-admin\|^/install\|/readme\.html\|/liesmich\.html\|/license\.txt\|/wp-activate\.php$\|/wp-config\.php$\|/wp-cron\.php$\|/wp-login\.php$\|/wp-settings\.php$\|/wp-signup\.php$ {
	auth_basic "Bitte anmelden";
	auth_basic_user_file /var/www/htpasswd/www.sitename.tld/.htpasswd;

	include snippets/proxy.conf;

	proxy_set_header X-Forwarded-Proto https;
	proxy_pass http://wordpress-varnish;
	}

	location / {
	include snippets/cache.conf;
	include snippets/proxy.conf;

	proxy_set_header X-Forwarded-Proto https;
	proxy_pass http://wordpress-varnish;
	}
	}

	# Varnish Server
	server {
	listen 8080;
	listen [::]:8080;
	server_name www.sitename.tld;

	root /var/www/www.sitename.tld;
	index index.php;

	access_log off;
	log_not_found off;

	autoindex off;
	error_page 403 =404;

	gzip off;

	location / {
	try_files $uri $uri/ /index.php$is_args$args;
	}

	# PHP
	location ~ \.php(/.*)?$ {
	try_files $uri /index.php$is_args$args;
	include snippets/fastcgi-php.conf;
	}

	# Avoid php readfile()
	location ^~ /uploads {
	internal;
	alias /var/www/www.sitename.tld/wp-content/uploads ;
	access_log off;
	log_not_found off;
	expires max;
	}
	}