Nginx Server Configuration - WordPress
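# WordPress vhost. _DOMAIN_ and _USER_ are substituted per site.
#
# Ordering note: nginx tests regex locations (~ / ~*) in the order they are
# written and the first match wins, and a matching regex beats any prefix
# location that lacks ^~. The deny / neutralise blocks are therefore written
# BEFORE the PHP and static-asset handlers; with the handlers first, a request
# such as /wp-content/uploads/x.php matches "location ~ \.php$" and is executed
# by PHP-FPM, and /wp-config.php is likewise handed to PHP before any deny.
server {
    server_name _DOMAIN_;
    root        /home/_USER_/www/_DOMAIN_;
    index       index.php;
    charset     utf-8;

    access_log /var/log/nginx/_USER_.access.log;
    error_log  /var/log/nginx/_USER_.error.log;

    # Sitemap URLs are generated by WordPress, not read from disk.
    rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
    rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
    rewrite ^/favicon\.png$ /favicon.ico last;

    # /wp-admin without a trailing slash: redirect so relative admin links resolve.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Report denied resources as 404 so probing does not reveal what exists.
    # Form is "=404 <uri>": the original "= 404" (with a space) parses as a bare
    # "=" followed by the URI "404", which is not a status override at all.
    # /404.html need not exist; the internal redirect still ends in a 404.
    error_page 403 =404 /404.html;

    # ---------------------------------------------------------------- SECURITY
    # These regex blocks must precede the handlers below (see ordering note).

    # Dotfiles (.htaccess, .git, ...) and WordPress files that must never be
    # served. Dots are escaped so "wp-config.php" does not also match e.g.
    # "wp-configXphp". This one block replaces the two former "location ~ /\."
    # blocks: nginx uses the first matching regex, so the second was unreachable.
    # Requests stay in the access log on purpose -- probes for these paths are
    # worth seeing.
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt) {
        deny all;
    }

    # Server-side scripts other than PHP are never legitimate here; 444 closes
    # the connection without a response. "$" must not be written "\$" -- that
    # matches a literal dollar sign and the block never fires.
    location ~* \.(pl|cgi|py|sh|lua)$ {
        return 444;
    }

    # http://blog.bigdinosaur.org/wordpress-on-nginx/
    # Common deny or internal locations, to help prevent access to not-public areas
    location ~* wp-admin/includes { deny all; }
    location ~* wp-includes/theme-compat/ { deny all; }
    location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }

    # Anything uploaded that a browser or PHP could execute is served as plain
    # text instead. Must come before "location ~ \.php$" and the static-asset
    # block, which would otherwise claim .php / .js / .html first.
    location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf)$ {
        types { }
        default_type text/plain;
    }

    # "internal": reachable only via internal redirect. A matching regex still
    # wins over these prefixes, so CSS/JS/images and PHP under these paths are
    # served by the handlers below; files with no regex handler (e.g. .pdf,
    # .woff) return 404 to clients. NOTE(review): confirm that is intended for
    # uploads.
    location /wp-content/  { internal; }
    location /wp-includes/ { internal; }

    # ---------------------------------------------------------------- HANDLERS

    # Long-lived static assets. "expires max" already emits
    # Cache-Control: max-age=..., so only the extra directives are added here
    # (a bare "max-age" with no value is not a valid Cache-Control directive).
    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # PHP via php-fpm. "=404" (no space) is the try_files status form; with a
    # space, "=" is tried as a file name and "404" becomes the fallback URI.
    # Checking the script exists before fastcgi_pass also defeats the
    # "/image.png/foo.php" path-info trick.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm._USER_.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Everything else: real file, directory, or the WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}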
nice script, using part of it.
One question:
First you pass php to fpm
location ~ \.php$ { try_files $uri = 404; include fastcgi_params; fastcgi_pass unix:/var/run/php5-fpm._USER_.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; }
After this you restrict
# Prevent any potentially-executable files in the uploads directory from being executed # by forcing their MIME type to text/plain location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ { types { } default_type text/plain; }
Correct me if I'm wrong, but the second block will not stop PHP from running?