# example WordPress configuration for Nginx as used on kevinworthington.com.
# Ubuntu 14.04.4, PHP 5.5.9, MySQL 5.5.49, Nginx 1.10.0. Last updated 24 May 2016 - Kevin Worthington

# Catch-all for plain HTTP: a request whose Host header matches none of the
# named servers below lands here and the connection is closed without a
# response (nginx's non-standard 444), so unconfigured names are never served.
server {
    listen      80 default_server;
    server_name _;
    return      444;
}
# For NGINX AMPLIFY: loopback-only status endpoint read by the local agent.
server {
    listen      127.0.0.1:80 default_server;
    server_name 127.0.0.1;

    # stub_status exposes connection counters; the allow/deny pair limits it
    # to the loopback address, and order matters (allow is evaluated first).
    location /nginx_status {
        stub_status on;
        allow       127.0.0.1;
        deny        all;
    }
}
# Plain-HTTP entry point for the site names: hand every request to HTTPS,
# keeping the requested host and path. $host is bounded to the two names
# listed here because unmatched Host headers are swallowed by the 444
# default server above.
server {
    listen      80;
    server_name kevinworthington.com www.kevinworthington.com;
    return      301 https://$host$request_uri;
}
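server {
    # 'http2' requires nginx 1.9.5+. If using older nginx, replace with 'spdy'.
    listen      443 ssl http2 reuseport default_server;
    server_name kevinworthington.com 107.170.152.203;

    # HSTS. If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version.
    # NOTE: add_header is NOT inherited into a location that declares its own
    # add_header, so the css/js and static-file locations below repeat it.
    add_header Strict-Transport-Security 'max-age=31536000';

    ssl_prefer_server_ciphers on;
    # This requires strong forward secrecy (ECDHE) for all connections.
    # However, it blocks IE8+XP and Android 2.3.
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    # Uncomment to require strong forward secrecy (ECDHE) in most clients, with a
    # non-FS exception (DES-CBC3-SHA) for IE8/XP, and plain DHE for Android 2.3 users.
    # ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

    # Allows all modern and legacy clients to connect over TLS.
    # TLSv1 and TLSv1.1 have since been formally deprecated (RFC 8996, 2021);
    # drop them once the legacy clients named below no longer matter.
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    # Uncomment for only the latest TLS, if you can drop IE8-IE10 and Android 4.3.
    # ssl_protocols TLSv1.2;

    # Turn on session resumption, using a 10 min cache shared across nginx processes,
    # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout   70;

    # OCSP stapling: nginx will poll the CA for signed OCSP responses, and
    # send them to clients so clients don't make their own OCSP calls.
    #
    # The ssl_trusted_certificate is a chain of intermediates *including* the
    # root certificate, and *excluding* the cert for your domain.
    #
    # See https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx
    ssl_stapling        on;
    ssl_stapling_verify on;
    # Resolver used for the OCSP lookups (plain DNS to public resolvers).
    resolver            8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout    10;
    ssl_certificate         /etc/letsencrypt/live/kevinworthington.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/kevinworthington.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/kevinworthington.com/unified.pem;

    server_tokens           off;
    autoindex               off;
    client_max_body_size    15m;
    client_body_buffer_size 128k;

    # WordPress needs to be in the webroot of /var/www/kevinworthington.com in this case
    root      /var/www/kevinworthington.com;
    index     index.html index.htm index.php;
    try_files $uri $uri/ /index.php?q=$uri&$args;

    # Define default caching of 24h
    expires    86400s;
    add_header Pragma public;
    add_header Cache-Control "max-age=86400, public, must-revalidate, proxy-revalidate";

    # Deliver 404 instead of 403 "Forbidden".
    # The form used before, "error_page 403 = 404;" (space after '='), makes
    # "404" the redirect URI rather than the response code, so nginx answered
    # the 403 with a redirect instead. "=404" forces the status and hands the
    # request to WordPress' front controller, which renders its own 404 page.
    error_page 403 =404 /index.php;

    # Do not allow access to files giving away your WordPress version.
    # WordPress ships "license.txt" (American spelling); both spellings are
    # matched so the rule is not silently a no-op. Dots are escaped so the
    # pattern matches only the literal file names.
    # NOTE: this also returns 404 for any "/." path, including /.well-known/;
    # if Let's Encrypt renewals use the http-01 webroot method, add an exact
    # location for /.well-known/acme-challenge/ ahead of this one.
    location ~ /(\.|wp-config\.php|readme\.html|licen[cs]e\.txt) {
        return 404;
    }

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Don't log robots.txt requests
    location = /robots.txt {
        allow         all;
        log_not_found off;
        access_log    off;
    }

    # Rewrite for versioned CSS+JS via filemtime
    location ~* ^.+\.(css|js)$ {
        rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
        expires       31536000s;
        access_log    off;
        log_not_found off;
        add_header    Pragma public;
        add_header    Cache-Control "max-age=31536000, public";
        # Repeated: a location-level add_header replaces the server-level set.
        add_header    Strict-Transport-Security 'max-age=31536000';
    }

    # Aggressive caching for static files
    # If you alter static files often, please use
    # add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    location ~* \.(avi|doc|docx|eot|exe|gif|gz|gzip|jpg|jpeg|jpe|mdb|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        expires       31536000s;
        access_log    off;
        log_not_found off;
        add_header    Pragma public;
        add_header    Cache-Control "max-age=31536000, public";
        # Repeated: a location-level add_header replaces the server-level set.
        add_header    Strict-Transport-Security 'max-age=31536000';
    }

    # Block PHP files in uploads, files, content, and includes directories.
    # This MUST come before the FastCGI location: regex locations are tried in
    # the order written and the first match wins, so these denies were dead
    # when they followed it (the FastCGI regex only excludes /uploads/ itself,
    # so /files/, /wp-content/ and /wp-includes/ PHP was being executed).
    # The three per-directory blocks this replaces were all subsumed by this
    # combined pattern. Caveat: plugins or themes that expect direct requests
    # to their own .php files under wp-content, and older WordPress releases
    # that load a script from wp-includes/js/tinymce/ directly, need an
    # explicit exception placed above this location.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # pass PHP scripts to Fastcgi listening on Unix socket
    # Do not process them if inside WP uploads directory (the negative
    # lookahead rejects any path with /uploads/ before its first "php"/"inc";
    # the deny location above covers the remaining directories).
    # If using Multisite or a custom uploads directory,
    # please set the */uploads/* directory in the regex below
    location ~* (^(?!(?:(?!(php|inc)).)*/uploads/).*?(php)) {
        # "=404" with no space: only a URI that maps to an existing file is
        # handed to PHP-FPM; anything else gets a 404 here. The earlier
        # "= 404" form made "404" a fallback URI, which only reached a 404
        # indirectly via the server-level try_files.
        try_files $uri =404;
        # Dot escaped so only a literal ".php" splits the script from PATH_INFO.
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        # /var/run/php5-fpm.sock
        # old PHP 5:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        # PHP 7.0 (buggy?) fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_intercept_errors      on;
        fastcgi_ignore_client_abort   off;
        fastcgi_connect_timeout       60;
        fastcgi_send_timeout          180;
        fastcgi_read_timeout          180;
        fastcgi_buffer_size           128k;
        fastcgi_buffers               4 256k;
        fastcgi_busy_buffers_size     256k;
        fastcgi_temp_file_write_size  256k;
    }

    # Deny access to hidden files. The 404 location near the top already
    # matches every "/." path, so this is reached only if that one is removed;
    # kept as a second layer.
    location ~ /\. {
        deny          all;
        access_log    off;
        log_not_found off;
    }

    # nginx connection counters, restricted to loopback like /nginx_status in
    # the AMPLIFY server. Previously the allow/deny lines were commented out,
    # which left stub_status readable by any client. If a remote monitor polls
    # this, add its address as a further "allow" before "deny all".
    location /server-status {
        # copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
        stub_status on;
        access_log  off;
        allow       127.0.0.1;
        deny        all;
    }
}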
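# Redirect all www. queries to non-www
# Change in case your site is to be available at "www.kevinworthington.com"
server {
    listen      443 ssl http2;
    server_name www.kevinworthington.com;

    # NOTE(review): ssl_certificate / ssl_certificate_key are per-server and
    # are not inherited from the apex server above. Unless they are declared
    # at http level in a file not shown here, this server needs its own pair
    # (the same Let's Encrypt files work if the certificate's names include
    # the www host) — confirm against the running configuration.

    # HSTS is also per-server; sending it here pins the www name to HTTPS as
    # well, so a later http://www.... request is upgraded by the browser
    # before it is ever sent.
    add_header Strict-Transport-Security 'max-age=31536000';

    # "return" is the idiomatic form for an unconditional redirect. The scheme
    # is fixed to https because this server only listens on 443, and
    # $request_uri already carries the query string — which is what the
    # trailing "?" on the previous rewrite was there to avoid duplicating.
    return 301 https://kevinworthington.com$request_uri;
}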