Konfigurasi nginx untuk wordpress https://blog.sumarsono.com
# /etc/nginx/conf.d/blog.sumarsono.com.conf
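server {
    server_name blog.sumarsono.com;
    root /var/www/html/blog;
    index index.php index.html index.htm;

    # Upload ceiling for the whole vhost. Keep it in step with PHP's
    # upload_max_filesize / post_max_size, otherwise large uploads fail with
    # an nginx 413 on one side or a PHP error on the other.
    client_max_body_size 100M;

    # Do not advertise the nginx version in the Server header / error pages.
    server_tokens off;

    # Baseline response hardening for everything this vhost serves.
    # NOTE: add_header is NOT inherited into a location that sets its own
    # add_header (the CORS rule for fonts/css/js in the shared include does),
    # so those responses will not carry these headers.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    # Port 80 already redirects this host to HTTPS, so HSTS is consistent with
    # the setup; it is sticky in browsers, so it is left for the operator to
    # enable deliberately:
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # The shared deny rules MUST stay ahead of the PHP handler below. Regex
    # locations are matched in file order and the first match wins, so the
    # "deny all" rules for .php under uploads/wp-content/wp-includes only take
    # effect because they are seen before "location ~ \.php$".
    include /etc/nginx/default.d/global_wordpress.conf;

    location / {
        # Pretty permalinks: anything that is not an existing file or
        # directory is routed to the WordPress front controller, query
        # string preserved.
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Only hand PHP-FPM files that really exist. Without this,
        # /uploads/x.jpg/y.php would be passed through and, with
        # cgi.fix_pathinfo=1, PHP would execute x.jpg as a script.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/blog.sumarsono.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.sumarsono.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}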
# Plain-HTTP listener, written by Certbot's nginx installer. Requests for this
# host get a permanent redirect to HTTPS; any other Host header that lands
# here (possible if this is the default port-80 server) gets a 404 rather
# than a redirect. Certbot may rewrite this block when re-run, so site
# changes belong in the 443 server block, not here.
server {
if ($host = blog.sumarsono.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name blog.sumarsono.com;
return 404; # managed by Certbot
}
# /etc/nginx/default.d/global_wordpress.conf
# Global restrictions configuration file.
# Designed to be included in any server {} block.
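# favicon.ico is requested by every browser; keep a missing one out of the logs.
location = /favicon.ico {
    log_not_found off;
    access_log off;
}

# robots.txt: serve a physical file if one exists, otherwise let WordPress
# answer it (core emits a virtual robots.txt when no file is present, and
# plugins hook into that output).
# try_files semantics: every parameter except the LAST is checked as a file on
# disk, and only the last one is an internal redirect. Putting
# "/index.php?$args" in the middle of the list therefore never reached
# WordPress -- it was looked up as a literal filename, failed, and the request
# always fell through to a hard-coded @robots fallback. Making index.php the
# final parameter fixes that and makes the separate fallback unnecessary.
location = /robots.txt {
    try_files $uri $uri/ /index.php?$args;
    access_log off;
    log_not_found off;
}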
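# Deny dotfiles (.htaccess, .htpasswd, .git, .env, .DS_Store, ...) except
# /.well-known/, which ACME HTTP-01 validation needs to reach.
# Requests are deliberately still logged so they can be fed to fail2ban or
# similar. Regex locations are first-match in file order: a later,
# unconditional "location ~ /\." would silently override this exception, so
# this must remain the only dotfile rule.
location ~ /\.(?!well-known\/) {
    deny all;
}

# Never let PHP-FPM execute anything under an upload directory -- the classic
# "upload a .php disguised as an image" route to code execution.
# Case-insensitive so Evil.PHP is caught too. Covers single-site
# (/wp-content/uploads/), sub-directory installs and multisite (/files/).
# This regex wins over the plain "/wp-content/uploads" prefix location (a
# matching regex beats a prefix match), so the former nested
# "location /wp-content/uploads { location ~ \.php$ { deny all; } }" was
# redundant and is folded into this single rule.
# It must be included ahead of the server's "location ~ \.php$" handler.
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}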
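##########
## Login endpoint: rate-limited to slow credential stuffing. Requires a zone
## named "one" declared in the http{} context of nginx.conf, for example
##   limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
## nginx refuses to start if the zone does not exist.
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    ## An exact-match location bypasses the server's "location ~ \.php$",
    ## so the FastCGI settings have to be repeated here.
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    ## older nginx versions use: include fastcgi_params
    include fastcgi.conf;
}

## Dotfiles are already denied by the earlier "location ~ /\.(?!well-known\/)"
## rule in this file, which keeps /.well-known/ open for ACME challenges and
## keeps the requests logged. The unconditional "location ~ /\." that used to
## sit here matched /.well-known/... (the only dotfile path the earlier rule
## lets through) and denied it, breaking HTTP-01 renewals; it is removed.

## block XML-RPC (brute-force amplification via system.multicall, pingback
## abuse). NOTE: this also breaks Jetpack, the WordPress mobile apps and
## anything else that talks XML-RPC.
location = /xmlrpc.php {
    deny all;
}

## wp-config.php holds DB credentials and the auth salts. The exact match
## protects the live file; the regex additionally catches editor/backup copies
## (wp-config.php~, wp-config.php.bak, wp-config.php.save, ...). Those do not
## end in ".php", so they never reach PHP-FPM and would otherwise be served
## verbatim as static files by the server's "try_files $uri".
location = /wp-config.php {
    deny all;
}
location ~* /wp-config\.php {
    deny all;
}

## block files that disclose the core/plugin/theme version (readme.html,
## license.txt, plugin readme.txt). Unanchored on purpose so readmes inside
## wp-content/plugins and themes are covered as well.
location ~* (licence|readme|license)\.(html|txt) {
    deny all;
}

## deny direct execution of PHP under uploads, wp-content and wp-includes.
## WordPress core is driven through index.php, wp-admin/ and wp-login.php;
## direct hits on .php files in these trees are a common web-shell / exploit
## vector. NOTE: a few plugins expect direct requests to their own .php
## files and will need an explicit exception.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
    deny all;
}

## allow cross-origin loading of fonts/assets (Firefox and IE refuse
## cross-domain fonts otherwise, e.g. when served from a CDN hostname).
## NOTE: an add_header inside a location discards every add_header inherited
## from the server{} block for these responses (security headers included).
## This rule precedes the static-asset rule below, so .js/.css/.svg requests
## match here first and keep normal access logging.
location ~ \.(eot|ttf|ttc|otf|woff|woff2|svg|css|js)$ {
    add_header Access-Control-Allow-Origin "*";
}

## static assets: only logging is adjusted here. No expires/Cache-Control is
## set; add an "expires" directive if browser caching is wanted.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|mp4|svg|svgz|ogg|ogv|webm|htc)$ {
    log_not_found off;
    access_log off;
}

## error pages are served from the nginx default docroot, not the WordPress
## root, so a broken PHP-FPM backend still yields a static 50x page.
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root /usr/share/nginx/html;
}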