saleebm/domain.org.conf

## domain.org.conf
# Expires map
map $sent_http_content_type $expires {
    default off;
    text/html epoch;
    text/css 30d;
    application/javascript 30d;
    ~image/ max;
    font/woff2 max;
    font/woff max;
    image/x-icon max;
    application/font-woff2 max;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name domain.org www.domain.org;

    proxy_cookie_path / "/; secure; HttpOnly; SameSite=lax";
    proxy_set_header Authorization $http_authorization;
    proxy_pass_header Authorization;

    root /var/www/html/domain.org/web;

    index index.php index.html index.htm;

    expires $expires;

    http2_idle_timeout 5m;

    access_log /var/log/nginx/domain_access.log combined buffer=32k flush=60;
    error_log /var/log/nginx/domain_error.log error;

    # Rewrites for Bedrock
    rewrite /wp-admin$ $scheme://$host$uri/ last;
    rewrite ^/(wp-.*.php)$ /wp/$1 last;
    rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last;

    location / {
        include snippets/headers.conf;
        try_files $uri $uri/ /wp$uri/ /wp/index.php?$query_string;
    }

    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # make sure you use your own PHP settings, it might be a different config than mine
    location ~ \.php$ {
        include fastcgi-php.conf;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    ssl_certificate /etc/letsencrypt/live/domain.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.org/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/domain.org/fullchain.pem; #managed by Coptix

    include snippets/general.conf;
    include snippets/wordpress.conf;
    # headers located in / location block, optionally place here for all locations
    # include snippets/headers.conf;
}
server {
    server_name domain.org www.domain.org;
    listen 80;
    listen [::]:80;
    root /var/www/html/bookstore/web;
    return 301 https://$host$request_uri;
}

## general.conf
# favicon.ico
location = /favicon.ico {
	try_files /favicon.ico =204;
	log_not_found off;
	access_log off;
}

# robots.txt
location = /robots.txt {
	log_not_found off;
	access_log off;
}

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|webp|jpe?g|png|gif|ico|cur|heic|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
	expires 33d;
	access_log off;
	add_header Pragma "public";
	add_header Cache-Control "public";
	etag on;
	add_header Vary "Accept-Encoding, Cookie";
	gzip_static on;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?|webmanifest)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 365d;
	add_header Pragma "public";
	add_header Cache-Control "public";
	access_log off;
	etag on;
	add_header Vary "Accept-Encoding, Cookie";
	gzip_static on;
}

gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_disable "msie6";

## headers.conf
add_header Access-Control-Allow-Origin $cors_origin_header;
add_header Access-Control-Allow-Credentials $cors_cred;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Expect-CT "enforce, max-age=1200, report-uri='https://domain.dev/'";
add_header Last-Modified $date_gmt;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

## nginx.conf
user www-data;
worker_processes 8; # or auto but set = cpu cores
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
##/* needed to add this comment for syntax highlighting... */
events {
    multi_accept on;
    worker_connections 65535;
}
http {
    charset utf-8;
    # map for headers
    map $http_origin $cors_origin_header {
        hostnames;
        default "";
        "~(^|^https?:\/\/)(localhost$|localhost:[0-9]{1,4}$)" $http_origin;
        "~^https?://(www\.)?domain.build$" $http_origin;
        "~^https://(www\.)?domain.org$" $http_origin;
        "~^https://(www\.)?domain2.org$" $http_origin;
        "~^https://(www\.)?subdomain.domain.org$" $http_origin;
    }

    map $http_origin $cors_cred {
        hostnames;
        default "false";
        "~(^|^https?:\/\/)(localhost$|localhost:[0-9]{1,4}$)" "true";
        "~^https?://(www\.)?domain.build$" "true";
        "~^https://(www\.)?domain.org$" "true";
        "~^https://(www\.)?domain2.org$" "true";
        "~^https://(www\.)?subdomain.domain.org$" "true";
    }
    # Basic Settings
    ## ##
    sendfile on;
    server_tokens on;
    # SSL Settings
    ssl_session_cache shared:SSL:12m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/certs/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ssl_buffer_size 4k;
    ssl_early_data on;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    # Safe curves
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    # Logging Settings
    ## ##
    access_log /var/log/nginx/access.log;
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # google for DNS lookup
	  resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;
    server_names_hash_bucket_size 128;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 75;
    types_hash_max_size 8192;
    default_type application/octet-stream;
    error_log /var/log/nginx/error.log;
    ##
    # File metadata cache
    ##
    open_file_cache max=16536 inactive=8m;
    open_file_cache_valid 2m;
    open_file_cache_min_uses 1;
    open_file_cache_errors off;
    ##
    # Client request settings
    ##
    client_body_buffer_size 1m;
    client_header_buffer_size 4k;
    client_max_body_size 512M;
    reset_timedout_connection on;
    server_names_hash_max_size 8192;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_read_timeout 120;
    # DoS Protection set zone
    # opt to limit request in zone, see wordpress.conf
    # limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    #sites
    include /etc/nginx/mime.types;
    include /etc/nginx/sites-enabled/*;
}

## wordpress.conf
# WordPress: deny app nasty files
location ~* ^/app/.*\.(?:s?html?|php|js|swf|log)$ {
    deny all;
}
# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/app/uploads/.*\.(?:s?html?|php|js|swf|log)$ {
    deny all;
}
# WordPress: deny plugins (except earlier rules)
location ~ ^/app/plugins {
    deny all;
}
# WordPress: deny general stuff
location ~* ^/wp/(?:wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
    deny all;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac) except for well-known
location ~ /\.(?!well-known\/) {
    deny all;
}
location ~ ^/wp/(wp-signup\.php) {
    return 301 https://domain.org/my-account;
}
location ~ ^/wp/wp-admin/includes { deny all; }
location ~ ^/wp/wp-includes/theme-compat/ { deny all; }
location ~ ^/wp/wp-includes/js/tinymce/langs/.*.php { deny all; }
location ~ ^/wp/wp-includes/ { internal; }
# throttle wp-admin requests
# location ~* /wp/wp-admin/ {
#     limit_req zone=one burst=3 nodelay;
#     limit_req_status 444;
#     include fastcgi_params;
#     include snippets/fastcgi-php.conf;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# }
location ~* ^(/.+)\.(jpg|jpeg|jpe|png|gif)$ {
    add_header Vary Accept;

    if ($http_accept ~* "webp"){
        set $imwebp A;
    }
    if (-f $request_filename.webp) {
        set $imwebp  "${imwebp}B";
    }
    if ($imwebp = AB) {
        rewrite ^(.*) $1.webp;
    }
}
	# Expires map
	map $sent_http_content_type $expires {
	default off;
	text/html epoch;
	text/css 30d;
	application/javascript 30d;
	~image/ max;
	font/woff2 max;
	font/woff max;
	image/x-icon max;
	application/font-woff2 max;
	}

	server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	server_name domain.org www.domain.org;

	proxy_cookie_path / "/; secure; HttpOnly; SameSite=lax";
	proxy_set_header Authorization $http_authorization;
	proxy_pass_header Authorization;

	root /var/www/html/domain.org/web;

	index index.php index.html index.htm;

	expires $expires;

	http2_idle_timeout 5m;

	access_log /var/log/nginx/domain_access.log combined buffer=32k flush=60;
	error_log /var/log/nginx/domain_error.log error;

	# Rewrites for Bedrock
	rewrite /wp-admin$ $scheme://$host$uri/ last;
	rewrite ^/(wp-.*.php)$ /wp/$1 last;
	rewrite ^/(wp-(content\|admin\|includes).*) /wp/$1 last;

	location / {
	include snippets/headers.conf;
	try_files $uri $uri/ /wp$uri/ /wp/index.php?$query_string;
	}

	location = /50x.html {
	root /usr/share/nginx/html;
	}

	# make sure you use your own PHP settings, it might be a different config than mine
	location ~ \.php$ {
	include fastcgi-php.conf;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	}

	ssl_certificate /etc/letsencrypt/live/domain.org/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/domain.org/privkey.pem; # managed by Certbot
	ssl_trusted_certificate /etc/letsencrypt/live/domain.org/fullchain.pem; #managed by Coptix

	include snippets/general.conf;
	include snippets/wordpress.conf;
	# headers located in / location block, optionally place here for all locations
	# include snippets/headers.conf;
	}
	server {
	server_name domain.org www.domain.org;
	listen 80;
	listen [::]:80;
	root /var/www/html/bookstore/web;
	return 301 https://$host$request_uri;
	}
	# favicon.ico
	location = /favicon.ico {
	try_files /favicon.ico =204;
	log_not_found off;
	access_log off;
	}

	# robots.txt
	location = /robots.txt {
	log_not_found off;
	access_log off;
	}

	# assets, media
	location ~* \.(?:css(\.map)?\|js(\.map)?\|webp\|jpe?g\|png\|gif\|ico\|cur\|heic\|tiff?\|mp3\|m4a\|aac\|ogg\|midi?\|wav\|mp4\|mov\|webm\|mpe?g\|avi\|ogv\|flv\|wmv)$ {
	expires 33d;
	access_log off;
	add_header Pragma "public";
	add_header Cache-Control "public";
	etag on;
	add_header Vary "Accept-Encoding, Cookie";
	gzip_static on;
	}

	# svg, fonts
	location ~* \.(?:svgz?\|ttf\|ttc\|otf\|eot\|woff2?\|webmanifest)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 365d;
	add_header Pragma "public";
	add_header Cache-Control "public";
	access_log off;
	etag on;
	add_header Vary "Accept-Encoding, Cookie";
	gzip_static on;
	}

	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_disable "msie6";
	add_header Access-Control-Allow-Origin $cors_origin_header;
	add_header Access-Control-Allow-Credentials $cors_cred;
	add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
	add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
	add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";

	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Frame-Options "sameorigin" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header Expect-CT "enforce, max-age=1200, report-uri='https://domain.dev/'";
	add_header Last-Modified $date_gmt;
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
	user www-data;
	worker_processes 8; # or auto but set = cpu cores
	worker_rlimit_nofile 65535;
	pid /run/nginx.pid;
	include /etc/nginx/modules-enabled/*.conf;
	##/* needed to add this comment for syntax highlighting... */
	events {
	multi_accept on;
	worker_connections 65535;
	}
	http {
	charset utf-8;
	# map for headers
	map $http_origin $cors_origin_header {
	hostnames;
	default "";
	"~(^\|^https?:\/\/)(localhost$\|localhost:[0-9]{1,4}$)" $http_origin;
	"~^https?://(www\.)?domain.build$" $http_origin;
	"~^https://(www\.)?domain.org$" $http_origin;
	"~^https://(www\.)?domain2.org$" $http_origin;
	"~^https://(www\.)?subdomain.domain.org$" $http_origin;
	}

	map $http_origin $cors_cred {
	hostnames;
	default "false";
	"~(^\|^https?:\/\/)(localhost$\|localhost:[0-9]{1,4}$)" "true";
	"~^https?://(www\.)?domain.build$" "true";
	"~^https://(www\.)?domain.org$" "true";
	"~^https://(www\.)?domain2.org$" "true";
	"~^https://(www\.)?subdomain.domain.org$" "true";
	}
	# Basic Settings
	## ##
	sendfile on;
	server_tokens on;
	# SSL Settings
	ssl_session_cache shared:SSL:12m;
	ssl_session_timeout 1440m;
	ssl_session_tickets off;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_dhparam /etc/nginx/certs/dhparams.pem;
	ssl_prefer_server_ciphers on;
	ssl_buffer_size 4k;
	ssl_early_data on;
	ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
	# Safe curves
	ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
	# Logging Settings
	## ##
	access_log /var/log/nginx/access.log;
	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	# google for DNS lookup
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;
	server_names_hash_bucket_size 128;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 75;
	types_hash_max_size 8192;
	default_type application/octet-stream;
	error_log /var/log/nginx/error.log;
	##
	# File metadata cache
	##
	open_file_cache max=16536 inactive=8m;
	open_file_cache_valid 2m;
	open_file_cache_min_uses 1;
	open_file_cache_errors off;
	##
	# Client request settings
	##
	client_body_buffer_size 1m;
	client_header_buffer_size 4k;
	client_max_body_size 512M;
	reset_timedout_connection on;
	server_names_hash_max_size 8192;
	fastcgi_buffers 8 16k;
	fastcgi_buffer_size 32k;
	fastcgi_read_timeout 120;
	# DoS Protection set zone
	# opt to limit request in zone, see wordpress.conf
	# limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
	#sites
	include /etc/nginx/mime.types;
	include /etc/nginx/sites-enabled/*;
	}
	# WordPress: deny app nasty files
	location ~* ^/app/.*\.(?:s?html?\|php\|js\|swf\|log)$ {
	deny all;
	}
	# WordPress: deny wp-content/uploads nasty stuff
	location ~* ^/app/uploads/.*\.(?:s?html?\|php\|js\|swf\|log)$ {
	deny all;
	}
	# WordPress: deny plugins (except earlier rules)
	location ~ ^/app/plugins {
	deny all;
	}
	# WordPress: deny general stuff
	location ~* ^/wp/(?:wp-links-opml\.php\|wp-config\.php\|wp-config-sample\.php\|wp-comments-post\.php\|readme\.html\|license\.txt)$ {
	deny all;
	}
	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac) except for well-known
	location ~ /\.(?!well-known\/) {
	deny all;
	}
	location ~ ^/wp/(wp-signup\.php) {
	return 301 https://domain.org/my-account;
	}
	location ~ ^/wp/wp-admin/includes { deny all; }
	location ~ ^/wp/wp-includes/theme-compat/ { deny all; }
	location ~ ^/wp/wp-includes/js/tinymce/langs/.*.php { deny all; }
	location ~ ^/wp/wp-includes/ { internal; }
	# throttle wp-admin requests
	# location ~* /wp/wp-admin/ {
	# limit_req zone=one burst=3 nodelay;
	# limit_req_status 444;
	# include fastcgi_params;
	# include snippets/fastcgi-php.conf;
	# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	# fastcgi_pass unix:/run/php/php7.3-fpm.sock;
	# }
	location ~* ^(/.+)\.(jpg\|jpeg\|jpe\|png\|gif)$ {
	add_header Vary Accept;

	if ($http_accept ~* "webp"){
	set $imwebp A;
	}
	if (-f $request_filename.webp) {
	set $imwebp "${imwebp}B";
	}
	if ($imwebp = AB) {
	rewrite ^(.*) $1.webp;
	}
	}