headless WordPress with Nginx and Bedrock setup (many thanks to https://www.digitalocean.com/community/tools/nginx)
# Cache lifetime per response Content-Type; consumed by `expires $expires;`
# in the server block.  Entries without `~` are exact matches against the
# media type; `~image/` is a regex so it covers every image subtype.
map $sent_http_content_type $expires {
    default                 off;
    # HTML must always be revalidated (Expires in the past, no-cache).
    text/html               epoch;
    # Stylesheets and scripts: one month.
    text/css                30d;
    application/javascript  30d;
    # Images and fonts: `max` (Expires 2037, Cache-Control 10 years).
    ~image/                 max;
    image/x-icon            max;
    font/woff               max;
    font/woff2              max;
    application/font-woff2  max;
}
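server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name domain.org www.domain.org;

    # Bedrock layout: the document root is web/, WordPress core lives in web/wp/.
    root /var/www/html/domain.org/web;
    index index.php index.html index.htm;

    expires $expires;
    # NOTE(review): http2_idle_timeout is obsolete in nginx 1.19.7+ (keepalive_timeout
    # covers HTTP/2 there); drop it if `nginx -t` rejects it.
    http2_idle_timeout 5m;

    access_log /var/log/nginx/domain_access.log combined buffer=32k flush=60;
    error_log /var/log/nginx/domain_error.log error;

    ssl_certificate /etc/letsencrypt/live/domain.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.org/privkey.pem; # managed by Certbot
    # Chain used by ssl_stapling_verify (configured in nginx.conf).
    ssl_trusted_certificate /etc/letsencrypt/live/domain.org/fullchain.pem;

    # The proxy_cookie_path / proxy_set_header / proxy_pass_header directives
    # that used to be here only act on responses relayed through proxy_pass.
    # PHP is reached via fastcgi_pass below, so they never took effect; the
    # Secure/HttpOnly/SameSite cookie attributes must be set by WordPress /
    # PHP-FPM themselves.

    # Security and CORS headers at server level so every location inherits
    # them, including the `\.php$` handler that try_files hands WordPress
    # requests to (with the include only inside `location /`, dynamic pages
    # got none of them).  A location that declares its own add_header, as the
    # asset locations in snippets/general.conf do, drops the inherited set and
    # has to re-include this file if it needs them.
    include snippets/headers.conf;

    # Rewrites for Bedrock (core is served from /wp/).
    rewrite /wp-admin$ $scheme://$host$uri/ last;
    rewrite ^/(wp-.*\.php)$ /wp/$1 last;
    rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last;

    location / {
        try_files $uri $uri/ /wp$uri/ /wp/index.php?$query_string;
    }

    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Regex locations are tried in order of appearance and the first match
    # wins.  The deny rules in snippets/wordpress.conf therefore have to be
    # declared BEFORE the generic `\.php$` handler; declared after it, requests
    # such as /app/uploads/x.php or /wp/wp-config.php reached PHP-FPM instead
    # of being denied.  general.conf stays ahead of wordpress.conf so the
    # existing precedence of the asset locations is unchanged.
    include snippets/general.conf;
    include snippets/wordpress.conf;

    # make sure you use your own PHP settings, it might be a different config than mine
    location ~ \.php$ {
        # fastcgi-php.conf is expected to carry the
        # `try_files $fastcgi_script_name =404;` guard against path-info
        # tricks (/x.jpg/y.php) — confirm in the snippet on this host.
        include fastcgi-php.conf;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}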
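# Plain-HTTP listener: only redirects to HTTPS and serves no files, so it
# needs no `root` (the previous `root /var/www/html/bookstore/web;` pointed at
# another site's tree and was never consulted by `return`).
server {
    listen 80;
    listen [::]:80;
    server_name domain.org www.domain.org;
    return 301 https://$host$request_uri;
}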
# favicon.ico: serve it if present, otherwise answer 204 instead of a logged 404.
location = /favicon.ico {
    try_files /favicon.ico =204;
    access_log    off;
    log_not_found off;
}
# robots.txt: served like any other file from the root, just without log noise.
location = /robots.txt {
    access_log    off;
    log_not_found off;
}
# Static assets and media.
# nginx's add_header is not additive across levels: the add_header lines in
# this location replace the whole inherited set, so headers declared at
# server level (e.g. X-Content-Type-Options from snippets/headers.conf) are
# not sent with these responses unless that file is included here as well.
location ~* \.(?:css(\.map)?|js(\.map)?|webp|jpe?g|png|gif|ico|cur|heic|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
    access_log off;
    expires    33d;
    add_header Pragma "public";
    add_header Cache-Control "public";
    etag       on;
    add_header Vary "Accept-Encoding, Cookie";
    # Prefer a pre-compressed .gz sibling when one exists.
    gzip_static on;
}
# SVG, web fonts and the web manifest.
# The wildcard Access-Control-Allow-Origin is the usual choice for fonts
# (no credentials are involved).  As in the asset location above, these
# add_header lines replace any headers inherited from the server level.
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?|webmanifest)$ {
    add_header Access-Control-Allow-Origin "*";
    expires    365d;
    add_header Pragma "public";
    add_header Cache-Control "public";
    access_log off;
    etag       on;
    add_header Vary "Accept-Encoding, Cookie";
    gzip_static on;
}
# Compression.  These are server-level directives because this snippet is
# included inside server {}.  text/html is always compressed; the list below
# adds the other text-like types.
# NOTE(review): compressing responses that mix attacker-influenced input
# with secrets (nonces, tokens) over TLS exposes them to BREACH-style length
# probing — worth weighing for authenticated API/JSON responses.
gzip              on;
gzip_vary         on;
gzip_proxied      any;
gzip_comp_level   6;
gzip_buffers      16 8k;
gzip_http_version 1.1;
gzip_disable      "msie6";
gzip_types        text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
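# Response headers shared by every location that includes this file.
# add_header is not additive across levels: a location that declares any
# add_header of its own silently drops everything declared here.

# CORS.  $cors_origin_header and $cors_cred come from the maps in nginx.conf;
# an empty value makes add_header omit the header.  Because the allowed
# origin depends on the request, responses must carry `Vary: Origin` or a
# shared cache could hand one origin's response to another.
add_header Access-Control-Allow-Origin $cors_origin_header;
add_header Access-Control-Allow-Credentials $cors_cred;
add_header Vary Origin;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";

# Hardening.  `always` makes nginx add the header on error responses too.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
# The legacy XSS auditor is disabled explicitly: browsers have removed it,
# and its filtering mode enabled cross-site leaks, so "0" is the recommended
# value (was "1; mode=block").
add_header X-XSS-Protection "0" always;
# Expect-CT's report-uri is a quoted-string and must use double quotes to be
# parsed; the previous value used single quotes around the URI.
add_header Expect-CT 'enforce, max-age=1200, report-uri="https://domain.dev/"';
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# `add_header Last-Modified $date_gmt;` was removed: $date_gmt is the current
# time, so it stamped every response as just-modified and added a second
# Last-Modified header to static files that already carry a real one,
# defeating If-Modified-Since revalidation.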
# Main context.
user www-data;
# Match the CPU core count (`auto` does the same).
worker_processes 8;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 65535;
    # Accept every pending connection per wake-up instead of one at a time.
    multi_accept on;
}
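http {
    charset utf-8;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # CORS allow-list.  $cors_origin_header echoes the request Origin back when
    # it matches and is empty otherwise (add_header then omits the header).
    # $http_origin is attacker-controlled, so every pattern is anchored and the
    # dots in host names are escaped — unescaped, `domain.org` also matched
    # `domainXorg`.  The former `hostnames;` only affects non-regex entries and
    # was dropped.
    map $http_origin $cors_origin_header {
        default "";
        # NOTE(review): localhost on any port, over plain http, with
        # credentials enabled below — presumably for local development; on a
        # production host any program on a user's machine could make
        # credentialed calls against the API.  Remove it there.
        "~^(https?://)?localhost(:[0-9]{1,4})?$" $http_origin;
        "~^https?://(www\.)?domain\.build$"      $http_origin;
        "~^https://(www\.)?domain\.org$"         $http_origin;
        "~^https://(www\.)?domain2\.org$"        $http_origin;
        "~^https://(www\.)?subdomain\.domain\.org$" $http_origin;
    }
    # Credentials are allowed exactly when the origin was accepted above, so
    # the two allow-lists can no longer drift apart.
    map $cors_origin_header $cors_cred {
        default "true";
        ""      "false";
    }

    # Basic Settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 75;
    types_hash_max_size 8192;
    server_names_hash_bucket_size 128;
    server_names_hash_max_size 8192;
    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:12m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/certs/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ssl_buffer_size 4k;
    # TLS 1.3 0-RTT stays off: early-data requests are replayable, and nothing
    # here forwards $ssl_early_data to PHP so WordPress cannot reject them.
    ssl_early_data off;
    # The 3DES (DES-CBC3) suites were removed from the list: 64-bit block
    # ciphers are exposed to SWEET32 and no TLS 1.2 client needs them.
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS";
    # Safe curves
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;

    # OCSP Stapling (ssl_trusted_certificate is set per server block)
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolvers used for OCSP lookups: Cloudflare, Google and OpenDNS.
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # Logging Settings
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # File metadata cache
    ##
    open_file_cache max=16536 inactive=8m;
    open_file_cache_valid 2m;
    open_file_cache_min_uses 1;
    open_file_cache_errors off;

    ##
    # Client request settings
    ##
    client_body_buffer_size 1m;
    client_header_buffer_size 4k;
    # Large uploads are accepted; per-location limits can tighten this.
    client_max_body_size 512M;
    reset_timedout_connection on;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_read_timeout 120;

    # DoS Protection: define a zone here and apply `limit_req` to the
    # login/admin locations (see the commented block in wordpress.conf).
    # limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    # sites
    include /etc/nginx/sites-enabled/*;
}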
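# WordPress/Bedrock: never serve or execute script-like files under /app/
# (themes, plugins, mu-plugins, uploads).  The former separate rule for
# /app/uploads/ was a strict subset of this pattern and has been folded in.
# Regex locations are matched in order of appearance and the first match
# wins: this file must be included before the `\.php$` handler for the php
# case to take effect, and when snippets/general.conf (whose asset location
# also matches .css/.js) is included ahead of this file, as in the site
# config, those two extensions are served by it rather than denied here.
location ~* ^/app/.*\.(?:s?html?|php|js|swf|log)$ {
    deny all;
}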
# WordPress: nothing under /app/plugins is reachable over HTTP.
# Because regex locations are first-match in file order, what this actually
# blocks depends on what is declared before it: with general.conf's asset
# location ahead of this file, plugin css/js/images are still served and only
# the remaining extensions (notably .php) are denied here.
location ~ ^/app/plugins {
    deny all;
}
# WordPress core files that must never be fetched directly: configuration
# (and its sample), the OPML/comment endpoints, and readme/license files that
# reveal the installed version.
location ~* ^/wp/(?:wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
    deny all;
}
# Deny dotfiles and dot-directories anywhere in the path (.htaccess,
# .htpasswd, .git, .DS_Store, ...) except /.well-known/, which ACME and
# similar protocols need.
location ~ /\.(?!well-known\/) {
    deny all;
}
# Self-registration is not offered; send wp-signup.php to the account page.
# (The capture group the pattern used to have was never referenced.)
location ~ ^/wp/wp-signup\.php {
    return 301 https://domain.org/my-account;
}
# Core directories with no legitimate direct entry points.
location ~ ^/wp/wp-admin/includes                   { deny all; }
location ~ ^/wp/wp-includes/theme-compat/           { deny all; }
location ~ ^/wp/wp-includes/js/tinymce/langs/.*.php { deny all; }
# `internal` returns 404 to external clients while rewrites and try_files
# can still reach the directory.
location ~ ^/wp/wp-includes/                        { internal; }

# throttle wp-admin requests (needs the limit_req_zone in nginx.conf).
# Like the deny rules above, this must be declared before the site's
# `\.php$` location to be reached; note the socket name here (php7.3) differs
# from the site config (php7.4).
# location ~* /wp/wp-admin/ {
#     limit_req zone=one burst=3 nodelay;
#     limit_req_status 444;
#     include fastcgi_params;
#     include snippets/fastcgi-php.conf;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# }
# Serve a pre-generated .webp sibling of a jpg/png/gif when the client
# accepts it.  The first two `if` blocks only `set` a flag — the one pattern
# that is safe inside `if` — and the flag reaches "AB" only when both the
# client accepts webp and the sibling file exists.
# NOTE(review): in the site config the asset location from general.conf
# (which also matches jpe?g|png|gif) is declared before this file, and regex
# locations are first-match, so this location is shadowed there.
location ~* ^(/.+)\.(jpg|jpeg|jpe|png|gif)$ {
    add_header Vary Accept;
    if ($http_accept ~* "webp") {
        set $imwebp A;
    }
    if (-f $request_filename.webp) {
        set $imwebp "${imwebp}B";
    }
    if ($imwebp = AB) {
        # The rewritten URI is re-matched against the locations once the
        # rewrite phase ends; `rewrite ... last` is the form nginx documents
        # as safe inside `if`.
        rewrite ^(.*) $1.webp;
    }
}