Nginx Config

fpm.template

[kho]
user = $pool
group = $pool

listen = /run/php/fpm.$pool.sock
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660

;listen.allowed_clients = 127.0.0.1

; process.priority = -19
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.process_idle_timeout = 30s
pm.max_requests = 512
slowlog = /var/log/php/$pool.log.slow
request_slowlog_timeout = 1m
request_slowlog_trace_depth = 20
request_terminate_timeout = 2m

;chroot =
;chdir = /var/www
security.limit_extensions = .php .php3 .php4 .php5 .php7

general.conf

index index.php index.html index.htm index.nginx-debian.html;

# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;

# . files
location ~ /\. {
        deny all;
}

gzip.conf

gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;

nginx.conf

user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 4096;
        multi_accept on;
}

http {
        ##
        # Basic Settings
        ##
        charset utf-8;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 60;
        keepalive_requests 10240;
        types_hash_max_size 2048;
        client_max_body_size 64M;
        client_body_timeout 30;
        reset_timedout_connection on;
        send_timeout 30;

        server_tokens off;
        log_not_found off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        access_log off;
        error_log /var/log/nginx/error.log;

        open_file_cache max=200000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

php.conf

location / {
        try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
        fastcgi_pass                    unix:/var/run/php/fpm.$vuser.sock;
        fastcgi_index                   index.php;
        #fastcgi_split_path_info         ^(.+\.php)(/.+)$;
        fastcgi_intercept_errors        off;
        fastcgi_buffer_size             128k;
        fastcgi_buffers                 256 16k;
        fastcgi_busy_buffers_size       256k;
        fastcgi_temp_file_write_size    256k;

        fastcgi_param  PHP_ADMIN_VALUE    open_basedir=$vroot/:/usr/lib/php/:/tmp/;

        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param  QUERY_STRING       $query_string;
        fastcgi_param  REQUEST_METHOD     $request_method;
        fastcgi_param  CONTENT_TYPE       $content_type;
        fastcgi_param  CONTENT_LENGTH     $content_length;

        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_param  REQUEST_URI        $request_uri;
        fastcgi_param  DOCUMENT_URI       $document_uri;
        fastcgi_param  DOCUMENT_ROOT      $document_root;
        fastcgi_param  SERVER_PROTOCOL    $server_protocol;
        fastcgi_param  REQUEST_SCHEME     $scheme;
        fastcgi_param  HTTPS              $https if_not_empty;

        fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
        fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

        fastcgi_param  REMOTE_ADDR        $remote_addr;
        fastcgi_param  REMOTE_PORT        $remote_port;
        fastcgi_param  SERVER_ADDR        $server_addr;
        fastcgi_param  SERVER_PORT        $server_port;
        fastcgi_param  SERVER_NAME        $server_name;

        fastcgi_param  REDIRECT_STATUS    200;
}

sites-available.conf

server {
        listen 80;
        listen [::]:80;

        server_name _;

        set $vuser user;
        set $vroot /home/$vuser;
        root $vroot/public;

        include vhost.d/gzip.conf;
        include vhost.d/general.conf;
        include vhost.d/static.conf;
        include vhost.d/php.conf;
}

static.conf

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
       expires 7d;
       access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 7d;
        access_log off;
}

wordpress.conf

# WordPress: allow TinyMCE
location = /wp-includes/js/tinymce/wp-tinymce.php {
        include nginxconfig.io/php_fastcgi.conf;
}

# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
}

# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
        deny all;
}

# WordPress: deny wp-content/plugins (except earlier rules)
location ~ ^/wp-content/plugins {
        deny all;
}

# WordPress: deny scripts and styles concat
location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
        deny all;
}

# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
        deny all;
}