http {
# memcached servers, generated according to wp-ffpc config
upstream memcached-servers {
# MEMCACHED_SERVERS is a placeholder; wp-ffpc substitutes the real
# "server host:port;" entries here when it generates this file.
# memcached itself has no authentication: whatever is reachable through this
# group is readable by any request that reaches @memcached below, so keep it
# to loopback / private-network addresses.
MEMCACHED_SERVERS
}
# PHP-FPM upstream; change it according to your local config!
upstream php-fpm {
# PHP-FPM pool listening on loopback TCP; must match the pool's "listen"
# setting (a "unix:/path/to/socket" entry works here as well).
# The PHP location below sets fastcgi_keep_conn on; connection reuse only
# happens if a "keepalive N;" directive is added to this group.
server 127.0.0.1:9000;
}
server {
# Single HTTP virtual host for a WordPress site whose rendered pages are
# served from memcached (filled by the wp-ffpc plugin).  Request flow:
# the regex "deny" locations are tried first, in file order, first match
# wins; then the static-file and PHP regex locations; only URIs matching
# none of them reach "location /", which falls back to @memcached and,
# on a cache miss, to @rewrites (front controller index.php).
## Listen ports
# Plain HTTP only.  There is no "listen 443 ssl" here and the SSL-related
# fastcgi_param lines further down are commented out.
listen 80;
listen [::]:80;
# use _ if you want to accept everything, or replace _ with domain
# With the catch-all name, $host (used in the memcached key below) is
# whatever Host header the client sent.
server_name _;
# root of WordPress
# SERVERROOT is a placeholder replaced at generation time.
root SERVERROOT;
# set up logging
# SERVERLOG is a placeholder replaced at generation time.
access_log /var/log/nginx/SERVERLOG.access.log;
error_log /var/log/nginx/SERVERLOG.error.log;
# a bit of security; uncomment if you're using any WAF
# NOTE(review): regex locations are matched against the percent-decoded,
# normalised $uri with the query string removed.  Patterns written in %XX
# form (%3C, %24, %0..%F) and patterns aimed at query parameters
# (x=http://, union...select) therefore rarely fire, and "~" (as opposed to
# "~*") makes the SQL patterns case-sensitive.  Treat this list as
# best-effort noise reduction, not as a WAF.
## Block SQL injections
location ~union.*select.*\( { deny all; }
location ~union.*all.*select.* { deny all; }
location ~concat.*\( { deny all; }
## Block common exploits
location ~ (<|%3C).*script.*(>|%3E) { deny all; }
location ~ base64_(en|de)code\(.*\) { deny all; }
# Denies any URI containing one of the listed characters.  The "ê" looks
# like a mis-encoded character from an earlier edit -- TODO confirm what was
# intended.  Because "(" and "<" are in this set, the two rules above it are
# largely subsumed by this one.
location ~ (\[|\]|\(|\)|<|>|ê|"|\;) { deny all; }
location ~ (%24&x) { deny all; }
# "127\.0" denies every URI that merely contains that substring.
location ~ (%0|%A|%B|%C|%D|%E|%F|127\.0) { deny all; }
# nginx resolves "." and ".." segments before location matching, so this
# rule is mostly a no-op; traversal attempts that escape the root are
# rejected by nginx itself.
location ~ \.\.\/ { deny all; }
# Editor backup files (name ending in "~").
location ~ ~$ { deny all; }
location ~ proc/self/environ { deny all; }
# Only these two dotfiles are covered; other dotfiles/dotdirs under the
# document root (e.g. a checked-out .git) are still served by "location /".
# A broader "location ~ /\. { deny all; }" is the usual hardening here.
location ~ /\.(htaccess|htpasswd) { log_not_found off; deny all; }
## Block file injections
# These expect "param=value" in the path; query strings are not matched.
location ~ [a-zA-Z0-9_]=http:// { deny all; }
location ~ [a-zA-Z0-9_]=(\.\.//?)+ { deny all; }
location ~ [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { deny all; }
## wordpress security
# Unescaped "." in wp-config.php matches any character (harmless here).
location ~* wp-config.php { deny all; }
location ~* wp-admin/includes { deny all; }
location ~* wp-app\.log { deny all; }
location ~ (licence|readme|license)\.(html|txt) { deny all; }
# Static assets: 7-day client cache.  "expires" already emits a
# Cache-Control: max-age header, so the add_header below likely results in
# two Cache-Control headers on the response -- verify with curl -I.
location ~ \.(css|js|jpg|jpeg|png|gif)$ {
expires 7d;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header "Vary" "Accept-Encoding";
}
## PHP5-FPM
# NOTE(review): the pattern is unanchored, so any URI that merely contains
# ".php" (e.g. /file.php.bak, /uploads/pic.jpg/x.php) is handed to PHP-FPM,
# and nothing below checks that the script file actually exists.  Whether
# PHP then falls back to a neighbouring file depends on the pool's
# cgi.fix_pathinfo setting.  The usual hardening is to anchor the match
# (e.g. "\.php(/|$)") and to add
#   if (!-f $document_root$fastcgi_script_name) { return 404; }
# before fastcgi_pass.  There is also no exception for wp-content/uploads,
# so PHP files that land there are executed.
location ~ (\.php) {
# these settings are usually in fastcgi_params
fastcgi_index index.php;
# Connect quickly or fail; long send/read timeouts keep a PHP-FPM worker
# busy for up to 180 s per request.
fastcgi_connect_timeout 10;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 512k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 512k;
fastcgi_temp_file_write_size 512k;
# Responses with status >= 300 from PHP are handed to error_page handling;
# no error_page is defined in this location, so they pass through unchanged.
fastcgi_intercept_errors on;
# Splits "/script.php/extra" into $fastcgi_script_name and
# $fastcgi_path_info; the greedy ".+" means the LAST ".php" wins.  When the
# pattern does not match, $fastcgi_path_info is empty.
fastcgi_split_path_info ^(.+\.php)(/.*)$;
# Asks PHP-FPM to keep the connection open; only useful together with a
# "keepalive" directive in the php-fpm upstream.
fastcgi_keep_conn on;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
# Presumably needed because PHP's cgi.force_redirect check expects it -- confirm.
fastcgi_param REDIRECT_STATUS 200;
# uncomment these for HTTPS usage
# Without the HTTPS param, PHP (and WordPress's is_ssl()) cannot tell the
# request was TLS-terminated here.
#fastcgi_param HTTPS $https if_not_empty;
#fastcgi_param SSL_PROTOCOL $ssl_protocol if_not_empty;
#fastcgi_param SSL_CIPHER $ssl_cipher if_not_empty;
#fastcgi_param SSL_SESSION_ID $ssl_session_id if_not_empty;
#fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify if_not_empty;
fastcgi_pass php-fpm;
}
# Existing files and directories are served directly; everything else is
# looked up in memcached.
location / {
try_files $uri $uri/ @memcached;
}
# try to get result from memcached
location @memcached {
# memcached returns a bare body with no Content-Type, so set one.
default_type text/html;
# Key layout must match what wp-ffpc writes; DATAPREFIX is a placeholder.
# $host comes from the request's Host header (catch-all server_name above),
# which keeps entries for different hostnames apart.
set $memcached_key DATAPREFIX$scheme://$host$request_uri;
# 1 = try the cache, 0 = go straight to PHP.
set $memcached_request 1;
# exceptions
# avoid cache serve of POST requests
if ($request_method = POST ) {
set $memcached_request 0;
}
# avoid cache serve of wp-admin-like pages, starting with "wp-"
if ( $uri ~ "/wp-" ) {
set $memcached_request 0;
}
# don't serve cached pages if user is logged in
# NOTE(review): only the logged-in cookie is checked; other WordPress
# cookies (e.g. wp-postpass_ for password-protected posts) still get cached
# responses -- confirm that wp-ffpc never stores such pages.
if ($http_cookie ~* "wordpress_logged_in_" ) {
set $memcached_request 0;
}
# Cache hit: body served straight from memcached.  Only a miss (404) falls
# through to @rewrites; if every memcached server is unreachable nginx
# answers with an upstream error instead, unless an error_page for that
# status is added too.
if ( $memcached_request = 1) {
memcached_pass memcached-servers;
error_page 404 = @rewrites;
}
# Cache bypass: hand the request to WordPress's front controller.
if ( $memcached_request = 0) {
rewrite ^ /index.php?$args last;
}
}
## rewrite rules
# Cache-miss target: re-run the request as /index.php with the original
# query string, which then matches the PHP location above.
location @rewrites {
rewrite ^ /index.php?$args last;
}
}
}