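http {

    # memcached servers, generated according to wp-ffpc config
    upstream memcached-servers {
        MEMCACHED_SERVERS
    }

    # PHP-FPM upstream; change it accordingly to your local config!
    upstream php-fpm {
        server 127.0.0.1:9000;
    }

    server {
        ## Listen ports
        listen 80;
        listen [::]:80;

        # use _ if you want to accept everything, or replace _ with domain
        # NOTE: with the catch-all name, $host (part of the memcached key
        # built in @memcached below) is whatever the client sent as Host.
        server_name _;

        # root of WordPress
        root SERVERROOT;

        # set up logging
        access_log /var/log/nginx/SERVERLOG.access.log;
        error_log  /var/log/nginx/SERVERLOG.error.log;

        # a bit of security; uncomment if you're using any WAF
        # NOTE: regex locations are matched against the normalized,
        # percent-decoded $uri only -- never against the query string --
        # so these patterns do not see anything passed in $args, and the
        # "%XX" / "../" forms below are already decoded or collapsed by
        # the time matching happens. Treat them as a coarse filter, not
        # as a WAF.
        ## Block SQL injections
        location ~union.*select.*\( { deny all; }
        location ~union.*all.*select.* { deny all; }
        location ~concat.*\( { deny all; }

        ## Block common exploits
        location ~ (<|%3C).*script.*(>|%3E) { deny all; }
        location ~ base64_(en|de)code\(.*\) { deny all; }
        location ~ (\[|\]|\(|\)|<|>|ê|"|\;) { deny all; }
        location ~ (%24&x) { deny all; }
        location ~ (%0|%A|%B|%C|%D|%E|%F|127\.0) { deny all; }
        location ~ \.\.\/ { deny all; }
        location ~ ~$ { deny all; }
        location ~ proc/self/environ { deny all; }
        # only .htaccess / .htpasswd are covered; other dotfiles under the
        # document root (e.g. VCS metadata) are still served as static.
        location ~ /\.(htaccess|htpasswd) {
            log_not_found off;
            deny all;
        }

        ## Block file injections
        location ~ [a-zA-Z0-9_]=http:// { deny all; }
        location ~ [a-zA-Z0-9_]=(\.\.//?)+ { deny all; }
        location ~ [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { deny all; }

        ## wordpress security
        location ~* wp-config.php { deny all; }
        location ~* wp-admin/includes { deny all; }
        location ~* wp-app\.log { deny all; }
        location ~ (licence|readme|license)\.(html|txt) { deny all; }

        ## static assets: long client cache, vary on encoding
        location ~ \.(css|js|jpg|jpeg|png|gif)$ {
            expires 7d;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            add_header "Vary" "Accept-Encoding";
        }

        ## PHP5-FPM
        # Anchored on ".php" followed by end-of-URI or a "/" (PATH_INFO):
        # the previous unanchored "(\.php)" sent any URI merely containing
        # ".php" (e.g. an uploaded "x.php.jpg") to PHP-FPM.
        location ~ \.php(/|$) {
            # these settings are usually in fastcgi_params
            fastcgi_index index.php;
            fastcgi_connect_timeout 10;
            fastcgi_send_timeout 180;
            fastcgi_read_timeout 180;
            fastcgi_buffer_size 512k;
            fastcgi_buffers 4 256k;
            fastcgi_busy_buffers_size 512k;
            fastcgi_temp_file_write_size 512k;
            fastcgi_intercept_errors on;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            fastcgi_keep_conn on;

            # Refuse to hand a non-existent script to PHP-FPM: with
            # cgi.fix_pathinfo enabled, PHP would otherwise walk back the
            # path and may execute a different (uploaded) file instead.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }

            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param REQUEST_METHOD $request_method;
            fastcgi_param CONTENT_TYPE $content_type;
            fastcgi_param CONTENT_LENGTH $content_length;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            fastcgi_param REQUEST_URI $request_uri;
            fastcgi_param DOCUMENT_URI $document_uri;
            fastcgi_param DOCUMENT_ROOT $document_root;
            fastcgi_param SERVER_PROTOCOL $server_protocol;
            fastcgi_param GATEWAY_INTERFACE CGI/1.1;
            fastcgi_param SERVER_SOFTWARE nginx;
            fastcgi_param REMOTE_ADDR $remote_addr;
            fastcgi_param REMOTE_PORT $remote_port;
            fastcgi_param SERVER_ADDR $server_addr;
            fastcgi_param SERVER_PORT $server_port;
            fastcgi_param SERVER_NAME $server_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            fastcgi_param REDIRECT_STATUS 200;
            # httpoxy mitigation: a client-supplied "Proxy:" header would
            # otherwise reach PHP as HTTP_PROXY; always blank it.
            fastcgi_param HTTP_PROXY "";

            # uncomment these for HTTPS usage
            #fastcgi_param HTTPS $https if_not_empty;
            #fastcgi_param SSL_PROTOCOL $ssl_protocol if_not_empty;
            #fastcgi_param SSL_CIPHER $ssl_cipher if_not_empty;
            #fastcgi_param SSL_SESSION_ID $ssl_session_id if_not_empty;
            #fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify if_not_empty;

            fastcgi_pass php-fpm;
        }

        location / {
            try_files $uri $uri/ @memcached;
        }

        # try to get result from memcached
        location @memcached {
            default_type text/html;
            set $memcached_key DATAPREFIX$scheme://$host$request_uri;
            set $memcached_request 1;

            # exceptions
            # avoid cache serve of POST requests
            if ($request_method = POST ) {
                set $memcached_request 0;
            }

            # avoid cache serve of wp-admin-like pages, starting with "wp-"
            if ( $uri ~ "/wp-" ) {
                set $memcached_request 0;
            }

            LOGGEDIN_EXCEPTION

            if ( $memcached_request = 1) {
                memcached_pass memcached-servers;
                error_page 404 = @rewrites;
            }

            if ( $memcached_request = 0) {
                rewrite ^ /index.php?$args last;
            }
        }

        ## rewrite rules
        location @rewrites {
            rewrite ^ /index.php?$args last;
        }
    }
}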