wp-ffpc-nginx-sample.conf
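http {

	# memcached servers, generated according to wp-ffpc config
	# (MEMCACHED_SERVERS is replaced by the plugin when the sample is rendered)
	upstream memcached-servers {
MEMCACHED_SERVERS
	}

	# PHP-FPM upstream; change it accordingly to your local config!
	upstream php-fpm {
		server 127.0.0.1:9000;
	}

	server {
		## Listen ports
		listen 80;
		listen [::]:80;

		# use _ if you want to accept everything, or replace _ with domain
		# NOTE: $host (used in the memcached key below) comes from the client's
		# Host header; with the catch-all "_" any Host value reaches this block,
		# so pin server_name to your real domain(s) in production.
		server_name _;

		# root of WordPress (SERVERROOT is replaced by the plugin)
		root SERVERROOT;

		# set up logging (SERVERLOG is replaced by the plugin)
		access_log /var/log/nginx/SERVERLOG.access.log;
		error_log /var/log/nginx/SERVERLOG.error.log;

		# a bit of security; these rules are ACTIVE as written - comment them
		# out if a real WAF sits in front of nginx.
		# Regex locations are matched against the normalized, percent-decoded
		# $uri (path only, never the query string), so the "%xx" alternatives
		# and the "../" pattern below rarely fire, and nothing here inspects
		# query-string parameters. Treat this list as a coarse filter, not a WAF.
		## Block SQL injections
		location ~ union.*select.*\( { deny all; }
		location ~ union.*all.*select.* { deny all; }
		location ~ concat.*\( { deny all; }

		## Block common exploits
		location ~ (<|%3C).*script.*(>|%3E) { deny all; }
		location ~ base64_(en|de)code\(.*\) { deny all; }
		# WARNING: rejects every path containing one of these characters,
		# including legitimate file names and permalinks with ( ) [ ] " or ;
		location ~ (\[|\]|\(|\)|<|>|ê|"|\;) { deny all; }
		location ~ (%24&x) { deny all; }
		# note: "127\.0" also matches any path containing that substring
		location ~ (%0|%A|%B|%C|%D|%E|%F|127\.0) { deny all; }
		location ~ \.\.\/  { deny all; }
		# editor backup files such as "config.php~"
		location ~ ~$ { deny all; }
		location ~ proc/self/environ { deny all; }
		# only these two dotfiles are denied; consider widening to other
		# dotfiles (.git, .env, .user.ini) while still allowing /.well-known/
		location ~ /\.(htaccess|htpasswd) { log_not_found off; deny all; }

		## Block file injections
		location ~ [a-zA-Z0-9_]=http:// { deny all; }
		location ~ [a-zA-Z0-9_]=(\.\.//?)+ { deny all; }
		location ~ [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { deny all; }

		## Disable Akeeba Remote Control 2.5 and earlier
		if ($http_user_agent ~ "Indy Library") { return 403; }

		## Common bandwidth hoggers and hacking tools.
		# User-Agent is client-supplied and trivially changed: this is noise
		# reduction, not access control.
		if ($http_user_agent ~ "libwww-perl") { return 403; }
		if ($http_user_agent ~ "GetRight") { return 403; }
		if ($http_user_agent ~ "GetWeb!") { return 403; }
		if ($http_user_agent ~ "Go!Zilla") { return 403; }
		if ($http_user_agent ~ "Download Demon") { return 403; }
		if ($http_user_agent ~ "Go-Ahead-Got-It") { return 403; }
		if ($http_user_agent ~ "TurnitinBot") { return 403; }
		if ($http_user_agent ~ "GrabNet") { return 403; }

		## wordpress security
		# These must stay ABOVE the PHP handler: nginx picks the first regex
		# location that matches, in file order.
		location ~* wp-config.php { deny all; }
		location ~* wp-admin/includes { deny all; }
		location ~* wp-app\.log { deny all; }
		# "(/|$)" instead of "$" so that "/wp-includes/x.php/anything" (PATH_INFO
		# form, accepted by the PHP handler below) is denied as well.
		location ~* wp-includes/.*\.php(/|$) { deny all; }
		location ~ /wp-content/plugins/akismet/readme\.txt { deny all; }
		location ~ (licence|readme|license)\.(html|txt) { deny all; }

		# static assets: long client cache, revalidate through proxies
		location ~ \.(css|js|jpg|jpeg|png|gif)$ {
			expires 7d;
			add_header Cache-Control "public, must-revalidate, proxy-revalidate";
			add_header "Vary" "Accept-Encoding";
		}

		## PHP5-FPM
		# Match "name.php" as the last path element or followed by PATH_INFO
		# ("/index.php/foo/"). The previous pattern "(\.php)" also matched
		# names like "/x.php.bak" and handed them to PHP-FPM.
		location ~ [^/]\.php(/|$) {
			# these settings are usually in fastcgi_params

			fastcgi_index                           index.php;
			fastcgi_connect_timeout                 10;
			fastcgi_send_timeout                    180;
			fastcgi_read_timeout                    180;
			fastcgi_buffer_size                     512k;
			fastcgi_buffers                         4       256k;
			fastcgi_busy_buffers_size               512k;
			fastcgi_temp_file_write_size            512k;
			fastcgi_intercept_errors                on;
			# non-greedy, so "/a.php/b.php/c" splits at the first ".php"
			fastcgi_split_path_info                 ^(.+?\.php)(/.*)$;
			fastcgi_keep_conn                       on;

			# Refuse to hand a non-existent script to PHP-FPM. Without this
			# check, PHP-FPM configured with cgi.fix_pathinfo=1 may resolve a
			# request for a missing ".php" path to an existing file earlier in
			# the path (e.g. an uploaded image) and run it as PHP.
			# $fastcgi_script_name is already the script part after the split.
			if (!-f $document_root$fastcgi_script_name) {
				return 404;
			}

			fastcgi_param	QUERY_STRING			$query_string;
			fastcgi_param	REQUEST_METHOD			$request_method;
			fastcgi_param	CONTENT_TYPE			$content_type;
			fastcgi_param	CONTENT_LENGTH			$content_length;
			fastcgi_param	SCRIPT_FILENAME			$document_root$fastcgi_script_name;
			fastcgi_param	SCRIPT_NAME				$fastcgi_script_name;
			fastcgi_param	REQUEST_URI				$request_uri;
			fastcgi_param	DOCUMENT_URI			$document_uri;
			fastcgi_param	DOCUMENT_ROOT			$document_root;
			fastcgi_param	SERVER_PROTOCOL			$server_protocol;
			fastcgi_param	GATEWAY_INTERFACE		CGI/1.1;
			fastcgi_param	SERVER_SOFTWARE			nginx;
			fastcgi_param	REMOTE_ADDR				$remote_addr;
			fastcgi_param	REMOTE_PORT				$remote_port;
			fastcgi_param	SERVER_ADDR				$server_addr;
			fastcgi_param	SERVER_PORT				$server_port;
			fastcgi_param	SERVER_NAME				$server_name;
			fastcgi_param	PATH_INFO				$fastcgi_path_info;
			fastcgi_param	PATH_TRANSLATED			$document_root$fastcgi_path_info;
			fastcgi_param	REDIRECT_STATUS			200;

			# httpoxy mitigation: never let a client-supplied "Proxy:" request
			# header reach PHP as the HTTP_PROXY environment variable.
			fastcgi_param	HTTP_PROXY				"";

			# uncomment these for HTTPS usage
			#fastcgi_param	HTTPS					$https if_not_empty;
			#fastcgi_param	SSL_PROTOCOL			$ssl_protocol if_not_empty;
			#fastcgi_param	SSL_CIPHER				$ssl_cipher if_not_empty;
			#fastcgi_param	SSL_SESSION_ID			$ssl_session_id if_not_empty;
			#fastcgi_param	SSL_CLIENT_VERIFY		$ssl_client_verify if_not_empty;

			fastcgi_pass php-fpm;
		}

		# real files and directories first, everything else goes to the cache
		location / {
			try_files $uri $uri/ @memcached;
		}

		# try to get result from memcached
		location @memcached {
			default_type text/html;
			# key layout must match what wp-ffpc stores; DATAPREFIX is replaced
			# by the plugin. $host is client-controlled (see server_name above);
			# a foreign Host value should simply miss the cache.
			set $memcached_key DATAPREFIX$scheme://$host$request_uri;
			set $memcached_request 1;

			# exceptions
			# avoid cache serve of POST requests (other non-GET methods are
			# not excluded here)
			if ($request_method = POST ) {
				set $memcached_request 0;
			}

			# avoid cache serve of wp-admin-like pages, starting with "wp-"
			if ( $uri ~ "/wp-" ) {
				set $memcached_request 0;
			}

			# logged-in users bypass the cache; generated by the plugin
			LOGGEDIN_EXCEPTION

			# cache hit is served directly; a miss (memcached 404) falls
			# through to WordPress via @rewrites
			if ( $memcached_request = 1) {
				memcached_pass memcached-servers;
				error_page 404 = @rewrites;
			}

			if ( $memcached_request = 0) {
				rewrite ^ /index.php?$args last;
			}
		}

		## rewrite rules
		location @rewrites {
			rewrite ^ /index.php?$args last;
		}

	}
}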