wp-ffpc-nginx-sample.conf (view raw)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 |
http {
# memcached servers, generated according to wp-ffpc config
upstream memcached-servers {
MEMCACHED_SERVERS
}
# PHP-FPM upstream; change it accordingly to your local config!
upstream php-fpm {
server 127.0.0.1:9000;
}
server {
## Listen ports
listen 80;
listen [::]:80;
# use _ if you want to accept everything, or replace _ with domain
server_name _;
# root of WordPress
root SERVERROOT;
# set up logging
access_log /var/log/nginx/SERVERLOG.access.log;
error_log /var/log/nginx/SERVERLOG.error.log;
# a bit of security; uncomment if you're using any WAF
## Block SQL injections
location ~union.*select.*\( { deny all; }
location ~union.*all.*select.* { deny all; }
location ~concat.*\( { deny all; }
## Block common exploits
location ~ (<|%3C).*script.*(>|%3E) { deny all; }
location ~ base64_(en|de)code\(.*\) { deny all; }
location ~ (\[|\]|\(|\)|<|>|ê|"|\;) { deny all; }
location ~ (%24&x) { deny all; }
location ~ (%0|%A|%B|%C|%D|%E|%F|127\.0) { deny all; }
location ~ \.\.\/ { deny all; }
location ~ ~$ { deny all; }
location ~ proc/self/environ { deny all; }
location ~ /\.(htaccess|htpasswd) { log_not_found off; deny all; }
## Block file injections
location ~ [a-zA-Z0-9_]=http:// { deny all; }
location ~ [a-zA-Z0-9_]=(\.\.//?)+ { deny all; }
location ~ [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { deny all; }
## Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") { return 403; }
## Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") { return 403; }
if ($http_user_agent ~ "GetRight") { return 403; }
if ($http_user_agent ~ "GetWeb!") { return 403; }
if ($http_user_agent ~ "Go!Zilla") { return 403; }
if ($http_user_agent ~ "Download Demon") { return 403; }
if ($http_user_agent ~ "Go-Ahead-Got-It") { return 403; }
if ($http_user_agent ~ "TurnitinBot") { return 403; }
if ($http_user_agent ~ "GrabNet") { return 403; }
## wordpress security
location ~* wp-config.php { deny all; }
location ~* wp-admin/includes { deny all; }
location ~* wp-app\.log { deny all; }
location ~* wp-includes/.*\.php$ { deny all; }
location ~ /wp-content/plugins/akismet/readme\.txt { deny all; }
location ~ (licence|readme|license)\.(html|txt) { deny all; }
location ~ \.(css|js|jpg|jpeg|png|gif)$ {
expires 7d;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header "Vary" "Accept-Encoding";
}
## PHP5-FPM
location ~ (\.php) {
# these settings are usually in fastcgi_params
fastcgi_index index.php;
fastcgi_connect_timeout 10;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 512k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 512k;
fastcgi_temp_file_write_size 512k;
fastcgi_intercept_errors on;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_keep_conn on;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param REDIRECT_STATUS 200;
# uncomment these for HTTPS usage
#fastcgi_param HTTPS $https if_not_empty;
#fastcgi_param SSL_PROTOCOL $ssl_protocol if_not_empty;
#fastcgi_param SSL_CIPHER $ssl_cipher if_not_empty;
#fastcgi_param SSL_SESSION_ID $ssl_session_id if_not_empty;
#fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify if_not_empty;
fastcgi_pass php-fpm;
}
location / {
try_files $uri $uri/ @memcached;
}
# try to get result from memcached
location @memcached {
default_type text/html;
set $memcached_key DATAPREFIX$scheme://$host$request_uri;
set $memcached_request 1;
# exceptions
# avoid cache serve of POST requests
if ($request_method = POST ) {
set $memcached_request 0;
}
# avoid cache serve of wp-admin-like pages, starting with "wp-"
if ( $uri ~ "/wp-" ) {
set $memcached_request 0;
}
LOGGEDIN_EXCEPTION
COOKIES_EXCEPTION
if ( $memcached_request = 1) {
RESPONSE_HEADER
memcached_pass memcached-servers;
error_page 404 = @rewrites;
}
if ( $memcached_request = 0) {
rewrite ^ /index.php?$args last;
}
}
## rewrite rules
location @rewrites {
add_header X-Cache-Engine "";
rewrite ^ /index.php?$args last;
}
}
}
|