Update with Caddy

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
This commit is contained in:
Bensuperpc 2023-11-25 10:03:44 +01:00
parent 1e912164a6
commit 1babc4f57b
31 changed files with 34 additions and 823 deletions

View File

@ -20,7 +20,7 @@
DOCKER := docker DOCKER := docker
PROFILES := webserver database wordpress PROFILES := webserver database wordpress adminer
PROFILE_CMD := $(addprefix --profile ,$(PROFILES)) PROFILE_CMD := $(addprefix --profile ,$(PROFILES))

View File

@ -63,12 +63,15 @@ And then, caddy will generate the certificate for you and renew it automatically
### Configure the infrastructure ### Configure the infrastructure
You must create a file named `.env` with the following content: You must create a folder named `env` with the following content:
file named `.env` with the following content:
```sh ```sh
MARIADB_ROOT_PASSWORD=<your_root_password> MARIADB_ROOT_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ
MARIADB_USER=<your_user> MARIADB_USER=bensuperpc
MARIADB_PASSWORD=<your_password> MARIADB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw
MARIADB_DATABASE=wordpress
``` ```
### Wordpress website ### Wordpress website

View File

@ -1,3 +1 @@
#import /path/to/*.caddy
import wordpress/Caddyfile import wordpress/Caddyfile

View File

@ -1,4 +1,4 @@
bensuperpc.org { www.bensuperpc.org {
# push # push
root * /var/www/html root * /var/www/html
@ -14,27 +14,21 @@ bensuperpc.org {
path *.sql path *.sql
path /wp-content/uploads/*.php path /wp-content/uploads/*.php
} }
rewrite @disallowed '/index.php' rewrite @disallowed '/index.php'
respond /uploads/*.php 404 respond /uploads/*.php 404
header {
-Server
Content-Security-Policy default-src 'self' *.bensuperpc.org
X-XSS-Protection 1; mode=block
Strict-Transport-Security max-age=31536000; includeSubDomains; preload
X-Frame-Options DENY
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options nosniff
Referrer-Policy no-referrer-when-downgrade
}
log { log {
output stdout output stdout
format console format console
} }
} }
www.bensuperpc.com { bensuperpc.org {
redir https://bensuperpc.org{uri} redir https://www.bensuperpc.org{uri} permanent
}
adminer.bensuperpc.org {
reverse_proxy adminer:7777
} }

View File

@ -20,7 +20,7 @@ services:
wordpress: wordpress:
depends_on: depends_on:
- database - database
image: wordpress:6.2-fpm-alpine image: wordpress:fpm
container_name: wordpress container_name: wordpress
profiles: profiles:
- wordpress - wordpress
@ -38,6 +38,7 @@ services:
container_name: webserver container_name: webserver
profiles: profiles:
- webserver - webserver
restart: always
ports: ports:
- 80:80/tcp - 80:80/tcp
- 80:80/udp - 80:80/udp
@ -50,20 +51,18 @@ services:
- ./caddy:/etc/caddy:ro - ./caddy:/etc/caddy:ro
networks: networks:
- blog-network - blog-network
# phpmyadmin: adminer:
# image: phpmyadmin:5.2.0 image: adminer:latest
# container_name: phpmyadmin container_name: adminer
# profiles: profiles:
# - phpmyadmin - adminer
# restart: always restart: always
# env_file: env_file:
# - env/phpmyadmin.env - env/adminer.env
# ports: depends_on:
# - 8080:80 - database
# depends_on: networks:
# - database - blog-network
# networks:
# - blog-network
# security_opt: # security_opt:
# - no-new-privileges:true # - no-new-privileges:true
# - seccomp:unconfined # - seccomp:unconfined

View File

@ -1,4 +0,0 @@
POSTGRES_HOST_AUTH_METHOD=trust
POSTGRES_USER=bensuperpc
POSTGRES_PASSWORD=nPRh270dKH3hz%6HS2$X%8F3fqoQ*Fex
POSTGRES_DB=website

View File

@ -1,7 +0,0 @@
FLASK_DEBUG=1
# Acces to the database
POSTGRES_URL=flask_db:5432
POSTGRES_USER=bensuperpc
POSTGRES_PW=nPRh270dKH3hz%6HS2$X%8F3fqoQ*Fex
POSTGRES_DB=website

3
env/pgadmin.env vendored
View File

@ -1,3 +0,0 @@
PGADMIN_DEFAULT_EMAIL=bensuperpc@bensuperpc.org
PGADMIN_DEFAULT_PASSWORD=LmRVf9DY291ez7B^^%2RntHcsCrJ5fQ!
#PGADMIN_ENABLE_TLS

4
env/phpmyadmin.env vendored
View File

@ -1,4 +0,0 @@
MYSQL_ROOT_PASSWORD=g1qQWxTXyFXIKpAfbE0h5bxn&prr4zfd
MYSQL_USER=bensuperpc
MYSQL_PASSWORD=4Xnc7FB7902%*w9PW4y9&anQ5&hQdTzt
PMA_HOST=db

4
env/wordpress.env vendored
View File

@ -1,4 +1,4 @@
WORDPRESS_DB_USER=bensuperpc WORDPRESS_DB_USER=bensuperpc
WORDPRESS_DB_PASSWORD=4Xnc7FB7902%*w9PW4y9&anQ5&hQdTzt WORDPRESS_DB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw
WORDPRESS_DB_NAME=wordpress WORDPRESS_DB_NAME=wordpress
WORDPRESS_DB_HOST=wp_db:3306 WORDPRESS_DB_HOST=database:3306

4
env/wp_database.env vendored
View File

@ -1,4 +0,0 @@
MARIADB_ROOT_PASSWORD=g1qQWxTXyFXIKpAfbE0h5bxn&prr4zfd
MARIADB_USER=bensuperpc
MARIADB_PASSWORD=4Xnc7FB7902%*w9PW4y9&anQ5&hQdTzt
MARIADB_DATABASE=wordpress

View File

@ -1,32 +0,0 @@
version: "3.9"
services:
certbot:
depends_on:
- webserver
image: certbot/certbot:v1.32.0
container_name: certbot
profiles:
- certbot
volumes:
- certbot-cert:/etc/letsencrypt
- wordpress:/var/www/wordpress
- jellyfin:/var/www/jellyfin
#command: >
# certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --staging --webroot
# --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
# --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
#command: >
# certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --force-renewal --webroot
# --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
# --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
command: >
certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot
--webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
--webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
volumes:
certbot-cert:
name: certbot-cert

View File

@ -1,46 +0,0 @@
version: "3.9"
services:
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
container_name: qbittorrent
profiles:
- qbittorrent
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
- WEBUI_PORT=8080
volumes:
- qbittorrent-conf:/config
- qbittorrent-downloads:/downloads
#ports:
# - 8080:8080
# - 6881:6881
# - 6881:6881/udp
restart: unless-stopped
networks:
- app-network
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
container_name: jellyfin
profiles:
- jellyfin
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
- JELLYFIN_PublishedServerUrl=192.168.0.5 #optional
volumes:
- jellyfin-config:/config
- jellyfin-tvseries:/data/tvshows
- jellyfin-movies:/data/movies
- jellyfin:/var/www/html
#ports:
# - 8096:8096
# - 8920:8920 #optional
# - 7359:7359/udp #optional
# - 1900:1900/udp #optional
restart: unless-stopped
networks:
- app-network

View File

@ -1,6 +0,0 @@
version: "3.9"
networks:
app-network:
driver: bridge
name: app-network

View File

@ -1,32 +0,0 @@
version: "3.9"
services:
webserver:
depends_on:
- wordpress
image: nginx:1.23
container_name: webserver
profiles:
- webserver
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- wordpress:/var/www/wordpress
- jellyfin:/var/www/jellyfin
- ./nginx/conf.d:/etc/nginx/conf.d:ro
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- certbot-cert:/etc/letsencrypt:ro
networks:
- app-network
security_opt:
- "no-new-privileges:true"
cap_drop:
- "ALL"
cap_add:
- "NET_RAW"
- "NET_BIND_SERVICE"
- "CAP_CHOWN"
- "SETGID"
- "SETUID"

View File

@ -1,15 +0,0 @@
version: "3.9"
volumes:
qbittorrent-downloads:
name: qbittorrent-downloads
qbittorrent-conf:
name: qbittorrent-conf
jellyfin-config:
name: jellyfin-config
jellyfin-tvseries:
name: jellyfin-tvseries
jellyfin-movies:
name: jellyfin-movies
jellyfin:
name: jellyfin

View File

@ -1,62 +0,0 @@
version: "3.9"
services:
wp_db:
image: mariadb:10.10.2
container_name: wp_db
profiles:
- wp_db
restart: unless-stopped
env_file:
- env/wp_database.env
volumes:
- dbdata:/var/lib/mysql
networks:
- app-network
wordpress:
depends_on:
- wp_db
image: wordpress:6.1.1-php8.1-fpm
container_name: wordpress
profiles:
- wordpress
restart: unless-stopped
env_file:
- env/wordpress.env
# environment:
# - WORDPRESS_DB_HOST=wp_db:3306
volumes:
- wordpress:/var/www/html
networks:
- app-network
security_opt:
- "no-new-privileges:true"
cap_drop:
- "ALL"
cap_add:
- "NET_RAW"
- "CAP_CHOWN"
- "SETGID"
- "SETUID"
phpmyadmin:
image: phpmyadmin:5.2.0
container_name: phpmyadmin
profiles:
- phpmyadmin
restart: unless-stopped
env_file:
- env/phpmyadmin.env
# ports:
# - 8080:80
depends_on:
- wp_db
networks:
- app-network
volumes:
wordpress:
name: wordpress
dbdata:
name: dbdata

View File

@ -1,29 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
root /var/www/jellyfin;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/jellyfin;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
resolver 8.8.8.8;
}

View File

@ -1,50 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name bensuperpc.org www.bensuperpc.org;
index index.php index.html index.htm;
root /var/www/wordpress;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/wordpress;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
# Necessary to avoid 404 error when changing the wordpress path
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
resolver 8.8.8.8;
}

View File

@ -1,141 +0,0 @@
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=3g inactive=30d use_temp_path=off;
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=3g;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
upstream jellyfin_server {
# ip_hash;
server jellyfin:8096;
# server jellyfin:8096 weight=1 max_fails=3 fail_timeout=30s;
}
# Redirect all http requests to the main server wordpress_server
server {
listen 80;
listen [::]:80;
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/jellyfin;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
#client_max_body_size 20M;
set $jellyfin jellyfin;
resolver 8.8.8.8 valid=30;
# All things related to SSL
ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
#add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
# Security / XSS Mitigation Headers
# NOTE: X-Frame-Options may cause issues with the webOS app
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin_server/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location /socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://jellyfin_server;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
# Cache images
location ~ /Items/(.*)/Images {
#proxy_pass http://127.0.0.1:8096;
proxy_pass http://jellyfin_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_cache jellyfin;
proxy_cache_revalidate on;
proxy_cache_lock on;
add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
}
# Cache videos
location ~* ^/Videos/(.*)/(?!live)
{
slice 2m;
proxy_cache jellyfin-videos;
proxy_cache_valid 200 206 301 302 30d;
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 15s;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Transmit slice range to the backend
proxy_set_header Range $slice_range;
proxy_cache_lock on;
proxy_cache_lock_age 60s;
#proxy_pass http://$jellyfin:8096;
proxy_pass http://jellyfin_server;
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
}
}
# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/

View File

@ -1,12 +0,0 @@
#upstream minecraft {
# server minecraft:25565;
#}
#
#server {
# listen 25566;
# server_name minecraft.bensuperpc.org www.minecraft.bensuperpc.org;
# location / {
# proxy_pass minecraft;
# }
#}

View File

@ -1,28 +0,0 @@
#include /etc/nginx/conf.d/sub/cache-proxy.conf;
upstream phpmyadmin_server {
# ip_hash;
server phpmyadmin:80;
# server phpmyadmin:80 weight=1 max_fails=3 fail_timeout=30s;
}
# PHPmyadmin
server {
listen 80;
listen [::]:80;
#listen 443;
#listen [::]:443;
server_name phpmyadmin.bensuperpc.org www.phpmyadmin.bensuperpc.org;
include /etc/nginx/conf.d/sub/gzip.conf;
location / {
proxy_pass http://phpmyadmin_server;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
}
# resolver 8.8.8.8;
}

View File

@ -1,26 +0,0 @@
upstream qbittorrent_server {
# ip_hash;
server qbittorrent:8080;
# server qbittorrent:8080 weight=1 max_fails=3 fail_timeout=30s;
}
# PHPmyadmin
server {
listen 80;
listen [::]:80;
#listen 443;
#listen [::]:443;
server_name qbittorrent.bensuperpc.org www.qbittorrent.bensuperpc.org;
include /etc/nginx/conf.d/sub/gzip.conf;
location / {
proxy_pass http://qbittorrent_server;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
}
# resolver 8.8.8.8;
}

View File

@ -1,23 +0,0 @@
# The path to store the cache files, limit the folder to 100MB
fastcgi_cache_path /var/run/nginx-cache-fastcgi levels=1:2 keys_zone=WORDPRESS:100m inactive=120m max_size=1g use_temp_path=off;
# A unique request is defined by this cache key
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# Show the cached version if upstream gives a timeout or a HTTP 500 error
fastcgi_cache_use_stale error timeout invalid_header http_500;
# Revalidate items in the cache if they are update
fastcgi_cache_revalidate on;
# Minimum time to store an item in the cache
fastcgi_cache_min_uses 3;
# Cache everything for 1 day
fastcgi_cache_valid 1d;
# Don't use the following headers to define the cache variables
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# Some parts of this file are from
# https://gist.github.com/TrafeX/6d582b6d040702088722

View File

@ -1,20 +0,0 @@
# The path to store the cache files, limit the folder to 100MB
proxy_cache_path /var/run/nginx-cache-proxy levels=1:2 keys_zone=PROXY:100m inactive=120m max_size=1g use_temp_path=off;
# A unique request is defined by this cache key
proxy_cache_key "$scheme$request_method$host$request_uri";
# Show the cached version if upstream gives a timeout or a HTTP 500 error
proxy_cache_use_stale error timeout invalid_header http_500;
# Revalidate items in the cache if they are update
proxy_cache_revalidate on;
# Minimum time to store an item in the cache
proxy_cache_min_uses 3;
# Cache everything for 1 day
proxy_cache_valid 1d;
# Don't use the following headers to define the cache variables
proxy_ignore_headers Cache-Control Expires Set-Cookie;

View File

@ -1,20 +0,0 @@
# The path to store the cache files, limit the folder to 100MB
uwsgi_cache_path /var/run/nginx-cache-uwsgi levels=1:2 keys_zone=UWSGI:100m inactive=120m max_size=1g use_temp_path=off;
# A unique request is defined by this cache key
uwsgi_cache_key "$scheme$request_method$host$request_uri";
# Show the cached version if upstream gives a timeout or a HTTP 500 error
uwsgi_cache_use_stale error timeout invalid_header http_500;
# Revalidate items in the cache if they are update
uwsgi_cache_revalidate on;
# Minimum time to store an item in the cache
uwsgi_cache_min_uses 3;
# Cache everything for 1 day
uwsgi_cache_valid 1d;
# Don't use the following headers to define the cache variables
uwsgi_ignore_headers Cache-Control Expires Set-Cookie;

View File

@ -1,13 +0,0 @@
# Compression config
gzip on;
gunzip on;
gzip_static on;
gzip_min_length 1000;
gzip_buffers 4 32k;
# gzip_http_version 1.1;
gzip_proxied any;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css;
gzip_vary on;
gzip_comp_level 6;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";

View File

@ -1,13 +0,0 @@
# generated 2022-11-23, Mozilla Guideline v5.6, nginx 1.23, OpenSSL 1.1.1k, modern configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.23&config=modern&openssl=1.1.1k&guideline=5.6
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

View File

@ -1,161 +0,0 @@
include /etc/nginx/conf.d/sub/cache-fastcgi.conf;
# All upstream serveur
upstream wordpress_server {
# ip_hash;
server wordpress:9000;
# server wordpress:9000 weight=1 max_fails=3 fail_timeout=30s;
}
# Redirect all http requests to the main server wordpress_server
server {
listen 80;
listen [::]:80;
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/wordpress;
}
location / {
return 301 https://$host$request_uri;
}
}
# Main server wordpress_server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
root /var/www/wordpress;
index index.php index.html index.htm;
# Keepalive for 70 seconds
keepalive_timeout 70;
# Number of requests per connection
keepalive_requests 100;
reset_timedout_connection on;
# Increase proxy buffers for large requests
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# Upload limit
client_max_body_size 50m;
client_body_buffer_size 128k;
# Initialize the variable that specified to skip the cache
set $skip_cache 0;
# POST requests and url's with a query string should always skip cache
if ($request_method = POST) {
set $skip_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
# Don't cache url's containing the following segments
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
server_tokens off;
include /etc/nginx/conf.d/sub/gzip.conf;
# All things related to SSL
ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
# Logging
access_log /var/log/nginx/wordpress.access.log;
error_log /var/log/nginx/wordpress.error.log;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
location / {
try_files $uri $uri/ /index.php$is_args$args;
# try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress_server;
fastcgi_index index.php;
include fastcgi_params;
# Necessary to avoid 404 error when changing the wordpress path
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_intercept_errors on;
# Don't cache when $skip_cache is true
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
# Use the WORDPRESS zone
fastcgi_cache WORDPRESS;
}
# Don't write to accesslog for these files
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Media files with one of these extensions should be cached by the browser
location ~* \.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
}
# Deny access to .* files
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Add cache status header for easy debugging
add_header X-cache $upstream_cache_status;
# From cat /etc/resolv.conf
resolver 8.8.8.8;
# Some parts of this file are from
# https://gist.github.com/TrafeX/6d582b6d040702088722
}

View File

@ -1,32 +0,0 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

View File

@ -1,3 +1,3 @@
memory_limit = 512M memory_limit = 1024M
upload_max_filesize = 128M upload_max_filesize = 128M
post_max_size = 128M post_max_size = 128M