mirror of
https://github.com/bensuperpc/infrastructure.git
synced 2024-12-22 08:44:28 +01:00
Update nginx
Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
This commit is contained in:
parent
c2f8075fd7
commit
20fe33f7d5
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
.env
|
||||
*.env
|
||||
|
@ -20,7 +20,7 @@ services:
|
||||
#command: >
|
||||
# certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --force-renewal --webroot
|
||||
# --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
|
||||
# --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
|
||||
# --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
|
||||
|
||||
command: >
|
||||
certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot
|
||||
|
@ -4,7 +4,7 @@ services:
|
||||
webserver:
|
||||
depends_on:
|
||||
- wordpress
|
||||
image: nginx:1.23
|
||||
image: nginx:1.24.0
|
||||
container_name: webserver
|
||||
profiles:
|
||||
- webserver
|
||||
@ -22,11 +22,3 @@ services:
|
||||
- app-network
|
||||
security_opt:
|
||||
- "no-new-privileges:true"
|
||||
cap_drop:
|
||||
- "ALL"
|
||||
cap_add:
|
||||
- "NET_RAW"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "CAP_CHOWN"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
@ -2,7 +2,7 @@ version: "3.9"
|
||||
|
||||
services:
|
||||
wp_db:
|
||||
image: mariadb:10.10.2
|
||||
image: mariadb:10.10.3
|
||||
container_name: wp_db
|
||||
profiles:
|
||||
- wp_db
|
||||
@ -17,28 +17,19 @@ services:
|
||||
wordpress:
|
||||
depends_on:
|
||||
- wp_db
|
||||
image: wordpress:6.1.1-php8.1-fpm
|
||||
image: wordpress:6.2.0-fpm
|
||||
container_name: wordpress
|
||||
profiles:
|
||||
- wordpress
|
||||
restart: unless-stopped
|
||||
env_file:
|
||||
- env/wordpress.env
|
||||
# environment:
|
||||
# - WORDPRESS_DB_HOST=wp_db:3306
|
||||
volumes:
|
||||
- wordpress:/var/www/html
|
||||
networks:
|
||||
- app-network
|
||||
security_opt:
|
||||
- "no-new-privileges:true"
|
||||
cap_drop:
|
||||
- "ALL"
|
||||
cap_add:
|
||||
- "NET_RAW"
|
||||
- "CAP_CHOWN"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
|
||||
phpmyadmin:
|
||||
image: phpmyadmin:5.2.0
|
||||
|
@ -14,6 +14,8 @@ server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
root /var/www/jellyfin;
|
||||
|
||||
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
|
||||
|
||||
location ~ /.well-known/acme-challenge {
|
||||
@ -39,11 +41,12 @@ server {
|
||||
ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
|
||||
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
#add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
|
||||
include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
|
||||
|
||||
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
#add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
# NOTE: X-Frame-Options may cause issues with the webOS app
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
|
@ -17,11 +17,11 @@ server {
|
||||
|
||||
include /etc/nginx/conf.d/sub/gzip.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://phpmyadmin_server;
|
||||
proxy_redirect off;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpmyadmin_server;
|
||||
fastcgi_index index.php;
|
||||
}
|
||||
|
||||
# resolver 8.8.8.8;
|
||||
|
@ -19,5 +19,10 @@ fastcgi_cache_valid 1d;
|
||||
# Don't use the following headers to define the cache variables
|
||||
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
|
||||
|
||||
fastcgi_buffer_size 128k;
|
||||
fastcgi_buffers 256 16k;
|
||||
fastcgi_busy_buffers_size 256k;
|
||||
fastcgi_temp_file_write_size 256k;
|
||||
|
||||
# Some parts of this file are from
|
||||
# https://gist.github.com/TrafeX/6d582b6d040702088722
|
||||
|
@ -18,3 +18,8 @@ proxy_cache_valid 1d;
|
||||
|
||||
# Don't use the following headers to define the cache variables
|
||||
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
||||
|
||||
# Increase proxy buffers for large requests
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
|
@ -14,14 +14,114 @@ server {
|
||||
|
||||
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
|
||||
|
||||
root /var/www/wordpress;
|
||||
index index.php index.html index.htm;
|
||||
|
||||
# Keepalive for 70 seconds
|
||||
keepalive_timeout 70;
|
||||
|
||||
# Number of requests per connection
|
||||
keepalive_requests 100;
|
||||
|
||||
reset_timedout_connection on;
|
||||
|
||||
# Upload limit
|
||||
client_max_body_size 50m;
|
||||
client_body_buffer_size 128k;
|
||||
|
||||
# Initialize the variable that specified to skip the cache
|
||||
set $skip_cache 0;
|
||||
|
||||
# POST requests and url's with a query string should always skip cache
|
||||
if ($request_method = POST) {
|
||||
set $skip_cache 1;
|
||||
}
|
||||
if ($query_string != "") {
|
||||
set $skip_cache 1;
|
||||
}
|
||||
|
||||
# Don't cache url's containing the following segments
|
||||
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
|
||||
set $skip_cache 1;
|
||||
}
|
||||
|
||||
# Don't use the cache for logged in users or recent commenters
|
||||
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
|
||||
set $skip_cache 1;
|
||||
}
|
||||
|
||||
server_tokens off;
|
||||
|
||||
include /etc/nginx/conf.d/sub/gzip.conf;
|
||||
|
||||
location ~ /.well-known/acme-challenge {
|
||||
allow all;
|
||||
root /var/www/wordpress;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
try_files $uri $uri/ /index.php$is_args$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass wordpress_server;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi_params;
|
||||
|
||||
# Necessary to avoid 404 error when changing the wordpress path
|
||||
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
|
||||
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
|
||||
fastcgi_intercept_errors on;
|
||||
|
||||
# Don't cache when $skip_cache is true
|
||||
fastcgi_cache_bypass $skip_cache;
|
||||
fastcgi_no_cache $skip_cache;
|
||||
|
||||
# Use the WORDPRESS zone
|
||||
fastcgi_cache WORDPRESS;
|
||||
}
|
||||
|
||||
# Don't write to accesslog for these files
|
||||
location = /favicon.ico {
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Media files with one of these extensions should be cached by the browser
|
||||
location ~* \.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
|
||||
expires max;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Deny access to .* files
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Add cache status header for easy debugging
|
||||
add_header X-cache $upstream_cache_status;
|
||||
|
||||
# From cat /etc/resolv.conf
|
||||
resolver 8.8.8.8;
|
||||
|
||||
# Some parts of this file are from
|
||||
# https://gist.github.com/TrafeX/6d582b6d040702088722
|
||||
|
||||
#location / {
|
||||
# return 301 https://$host$request_uri;
|
||||
#}
|
||||
}
|
||||
|
||||
# Main server wordpress_server
|
||||
@ -41,16 +141,6 @@ server {
|
||||
|
||||
reset_timedout_connection on;
|
||||
|
||||
# Increase proxy buffers for large requests
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
|
||||
fastcgi_buffer_size 128k;
|
||||
fastcgi_buffers 256 16k;
|
||||
fastcgi_busy_buffers_size 256k;
|
||||
fastcgi_temp_file_write_size 256k;
|
||||
|
||||
# Upload limit
|
||||
client_max_body_size 50m;
|
||||
client_body_buffer_size 128k;
|
||||
@ -91,6 +181,7 @@ server {
|
||||
access_log /var/log/nginx/wordpress.access.log;
|
||||
error_log /var/log/nginx/wordpress.error.log;
|
||||
|
||||
# Security
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
|
Loading…
Reference in New Issue
Block a user