Update infra

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>

.gitignore

@@ -1 +1,2 @@
 *.env
+**/*.env

Makefile

@@ -7,9 +7,9 @@
 #//                             |_|             |_|          //
 #//////////////////////////////////////////////////////////////
 #//                                                          //
-#//  Infrastructur, 2022                                     //
+#//  Script, 2022                                            //
 #//  Created: 14, April, 2022                                //
-#//  Modified: 10, April, 2023                               //
+#//  Modified: 17, March, 2023                               //
 #//  file: -                                                 //
 #//  -                                                       //
 #//  Source:                                                 //
@@ -20,7 +20,7 @@
 
 DOCKER := docker
 
-PROFILES := webserver database wordpress
+PROFILES := wp_db wordpress webserver certbot phpmyadmin qbittorrent jellyfin
 PROFILE_CMD := $(addprefix --profile ,$(PROFILES))
 
 
@@ -68,7 +68,6 @@ state:
 
 .PHONY: update
 update:
-	git submodule update --init --recursive --remote
 	git pull --recurse-submodules --all --progress
 	docker compose $(COMPOSE_FILES) $(PROFILES_CMD) pull
 

README.md

@@ -2,24 +2,23 @@
 
 _My personal infrastructure for my servers and services._
 
-**I moved to caddy inetead of nginx, you can find the old version before this commit:**b98fca7af8954770feec0cd962d35f47bde0d5d2**
-
 ## About
 
 This is my infrastructure. It's a collection of scripts and configuration files that I use to manage my servers and services.
-It uses ~~Nginx ~~ caddy and docker-compose to run my services (And many other things).
+It uses Nginx and docker-compose to run my services (And many other things).
 It's a **work in progress**, and I'm still learning a lot about it.
 If you have any **questions** or **suggestions**, feel free to open an issue or a pull request.
 
 ## Features
 
-- [x] caddy 2 reverse proxy
+- [x] Nginx reverse proxy
 - [x] Docker / docker-compose
-- [x] ~~Letsencrypt / Certbot~~ (Caddy)
+- [x] Letsencrypt / Certbot
-- [x] Wordpress (Via FASTCGI/caddy)
+- [x] Wordpress (Via FASTCGI/NGINX)
 - [x] PHPMyAdmin (MariaDB)
-- [ ] Qbittorrent
+- [x] PGAdmin (PostgreSQL)
-- [ ] Jellyfin
+- [x] Qbittorrent
+- [x] Jellyfin
 - [ ] Gitea
 - [ ] Mastodon
 - [ ] Minecraft server (Hyperworld v2)
@@ -59,18 +58,94 @@ For all **bensuperpc.org**, you need to replace it with your domain, example: **
 find . \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/bensuperpc.org/bensuperpc.com/g'
 ```
 
-And then, caddy will generate the certificate for you and renew it automatically :D (It's easier than certbot and nginx)
+Keep original config file
-
-### Configure the infrastructure
-
-You must create a file named `.env` with the following content:
 
 ```sh
-MARIADB_ROOT_PASSWORD=<your_root_password>
+cp -r nginx/conf.d nginx/conf.d-original
-MARIADB_USER=<your_user>
-MARIADB_PASSWORD=<your_password>
 ```
 
+Remove the old config file
+
+```sh
+rm -fr nginx/nginx-conf
+```
+
+Copy _nginx-conf-cert_ to _nginx-conf_, for temporary use to get the SSL certificate
+
+```sh
+cp -r nginx/conf.d-cert nginx/conf.d
+```
+
+Replace certbot commands in _docker-compose.yml_, and replace _bensuperpc.org_ by your domain
+
+```yaml
+    command: >
+      certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot 
+      --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
+      --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
+```
+
+With to get the SSL certificate
+
+```yaml
+    command: >
+      certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --staging --webroot
+      --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
+      --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org 
+```
+
+Run the docker-compose and exit with CTRL+C and when you have the SSL certificate
+
+```sh
+make start-at
+```
+
+Replace certbot commands in _docker-compose.yml_ to update and renew the SSL certificate
+
+```sh
+    command: >
+      certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --force-renewal --webroot
+      --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
+      --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org 
+```
+
+Run the docker-compose to update and renew the SSL certificate and exit with CTRL+C when you have the SSL certificate
+
+```sh
+make start-at
+```
+
+Now you can replace the certbot commands in _docker-compose.yml_ with the original one
+
+```yaml
+    command: >
+      certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot 
+      --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
+      --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
+```
+
+Remove the cert config file
+
+```sh
+rm -fr nginx/conf.d
+```
+
+Copy _nginx-conf-original_ to _nginx-conf_, for definitive use
+
+```sh
+cp -r nginx/conf.d-original nginx/conf.d
+```
+
+Now you start services
+
+```sh
+make start-at
+```
+
+### Flask website
+
+You can follow the [README.md](bensuperpc_website/README.md) to install the Flask website.
+
 ### Wordpress website
 
 For the Wordpress website, you can configure in GUI when you go to the website.
@@ -94,6 +169,9 @@ make stop
 You can access to the website with:
 
 - [bensuperpc.org](https://bensuperpc.org) and [www.bensuperpc.org](https://www.bensuperpc.org) (Wordpress for now)
+- [phpmyadmin.bensuperpc.org](http://phpmyadmin.bensuperpc.org) and [www.phpmyadmin.bensuperpc.org](http://www.phpmyadmin.bensuperpc.org) (PHPMyAdmin for MariaDB)
+- [pgadmin.bensuperpc.org](http://pgadmin.bensuperpc.org) and [www.pgadmin.bensuperpc.org](http://www.pgadmin.bensuperpc.org) (PGAdmin for PostgreSQL)
+- [qbittorrent.bensuperpc.org](http://qbittorrent.bensuperpc.org) and [www.qbittorrent.bensuperpc.org](http://www.qbittorrent.bensuperpc.org) (Qbittorrent)
 
 ## Build with
 
@@ -104,8 +182,8 @@ You can access to the website with:
 - [Docker](https://www.docker.com/)
 - [Docker Compose](https://docs.docker.com/compose/)
 - [Docker Hub](https://hub.docker.com/)
-- [How To Start WordPress with Caddy using Docker Compose](https://minhcung.me/how-to-start-wordpress-with-caddy-using-docker-compose-3d31bb9ef88b)
+- [Digital Ocean](https://www.digitalocean.com/)
-- [Digital Ocean - How To Install WordPress with Docker Compose (nginx)](https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-docker-compose)
+- [Digital Ocean - How To Install WordPress with Docker Compose](https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-docker-compose)
 - [PGAmin](https://www.pgadmin.org/)
 - [Qbittorrent](https://www.qbittorrent.org/)
 - [Jellyfin](https://jellyfin.org/)

caddy/Caddyfile

@@ -1,3 +0,0 @@
-#import /path/to/*.caddy
-
-import wordpress/Caddyfile

caddy/wordpress/Caddyfile

@@ -1,40 +0,0 @@
-bensuperpc.org {
-	# push
-
-	root * /var/www/html
-	php_fastcgi wordpress:9000
-
-	file_server
-	encode zstd gzip
-
-	metrics /metrics
-
-	@disallowed {
-		path /xmlrpc.php
-		path *.sql
-		path /wp-content/uploads/*.php
-	}
-	rewrite @disallowed '/index.php'
-
-	respond /uploads/*.php 404
-
-	header {
-		-Server
-		Content-Security-Policy default-src 'self' *.bensuperpc.org
-		X-XSS-Protection 1; mode=block
-		Strict-Transport-Security max-age=31536000; includeSubDomains; preload
-		X-Frame-Options DENY
-		X-Frame-Options: SAMEORIGIN
-		X-Content-Type-Options nosniff
-		Referrer-Policy no-referrer-when-downgrade
-	}
-
-	log {
-		output stdout
-		format console
-	}
-}
-
-www.bensuperpc.com {
-	redir https://bensuperpc.org{uri}
-}

docker-compose.certbot.yml

@@ -4,7 +4,7 @@ services:
   certbot:
     depends_on:
       - webserver
-    image: certbot/certbot:v1.32.0
+    image: certbot/certbot:v2.5.0
     container_name: certbot
     profiles:
       - certbot
@@ -20,7 +20,7 @@ services:
     #command: >
     #  certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --force-renewal --webroot
     #  --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
-    #  --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org 
+    #  --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
 
     command: >
       certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot 

docker-compose.divers.yml

@@ -44,3 +44,5 @@ services:
     restart: unless-stopped
     networks:
       - app-network
+    security_opt:
+      - no-new-privileges:true

docker-compose.nginx.yml

@@ -4,7 +4,7 @@ services:
   webserver:
     depends_on:
       - wordpress
-    image: nginx:1.23
+    image: nginx:1.24.0
     container_name: webserver
     profiles:
       - webserver
@@ -21,12 +21,4 @@ services:
     networks:
       - app-network
     security_opt:
-      - "no-new-privileges:true"
+      - no-new-privileges:true
-    cap_drop:
-      - "ALL"
-    cap_add:
-      - "NET_RAW"
-      - "NET_BIND_SERVICE"
-      - "CAP_CHOWN"
-      - "SETGID"
-      - "SETUID"

docker-compose.wordpress.yml

@@ -2,7 +2,7 @@ version: "3.9"
 
 services:
   wp_db:
-    image: mariadb:10.10.2
+    image: mariadb:10.10.3
     container_name: wp_db
     profiles:
       - wp_db
@@ -13,33 +13,34 @@ services:
       - dbdata:/var/lib/mysql
     networks:
       - app-network
+    security_opt:
+      - no-new-privileges:true
 
   wordpress:
     depends_on: 
       - wp_db
-    image: wordpress:6.1.1-php8.1-fpm
+    image: wordpress:6.2.0-fpm
     container_name: wordpress
     profiles:
       - wordpress
     restart: unless-stopped
     env_file: 
       - env/wordpress.env
-#    environment:
-#      - WORDPRESS_DB_HOST=wp_db:3306
     volumes:
       - wordpress:/var/www/html
     networks:
       - app-network
     security_opt:
-      - "no-new-privileges:true"
+      - no-new-privileges:true
-    cap_drop:
+#    cap_drop:
-      - "ALL"
+#        - ALL
-    cap_add:
+#    cap_add:
-      - "NET_RAW"
+#      - SETUID
-      - "CAP_CHOWN"
+#      - SETGID
-      - "SETGID"
+#      - DAC_OVERRIDE
-      - "SETUID"
+#      - NET_BIND_SERVICE
-
+#      - NET_RAW
+#      - CAP_CHOWN
   phpmyadmin:
     image: phpmyadmin:5.2.0
     container_name: phpmyadmin
@@ -48,12 +49,12 @@ services:
     restart: unless-stopped
     env_file: 
       - env/phpmyadmin.env
-#    ports:
-#      - 8080:80
     depends_on:
       - wp_db
     networks:
       - app-network
+    security_opt:
+      - no-new-privileges:true
 
 volumes:
   wordpress:

docker-compose.yml

@@ -1,88 +0,0 @@
-version: '3.7'
-# https://minhcung.me/how-to-start-wordpress-with-caddy-using-docker-compose-3d31bb9ef88b
-services:
-  database:
-    image: mariadb:latest
-    container_name: database
-    profiles:
-      - database
-    volumes:
-      - database:/var/lib/mysql:rw
-    restart: always
-    env_file:
-      - env/mariadb.env
-    environment:
-      MYSQL_DATABASE: blog_wp
-    command: '--default-authentication-plugin=mysql_native_password'
-    networks:
-      - blog-network
-  # Wordpress
-  wordpress:
-    depends_on:
-      - database
-    image: wordpress:6.2-fpm-alpine
-    container_name: wordpress
-    profiles:
-      - wordpress
-    restart: always
-    env_file:
-      - env/wordpress.env
-    volumes:
-      - ./php.ini:/usr/local/etc/php/conf.d/custom.ini:ro
-      - wordpress:/var/www/html:rw
-    networks:
-      - blog-network
-  # Webserver
-  caddy:
-    image: caddy:alpine
-    container_name: webserver
-    profiles:
-      - webserver
-    ports:
-      - 80:80/tcp
-      - 80:80/udp
-      - 443:443/tcp
-      - 443:443/udp
-    volumes:
-      - wordpress:/var/www/html:rw
-      - caddy_data:/data:rw
-      - caddy_config:/config:rw
-      - ./caddy:/etc/caddy:ro
-    networks:
-      - blog-network
-#  phpmyadmin:
-#    image: phpmyadmin:5.2.0
-#    container_name: phpmyadmin
-#    profiles:
-#      - phpmyadmin
-#    restart: always
-#    env_file: 
-#      - env/phpmyadmin.env
-#    ports:
-#      - 8080:80
-#    depends_on:
-#      - database
-#    networks:
-#      - blog-network
-#    security_opt:
-#      - no-new-privileges:true
-#      - seccomp:unconfined
-#      - apparmor:unconfined
-#    cap_drop:
-#      - ALL
-#    cap_add:
-#      - CHOWN
-networks:
-  blog-network:
-    driver: bridge
-    name: blog-network
-
-volumes:
-  database:
-    name: database
-  wordpress:
-    name: wordpress
-  caddy_data:
-    name: caddy_data
-  caddy_config:
-    name: caddy_config

nginx/conf.d/jellyfin.conf

@@ -1,7 +1,4 @@
-proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=3g inactive=30d use_temp_path=off;
+proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=2g inactive=30d use_temp_path=off;
-proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=3g;
-map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
-map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
 
 upstream jellyfin_server {
         # ip_hash;
@@ -14,6 +11,8 @@ server {
         listen 80;
         listen [::]:80;
 
+        root /var/www/jellyfin;
+
         server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
 
         location ~ /.well-known/acme-challenge {
@@ -31,29 +30,42 @@ server {
         listen [::]:443 ssl http2;
         server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
 
-        #client_max_body_size 20M;
+        ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
-        set $jellyfin jellyfin;
+        client_max_body_size 20M;
-        resolver 8.8.8.8 valid=30;
 
         # All things related to SSL
         ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
         ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
         ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
-        #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-        #add_header Strict-Transport-Security "max-age=31536000" always;
 
         include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
 
+        # Logging
+        access_log /var/log/nginx/wordpress.access.log;
+        error_log  /var/log/nginx/wordpress.error.log;
+
+        # Security
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "no-referrer-when-downgrade" always;
+        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
         # Security / XSS Mitigation Headers
         # NOTE: X-Frame-Options may cause issues with the webOS app
         add_header X-Frame-Options "SAMEORIGIN";
         add_header X-XSS-Protection "1; mode=block";
         add_header X-Content-Type-Options "nosniff";
-        #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+
+        # Content Security Policy
+        # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+        # Enforces https content and restricts JS/CSS to origin
+        # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+        # NOTE: The default CSP headers may cause issues with the webOS app
+        add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
 
         location = / {
-                return 302 http://$host/web/;
+                return 302 https://$host/web/;
-                #return 302 https://$host/web/;
         }
 
         location / {
@@ -70,6 +82,7 @@ server {
                 proxy_buffering off;
         }
 
+        # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
         location = /web/ {
                 # Proxy main Jellyfin traffic
                 proxy_pass http://jellyfin_server/web/index.html;
@@ -95,10 +108,9 @@ server {
                 proxy_set_header X-Forwarded-Host $http_host;
         }
 
-        # Cache images
+        # Cache images (inside server block)
         location ~ /Items/(.*)/Images {
-                #proxy_pass http://127.0.0.1:8096;
+                proxy_pass http://127.0.0.1:8096;
-                proxy_pass http://jellyfin_server;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -112,30 +124,7 @@ server {
                 add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
         }
 
-        # Cache videos
+        resolver 8.8.8.8;
-        location ~* ^/Videos/(.*)/(?!live)
-        {
-                slice 2m;
-
-                proxy_cache jellyfin-videos;
-                proxy_cache_valid 200 206 301 302 30d;
-                proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
-                proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-                proxy_connect_timeout 15s;
-                proxy_http_version 1.1;
-                proxy_set_header Connection "";
-                # Transmit slice range to the backend
-                proxy_set_header Range $slice_range;
-
-                proxy_cache_lock on;
-                proxy_cache_lock_age 60s;
-
-                #proxy_pass http://$jellyfin:8096;
-                proxy_pass http://jellyfin_server;
-                proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
-
-                add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
-        }
 }
 
-# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/
+# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/

nginx/conf.d/phpmyadmin.conf

@@ -1,5 +1,3 @@
-#include /etc/nginx/conf.d/sub/cache-proxy.conf;
-
 upstream phpmyadmin_server {
         # ip_hash;
         server phpmyadmin:80;
@@ -15,8 +13,6 @@ server {
 
         server_name phpmyadmin.bensuperpc.org www.phpmyadmin.bensuperpc.org;
 
-        include /etc/nginx/conf.d/sub/gzip.conf;
-
         location / {
                 proxy_pass http://phpmyadmin_server;
                 proxy_redirect off;
@@ -24,5 +20,5 @@ server {
                 proxy_set_header X-Forwarded-For  $remote_addr;
         }
 
-        # resolver 8.8.8.8;
+        resolver 8.8.8.8;
 }

nginx/conf.d/qbittorrent.conf

@@ -13,8 +13,6 @@ server {
 
         server_name qbittorrent.bensuperpc.org www.qbittorrent.bensuperpc.org;
 
-        include /etc/nginx/conf.d/sub/gzip.conf;
-
         location / {
                 proxy_pass http://qbittorrent_server;
                 proxy_redirect off;
@@ -22,5 +20,5 @@ server {
                 proxy_set_header X-Forwarded-For  $remote_addr;
         }
 
-        # resolver 8.8.8.8;
+        resolver 8.8.8.8;
 }

nginx/conf.d/stream/minecraft.conf

@@ -0,0 +1,6 @@
+#server {
+    # Port number the reverse proxy is listening on
+#    listen  25565;
+    # The original Minecraft server address
+#    proxy_pass  server.example.com:25565;
+#}

nginx/conf.d/sub/cache-fastcgi.conf

@@ -19,5 +19,10 @@ fastcgi_cache_valid 1d;
 # Don't use the following headers to define the cache variables
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 
+fastcgi_buffer_size 128k;
+fastcgi_buffers 256 16k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_temp_file_write_size 256k;
+
 # Some parts of this file are from
 # https://gist.github.com/TrafeX/6d582b6d040702088722

nginx/conf.d/sub/cache-proxy.conf

@@ -18,3 +18,8 @@ proxy_cache_valid 1d;
 
 # Don't use the following headers to define the cache variables
 proxy_ignore_headers Cache-Control Expires Set-Cookie;
+
+# Increase proxy buffers for large requests
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;

nginx/conf.d/sub/options-ssl-nginx.conf

@@ -8,6 +8,8 @@ ssl_session_tickets off;
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;
 
+add_header Strict-Transport-Security "max-age=63072000" always;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;

nginx/conf.d/wordpress.conf

@@ -14,43 +14,11 @@ server {
 
         server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
 
-        location ~ /.well-known/acme-challenge {
-                allow all;
-                root /var/www/wordpress;
-        }
-
-        location / {
-                return 301 https://$host$request_uri;
-        }
-}
-
-# Main server wordpress_server
-server {
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-        server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
-
         root /var/www/wordpress;
         index index.php index.html index.htm;
 
-        # Keepalive for 70 seconds
-        keepalive_timeout 70;
-
-        # Number of requests per connection
-        keepalive_requests 100;
-
         reset_timedout_connection on;
 
-        # Increase proxy buffers for large requests
-        proxy_buffer_size 128k;
-        proxy_buffers 4 256k;
-        proxy_busy_buffers_size 256k;
-
-        fastcgi_buffer_size 128k;
-        fastcgi_buffers 256 16k;
-        fastcgi_busy_buffers_size 256k;
-        fastcgi_temp_file_write_size 256k;
-
         # Upload limit
         client_max_body_size 50m;
         client_body_buffer_size 128k;
@@ -78,7 +46,121 @@ server {
 
         server_tokens off;
 
-        include /etc/nginx/conf.d/sub/gzip.conf;
+        location ~ /.well-knownwell-known/acme-challenge {
+                allow all;
+                root /var/www/wordpress;
+        }
+
+        location / {
+                try_files $uri $uri/ /index.php$is_args$args;
+        }
+
+        location ~ \.php$ {
+                try_files $uri =404;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_pass wordpress_server;
+                fastcgi_index index.php;
+                include fastcgi_params;
+
+                # Necessary to avoid 404 error when changing the wordpress path
+                #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
+
+                fastcgi_param PATH_INFO $fastcgi_path_info;
+                
+                fastcgi_intercept_errors on;
+
+                # Don't cache when $skip_cache is true
+                fastcgi_cache_bypass $skip_cache;
+                fastcgi_no_cache $skip_cache;
+
+                # Use the WORDPRESS zone
+                fastcgi_cache WORDPRESS;
+
+                fastcgi_connect_timeout 600;
+                fastcgi_send_timeout 600;
+                fastcgi_read_timeout 600;
+        }
+
+        # Don't write to accesslog for these files
+        location = /favicon.ico {
+                log_not_found off;
+                access_log off;
+        }
+        location = /robots.txt {
+                allow all;
+                log_not_found off;
+                access_log off;
+        }
+
+        # Media files with one of these extensions should be cached by the browser
+        location ~* \.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
+                expires max;
+                log_not_found off;
+        }
+
+        # Deny access to .* files
+        location ~ /\. {
+                deny all;
+                access_log off;
+                log_not_found off;
+        }
+        
+        # Add cache status header for easy debugging
+        add_header X-cache $upstream_cache_status;
+
+        # From cat /etc/resolv.conf
+        resolver 8.8.8.8;
+
+        # Some parts of this file are from
+        # https://gist.github.com/TrafeX/6d582b6d040702088722
+
+        #location / {
+        #        return 301 https://$host$request_uri;
+        #}
+}
+
+# Main server wordpress_server
+server {
+        listen 443 ssl http2;
+        #listen 443 http3 reuseport;
+
+        listen [::]:443 ssl http2;
+
+
+        server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
+
+        root /var/www/wordpress;
+        index index.php index.html index.htm;
+
+        reset_timedout_connection on;
+
+        # Upload limit
+        client_max_body_size 50m;
+        client_body_buffer_size 128k;
+
+        # Initialize the variable that specified to skip the cache
+        set $skip_cache 0;
+
+        # POST requests and url's with a query string should always skip cache
+        if ($request_method = POST) {
+                set $skip_cache 1;
+        }
+        if ($query_string != "") {
+                set $skip_cache 1;
+        }
+
+        # Don't cache url's containing the following segments
+        if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
+                set $skip_cache 1;
+        }
+
+        # Don't use the cache for logged in users or recent commenters
+        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
+                set $skip_cache 1;
+        }
+
+        server_tokens off;
         
         # All things related to SSL
         ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
@@ -91,12 +173,12 @@ server {
         access_log /var/log/nginx/wordpress.access.log;
         error_log  /var/log/nginx/wordpress.error.log;
 
+        # Security
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-XSS-Protection "1; mode=block" always;
         add_header X-Content-Type-Options "nosniff" always;
         add_header Referrer-Policy "no-referrer-when-downgrade" always;
         add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
         location / {
                 try_files $uri $uri/ /index.php$is_args$args;

nginx/nginx.conf

@@ -24,9 +24,17 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
-    keepalive_timeout  65;
+    # Keepalive for 70 seconds
+    keepalive_timeout 70;
 
-    #gzip  on;
+    # Number of requests per connection
+    keepalive_requests 100;
+
+    include /etc/nginx/conf.d/sub/gzip.conf;
 
     include /etc/nginx/conf.d/*.conf;
 }
+
+stream {
+    include /etc/nginx/conf.d/stream/*.conf;
+}

old_enginx/nginx/conf.d/minecraft.conf

@@ -1,12 +0,0 @@
-#upstream minecraft {
-#    server minecraft:25565;
-#}
-#
-#server {
-#    listen 25566;
-#    server_name minecraft.bensuperpc.org www.minecraft.bensuperpc.org;
-#    location / {
-#        proxy_pass minecraft;
-#    }
-#}
-

php.ini

@@ -1,3 +0,0 @@
-memory_limit = 512M
-upload_max_filesize = 128M
-post_max_size = 128M