include /etc/nginx/conf.d/sub/cache-fastcgi.conf; # All upstream serveur upstream wordpress_server { # ip_hash; server wordpress:9000; # server wordpress:9000 weight=1 max_fails=3 fail_timeout=30s; } # Redirect all http requests to the main server wordpress_server server { listen 80; listen [::]:80; server_name bensuperpc.org www.bensuperpc.org wordpress.bensuperpc.org www.wordpress.bensuperpc.org; location ~ /.well-known/acme-challenge { allow all; root /var/www/html; } location / { return 301 https://$host$request_uri; } } # Main server wordpress_server server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name bensuperpc.org www.bensuperpc.org wordpress.bensuperpc.org www.wordpress.bensuperpc.org; root /var/www/html; index index.php index.html index.htm; # Keepalive for 70 seconds keepalive_timeout 70; # Number of requests per connection keepalive_requests 100; reset_timedout_connection on; # Increase proxy buffers for large requests proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; fastcgi_buffer_size 128k; fastcgi_buffers 256 16k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; # Upload limit client_max_body_size 50m; client_body_buffer_size 128k; # Initialize the variable that specified to skip the cache set $skip_cache 0; # POST requests and url's with a query string should always skip cache if ($request_method = POST) { set $skip_cache 1; } if ($query_string != "") { set $skip_cache 1; } # Don't cache url's containing the following segments if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { set $skip_cache 1; } # Don't use the cache for logged in users or recent commenters if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; } server_tokens off; include /etc/nginx/conf.d/sub/gzip.conf; # All things related to SSL ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem; include /etc/nginx/conf.d/sub/options-ssl-nginx.conf; # Logging access_log /var/log/nginx/wordpress.access.log; error_log /var/log/nginx/wordpress.error.log; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; location / { try_files $uri $uri/ /index.php$is_args$args; # try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass wordpress_server; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_intercept_errors on; # Don't cache when $skip_cache is true fastcgi_cache_bypass $skip_cache; fastcgi_no_cache $skip_cache; # Use the WORDPRESS zone fastcgi_cache WORDPRESS; } # Don't write to accesslog for these files location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Media files with one of these extensions should be cached by the browser location ~* \.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { expires max; log_not_found off; } # Deny access to .* files location ~ /\. { deny all; access_log off; log_not_found off; } # Add cache status header for easy debugging add_header X-cache $upstream_cache_status; # From cat /etc/resolv.conf resolver 8.8.8.8; # Some parts of this file are from # https://gist.github.com/TrafeX/6d582b6d040702088722 }