Version 3.1 - multiple small fixes and tiny improvements
pothi committed Jul 27, 2018
1 parent 7127028 commit 770fa0c
Showing 9 changed files with 127 additions and 11 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -52,7 +52,7 @@ Tested with the following servers...

Test with the following Nginx versions...
+ Stable verisons 1.12.x and 1.14.x
+ Mainline versions 1.13.x
+ Mainline versions 1.13.x, 1.15.x

For RPM based distros (Fedora, Redhat, CentOS and Amazon Linux AMI), the configuration mentioned in the repo should work. Additional steps may be needed, though. See below for some details!

7 changes: 7 additions & 0 deletions conf.d/common.conf
Expand Up @@ -10,6 +10,13 @@ proxy_buffers 8 32k;
proxy_buffer_size 64k;
# -------------------------------------------------------------------

# for time-consuming operations (such as WP import or file upload)
# https://nginx.org/r/fastcgi_read_timeout
# default 60 seconds
fastcgi_read_timeout 5m;

# -------------------------------------------------------------------

### To enable large uploads
# Please make sure the corresponding PHP values are increased as well
# post_max_size = 8M (default)
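Review bot: `fastcgi_read_timeout 5m;` lands in conf.d/common.conf, which (by its location, the include context is not visible in this hunk) is read at the http level, so it becomes the ceiling for every FastCGI location on the server rather than only the WP import/upload paths the comment names, and each stalled PHP request can now hold an nginx connection for five minutes. Consider scoping it to the upload/import locations (or a `wp-admin` location) and leaving the 60s default elsewhere. The comment should also say that the PHP side has to be raised in step, because PHP-FPM's `request_terminate_timeout` / `max_execution_time` will still cut a slow import off long before nginx does: `# raise PHP max_execution_time / PHP-FPM request_terminate_timeout as well, otherwise PHP aborts first`.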
2 changes: 1 addition & 1 deletion conf.d/ssl-common.conf
Expand Up @@ -8,5 +8,5 @@ ssl_protocols TLSv1.1 TLSv1.2;
# directly from https://weakdh.org/sysadmin.html
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# run "openssl dhparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option
# run "openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option
# ssl_dhparam /etc/nginx/dhparam.pem;
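Review bot: Assuming the `-dsaparam` line is the new side, the comment should state what it trades off: `openssl dhparam -dsaparam` produces DSA-style parameters (not a safe prime), which OpenSSL documents as safe for DH only when every handshake uses a fresh private key; that is the default in current OpenSSL and nginx (single-use DH keys), but the config now depends on it, so say so. Proposed: `# -dsaparam is much faster to generate; the resulting group is only safe with single-use DH keys (the OpenSSL/nginx default), never reuse the private key`. It is also worth noting next to the still-commented `ssl_dhparam` that on nginx 1.11.0 and later leaving it unset disables the `DHE-*` suites listed in `ssl_ciphers` instead of falling back to a built-in 1024-bit group — version behaviour recalled from the nginx changelog, confirm before documenting it.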
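--- /dev/null
+++ b/globals/cache-enabler.conf
@@ -0,0 +1,70 @@
+# To improve the perf, we may use open_file_cache
+# ref: https://nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+# requires server support
+# gzip_static on;
+
+error_page 418 = @cachemiss;
+error_page 419 = @mobileaccess;
+recursive_error_pages on;
+
+# bypass POST requests
+if ($request_method = POST) { return 418; }
+
+# uncommenting the following degrades the performance on certain sites. YMMV
+# if ($query_string != "") { return 418; }
+
+# bypass cache for common query strings
+if ($arg_s != "") { return 418; } # search query
+if ($arg_p != "") { return 418; } # request a post / page by ID
+if ($arg_amp != "") { return 418; } # amp test
+if ($arg_preview = "true") { return 418; } # preview post / page
+if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+if ($http_cookie ~* "comment_author_") { return 418; }
+if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+# if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+
+# uncomment the following if deemed fit
+# if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+try_files "/wp-content/cache/cache-enabler/$host${uri}index.html" $uri $uri/ /index.php$is_args$args;
+
+#--> all the following would apply, only if the request hits the cache
+
+add_header "X-Cache" "HIT - Cache Enabler";
+# include "globals/hsts.conf";
+
+# expires modified 30m;
+expires 30m;
+add_header "Cache-Control" "must-revalidate";
+
+# For proxies
+# add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @mobileaccess {
+# try_files $uri $uri/ /index.php$is_args$args;
+try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
+
+add_header "X-Cache" "HIT - Mobile - Cache Enabler";
+# include "globals/hsts.conf";
+
+# expires modified 30m;
+expires 30m;
+add_header "Cache-Control" "must-revalidate";
+
+# For proxies
+# add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @cachemiss {
+try_files $uri $uri/ /index.php$is_args$args;
+}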
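Review bot: The bypass `if ($http_cookie ~* "wp_postpass_")` can never match: WordPress names the password-protected-post cookie `wp-postpass_` followed by COOKIEHASH (hyphen, not underscore), so a visitor who has entered a post password is still handed whatever `try_files` finds under `wp-content/cache/cache-enabler/` for that URL; change it to `if ($http_cookie ~* "wp-postpass_") { return 418; }`. Second, the comment `all the following would apply, only if the request hits the cache` does not describe nginx: `add_header` and `expires` in `location /` apply to every 2xx/3xx response produced there, including static files matched by `$uri`, and because add_header is not merged across levels any server-level headers (HSTS, frame options) are dropped for those responses — presumably why `include "globals/hsts.conf"` sits there commented out; the comment should say `# headers below apply to cache hits AND static files served from this location; server-level add_header is NOT inherited here`. Finally, `@mobileaccess` points at `/wp-content/cache/supercache/...index$https_suffix-mobile.html`, a WP Super Cache layout rather than a Cache Enabler one, and `$https_suffix` is not defined in this file; the branch is only reachable if the commented user-agent test is enabled, but it reads as leftover copy-and-paste and should either be removed or repointed at the Cache Enabler directory.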
4 changes: 4 additions & 0 deletions globals/cloudflare.conf
@@ -1,5 +1,9 @@
# make sure you set up a cron to run update-cloudflare-ip-list.sh regularly

include '/etc/nginx/globals/cloudflare-ip-list.conf';

# use any of the following two options (but not both)
real_ip_header CF-Connecting-IP;
# real_ip_header X-Forwarded-For;

real_ip_recursive on;
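Review bot: `real_ip_recursive on;` only changes behaviour for the commented-out `X-Forwarded-For` option, and the comment should warn about that: with recursion nginx walks XFF from the right and skips every address in set_real_ip_from, so if the last hop is itself a Cloudflare address (a request that reached this origin from inside Cloudflare's ranges after another Cloudflare hop — conceivable with Workers or another tenant's zone pointed at this origin, not verified here) nginx moves left into the client-supplied part of the header and reports a spoofable address. `CF-Connecting-IP` is a single value set by Cloudflare with no client-seeded chain, so it is the safer of the two; proposed comment on the existing line: `# prefer CF-Connecting-IP: X-Forwarded-For can be pre-seeded by the client and real_ip_recursive will walk into it when the last hop is a Cloudflare address`. Both options trust the header only from addresses listed in cloudflare-ip-list.conf, so the cron noted at the top is the control that keeps spoofing out; that list's contents are not visible here.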
8 changes: 6 additions & 2 deletions sites-available/default.conf
Expand Up @@ -2,8 +2,12 @@ server {
listen 80 default_server;
listen [::]:80 default_server;

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
# create dummy certificates, if you'd like to enable the following...
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;

# ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";

# to catch all domains not hosted here!
server_name _;
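Review bot: With `listen 443 ssl http2 default_server` commented out, the catch-all under `server_name _;` now covers only port 80: for a TLS connection whose SNI/Host matches no vhost, nginx falls back to the first server block listening on 443 (example.com or pma.example.com here, depending on load order) and serves that site with its certificate, so the "catch all domains not hosted here" intent no longer holds for HTTPS. If the motivation is the missing certificate, a self-signed one generated once (`openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/nginx/default.key -out /etc/nginx/default.crt -subj /CN=default`) is enough to keep the 443 default_server active, and the comment could point at that instead of "dummy certificates". Newer nginx (1.19.4+) can use `ssl_reject_handshake on;` in the default server without any certificate at all. The rest of this server block, including what it returns for unmatched names, lies outside the hunk.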
3 changes: 2 additions & 1 deletion sites-available/example.com.conf
Expand Up @@ -58,7 +58,8 @@ server {
### Enaable only one of the following lines
include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
# include "globals/cache-enabler.conf"; # Cache Enabler plugin support
# location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache

}
21 changes: 18 additions & 3 deletions sites-available/pma.example.com.conf
Expand Up @@ -6,10 +6,25 @@
### Ref: http://serverfault.com/questions/246300/running-phpmyadmin-on-nginx-port-8080-passed-to-varnish-not-working-well
### Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1340187&group_id=23067&atid=377409

# http => https
server {
listen 80;
listen [::]:80; # IPv6 support
server_name pma.example.com;
return 301 https://$host$request_uri;

# Replace the path with the actual path to WordPress core files
root /home/username/sites/pma.example.com/public;

# for LetsEncrypt
location ^~ /.well-known/acme-challenge {
auth_basic off;
try_files $uri =404;
expires -1;
}

location / {
return 301 https://$host$request_uri;
}
}

server {
Expand All @@ -23,8 +38,8 @@ server {
access_log /var/log/nginx/pma.example.com-access.log combined buffer=64k flush=5m if=$loggable; # $loggable is defined in conf.d/common.conf
error_log /var/log/nginx/pma.example.com-error.log;

ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
ssl_certificate "/etc/letsencrypt/live/pma.example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/pma.example.com/privkey.pem";

include globals/restrictions.conf;
include globals/assets.conf;
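Review bot: The new `root` comment in the port-80 block says "path to WordPress core files", but this vhost serves phpMyAdmin; it looks copied from ssl-example.com.conf and will mislead whoever edits the path. Replace it with `# Replace the path with the webroot passed to certbot (this root only serves ACME challenges; everything else is redirected to https)`, since the `^~ /.well-known/acme-challenge` location reads challenge files from this root and a mismatch with the certbot webroot silently breaks renewals while the redirect keeps working. The prefix would also be tighter as `location ^~ /.well-known/acme-challenge/ {` so it cannot claim other paths that merely start with that string. The HTTPS server block is cut off at the end of the second hunk.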
21 changes: 18 additions & 3 deletions sites-available/ssl-example.com.conf
Expand Up @@ -3,7 +3,20 @@ server {
listen 80;
listen [::]:80; # IPv6 support
server_name example.com www.example.com;
return 301 https://$host$request_uri;

# Replace the path with the actual path to WordPress core files
root /home/username/sites/example.com/public;

# for LetsEncrypt
location ^~ /.well-known/acme-challenge {
auth_basic off;
try_files $uri =404;
expires -1;
}

location / {
return 301 https://$host$request_uri;
}
}

# www.example.com => example.com (server-level)
Expand All @@ -29,7 +42,7 @@ server {
index index.php;

# Replace the path with the actual path to WordPress core files
root /home/username/sites/ssl-example.com/public;
root /home/username/sites/example.com/public;

ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
Expand All @@ -46,6 +59,7 @@ server {

include globals/restrictions.conf;
include globals/assets.conf;
include globals/auto-versioning-support.conf;

location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
Expand All @@ -63,6 +77,7 @@ server {
### Enaable only one of the following lines
include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support
# include "globals/cache-enabler.conf"; # Cache Enabler plugin support
# location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
}
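Review bot: The ACME `location ^~ /.well-known/acme-challenge` block added to the port-80 server is duplicated verbatim in pma.example.com.conf in this same commit; a shared `globals/acme-challenge.conf` included from each http→https vhost would keep the `auth_basic off` / `try_files $uri =404;` exception in one place, so a later tightening such as the trailing slash (`location ^~ /.well-known/acme-challenge/ {`) lands everywhere at once. `include globals/auto-versioning-support.conf;` is now pulled into the 443 server unconditionally, but that file is not part of this commit, so its effect is not assessed here. The 443 server block starts and ends outside the hunks shown.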
