From 770fa0cab21b20db24732e978124c14c77f5ba6d Mon Sep 17 00:00:00 2001 From: Pothi Kalimuthu <1254302+pothi@users.noreply.github.com> Date: Fri, 27 Jul 2018 10:02:05 +0530 Subject: [PATCH] Version 3.1 - multiple small fixes and tiny improvements --- README.md | 2 +- conf.d/common.conf | 7 +++ conf.d/ssl-common.conf | 2 +- globals/cache-enabler.conf | 70 ++++++++++++++++++++++++++++ globals/cloudflare.conf | 4 ++ sites-available/default.conf | 8 +++- sites-available/example.com.conf | 3 +- sites-available/pma.example.com.conf | 21 +++++++-- sites-available/ssl-example.com.conf | 21 +++++++-- 9 files changed, 127 insertions(+), 11 deletions(-) create mode 100644 globals/cache-enabler.conf diff --git a/README.md b/README.md index 67bf1c4..0593587 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ Tested with the following servers... Test with the following Nginx versions... + Stable verisons 1.12.x and 1.14.x -+ Mainline versions 1.13.x ++ Mainline versions 1.13.x, 1.15.x For RPM based distros (Fedora, Redhat, CentOS and Amazon Linux AMI), the configuration mentioned in the repo should work. Additional steps may be needed, though. See below for some details! diff --git a/conf.d/common.conf b/conf.d/common.conf index 9d419c0..465356e 100644 --- a/conf.d/common.conf +++ b/conf.d/common.conf @@ -10,6 +10,13 @@ proxy_buffers 8 32k; proxy_buffer_size 64k; # ------------------------------------------------------------------- +# for time-consuming operations (such as WP import or file upload) +# https://nginx.org/r/fastcgi_read_timeout +# default 60 seconds +fastcgi_read_timeout 5m; + +# ------------------------------------------------------------------- + ### To enable large uploads # Please make sure the corresponding PHP values are increased as well # post_max_size = 8M (default) diff --git a/conf.d/ssl-common.conf b/conf.d/ssl-common.conf index deb1599..b1fc16a 100644 --- a/conf.d/ssl-common.conf +++ b/conf.d/ssl-common.conf 
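Review bot: The new `fastcgi_read_timeout 5m;` in conf.d/common.conf only helps if the PHP side is raised to match, since PHP's own `max_execution_time` (and php-fpm's `request_terminate_timeout`, where set) will still abort the request first; the upload section just below already carries exactly this kind of reminder ("Please make sure the corresponding PHP values are increased as well"), so the new comment should say the same. It is also worth stating that every slow or stuck backend response now holds an nginx connection and a php-fpm child for up to five minutes, which is a larger exposure to slow-response exhaustion than the 60s default. Suggested comment: `# raise PHP max_execution_time / php-fpm request_terminate_timeout to match; each slow request now holds a connection for up to 5m`.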
@@ -8,5 +8,5 @@ ssl_protocols TLSv1.1 TLSv1.2; # directly from https://weakdh.org/sysadmin.html ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; -# run "openssl dhparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option +# run "openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option # ssl_dhparam /etc/nginx/dhparam.pem; diff --git a/globals/cache-enabler.conf b/globals/cache-enabler.conf new file mode 100644 index 0000000..57385f0 --- /dev/null +++ b/globals/cache-enabler.conf 
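Review bot: Switching the recommended command to `openssl dhparam -dsaparam ...` changes what kind of parameters are produced, and the comment should say so: `-dsaparam` generates DSA-style parameters (the prime is not a safe prime) much faster than the default, and OpenSSL's own documentation notes that with such parameters a fresh DH key must be used for every exchange to avoid small-subgroup attacks. nginx enables single-use DH keys (and OpenSSL 1.1.0+ always does), so the exchange itself stays sound, but an administrator reading this file should see the trade-off rather than assume the output is equivalent to the previous safe-prime generation. Suggested wording: `# -dsaparam is much faster but yields non-safe-prime (DSA-style) parameters; safe only because DH keys are single-use (default in nginx/OpenSSL 1.1+)`.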
@@ -0,0 +1,70 @@ +# To improve the perf, we may use open_file_cache +# ref: https://nginx.org/r/open_file_cache +# open_file_cache max=1000; +# open_file_cache_valid 60s; +# open_file_cache_min_uses 2; +# open_file_cache_errors off; + +location / { + # requires server support + # gzip_static on; + + error_page 418 = @cachemiss; + error_page 419 = @mobileaccess; + recursive_error_pages on; + + # bypass POST requests + if ($request_method = POST) { return 418; } + + # uncommenting the following degrades the performance on certain sites. YMMV + # if ($query_string != "") { return 418; } + + # bypass cache for common query strings + if ($arg_s != "") { return 418; } # search query + if ($arg_p != "") { return 418; } # request a post / page by ID + if ($arg_amp != "") { return 418; } # amp test + if ($arg_preview = "true") { return 418; } # preview post / page + if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin + + if ($http_cookie ~* "wordpress_logged_in_") { return 418; } + if ($http_cookie ~* "comment_author_") { return 418; } + if ($http_cookie ~* "wp_postpass_") { return 418; } + + # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; } + + # uncomment the following if deemed fit + # if ($http_user_agent ~* "w3c\ 
|w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; } + + try_files "/wp-content/cache/cache-enabler/$host${uri}index.html" $uri $uri/ /index.php$is_args$args; + + #--> all the following would apply, only if the request hits the cache + + add_header "X-Cache" "HIT - Cache Enabler"; + # include "globals/hsts.conf"; + + # expires modified 30m; + expires 30m; + add_header "Cache-Control" "must-revalidate"; + + # For proxies + # add_header "Cache-Control" "s-maxage=3600"; +} + +location @mobileaccess { + # try_files $uri $uri/ /index.php$is_args$args; + try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args; + + add_header "X-Cache" "HIT - Mobile - Cache Enabler"; + # include "globals/hsts.conf"; + + # expires modified 30m; + expires 30m; + add_header "Cache-Control" "must-revalidate"; + + # For proxies + # add_header "Cache-Control" "s-maxage=3600"; +} + +location @cachemiss { + try_files $uri $uri/ /index.php$is_args$args; +} diff --git a/globals/cloudflare.conf b/globals/cloudflare.conf index a8f49f1..df2eb26 100644 --- a/globals/cloudflare.conf +++ b/globals/cloudflare.conf @@ -1,5 +1,9 @@ # make sure you set up a cron to run update-cloudflare-ip-list.sh regularly include '/etc/nginx/globals/cloudflare-ip-list.conf'; + +# use any of the following two options (but not both) real_ip_header CF-Connecting-IP; +# real_ip_header X-Forwarded-For; + real_ip_recursive on; diff --git a/sites-available/default.conf b/sites-available/default.conf index 953d31a..6c06559 100644 --- a/sites-available/default.conf 
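Review bot: In `location @mobileaccess` the lookup path `"/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html"` points at the WP Super Cache directory and relies on `$https_suffix`, whereas `location /` in the same new file looks under `/wp-content/cache/cache-enabler/`, so the mobile branch can never find a Cache Enabler page and always falls through to PHP; it appears to be copied from the Super Cache include, and `$https_suffix` is not defined in this file (presumably elsewhere in the repo, worth confirming). The path should be brought in line with the cache-enabler layout, or the whole 419/mobile branch dropped until the plugin's mobile cache layout is known. Separately, nginx inherits server-level `add_header` directives only into locations that set none, so the `add_header "X-Cache"` lines in all three locations silently drop any HSTS or other security headers configured at the server level, which is presumably why `# include "globals/hsts.conf";` is left as a comment; the header comment should state this so the include is not forgotten when the file is enabled.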
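Review bot: The added comment presents `real_ip_header CF-Connecting-IP;` and `real_ip_header X-Forwarded-For;` as interchangeable, but they are not equally trustworthy: `CF-Connecting-IP` is set by Cloudflare, while `X-Forwarded-For` is appended hop by hop and its leftmost entries can be supplied by the client. With `real_ip_recursive on` nginx walks the header from the right and skips addresses covered by `set_real_ip_from`, so the X-Forwarded-For option is only safe when the list in cloudflare-ip-list.conf (presumably the `set_real_ip_from` entries) is complete and kept current by the cron job mentioned on the first line. Suggested comment above the commented option: `# X-Forwarded-For can be pre-populated by the client; only safe with real_ip_recursive on and a complete, current set_real_ip_from list`.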
+++ b/sites-available/default.conf @@ -2,8 +2,12 @@ server { listen 80 default_server; listen [::]:80 default_server; - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; + # create dummy certificates, if you'd like to enable the following... + # listen 443 ssl http2 default_server; + # listen [::]:443 ssl http2 default_server; + + # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem"; + # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem"; # to catch all domains not hosted here! server_name _; diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf index e1ff8df..63011ba 100644 --- a/sites-available/example.com.conf +++ b/sites-available/example.com.conf @@ -58,7 +58,8 @@ server { ### Enaable only one of the following lines include "globals/wp-super-cache.conf"; # WP Super Cache plugin support # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support - # include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support + # include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support + # include "globals/cache-enabler.conf"; # Cache Enabler plugin support # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache } diff --git a/sites-available/pma.example.com.conf b/sites-available/pma.example.com.conf index 5b466a6..c948164 100644 --- a/sites-available/pma.example.com.conf +++ b/sites-available/pma.example.com.conf 
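Review bot: Commenting out the two `listen 443 ssl http2 default_server;` lines removes the HTTPS catch-all, so `server_name _;` now only catches plain-HTTP requests; for TLS connections with an unknown SNI/Host name nginx will use the first server block listening on 443 in configuration order, which then answers with that site's certificate and content. The new comment explains how to re-enable the listeners but not this consequence, and an operator who later hosts several TLS sites would not expect one of them to become the implicit default. Suggested addition: `# NOTE: without a 443 default_server, the first server{} listening on 443 answers unknown hosts over HTTPS with its own certificate`.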
@@ -6,10 +6,25 @@ ### Ref: http://serverfault.com/questions/246300/running-phpmyadmin-on-nginx-port-8080-passed-to-varnish-not-working-well ### Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1340187&group_id=23067&atid=377409 +# http => https server { listen 80; + listen [::]:80; # IPv6 support server_name pma.example.com; - return 301 https://$host$request_uri; + + # Replace the path with the actual path to WordPress core files + root /home/username/sites/pma.example.com/public; + + # for LetsEncrypt + location ^~ /.well-known/acme-challenge { + auth_basic off; + try_files $uri =404; + expires -1; + } + + location / { + return 301 https://$host$request_uri; + } } server { @@ -23,8 +38,8 @@ server { access_log /var/log/nginx/pma.example.com-access.log combined buffer=64k flush=5m if=$loggable; # $loggable is defined in conf.d/common.conf error_log /var/log/nginx/pma.example.com-error.log; - ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem"; - ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem"; + ssl_certificate "/etc/letsencrypt/live/pma.example.com/fullchain.pem"; + ssl_certificate_key "/etc/letsencrypt/live/pma.example.com/privkey.pem"; include globals/restrictions.conf; include globals/assets.conf; diff --git a/sites-available/ssl-example.com.conf b/sites-available/ssl-example.com.conf index 74a82d7..c423d00 100644 --- a/sites-available/ssl-example.com.conf +++ b/sites-available/ssl-example.com.conf @@ -3,7 +3,20 @@ server { listen 80; listen [::]:80; # IPv6 support server_name example.com www.example.com; - return 301 https://$host$request_uri; + + # Replace the path with the actual path to WordPress core files + root /home/username/sites/example.com/public; + + # for LetsEncrypt + location ^~ /.well-known/acme-challenge { + auth_basic off; + try_files $uri =404; + expires -1; + } + + location / { + return 301 https://$host$request_uri; + } } # www.example.com => example.com (server-level) 
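Review bot: The comment `# Replace the path with the actual path to WordPress core files` above the new `root /home/username/sites/pma.example.com/public;` in pma.example.com.conf was copied from the WordPress vhost; in this phpMyAdmin host the root is consulted only by the `location ^~ /.well-known/acme-challenge` block, since every other request is redirected by `location /`. Suggested replacement: `# docroot used only for ACME challenges on port 80; point it at the phpMyAdmin install (or the certbot webroot)`. The same three-directive acme-challenge block is added verbatim in ssl-example.com.conf in the same commit; since the repo already keeps shared snippets under globals/, moving it into an include there (a constructed name such as globals/acme-challenge.conf) would keep both copies in step.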
@@ -29,7 +42,7 @@ server { index index.php; # Replace the path with the actual path to WordPress core files - root /home/username/sites/ssl-example.com/public; + root /home/username/sites/example.com/public; ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem"; ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem"; @@ -46,6 +59,7 @@ server { include globals/restrictions.conf; include globals/assets.conf; + include globals/auto-versioning-support.conf; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.*)$; @@ -63,6 +77,7 @@ server { ### Enaable only one of the following lines include "globals/wp-super-cache.conf"; # WP Super Cache plugin support # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support - # include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support + # include "globals/wp-fastest-cache.conf"; # WP Fastest Cache plugin support + # include "globals/cache-enabler.conf"; # Cache Enabler plugin support # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache }
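Review bot: The new `include globals/auto-versioning-support.conf;` is placed before `location ~ \.php$`, and nothing in the hunk documents whether that position matters; if the included file defines regex locations (as its name suggests, though its contents are not in this diff), nginx evaluates regex locations in order of appearance, so moving the include below the PHP location would silently change which block handles a matching URI. A one-line comment such as `# keep before the php location: regex locations match in order of appearance` (or `# order-independent`, whichever is the case) would protect the ordering.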