
Commit

Rename files, add cloudflare and webp support
pothi committed May 9, 2018
1 parent c8e8705 commit fb8366d
Showing 15 changed files with 157 additions and 39 deletions.
16 changes: 10 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,15 @@ There are multiplpe advantages of using this repo as your go-to nginx configurat
+ Multisite support.
+ Contains ready-to-use sample vhost entries.
+ Continuously updated sample configurations with best practices.
+ Ansible friendly (coming soon)
+ IPv6 is supported out of the box.
+ Cloudflare support.
+ [WebP](https://developers.google.com/speed/webp/) support.

## Available templates / vhost entries

+ WP Super Cache plugin (with support for SSL and separate mobile cache)
+ WP Rocket cache plugin (SSL / mobile supported out of the box)
+ WP Rocket cache plugin (SSL and / or mobile supported out of the box)
+ WP Fastest Cache plugin (SSL and / or mobile supported out of the box)
+ Multisite (sub-domain and sub-directory)
+ Varnish with Nginx for SSL termination.
+ Custom error pages.
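Review bot: the new feature bullets "Cloudflare support" and "WebP support" are not backed by any README instructions in this change, and the rest of the diff ships the Cloudflare include disabled (`# include globals/cloudflare.conf;` in conf.d/common.conf) and relies on a cron job for scripts/update-cloudflare-ip-list.sh that is only mentioned in a comment. Add a short README section that says which include to uncomment, that the IP list must be refreshed regularly, and that `add_header Vary Accept;` should be enabled when WebP negotiation is used. Also the context line still reads "multiplpe advantages"; worth fixing while this file is open.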
Expand All @@ -43,10 +46,11 @@ There are multiplpe advantages of using this repo as your go-to nginx configurat

Tested with the following servers...
+ Debian Debian 9 (Stretch)
+ Ubuntu 16.04 LTS (Xenial)
+ Ubuntu 16.04 LTS (Xenial Xerus)
+ Ubuntu 18.04 LTS (Bionic Beaver)

Test with the following Nginx versions...
+ Stable verisons 1.12.x
+ Stable verisons 1.12.x and 1.14.x
+ Mainline versions 1.13.x

For RPM based distros (Fedora, Redhat, CentOS and Amazon Linux AMI), the configuration mentioned in the repo should work. Additional steps may be needed, though. See below for some details!
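Review bot: the typo "verisons" in the context line is carried into the new line "+ Stable verisons 1.12.x and 1.14.x"; since the line is being rewritten anyway, correct it to "versions". The sentence introducing the list, "Test with the following Nginx versions...", should read "Tested with" to match the server list above it.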
Expand All @@ -57,7 +61,7 @@ For all the steps mentioned below, you need __sudo__ or __root__ privileges!

Step #1 - Install Nginx

You may use the official Nginx repo or just use the Nginx package that comes with the OS. Both would work fine! I will leave the decision to you. Since, the installation process varies across Operating Systems, please refer the official installation docs to complete this step.
You may use the official Nginx repo or just use the Nginx package that comes with the OS. Both would work fine! I will leave the decision to you. Since, the installation process varies across Operating Systems, please refer the official installation guide to complete this step.

Step #2 - Please backup your existing configuration files. Probably, have /etc under version control!
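Review bot: the only change in this hunk is "docs" to "guide", but the new sentence keeps two grammar slips worth fixing in the same edit: "Since, the installation process varies" should drop the comma, and "please refer the official installation guide" should be "refer to the official installation guide". Linking the guide would also help, since the reader is sent there to complete Step #1.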

Expand Down Expand Up @@ -90,7 +94,7 @@ sudo ln -s ../sites-available/$WP_DOMAIN.conf
sudo nginx -t && sudo systemctl restart nginx
```

### Changes on CentOS
### Changes on CentOS (and on rpm based distros in general)

CentOS has a different file naming convention, yet simple directory structure, when compared to Debian derivatives. Let me describe them and I'd let you decide upon how you'd want to structure your files and name those files.

14 changes: 14 additions & 0 deletions changelog.txt
@@ -1,3 +1,17 @@
v3.0
- Released on May 9, 2018
- Rename wprocket.conf to wp-rocket.conf
- Rename wpsupercache.conf to wp-super-cache.conf
- Added Cloudflare support.
- IPv6 support added.
- WebP support.
- Other minor changes.

v2.0
- released on Dec 20, 2017
- changed filename globals/common-locations.conf to globals/assets.conf
- other minor changes

v1.0
- released on April 23, 2017
- uniform naming scheme for domain names
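Review bot: the v3.0 entry omits the one change in this commit that can break existing deployments: the `$wpsc_https` map variable is renamed to `$https_suffix` in conf.d/common.conf, so any user-maintained vhost or include that still references `$wpsc_https` will fail `nginx -t` with an unknown variable error. List that rename explicitly, and also mention the new scripts/update-cloudflare-ip-list.sh and the globals/cloudflare*.conf files so operators know they exist and that the IP list needs a refresh job.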
28 changes: 22 additions & 6 deletions conf.d/common.conf
Expand Up @@ -2,10 +2,6 @@

index index.html index.php;

# include globals/pagespeed.conf;
# include globals/hide-headers.conf;
# include globals/varnish-as-front-end-compatibility.conf;

# Ref: https://gist.github.com/magnetikonline/11312172
fastcgi_buffers 32 32k;
fastcgi_buffer_size 32k;
Expand All @@ -29,8 +25,8 @@ server_names_hash_bucket_size 128;

# -------------------------------------------------------------------

# For SSL - WP Super Cache Compatibility
map $scheme $wpsc_https { default ''; https '-https'; }
# For SSL Compatibility - WP Super Cache and WP Rocket depend on this
map $scheme $https_suffix { default ''; https '-https'; }

# -------------------------------------------------------------------
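Review bot: renaming the map output from `$wpsc_https` to `$https_suffix` is a breaking change for anyone who copied an older vhost or wrote their own `try_files` against the old name, and nginx rejects the whole configuration at test time when an undefined variable is referenced. Consider keeping a one-line compatibility alias such as `map $scheme $wpsc_https { default ''; https '-https'; }` next to the new map for one release, or at least document the rename in changelog.txt and the README.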

Expand All @@ -52,3 +48,23 @@ charset $charset;
charset_types *;

# -------------------------------------------------------------------

# if you'd like to hide some header info, uncomment this
# include globals/hide-headers.conf;

# -------------------------------------------------------------------
#
# if you'd like to hide some header info, uncomment this
# include globals/cloudflare.conf;

# -------------------------------------------------------------------

# webp support
# see: https://docs.ewww.io/article/16-ewww-io-and-webp-images

map $http_accept $webp_suffix {
default "";
"~*webp" ".webp";
}

# -------------------------------------------------------------------
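Review bot: the comment above the Cloudflare include was copy-pasted from the hide-headers block: "# if you'd like to hide some header info, uncomment this" followed by "# include globals/cloudflare.conf;" describes the wrong thing, and the stray "#" line above it looks accidental. Say what the include actually does, for example that it makes `$remote_addr` reflect the visitor address from `CF-Connecting-IP` only for requests arriving from the listed Cloudflare ranges, and that it must be enabled only when the origin sits behind Cloudflare, since access logs, `allow`/`deny` rules and rate limits all key off `$remote_addr` once it is on.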
15 changes: 14 additions & 1 deletion globals/assets.conf
Expand Up @@ -29,7 +29,7 @@ location ~ \.(?:ttf|ttc|eot|woff|woff2|otf|svg)$ {
}

# Referers for images
location ~ \.(?:jpg|jpeg|gif|png|ico)$ {
location ~ \.(?:gif|ico|webp)$ {
### Please change the domainname before uncommenting the following
# valid_referers none blocked www.example.com example.com;
# if ($invalid_referer) { return 403; }
Expand All @@ -39,6 +39,19 @@ location ~ \.(?:jpg|jpeg|gif|png|ico)$ {
access_log off;
}

location ~* ^.+\.(png|jpe?g)$ {
### Please change the domainname before uncommenting the following
# valid_referers none blocked www.example.com example.com;
# if ($invalid_referer) { return 403; }

# add_header Vary Accept;
# see https://docs.ewww.io/article/16-ewww-io-and-webp-images
try_files $uri$webp_suffix $uri =404;
expires max;
log_not_found off;
access_log off;
}

# Feeds
location ~ \.(?:rss|atom)$ {
expires 600s; # 10 minutes
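Review bot: serving two representations from one URL via "try_files $uri$webp_suffix $uri =404;" while leaving "# add_header Vary Accept;" commented out is unsafe in combination with `expires max`: any shared cache between the browser and the origin (including the Cloudflare layer this same commit adds support for) may store the .webp body and hand it to a client that never sent "Accept: image/webp". Uncomment the `Vary` line. Note the nginx inheritance rule when you do: a location that defines any `add_header` stops inheriting `add_header` directives from the server block, so headers set at server level (HSTS, X-Frame-Options and the like) need to be re-included here. Two smaller points: this block uses a case-insensitive `~*` match while the gif/ico/webp block above uses `~`, so `.JPG` is handled but `.GIF` is not, and the `valid_referers` stanza is now duplicated between the two blocks.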
21 changes: 21 additions & 0 deletions globals/cloudflare-ip-list.conf
@@ -0,0 +1,21 @@
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
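Review bot: this is a point-in-time snapshot of the Cloudflare ranges with no date or source comment, and nothing in the repository refreshes it unless the operator sets up the cron job mentioned elsewhere. Add a header comment stating the fetch date and the two source URLs used by scripts/update-cloudflare-ip-list.sh. The failure mode of a stale list is worth spelling out in that comment too: ranges missing from the list are simply not trusted, so requests through them are logged with the Cloudflare edge address and rate limits or `allow`/`deny` rules act on that address instead of the visitor's.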
6 changes: 6 additions & 0 deletions globals/cloudflare.conf
@@ -0,0 +1,6 @@
# make sure you set up a cron to run update-cloudflare-ip-list.sh regularly

include '/etc/nginx/globals/cloudflare-ip-list.conf';
real_ip_header CF-Connecting-IP;
real_ip_header CF-Connecting-IP;
real_ip_recursive on;
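Review bot: "real_ip_header CF-Connecting-IP;" appears twice; nginx treats a repeated `real_ip_header` in the same context as a duplicate directive and refuses the configuration, so this file breaks `nginx -t` the moment a user uncomments the include. Remove one line. Two further points: the include uses an absolute "/etc/nginx/globals/cloudflare-ip-list.conf" path while every other include in the repo is relative to the nginx prefix, which will surprise the CentOS users the README addresses; and `real_ip_recursive on` has no effect with a single-address header such as `CF-Connecting-IP` (it matters for `X-Forwarded-For` chains), so either drop it or comment why it is there.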
5 changes: 2 additions & 3 deletions globals/wp-fastest-cache.conf
Expand Up @@ -41,7 +41,7 @@ location / {
#--> all the following would apply, only if the request hits the cache

# add some useful headers
add_header "X-Cache" "HIT";
add_header "X-Cache" "HIT - WP Fastest Cache";
add_header "X-CF-Powered-By" "WP Fastest Cache";
add_header "Vary" "Cookie";
# include "globals/hsts.conf";
Expand All @@ -62,8 +62,7 @@ location @mobileaccess {
#--> all the following would apply, only if the request hits the cache

# add some useful headers
add_header "X-Cache" "HIT - Mobile";
add_header "X-CF-Powered-By" "WP Fastest Cache";
add_header "X-Cache" "HIT - Mobile - WP Fastest Cache";
add_header "Vary" "User-Agent, Cookie";
# include "globals/hsts.conf";
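Review bot: the mobile block drops "add_header "X-CF-Powered-By" "WP Fastest Cache";" but the desktop block in the previous hunk keeps it, and the WP Rocket file in this same commit removes the header from both blocks. Pick one behaviour across all three plugin includes; since the plugin name now travels in the `X-Cache` value, the separate `X-CF-Powered-By` header is redundant and only advertises the caching stack to every client.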

14 changes: 6 additions & 8 deletions globals/wprocket.conf → globals/wp-rocket.conf
Expand Up @@ -30,18 +30,17 @@ location / {
if ($http_cookie ~* "comment_author_") { return 418; }
if ($http_cookie ~* "wp_postpass_") { return 418; }

# if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad)) { return 419; }
# if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
# add_header "Vary" "User-Agent";

# uncomment the following if deemed fit
# if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad)) { return 419; }
# if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }

try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$wpsc_https.html" $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$https_suffix.html" $uri $uri/ /index.php$is_args$args;

#--> all the following would apply, only if the request hits the cache

add_header "X-Cache" "HIT - Desktop";
add_header "X-CF-Powered-By" "WP Rocket";
add_header "X-Cache" "HIT - WP Rocket";
add_header "Vary" "Cookie";
# include "globals/hsts.conf";

Expand All @@ -54,10 +53,9 @@ location / {

location @mobileaccess {
# try_files $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$wpsc_https.html" $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$https_suffix.html" $uri $uri/ /index.php$is_args$args;

add_header "X-Cache" "HIT - Mobile";
add_header "X-CF-Powered-By" "WP Rocket";
add_header "X-Cache" "HIT - Mobile - WP Rocket";
add_header "Vary" "User-Agent, Cookie";
# include "globals/hsts.conf";

8 changes: 4 additions & 4 deletions globals/wpsc.conf → globals/wp-super-cache.conf
Expand Up @@ -30,12 +30,12 @@ location / {
if ($http_cookie ~* "comment_author_") { return 418; }
if ($http_cookie ~* "wp_postpass_") { return 418; }

# if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad)) { return 419; }
# if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }

# uncomment the following if deemed fit
# if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad)) { return 419; }
# if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }

try_files "/wp-content/cache/supercache/$host${uri}index$wpsc_https.html" $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix.html" $uri $uri/ /index.php$is_args$args;

#--> all the following would apply, only if the request hits the cache

Expand All @@ -52,7 +52,7 @@ location / {

location @mobileaccess {
# try_files $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/supercache/$host${uri}index$wpsc_https-mobile.html" $uri $uri/ /index.php$is_args$args;
try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;

add_header "X-Cache" "HIT - Mobile - WP Super Cache";
# include "globals/hsts.conf";
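Review bot: please confirm the suffix order against each plugin's on-disk layout. The WP Super Cache mobile path is "index$https_suffix-mobile.html" (https suffix first, then "-mobile"), whereas the WP Rocket file in this commit uses "index-mobile$https_suffix.html" (the reverse). Both may be correct for their respective plugins, but the asymmetry is easy to get wrong in a rename-heavy commit, and a mismatch silently turns every mobile HTTPS request into a cache miss handled by PHP rather than producing an error.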
16 changes: 16 additions & 0 deletions scripts/update-cloudflare-ip-list.sh
@@ -0,0 +1,16 @@
#!/bin/bash

# script to set Cloudflare IPs (ipv4 and ipv6)

# empty the list
echo -n > /etc/nginx/globals/cloudflare-ip-list.conf;

# fetch and update ipv4
for i in `curl -s https://www.cloudflare.com/ips-v4`; do
echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
done

# fetch and update ipv6
for i in `curl -s https://www.cloudflare.com/ips-v6`; do
echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
done
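Review bot: the script truncates the live configuration with "echo -n > /etc/nginx/globals/cloudflare-ip-list.conf;" before it has fetched anything, and nothing checks what `curl -s` returned. If either fetch fails (DNS outage, TLS error, captive portal) the loop body never runs and the list is left empty, and if the endpoint returns an HTML error page its tokens are written verbatim as "set_real_ip_from $i;" lines, so the next reload fails. Suggested shape: use `curl -fsS` so HTTP errors are fatal, write to a temporary file, validate every line against a CIDR pattern before accepting it, `mv` the temp file into place atomically, and finish with `nginx -t && systemctl reload nginx` so the new list is actually loaded (an nginx process only picks the file up on reload). Adding `set -euo pipefail` and replacing the backticks with `$(...)` would also be in keeping with a script intended to run unattended from cron.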
14 changes: 12 additions & 2 deletions sites-available/dev.example.com.conf
@@ -1,7 +1,11 @@
server {
listen 80;
listen [::]:80; # IPv6 support
listen 443 ssl http2;
listen [::]:443 ssl http2; # IPv6 support

server_name dev.example.com;

index index.php;

# Replace the path with the actual path to WordPress core files
Expand Down Expand Up @@ -33,15 +37,21 @@ server {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";

include fastcgi.conf;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass fpm-dev;

add_header "X-Cache" "MISS";
}

# The rewrite magic
location / { try_files $uri $uri/ /index.php$is_args$args; }
# include "globals/wpsc.conf";
# include "globals/wprocket.conf";
# include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
}
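Review bot: "add_header "X-Cache" "MISS";" inside the PHP location switches off inheritance of every server-level `add_header` for dynamic responses, because nginx only inherits `add_header` into a context that defines none of its own. If hsts.conf or any other security headers are set at server level, PHP-rendered pages (the ones that matter most) will no longer carry them; either include the same header file in this location or move `X-Cache` to server level. The httpoxy mitigation via `fastcgi_param HTTP_PROXY "";` is correct and should stay ahead of the `include fastcgi.conf;` as written. The comment on the last new include line, "# WP Rocket Cache plugin support" next to `globals/wp-fastest-cache.conf`, is a copy-paste slip that also appears in sites-available/example.com.conf and sites-available/ssl-example.com.conf.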
9 changes: 7 additions & 2 deletions sites-available/example.com.conf
Expand Up @@ -6,12 +6,14 @@
# you are a fan of micro-optimization, please use the following to redirect www.example.com => example.com (301)
# server {
# listen 80;
# listen [::]:80; # IPv6 support
# server_name www.example.com;
# return 301 $scheme://example.com$request_uri;
# }

server {
listen 80;
listen [::]:80; # IPv6 support
server_name example.com;

server_name www.example.com; # hide this line, if you enable the server-level 301 redirect above
Expand Down Expand Up @@ -49,11 +51,14 @@ server {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass fpm;

add_header "X-Cache" "MISS";
}

### Enaable only one of the following lines
include "globals/wpsc.conf"; # WP Super Cache plugin support
# include "globals/wprocket.conf"; # WP Rocket Cache plugin support
include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
# location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache

}
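Review bot: the new line "# include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support" mislabels the WP Fastest Cache include as WP Rocket, which will confuse anyone toggling these lines; the same slip is in the dev and ssl vhosts. The context line "### Enaable only one of the following lines" is being edited around in three files in this commit and is a good moment to fix the spelling. As in the dev vhost, the `add_header "X-Cache" "MISS";` added inside the PHP location suppresses inherited server-level `add_header` directives for PHP responses.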
8 changes: 6 additions & 2 deletions sites-available/ssl-example.com.conf
@@ -1,6 +1,7 @@
# http => https
server {
listen 80;
listen [::]:80; # IPv6 support
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
Expand All @@ -9,6 +10,7 @@ server {
# use it only if you are a fan of micro-optimization
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2; # IPv6 support
# server_name www.example.com;
# ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
Expand All @@ -17,6 +19,7 @@ server {

server {
listen 443 ssl http2;
listen [::]:443 ssl http2; # IPv6 support
server_name example.com;

# hide the following line, if you enable the server-level 301 redirect above
Expand Down Expand Up @@ -58,7 +61,8 @@ server {
}

### Enaable only one of the following lines
include "globals/wpsc.conf"; # WP Super Cache plugin support
# include "globals/wprocket.conf"; # WP Rocket Cache plugin support
include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
# include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support
# include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support
# location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
}

0 comments on commit fb8366d
