Created
January 17, 2020 03:48
-
-
Save kkumar326/e534c9bdec79ca79cb090b1c1d5eade1 to your computer and use it in GitHub Desktop.
Nginx Conf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # nginx.conf | |
| user www-data; | |
| worker_processes auto; | |
| pid /run/nginx.pid; | |
| include /etc/nginx/modules-enabled/*.conf; | |
| events { | |
| worker_connections 768; | |
| # multi_accept on; | |
| } | |
| http { | |
| ## | |
| # Basic Settings | |
| ## | |
| rewrite_log on; | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 65; | |
| types_hash_max_size 2048; | |
| server_tokens off; | |
| # server_names_hash_bucket_size 64; | |
| # server_name_in_redirect off; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| ## | |
| # SSL Settings | |
| ## | |
| ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE | |
| ## ssl_prefer_server_ciphers on; | |
| ssl_session_tickets on; | |
| ## | |
| # Logging Settings | |
| ## | |
| access_log /var/log/nginx/access.log; | |
| error_log /var/log/nginx/error.log; | |
| ## | |
| # Gzip Settings | |
| ## | |
| gzip on; | |
| gzip_disable "msie6"; | |
| gzip_comp_level 4; | |
| gzip_vary on; | |
| gzip_proxied any; | |
| gzip_min_length 256; | |
| # gzip_buffers 16 8k; | |
| # gzip_http_version 1.1; | |
| gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; | |
| # Security Headers | |
| add_header X-Frame-Options "SAMEORIGIN" always; | |
| add_header X-Content-Type-Options "nosniff" always; | |
| add_header X-XSS-Protection "1; mode=block" always; | |
| add_header Strict-Transport-Security "max-age=31536000" always; | |
| # Timeouts | |
| client_body_timeout 12; | |
| client_header_timeout 12; | |
| send_timeout 10; | |
| # Large header and cookie error | |
| large_client_header_buffers 4 16k; | |
| # Fastcgi Settings | |
| fastcgi_buffers 8 16k; | |
| fastcgi_buffer_size 32k; | |
| fastcgi_connect_timeout 60; | |
| fastcgi_send_timeout 300; | |
| fastcgi_read_timeout 300; | |
| # Fastcgi Cache | |
| fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=phpcache:100m inactive=60m; | |
| fastcgi_cache_key "$scheme$request_method$host$request_uri"; | |
| # File Upload limit | |
| client_max_body_size 32m; | |
| ## | |
| # Virtual Host Configs | |
| ## | |
| include /etc/nginx/conf.d/*.conf; | |
| include /etc/nginx/sites-enabled/*; | |
| } | |
| # host.conf | |
| server { | |
| root /var/www/[host]/live; | |
| index index.php index.html index.htm; | |
| server_name [host]; | |
| location / { | |
| #try_files $uri $uri/ /index.php?$args /index.php?q=$uri$args; | |
| try_files $uri $uri/ /index.php?$args; | |
| } | |
| # Fastcgi Cache Exclusions | |
| set $skip_cache 0; | |
| # POST requests and urls with a query string should always go to PHP | |
| if ($request_method = POST) { | |
| set $skip_cache 1; | |
| } | |
| if ($query_string != "") { | |
| set $skip_cache 1; | |
| } | |
| # Don't cache domain names | |
| if ($request_uri ~* "($|/$)") { | |
| set $skip_cache 1; | |
| } | |
| # Don't cache cache_clear.php | |
| if ($request_uri ~* "/cache_clear.php") { | |
| set $skip_cache 1; | |
| } | |
| # Don't cache uris containing the following segments | |
| if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { | |
| set $skip_cache 1; | |
| } | |
| # Don't use the cache for logged in users or recent commenters | |
| if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { | |
| set $skip_cache 1; | |
| } | |
| # Deny access to config file | |
| location ~* wp-config.php { | |
| deny all; | |
| } | |
| # if ($request_uri ~* "\?amp") { | |
| # return 302 https://$host$uri/amp; | |
| # } | |
| location ~ \.php$ { | |
| include snippets/fastcgi-php.conf; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| #fastcgi_index index.php; | |
| include fastcgi_params; | |
| fastcgi_pass unix:/run/php/php7.4-fpm.sock; | |
| #fastcgi_pass 127.0.0.1:9000; | |
| fastcgi_cache phpcache; | |
| fastcgi_cache_valid 200 301 302 10m; | |
| add_header X-FastCGI-Cache $upstream_cache_status; | |
| fastcgi_cache_bypass $skip_cache; | |
| fastcgi_no_cache $skip_cache; | |
| } | |
| # Deny access to uploads that aren’t images, videos, music, etc. | |
| location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ { | |
| deny all; | |
| } | |
| # Deny access to cache folder | |
| #location = /cache/* { | |
| # deny all; | |
| #} | |
| # Deny access to all hidden files | |
| location ~ /\. { | |
| access_log off; | |
| deny all; | |
| } | |
| listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot | |
| listen 443 ssl http2; # managed by Certbot | |
| ssl_certificate /etc/nginx/cloudflare-certs/cloudflare_origin.pem; # managed by Certbot | |
| ssl_certificate_key /etc/nginx/cloudflare-certs/cloudflare_key.pem; # managed by Certbot | |
| #ssl_certificate /etc/letsencrypt/live/sciencehook.com-0001/fullchain.pem; # managed by Certbot | |
| #ssl_certificate_key /etc/letsencrypt/live/sciencehook.com-0001/privkey.pem; # managed by Certbot | |
| include /etc/nginx/snippets/options-ssl-nginx.conf; # managed by Certbot | |
| #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |
| # Static Content Caching | |
| location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { | |
| access_log off; | |
| add_header Cache-Control "public, max-age=2592000"; | |
| #add_header Pragma "public, max-age=2592000"; | |
| #add_header Vary Accept-Encoding; | |
| #expires 1M; | |
| } | |
| } | |
| server { | |
| if ($host = www.[host]) { | |
| return 301 https://$host$request_uri; | |
| } # managed by Certbot | |
| if ($host = [host]) { | |
| return 301 https://$host$request_uri; | |
| } # managed by Certbot | |
| listen 80; | |
| listen [::]:80; | |
| server_name [host]; | |
| return 404; # managed by Certbot | |
| } | |
| # ssl.conf | |
| # This file contains important security parameters. If you modify this file | |
| # manually, Certbot will be unable to automatically provide future security | |
| # updates. Instead, Certbot will print and log an error message with a path to | |
| # the up-to-date file that you will need to refer to when manually updating | |
| # this file. | |
| ssl_session_cache shared:le_nginx_SSL:1m; | |
| ssl_session_timeout 1440m; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment