Nginx Configuration Files for WordPress. Nginx is installed by YUM. @see:https://codex.wordpress.org/Nginx

conf.d|01_hoge.conf

server {
    listen       80;
    listen       [::]:80;
    server_name  dev.hoge.jp;
    return 301 https://dev.hoge.jp$request_uri;

    #root    /home/httpd/hoge/wordpress;

    # WordPress Setting
    #include conf.d/global/wordpress_restrictions.conf;
    #include conf.d/global/wordpress_dev.conf;
    #include conf.d/global/wordpress_live.conf;
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  .dev.hoge.jp;

    root /home/httpd/hoge/wordpress;

    # Gzip
    include conf.d/global/gzip.conf;

    # WordPress Setting
    include conf.d/global/wordpress_restrictions.conf;
    #include conf.d/global/wordpress_dev.conf;
    include conf.d/global/wordpress_live.conf;

    # SSL
    include conf.d/global/ssl.conf;
    ssl_certificate         /etc/letsencrypt/live/dev.hoge.jp/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/dev.hoge.jp/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/dev.hoge.jp/chain.pem;
}

conf.d|global|fastcgi_php.conf

#
# PHP-FPM
#
if (!-f $document_root$fastcgi_script_name) {
    return 404;
}
# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

include fastcgi_params;
fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
fastcgi_index index.php;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_intercept_errors on;

# Buffer size
proxy_buffer_size 32k;
proxy_buffers 30 32k;
client_body_buffer_size 64k;

conf.d|global|gzip.conf

gzip         on;
gzip_vary    on;
gzip_proxied any;
gzip_types   text/plain
             text/xml
             text/css
             application/xml
             application/xhtml+xml
             application/rss+xml
             application/atom_xml
             application/javascript
             application/x-javascript
             application/x-httpd-php;
gzip_disable "MSIE [1-6]\.";
gzip_buffers 16 8k;

conf.d|global|ssl.conf

#
# SSL
#
# "ssl on" is deprecated
#ssl on;

# Certificates
# ssl_certificate         /etc/letsencrypt/live/dev.example.com/fullchain.pem;
# ssl_certificate_key     /etc/letsencrypt/live/dev.example.com/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;

conf.d|global|wordpress_dev.conf

#
# WordPress single site rules.
# Designed to be included in any server {} block.
#

index   index.php;
charset utf-8;

# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
    try_files $uri $uri/ /index.php?$args;
    
    # Deny ?author= attack
    if ($args ~* author=) {
        return 403;
    }
    
    # Disable caching
    add_header X-Cache-Status $upstream_cache_status;
    add_header Cache-Control no-cache;
    expires off;
    sendfile off;

    # Pass all .php files onto a php-fpm/php-fcgi server.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include conf.d/global/fastcgi_php.conf;
        client_max_body_size 5M;
    }
    
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
}

conf.d|global|wordpress_live.conf

#
# WordPress single site rules.
# Designed to be included in any server {} block.
#

index   index.php;
charset utf-8;


#
# fastcgi_cache start
# https://codex.wordpress.org/Nginx#Nginx_fastcgi_cache
set $no_cache 0;

# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
    set $no_cache 1;
}
if ($query_string != "") {
    set $no_cache 1;
}

# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
    set $no_cache 1;
}

# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
    set $no_cache 1;
}


# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
    try_files $uri $uri/ /index.php?$args;

    # Deny ?author= attack
    if ($args ~* author=) {
        return 403;
    }
    
    # Header
    add_header X-Cache $upstream_cache_status;
    
    # Pass all .php files onto a php-fpm/php-fcgi server.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include conf.d/global/fastcgi_php.conf;

        client_max_body_size 5M;

        # Enable FastCGI cache
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;

        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid 200 60m;
    }

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|webp)$ {
        access_log off; log_not_found off; expires max;
    }
    
    location ~* \.(js|css)$ {
        expires max;
        log_not_found off;
    }
}

conf.d|global|wordpress_restrictions.conf

#
# Global Restrictions for WordPress site
# Designed to be included in any server {} block.</p>
#

location = /favicon.ico {
    log_not_found off;
    access_log off;
}

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}

# Deny all xmlrpc.php access
location = /xmlrpc.php {
    #deny all;
    log_not_found off;
    access_log off;
    return 403;
}

# Deny all REST API access
location ^~ /wp-json/ {
    deny all;
    access_log off;
}

# Accept for Let's Encrypt(certbot)
location ^~ /.well-known/ {
    access_log           off;
    log_not_found        off;
    autoindex            off;
    try_files            $uri $uri/ =404;
}

# Deny less files
location ~* ^.+\.(less)$ {
    deny all;
    access_log off;
}

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

nginx.conf

user  nginx www;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /run/nginx.pid;

worker_rlimit_nofile 10240;

events {
    worker_connections  1024;
    multi_accept on;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$host" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay         on;

    keepalive_timeout  65;
    types_hash_max_size 2048;

    #gzip  on;

    # FastCGI Cache
    fastcgi_cache_path /var/cache/nginx/fastcgi_www levels=1:2 keys_zone=WORDPRESS:100m inactive=60m max_size=1g;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_cache_use_stale error timeout invalid_header http_500;

    include /etc/nginx/conf.d/*.conf;
}

ssl_2020.conf

#
# SSL
#
# @see https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=intermediate&openssl=1.1.1c&guideline=5.4
#

# Certificates
#ssl_certificate         /etc/letsencrypt/live/dev.example.com/fullchain.pem;
#ssl_certificate_key     /etc/letsencrypt/live/dev.example.com/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;

ssl_dev.conf

#
# SSL
#
# "ssl on" is deprecated
#ssl on;

# Certificates
#ssl_certificate         /etc/letsencrypt/live/dev.example.com/fullchain.pem;
#ssl_certificate_key     /etc/letsencrypt/live/dev.example.com/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/dev.example.com/chain.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
#ssl_stapling on;
#ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4;