Created
July 15, 2016 22:16
-
-
Save brian4286/cb191ec6cf0c20342854380d32b87f58 to your computer and use it in GitHub Desktop.
Highly optimized WordPress nginx.conf for security and performance.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80 default_server; | |
| listen [::]:80 default_server; | |
| location / { | |
| return 301 https://www.domain.com$request_uri; | |
| } | |
| } | |
| server { | |
| listen 443 ssl http2; | |
| server_name www.domain.com assets.domain.com; # assets.domain.com added for origin pull. | |
| access_log /var/log/nginx/domain.com-access.log; | |
| error_log /var/log/nginx/domain.com-error.log; | |
| root /usr/share/nginx/www/www.domain.com; | |
| autoindex off; | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; | |
| add_header X-Frame-Options "SAMEORIGIN" always; | |
| add_header X-XSS-Protection "1; mode=block" always; | |
| add_header X-Content-Type-Options "nosniff" always; | |
| add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;"; | |
| add_header "Cache-Control" "no-transform"; | |
| add_header Alternate-Protocol 443:npn-spdy/3; | |
| add_header X-Your-Custom-Header $yourcustomheader; | |
| ssl on; | |
| ssl_certificate /etc/nginx/ssl/www.domain.com.crt; | |
| ssl_certificate_key /etc/nginx/ssl/www.domain.com.key; | |
| ssl_session_tickets on; | |
| ssl_session_cache shared:SSL:15m; | |
| ssl_session_timeout 4h; | |
| ssl_prefer_server_ciphers On; | |
| ssl_dhparam /etc/ssl/certs/dhparam.pem; # Run cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096 | |
| ssl_protocols TLSv1.1 TLSv1.2; | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| ssl_trusted_certificate /etc/nginx/ssl/www.domain.com.crt; | |
| resolver 1.1.1.1 2.2.2.2 valid=5m; #Add your local resolvers here. | |
| resolver_timeout 10s; | |
| spdy_keepalive_timeout 5m; | |
| keepalive_timeout 5m; | |
| spdy_headers_comp 8; | |
| location /wp-admin { | |
| allow 1.1.1.1; #Your public ip here | |
| allow 2.2.2.2; #Second public ip | |
| deny all; | |
| index index.php index.html; | |
| try_files $uri $uri/ /index.php?$args; | |
| } | |
| location / { | |
| index index.php index.html; | |
| try_files $uri $uri/ /index.php?$args; | |
| } | |
| location ~ \.php$ { | |
| try_files $uri =404; | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| include fastcgi_params; | |
| fastcgi_index index.php; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_pass unix:/var/run/php/php7.0-fpm-domain.com.sock; # Switch to your current socket | |
| #fastcgi_pass 127.0.0.1:9000; # Uncomment if you want to switch to TCP and comment above. | |
| } | |
| location = /robots.txt { access_log off; log_not_found off; } | |
| location = /favicon.ico { access_log off; log_not_found off; } | |
| location ~* \.(?:manifest|appcache|html?|xml|json)$ { | |
| expires -1 | |
| } | |
| location ~* \.(?:rss|atom)$ { | |
| expires 1h; | |
| add_header Cache-Control "public"; | |
| } | |
| location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|css|js|ttf|ttc|otf|eot|woff|woff2)$ { | |
| access_log off; | |
| expires max; | |
| add_header Pragma public; | |
| add_header Cache-Control "public, must-revalidate, proxy-revalidate"; | |
| } | |
| location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ { | |
| deny all; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment