Skip to content

Instantly share code, notes, and snippets.

@evansolomon
Created April 1, 2012 09:36
Show Gist options
  • Save evansolomon/2274120 to your computer and use it in GitHub Desktop.
Save evansolomon/2274120 to your computer and use it in GitHub Desktop.
nginx WordPress multisite config
server {
listen 80 default_server;
server_name domain.com *.domain.com;
root /srv/www/domain.com/public;
access_log /srv/www/domain.com/log/access.log;
error_log /srv/www/domain.com/log/error.log;
location / {
index index.php;
try_files $uri $uri/ /index.php?$args;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 24h;
log_not_found off;
}
# this prevents hidden files (beginning with a period) from being served
location ~ /\. { access_log off; log_not_found off; deny all; }
# Pass uploaded files to wp-includes/ms-files.php.
rewrite /files/$ /index.php last;
if ($uri !~ wp-content/plugins) {
rewrite /files/(.+)$ /wp-includes/ms-files.php?file=$1 last;
}
# Rewrite multisite '.../wp-.*' and '.../*.php'.
if (!-e $request_filename) {
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
rewrite ^/[_0-9a-zA-Z-]+.*(/wp-admin/.*\.php)$ $1 last;
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
}
location ~ \.php$ {
client_max_body_size 25M;
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
@oshripi
Copy link

oshripi commented Jul 16, 2016

this is not help me :(

what i m missing ?

server {
listen 80 default_server;
listen [::]:80 default_server;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

Rewrite multisite

if (!-e $request_filename) {
    rewrite ^/[_0-9a-zA-Z-]+(/wp-._) $1 last;
    rewrite ^/[_0-9a-zA-Z-]+._(/wp-admin/._.php)$ $1 last;
    rewrite ^/[_0-9a-zA-Z-]+(/._.php)$ $1 last;
}
    server_name 167.114.17.67;
    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
            location ~ \.php$ {
                    include snippets/fastcgi-php.conf;
                    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                }

                location ~ /\.ht {
                    deny all;
              }
    }

}

@danieluyo
Copy link

Possible HTTP-Splitting vulnerability.
Using variables that can contain "\n" may lead to http injection. At least variable "$uri" can contain "\n"

rewrite /wp-admin$ $scheme://$host$uri/ permanent;

https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md

@elhardoum
Copy link

Thanks a lot!

One thing though, the HTTP 404 error pages probably needed to be forwarded to WordPress, in case someone had a {..}.php in their permalink structure or has dynamic routes, they'll always be served basic nginx 404 pages, which do not load the website. To do so:

error_page 403 404 =200 /error.html;
location = /error.html { try_files $uri $uri/ /index.php?$args; }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment