-
-
Save felipeg48/8db4ed94c8194419733807cb2943204f to your computer and use it in GitHub Desktop.
nginx configuration + wordpress + SSL using letsencrypt + a static site + a reverse proxy for a hosted NodeJS webapp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://cipherli.st/ | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_session_cache shared:SSL:10m; | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; | |
| add_header X-Frame-Options DENY; | |
| add_header X-Content-Type-Options nosniff; | |
| #ssl_session_tickets off; | |
| ssl_stapling on; # Requires nginx >= 1.3.7 | |
| ssl_stapling_verify on; # Requires nginx >= 1.3.7 | |
| resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| resolver_timeout 5s; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622 | |
| location ^~ /.well-known/ { | |
| root /var/www/letsencrypt; | |
| default_type text/plain; | |
| auth_basic off; | |
| allow all; | |
| } | |
| location = /.well-known/ { | |
| return 404; | |
| } | |
| location = /.well-known/acme-challenge/ { | |
| return 404; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # vim:set ft=conf ts=4 sts=4 noet: | |
| server_tokens off; | |
| types { | |
| text/plain asc; | |
| } | |
| # SOME http -> https | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name .wordpress-site.com .static-site.com ; | |
| return 301 https://$host$request_uri; | |
| include /etc/nginx/letsencrypt; | |
| } | |
| # CATCHALL http | |
| server { | |
| listen 80 default_server; | |
| listen [::]:80 default_server; | |
| server_name _; | |
| root /var/www; | |
| index index.php index.html index.htm; | |
| include /etc/nginx/letsencrypt; | |
| } | |
| # CATCHALL https | |
| server { | |
| listen 443 default_server; | |
| listen [::]:443 default_server; | |
| server_name _; | |
| root /var/www; | |
| ssl on; | |
| ssl_certificate /etc/letsencrypt/live/webhost.static-site.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/webhost.static-site.com/privkey.pem; | |
| include /etc/nginx/cipherlist; | |
| include /etc/nginx/letsencrypt; | |
| index index.php index.html index.htm; | |
| } | |
| # www.wordpress-site.com -> wordpress-site.com | |
| server { | |
| listen 443; | |
| listen [::]:443; | |
| server_name www.wordpress-site.com; | |
| ssl on; | |
| ssl_certificate /etc/letsencrypt/live/www.wordpress-site.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/www.wordpress-site.com/privkey.pem; | |
| include /etc/nginx/cipherlist; | |
| location / { | |
| return 301 https://wordpress-site$request_uri; | |
| } | |
| include /etc/nginx/letsencrypt; | |
| } | |
| # wordpress-site.com | |
| server { | |
| listen 443; | |
| listen [::]:443; | |
| server_name wordpress-site.com; | |
| root /home/user/wordpress; | |
| ssl on; | |
| ssl_certificate /etc/letsencrypt/live/wordpress-site.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/wordpress-site.com/privkey.pem; | |
| include /etc/nginx/cipherlist; | |
| include /etc/nginx/letsencrypt; | |
| index index.php index.html index.htm; | |
| autoindex off; | |
| location / { | |
| #try_files $uri $uri/ /index.php?q=$uri&$args; | |
| try_files $uri $uri/ @phpmagic; | |
| } | |
| location @phpmagic { | |
| rewrite ^/(.+)$ /index.php?p=$1 last; | |
| } | |
| error_page 404 /index.php; | |
| error_page 403 =404 /404.html; | |
| error_page 500 502 503 504 /50x.html; | |
| location = /50x.html { | |
| root /usr/share/nginx/html; | |
| } | |
| location ~* wp-config.php { deny all; } | |
| location ~* wp-settings.php { deny all; } | |
| # legacy stuff | |
| location ~ ^/\d\d\d\d/\d\d/ { | |
| rewrite ^/\d\d\d\d/\d\d/(.+) $scheme://$server_name/$1 permanent; | |
| } | |
| location ~ \.php$ { | |
| try_files $uri =404; | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| fastcgi_pass unix:/var/run/php5-fpm.sock; | |
| fastcgi_index index.php; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| include fastcgi_params; | |
| } | |
| location ~ ^/(wp-admin|wp-login) { | |
| auth_basic "wordpress-site.com"; | |
| auth_basic_user_file "auth/wordpress-passwd"; | |
| } | |
| # Stop things from executing in the uploads directory | |
| location ~* ^/uploads/.*.(html|htm|shtml|php)$ { | |
| types { } | |
| default_type text/plain; | |
| } | |
| # Keep nosey people from discivering categories by number | |
| location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ { | |
| return 404; | |
| } | |
| # Deny, drop, or internal locations | |
| location ~ /\. { access_log off; log_not_found off; deny all; } | |
| location ~ ~$ { access_log off; log_not_found off; deny all; } | |
| location = /robots.txt { access_log off; log_not_found off; } | |
| location ^~ favicon { access_log off; log_not_found off; } | |
| location ^~ /conf/ { internal; } | |
| # Taking advantage of browser caching for static stuff | |
| location ~* \.(js|css|png|jpg|jpeg|gif|ico|eot|woff|ttf|svg)$ { | |
| expires max; | |
| log_not_found off; | |
| } | |
| } | |
| # webapp.static-site.com | |
| server { | |
| listen 443; | |
| listen [::]:443; | |
| server_name webapp.static-site.com; | |
| location / { | |
| proxy_pass http://localhost:8900; | |
| auth_basic "webapp"; | |
| auth_basic_user_file "auth/webapp-passwd"; | |
| } | |
| ssl on; | |
| ssl_certificate /etc/letsencrypt/live/webapp.static-site.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/webapp.static-site.com/privkey.pem; | |
| include /etc/nginx/cipherlist; | |
| include /etc/nginx/letsencrypt; | |
| } | |
| # www.static-site.com | |
| server { | |
| listen 443; | |
| listen [::]:443; | |
| server_name www.static-site.com; | |
| root /home/user/static; | |
| ssl on; | |
| ssl_certificate /etc/letsencrypt/live/www.static-site.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/www.static-site.com/privkey.pem; | |
| include /etc/nginx/cipherlist; | |
| include /etc/nginx/letsencrypt; | |
| index index.php index.html index.htm; | |
| location /slideshow { alias /home/user/slideshow/dist; } | |
| location /images { | |
| alias /home/user/images; | |
| add_header X-Robots-Tag "noindex, nofollow, noarchive"; | |
| } | |
| location ~ /\. { deny all; } | |
| } | |
| # static-site.com -> www.static-site.com | |
| server { | |
| listen 443; | |
| listen [::]:443; | |
| server_name static-site.com; | |
| ssl on; | |
| ssl_certificate /etc/letsencrypt/live/static-site.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/static-site.com/privkey.pem; | |
| include /etc/nginx/cipherlist; | |
| location / { | |
| return 301 https://www.static-site.com$request_uri; | |
| } | |
| include /etc/nginx/letsencrypt; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment