Last active
March 23, 2023 03:31
-
-
Save vivianspencer/0b6c0e449383f2ef53e87fc0f494c23e to your computer and use it in GitHub Desktop.
Wordpress PHP7 Nginx LetsEncrypt Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { | |
| expires 30d; | |
| add_header Pragma public; | |
| add_header Cache-Control "public"; | |
| } | |
| # Uncomment one of the lines below for the appropriate caching plugin (if used). | |
| #include snippets/wordpress-wp-super-cache.conf; | |
| #include snippets/wordpress-w3-total-cache.conf; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name example.com www.example.com; | |
| return 301 https://example.com$request_uri; | |
| } | |
| server { | |
| # SSL configuration | |
| listen 443 ssl; | |
| listen [::]:443 ssl; | |
| include snippets/ssl-example.com.conf; | |
| include snippets/ssl-params.conf; | |
| server_name www.example.com; | |
| return 301 https://example.com$request_uri; | |
| } | |
| server { | |
| # SSL configuration | |
| listen 443 ssl; | |
| listen [::]:443 ssl; | |
| include snippets/ssl-example.com.conf; | |
| include snippets/ssl-params.conf; | |
| root /usr/share/nginx/www/example.com/www/web; | |
| index index.php; | |
| error_log /var/log/nginx/example.com-error.log error; | |
| server_name example.com; | |
| location ~ /\.well-known\/acme-challenge { | |
| root /usr/share/nginx/www/example.com/www/web; | |
| auth_basic off; | |
| } | |
| include snippets/restrictions.conf; | |
| location ~ ^/assets/(img|js|css|font)/(.*)$ { | |
| try_files $uri $uri/ /app/themes/THEME_NAME/assets/$1/$2; | |
| } | |
| location ~ ^/plugins/(.*)$ { | |
| try_files $uri $uri/ /app/plugins/$1; | |
| } | |
| location ~* /app/uploads/.*\.php$ { | |
| deny all; | |
| } | |
| include snippets/wordpress.conf; | |
| include snippets/caching.conf; | |
| } | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name staging.example.com; | |
| return 301 https://staging.example.com$request_uri; | |
| } | |
| server { | |
| # SSL configuration | |
| listen 443 ssl; | |
| listen [::]:443 ssl; | |
| include snippets/ssl-example.com.conf; | |
| include snippets/ssl-params.conf; | |
| server_name staging.example.com; | |
| root /usr/share/nginx/www/example.com/staging/web; | |
| index index.php; | |
| auth_basic "Restricted"; | |
| auth_basic_user_file /usr/share/nginx/www/example.com/.htpasswd; | |
| location ~ /\.well-known\/acme-challenge { | |
| root /usr/share/nginx/www/example.com/staging/web; | |
| auth_basic off; | |
| } | |
| include snippets/restrictions.conf; | |
| location ~ ^/assets/(img|js|css|font)/(.*)$ { | |
| try_files $uri $uri/ /app/themes/THEME_NAME/assets/$1/$2; | |
| } | |
| location ~ ^/plugins/(.*)$ { | |
| try_files $uri $uri/ /app/plugins/$1; | |
| } | |
| location ~* /app/uploads/.*\.php$ { | |
| deny all; | |
| } | |
| include snippets/wordpress.conf; | |
| include snippets/caching.conf; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Global restrictions configuration file. | |
| # Designed to be included in any server {} block.</p> | |
| location = /favicon.ico { | |
| log_not_found off; | |
| access_log off; | |
| } | |
| location = /robots.txt { | |
| allow all; | |
| log_not_found off; | |
| access_log off; | |
| } | |
| # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). | |
| # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) | |
| location ~ /\. { | |
| deny all; | |
| } | |
| # Deny access to any files with a .php extension in the uploads directory | |
| # Works in sub-directory installs and also in multisite network | |
| # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) | |
| location ~* /(?:uploads|files)/.*\.php$ { | |
| deny all; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # from https://cipherli.st/ | |
| # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_tickets off; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| resolver_timeout 5s; | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; | |
| add_header X-Frame-Options DENY; | |
| add_header X-Content-Type-Options nosniff; | |
| ssl_dhparam /etc/ssl/certs/dhparam.pem; | |
| # Security Headers | |
| add_header X-Xss-Protection "1"; | |
| add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # WordPress single blog rules. | |
| # Designed to be included in any server {} block. | |
| # This order might seem weird - this is attempted to match last if rules below fail. | |
| # http://wiki.nginx.org/HttpCoreModule | |
| location / { | |
| try_files $uri $uri/ /index.php?$args; | |
| } | |
| # Add trailing slash to */wp-admin requests. | |
| rewrite /wp-admin$ $scheme://$host$uri/ permanent; | |
| # Directives to send expires headers and turn off 404 error logging. | |
| location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { | |
| access_log off; | |
| log_not_found off; | |
| expires max; | |
| } | |
| # Pass all .php files onto a php-fpm/php-fcgi server. | |
| location ~ [^/]\.php(/|$) { | |
| fastcgi_split_path_info ^(.+?\.php)(/.*)$; | |
| if (!-f $document_root$fastcgi_script_name) { | |
| return 404; | |
| } | |
| # This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default) | |
| fastcgi_index index.php; | |
| fastcgi_intercept_errors off; | |
| fastcgi_pass myphpsevenbackend; | |
| include fastcgi.conf; | |
| fastcgi_read_timeout 300; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
NGINX Configuration for SSL secured Live and Staging environments
Replace example.com with your domain name, and replace THEME_NAME with the theme folder for your wordpress theme.
Add the following snippet to /etc/nginx/nginx.conf
Just before
Structure
/etc/nginx/snippets/ssl-params.conf
/etc/nginx/snippets/ssl-example.com.conf
/etc/nginx/snippets/restrictions.conf
/etc/nginx/snippets/wordpress.conf
/etc/nginx/snippets/caching.conf
/etc/nginx/sites-available/example.com.conf