vivianspencer · August 29, 2015 14:26
diff --git a/example.com b/example.com
 server {
        listen  80;
        server_name www.example.com;
        return 301 $scheme://example.com$request_uri;
 }
 server {
        listen   80;

        root /usr/share/nginx/www/example.com/www/web;
        index index.php index.html index.htm;

        server_name example.com;

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

 	location ~ \.php$ {
                try_files $uri =404;

                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
 }
 server {
 	listen   80;

        server_name staging.example.com;

        root /usr/share/nginx/www/example.com/staging/web;
        index index.php;

 	auth_basic "Restricted";
 	auth_basic_user_file /usr/share/nginx/www/example.com/.htpasswd;

        include global/restrictions.conf;

        location ~ ^/assets/(img|js|css|font)/(.*)$ {
                try_files $uri $uri/ /wp-content/themes/example_theme/assets/$1/$2;
        }
        location ~ ^/plugins/(.*)$ {
                try_files $uri $uri/ /wp-content/plugins/$1;
        }

 	include global/wordpress.conf;
 }
diff --git a/restrictions.conf b/restrictions.conf
 # Global restrictions configuration file.
 # Designed to be included in any server {} block.</p>
 location = /favicon.ico {
 	log_not_found off;
 	access_log off;
 }

 location = /robots.txt {
 	allow all;
 	log_not_found off;
 	access_log off;
 }

 # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~ /\. {
 	deny all;
 }

 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~* /(?:uploads|files)/.*\.php$ {
 	deny all;
 }
diff --git a/wordpress.conf b/wordpress.conf
 # WordPress single blog rules.
 # Designed to be included in any server {} block.

 # This order might seem weird - this is attempted to match last if rules below fail.
 # http://wiki.nginx.org/HttpCoreModule
 location / {
 	try_files $uri $uri/ /index.php?$args;
 }

 # Add trailing slash to */wp-admin requests.
 rewrite /wp-admin$ $scheme://$host$uri/ permanent;

 # Directives to send expires headers and turn off 404 error logging.
 location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
       access_log off; log_not_found off; expires max;
 }

 # Uncomment one of the lines below for the appropriate caching plugin (if used).
 #include global/wordpress-wp-super-cache.conf;
 #include global/wordpress-w3-total-cache.conf;

 # Pass all .php files onto a php-fpm/php-fcgi server.
 location ~ [^/]\.php(/|$) {
 	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 	if (!-f $document_root$fastcgi_script_name) {
 		return 404;
 	}
 	# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

 	fastcgi_index index.php;
 	fastcgi_intercept_errors off;
 	fastcgi_pass unix:/var/run/php5-fpm.sock;
 	include fastcgi_params;
 }
	server {
	listen 80;
	server_name www.example.com;
	return 301 $scheme://example.com$request_uri;
	}
	server {
	listen 80;

	root /usr/share/nginx/www/example.com/www/web;
	index index.php index.html index.htm;

	server_name example.com;

	location / {
	try_files $uri $uri/ /index.php?$args;
	}

	location ~ \.php$ {
	try_files $uri =404;

	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_index index.php;
	include fastcgi_params;
	}
	}
	server {
	listen 80;

	server_name staging.example.com;

	root /usr/share/nginx/www/example.com/staging/web;
	index index.php;

	auth_basic "Restricted";
	auth_basic_user_file /usr/share/nginx/www/example.com/.htpasswd;

	include global/restrictions.conf;

	location ~ ^/assets/(img\|js\|css\|font)/(.*)$ {
	try_files $uri $uri/ /wp-content/themes/example_theme/assets/$1/$2;
	}
	location ~ ^/plugins/(.*)$ {
	try_files $uri $uri/ /wp-content/plugins/$1;
	}

	include global/wordpress.conf;
	}
	# Global restrictions configuration file.
	# Designed to be included in any server {} block.</p>
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~ /\. {
	deny all;
	}

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}
	# WordPress single blog rules.
	# Designed to be included in any server {} block.

	# This order might seem weird - this is attempted to match last if rules below fail.
	# http://wiki.nginx.org/HttpCoreModule
	location / {
	try_files $uri $uri/ /index.php?$args;
	}

	# Add trailing slash to */wp-admin requests.
	rewrite /wp-admin$ $scheme://$host$uri/ permanent;

	# Directives to send expires headers and turn off 404 error logging.
	location ~* ^.+\.(ogg\|ogv\|svg\|svgz\|eot\|otf\|woff\|mp4\|ttf\|rss\|atom\|jpg\|jpeg\|gif\|png\|ico\|zip\|tgz\|gz\|rar\|bz2\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav\|bmp\|rtf)$ {
	access_log off; log_not_found off; expires max;
	}

	# Uncomment one of the lines below for the appropriate caching plugin (if used).
	#include global/wordpress-wp-super-cache.conf;
	#include global/wordpress-w3-total-cache.conf;

	# Pass all .php files onto a php-fpm/php-fcgi server.
	location ~ [^/]\.php(/\|$) {
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	if (!-f $document_root$fastcgi_script_name) {
	return 404;
	}
	# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

	fastcgi_index index.php;
	fastcgi_intercept_errors off;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	include fastcgi_params;
	}