NGINX WordPress virtual host sample: HTTP→HTTPS redirect, Let's Encrypt certificate with the Mozilla "intermediate" TLS profile (HSTS, OCSP stapling), ngx_pagespeed, WordPress fastcgi_cache with a purge endpoint, and the NAXSI web application firewall.
server {
    # Plain-HTTP listener on every IPv4 and IPv6 address. Its only job is to
    # send clients to the canonical HTTPS origin; nothing is served from here.
    listen 80;
    listen [::]:80;

    # Both the www. alias and the bare domain land on this redirect.
    server_name www.domainName domainName;

    # Permanent redirect to the bare domain over TLS, preserving the original
    # path and query string ($request_uri is the raw, un-normalised request line).
    return 301 https://domainName$request_uri;
}
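server {
    listen 443 ssl http2;       # TLS on all IPv4 addresses, port 443
    listen [::]:443 ssl http2;  # and on all IPv6 addresses
    server_name domainName;     # canonical host; www. is redirected here by the port-80 server
    root /home/userName/public_html;  # WordPress document root
    server_tokens off;          # do not advertise the nginx version in headers/error pages

    ssl_certificate     /etc/letsencrypt/live/domainName/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domainName/privkey.pem;

    # TLS settings follow the Mozilla "intermediate" profile
    # https://ssl-config.mozilla.org/
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;   # roughly 200k sessions
    ssl_session_tickets off;            # tickets would bypass the cache and, without key rotation, weaken forward secrecy

    # Diffie-Hellman parameters for the DHE suites below (2048 bits is the minimum).
    # Generate with: openssl dhparam -out /usr/local/nginx/conf/dhparams.pem 2048
    # (Mozilla now recommends the RFC 7919 ffdhe2048 group; either is acceptable.)
    ssl_dhparam /usr/local/nginx/conf/dhparams.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the intermediate
    # profile; keeping them only serves long-unsupported clients. TLS 1.3 needs
    # nginx >= 1.13.0 built against OpenSSL >= 1.1.1 (it is simply not negotiated otherwise).
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only: no 3DES, no CBC/SHA1, no static-RSA key exchange.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # With an all-AEAD list there is nothing to protect by forcing server order; let the
    # client choose (mobile devices prefer ChaCha20). Set back to "on" if CBC suites are re-added.
    ssl_prefer_server_ciphers off;

    # Security headers. NOTE: add_header is NOT inherited into any location that has
    # its own add_header (the pagespeed and static-file locations below), so those
    # responses will not carry these unless repeated there. "always" also emits them
    # on 4xx/5xx responses, which the default (2xx/3xx only) skips.
    # HSTS: 15768000 s = 6 months; raise to 63072000 (2 years) once you are sure
    # nothing on the host still needs plain HTTP.
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    # OCSP stapling: fetch and cache the OCSP response for our certificate.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Chain used to verify the OCSP response signature. nginx wants the issuer chain
    # up to the root CA here; Let's Encrypt's fullchain.pem holds leaf + intermediate
    # only, so if error_log reports "ssl_stapling ignored"/verification failures,
    # point this at a file that also contains the root certificate.
    ssl_trusted_certificate /etc/letsencrypt/live/domainName/fullchain.pem;
    # Needed to resolve the OCSP responder hostname. Queries go out in clear text;
    # prefer a local/caching resolver (127.0.0.1) over a public one when available.
    resolver 8.8.8.8;

    access_log /var/log/nginx/domainName-access_log;
    error_log /var/log/nginx/domainName-error_log warn;

    # ---- ngx_pagespeed -------------------------------------------------------
    pagespeed on;
    # Must exist and be writable by the nginx worker user; tmpfs gives the best performance.
    pagespeed FileCachePath /var/ngx_pagespeed_cache;
    # Route requests for pagespeed-optimised resources to the pagespeed handler.
    # The empty add_header is the documented trick to keep server-level headers
    # (e.g. caching headers) from being inherited onto these responses.
    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
        add_header "" "";
    }
    location ~ "^/pagespeed_static/" { }
    location ~ "^/ngx_pagespeed_beacon$" { }

    # ---- Hardening -----------------------------------------------------------
    # Regex locations are matched in order, so these must come before "\.php$":
    # never hand PHP files under upload directories to php-fpm (classic
    # web-shell-via-upload path), and never serve dotfiles (.git, .htaccess,
    # .user.ini, .env). /.well-known/ stays reachable for ACME challenges.
    location ~* /(?:uploads|files)/.*\.php$ { deny all; }
    location ~ /\.(?!well-known/) { deny all; }

    # ---- fastcgi_cache bypass rules -----------------------------------------
    # The WORDPRESS cache zone and its fastcgi_cache_key are expected to be
    # declared at http level (nginx.conf); nginx refuses to start without them.
    set $skip_cache 0;
    # POST requests and URLs carrying a query string always go to PHP.
    if ($request_method = POST) {
        set $skip_cache 1;
    }
    if ($query_string != "") {
        set $skip_cache 1;
    }
    # Never cache admin, XML-RPC, feeds, sitemaps or direct PHP entry points
    # (dots escaped so "index.php" does not also match e.g. "indexXphp").
    if ($request_uri ~* "/wp-admin/|/xmlrpc\.php|wp-.*\.php|/feed/|index\.php|sitemap(_index)?\.xml") {
        set $skip_cache 1;
    }
    # Never serve cached pages to logged-in users, recent commenters or
    # password-protected post viewers.
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

    # ---- NAXSI WAF -----------------------------------------------------------
    # Learning mode (1) only LOGS what would have been blocked and never denies a
    # request, so the WAF is monitor-only until this is set to 0. Run in learning
    # mode with extensive logging first, generate whitelists, then switch to 0.
    set $naxsi_flag_learning 1;
    set $naxsi_extensive_log 1;
    set $naxsi_flag_libinjection_sql 1;
    set $naxsi_flag_libinjection_xss 1;

    location / {
        # naxsi.rules is expected to carry SecRulesEnabled, DeniedUrl "/RequestDenied"
        # and the CheckRule thresholds; naxsi_core.rules must be included at http level.
        include /usr/local/nginx/conf/naxsi.rules;
        # WordPress whitelists: https://raw.githubusercontent.com/nbs-system/naxsi-rules/master/wordpress.rules
        include /usr/local/nginx/conf/wordpress.rules;
        try_files $uri $uri/ /index.php$is_args$args;
    }
    # Target of NAXSI's DeniedUrl; 406 keeps blocked requests distinguishable from 403s in logs.
    location /RequestDenied { return 406; }

    # Cache purge endpoint (ngx_cache_purge). Unrestricted, anyone could flush the
    # cache at will; limit it to the host running WordPress/the purge plugin, and
    # add the server's own public address if the plugin connects via that instead
    # of loopback.
    location ~ /purge(/.*) {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
    }

    # Static assets: long-lived public caching. Missing files fall through to PHP
    # so plugins that generate assets on demand keep working. Because add_header
    # is used here, the server-level security headers are repeated explicitly.
    location ~* ^.+\.(mid|midi|wav|mp4|ttf|rss|atom|eot|otf|svgz|ogg|ogv|swf|woff|jpg|jpeg|gif|png|ico|svg|css|zip|tgz|gz|rar|bz2|exe|pdf|doc|xls|ppt|txt|odt|ods|odp|odf|tar|bmp|rtf|js|mp3|avi|mpeg|flv)$ {
        try_files $uri @static_backend;
        expires max;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=15768000" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
    }
    # Fallback for static URLs that do not exist on disk: hand the request to
    # WordPress' front controller (try_files rewrites the URI to /index.php, so
    # SCRIPT_FILENAME resolves to index.php rather than the requested path).
    location @static_backend {
        try_files $uri /index.php =404;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/usr/local/php7-fpm/var/run/domainName.sock;
    }

    # PHP handler with fastcgi_cache. try_files $uri guarantees the script exists
    # before it reaches php-fpm (guards against cgi.fix_pathinfo tricks); because
    # this location only matches URIs ending in .php, PATH_INFO is always empty and
    # fastcgi_split_path_info is effectively a no-op kept for parity with @static_backend.
    location ~ \.php$ {
        try_files $uri /index.php =404;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/usr/local/php7-fpm/var/run/domainName.sock;
        # $skip_cache (computed above) both bypasses reads and suppresses writes.
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;
        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid 24h;  # applies to 200/301/302 only (nginx default)
    }
}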