|
|
@@ -0,0 +1,159 @@ |
|
|
############ |
|
|
# |
|
|
# nginx-wp-common.conf |
|
|
# |
|
|
# Contains a common configuration for use by nginx on a WordPress |
|
|
# installation. This file should be included in any WordPress site |
|
|
# nginx virtual host config located in sites-available with the following line: |
|
|
# |
|
|
# include /etc/nginx/wp-common.config; |
|
|
# |
|
|
|
|
|
rewrite ^/wp/([_0-9a-zA-Z-]+)/(xmlrpc\.php|wp-[0-9a-z-]+\.php) /wp/$2; |
|
|
rewrite ^/wp/([_0-9a-zA-Z-]+)/(wp-(admin|content|includes).*) /wp/$2; |
|
|
|
|
|
|
|
|
location / { |
|
|
index index.php index.html; |
|
|
try_files $uri $uri/ /index.php?$args; |
|
|
} |
|
|
|
|
|
############# |
|
|
# Specify a charset |
|
|
############ |
|
|
charset utf-8; |
|
|
|
|
|
############ |
|
|
# GZIP |
|
|
########### |
|
|
|
|
|
gzip off; |
|
|
|
|
|
############# |
|
|
# Add trailing slash to */wp-admin requests. |
|
|
############ |
|
|
|
|
|
rewrite /wp-admin$ $scheme://$host$uri/ permanent; |
|
|
|
|
|
|
|
|
############ |
|
|
# this prevents hidden files (beginning with a period) from being served |
|
|
############ |
|
|
|
|
|
location ~ /\. { |
|
|
access_log off; |
|
|
log_not_found off; |
|
|
deny all; |
|
|
} |
|
|
|
|
|
########### |
|
|
# SEND EXPIRES HEADERS AND TURN OFF 404 LOGGING |
|
|
########### |
|
|
|
|
|
location ~* ^.+.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|$ |
|
|
access_log off; |
|
|
log_not_found off; |
|
|
expires max; |
|
|
} |
|
|
|
|
|
############ |
|
|
# Pass uploaded files to wp-includes/ms-files.php. |
|
|
############ |
|
|
|
|
|
# rewrite /files/$ /index.php last; |
|
|
|
|
|
if ($uri !~ wp-content/plugins) { |
|
|
rewrite /files/(.+)$ /wp-includes/ms-files.php?file=$1 last; |
|
|
} |
|
|
|
|
|
# Rewrite multisite in a subdirectory '.../wp-.*' and '.../*.php'. |
|
|
# if (!-e $request_filename) { |
|
|
# rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last; |
|
|
# rewrite ^/[_0-9a-zA-Z-]+.*(/wp-admin/.*\.php)$ $1 last; |
|
|
# rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last; |
|
|
#} |
|
|
|
|
|
# Rewrite multisite '.../wp-.*' and '.../*.php'. |
|
|
if (!-e $request_filename) { |
|
|
rewrite /wp-admin$ $scheme://$host$uri/ permanent; |
|
|
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) /wp$1 last; |
|
|
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ /wp$1 last; |
|
|
} |
|
|
|
|
|
|
|
|
############ |
|
|
# Pass all .php files onto a php-fpm or php-cgi server |
|
|
############ |
|
|
|
|
|
location ~ \.php$ { |
|
|
|
|
|
# Try the files specified in order. In our case, try the requested URI and if |
|
|
# that fails, try (successfully) to pass a 404 error. |
|
|
# zero day exploit defense |
|
|
|
|
|
try_files $uri =404; |
|
|
|
|
|
# Include the fastcgi_params defaults provided by nginx |
|
|
|
|
|
include /etc/nginx/fastcgi_params; |
|
|
|
|
|
# The amount of time for upstream to wait for a fastcgi process to send data. |
|
|
# We keep this *extremely* high so that one can be lazy when remote debugging. |
|
|
|
|
|
fastcgi_read_timeout 3600s; |
|
|
|
|
|
# Buffer size for reading the header of the backend FastCGI process. |
|
|
# This defaults to the value of a single fastcgi_buffers, so does not |
|
|
# need to be specified in our case, but it's good to be explicit. |
|
|
|
|
|
fastcgi_buffer_size 128k; |
|
|
|
|
|
# The number and size of the buffers into which the reply from the FastCGI |
|
|
# process in the backend is read. |
|
|
# |
|
|
# 4 buffers at 128k means that any reply by FastCGI greater than 512k goes |
|
|
# to disk and replies under 512k are handled directly in memory. |
|
|
|
|
|
fastcgi_buffers 4 128k; |
|
|
|
|
|
# SCRIPT_FILENAME is a required parameter for things to work properly, |
|
|
# but was missing in the default fastcgi_params on upgrade to nginx 1.4. |
|
|
# We define it here to be sure that it exists. |
|
|
|
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
|
|
|
|
|
|
|
|
# Use the upstream for php5-fpm that we defined in nginx.conf |
|
|
|
|
|
fastcgi_pass unix:/var/run/php5-fpm.sock; |
|
|
|
|
|
# And get to serving the file! |
|
|
|
|
|
fastcgi_index index.php; |
|
|
} |
|
|
|
|
|
|
|
|
############ |
|
|
# ROBOTS |
|
|
########### |
|
|
|
|
|
# location = /robots.txt { |
|
|
# allow all; |
|
|
# log_not_found off; |
|
|
# access_log off; |
|
|
#} |
|
|
|
|
|
|
|
|
############ |
|
|
# RESTRICTIONS |
|
|
############ |
|
|
|
|
|
# Deny access to any files with a .php extension in the uploads directory |
|
|
# Works in sub-directory installs and also in multisite network |
|
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) |
|
|
location ~* /(?:uploads|files)/.*\.php$ { |
|
|
deny all; |
|
|
} |
|
|
|
|
|
|
|
|
|
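Review bot: The `location ~* /(?:uploads|files)/.*\.php$ { deny all; }` block at the end of the file is placed after `location ~ \.php$`, and nginx tests regex locations in the order they appear and uses the first match, so a request for a `.php` file under `uploads/` is handled by the FastCGI block and the deny is never applied. `try_files $uri =404;` does not cover this case, because a file that was uploaded does exist on disk. Moving the uploads/files deny block above `location ~ \.php$` makes it win the match, and its access logging is kept for fail2ban as the comment intends. Separately, `fastcgi_read_timeout 3600s;` is justified in its comment by remote debugging; if this include is also used on a publicly reachable host, a stalled request can hold a PHP-FPM worker for up to an hour, so the comment should say the value is for development only, or the value should be lowered.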