diff --git a/README.md b/README.md index c418b26..380338f 100644 --- a/README.md +++ b/README.md @@ -11,12 +11,15 @@ There are multiplpe advantages of using this repo as your go-to nginx configurat + Multisite support. + Contains ready-to-use sample vhost entries. + Continuously updated sample configurations with best practices. -+ Ansible friendly (coming soon) ++ IPv6 is supported out of the box. ++ Cloudflare support. ++ [WebP](https://developers.google.com/speed/webp/) support. ## Available templates / vhost entries + WP Super Cache plugin (with support for SSL and separate mobile cache) -+ WP Rocket cache plugin (SSL / mobile supported out of the box) ++ WP Rocket cache plugin (SSL and / or mobile supported out of the box) ++ WP Fastest Cache plugin (SSL and / or mobile supported out of the box) + Multisite (sub-domain and sub-directory) + Varnish with Nginx for SSL termination. + Custom error pages. @@ -43,10 +46,11 @@ There are multiplpe advantages of using this repo as your go-to nginx configurat Tested with the following servers... + Debian Debian 9 (Stretch) -+ Ubuntu 16.04 LTS (Xenial) ++ Ubuntu 16.04 LTS (Xenial Xerus) ++ Ubuntu 18.04 LTS (Bionic Beaver) Test with the following Nginx versions... -+ Stable verisons 1.12.x ++ Stable verisons 1.12.x and 1.14.x + Mainline versions 1.13.x For RPM based distros (Fedora, Redhat, CentOS and Amazon Linux AMI), the configuration mentioned in the repo should work. Additional steps may be needed, though. See below for some details! 
@@ -57,7 +61,7 @@ For all the steps mentioned below, you need __sudo__ or __root__ privileges! Step #1 - Install Nginx -You may use the official Nginx repo or just use the Nginx package that comes with the OS. Both would work fine! I will leave the decision to you. Since, the installation process varies across Operating Systems, please refer the official installation docs to complete this step. +You may use the official Nginx repo or just use the Nginx package that comes with the OS. Both would work fine! I will leave the decision to you. Since, the installation process varies across Operating Systems, please refer the official installation guide to complete this step. Step #2 - Please backup your existing configuration files. Probably, have /etc under version control! @@ -90,7 +94,7 @@ sudo ln -s ../sites-available/$WP_DOMAIN.conf sudo nginx -t && sudo systemctl restart nginx ``` -### Changes on CentOS +### Changes on CentOS (and on rpm based distros in general) CentOS has a different file naming convention, yet simple directory structure, when compared to Debian derivatives. Let me describe them and I'd let you decide upon how you'd want to structure your files and name those files. diff --git a/changelog.txt b/changelog.txt index aa00551..e3d0597 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,17 @@ +v3.0 +- Released on May 9, 2018 +- Rename wprocket.conf to wp-rocket.conf +- Rename wpsupercache.conf to wp-super-cache.conf +- Added Cloudflare support. +- IPv6 support added. +- WebP support. +- Other minor changes. + +v2.0 +- released on Dec 20, 2017 +- changed filename globals/common-locations.conf to globals/assets.conf +- other minor changes + v1.0 - released on April 23, 2017 - uniform naming scheme for domain names diff --git a/conf.d/common.conf b/conf.d/common.conf index acc5df6..3090c5f 100644 --- a/conf.d/common.conf +++ b/conf.d/common.conf 
@@ -2,10 +2,6 @@ index index.html index.php; -# include globals/pagespeed.conf; -# include globals/hide-headers.conf; -# include globals/varnish-as-front-end-compatibility.conf; - # Ref: https://gist.github.com/magnetikonline/11312172 fastcgi_buffers 32 32k; fastcgi_buffer_size 32k; @@ -29,8 +25,8 @@ server_names_hash_bucket_size 128; # ------------------------------------------------------------------- -# For SSL - WP Super Cache Compatibility -map $scheme $wpsc_https { default ''; https '-https'; } +# For SSL Compatibility - WP Super Cache and WP Rocket depend on this +map $scheme $https_suffix { default ''; https '-https'; } # ------------------------------------------------------------------- @@ -52,3 +48,23 @@ charset $charset; charset_types *; # ------------------------------------------------------------------- + +# if you'd like to hide some header info, uncomment this +# include globals/hide-headers.conf; + +# ------------------------------------------------------------------- +# +# if you'd like to hide some header info, uncomment this +# include globals/cloudflare.conf; + +# ------------------------------------------------------------------- + +# webp support +# see: https://docs.ewww.io/article/16-ewww-io-and-webp-images + +map $http_accept $webp_suffix { + default ""; + "~*webp" ".webp"; +} + +# ------------------------------------------------------------------- diff --git a/globals/assets.conf b/globals/assets.conf index 8c917bb..f79920d 100644 --- a/globals/assets.conf +++ b/globals/assets.conf @@ -29,7 +29,7 @@ location ~ \.(?:ttf|ttc|eot|woff|woff2|otf|svg)$ { } # Referers for images -location ~ \.(?:jpg|jpeg|gif|png|ico)$ { +location ~ \.(?:gif|ico|webp)$ { ### Please change the domainname before uncommenting the following # valid_referers none blocked www.example.com example.com; # if ($invalid_referer) { return 403; } 
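Review bot: The comment placed above `# include globals/cloudflare.conf;` in the last common.conf hunk is a copy of the hide-headers comment, so it describes the wrong include. That include changes which address nginx treats as the client, which feeds the access logs and any IP-based allow/deny or rate limiting, so the comment should say when it is safe to enable. I would replace it with `# uncomment only when this server is reached through Cloudflare; restores the visitor address from CF-Connecting-IP`.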
@@ -39,6 +39,19 @@ location ~ \.(?:jpg|jpeg|gif|png|ico)$ { access_log off; } +location ~* ^.+\.(png|jpe?g)$ { + ### Please change the domainname before uncommenting the following + # valid_referers none blocked www.example.com example.com; + # if ($invalid_referer) { return 403; } + + # add_header Vary Accept; + # see https://docs.ewww.io/article/16-ewww-io-and-webp-images + try_files $uri$webp_suffix $uri =404; + expires max; + log_not_found off; + access_log off; +} + # Feeds location ~ \.(?:rss|atom)$ { expires 600s; # 10 minutes diff --git a/globals/cloudflare-ip-list.conf b/globals/cloudflare-ip-list.conf new file mode 100644 index 0000000..0bfb300 --- /dev/null +++ b/globals/cloudflare-ip-list.conf @@ -0,0 +1,21 @@ +set_real_ip_from 103.21.244.0/22; +set_real_ip_from 103.22.200.0/22; +set_real_ip_from 103.31.4.0/22; +set_real_ip_from 104.16.0.0/12; +set_real_ip_from 108.162.192.0/18; +set_real_ip_from 131.0.72.0/22; +set_real_ip_from 141.101.64.0/18; +set_real_ip_from 162.158.0.0/15; +set_real_ip_from 172.64.0.0/13; +set_real_ip_from 173.245.48.0/20; +set_real_ip_from 188.114.96.0/20; +set_real_ip_from 190.93.240.0/20; +set_real_ip_from 197.234.240.0/22; +set_real_ip_from 198.41.128.0/17; +set_real_ip_from 2400:cb00::/32; +set_real_ip_from 2405:8100::/32; +set_real_ip_from 2405:b500::/32; +set_real_ip_from 2606:4700::/32; +set_real_ip_from 2803:f800::/32; +set_real_ip_from 2c0f:f248::/32; +set_real_ip_from 2a06:98c0::/29; diff --git a/globals/cloudflare.conf b/globals/cloudflare.conf new file mode 100644 index 0000000..5866237 --- /dev/null +++ b/globals/cloudflare.conf @@ -0,0 +1,6 @@ +# make sure you set up a cron to run update-cloudflare-ip-list.sh regularly + +include '/etc/nginx/globals/cloudflare-ip-list.conf'; +real_ip_header CF-Connecting-IP; +real_ip_header CF-Connecting-IP; +real_ip_recursive on; diff --git a/globals/wp-fastest-cache.conf b/globals/wp-fastest-cache.conf index 1d472fa..20054a6 100644 --- a/globals/wp-fastest-cache.conf 
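Review bot: The new `location ~* ^.+\.(png|jpe?g)$` block picks the response body from the request's Accept header through `$webp_suffix`, but `add_header Vary Accept;` is left commented out. A shared cache in front of nginx can then store the WebP variant under the PNG/JPEG URL and hand it to clients that never advertised WebP, and `expires max` makes that long-lived. I would ship the header enabled: `add_header Vary Accept;`. Because add_header lines declared in a location replace those inherited from the server level, any headers set there would have to be repeated in this block once the line is active.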
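Review bot: `real_ip_header CF-Connecting-IP;` appears twice in the new globals/cloudflare.conf, and nginx rejects a repeated real_ip_header in the same context as a duplicate directive, so enabling the include would make `nginx -t` fail; drop the second line. The `include` also uses an absolute quoted path where the rest of the repo uses paths relative to the nginx prefix (`include "globals/hsts.conf";`), which breaks on installs with a different prefix; `include globals/cloudflare-ip-list.conf;` would match. A comment should also state that the set_real_ip_from list is the trust boundary: the header is honoured only for connections arriving from those ranges.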
+++ b/globals/wp-fastest-cache.conf @@ -41,7 +41,7 @@ location / { #--> all the following would apply, only if the request hits the cache # add some useful headers - add_header "X-Cache" "HIT"; + add_header "X-Cache" "HIT - WP Fastest Cache"; add_header "X-CF-Powered-By" "WP Fastest Cache"; add_header "Vary" "Cookie"; # include "globals/hsts.conf"; @@ -62,8 +62,7 @@ location @mobileaccess { #--> all the following would apply, only if the request hits the cache # add some useful headers - add_header "X-Cache" "HIT - Mobile"; - add_header "X-CF-Powered-By" "WP Fastest Cache"; + add_header "X-Cache" "HIT - Mobile - WP Fastest Cache"; add_header "Vary" "User-Agent, Cookie"; # include "globals/hsts.conf"; diff --git a/globals/wprocket.conf b/globals/wp-rocket.conf similarity index 85% rename from globals/wprocket.conf rename to globals/wp-rocket.conf index 4411002..8cc201b 100644 --- a/globals/wprocket.conf +++ b/globals/wp-rocket.conf 
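Review bot: The first hunk keeps `add_header "X-CF-Powered-By" "WP Fastest Cache";` in `location /` while the second hunk removes it from `@mobileaccess`, and the wp-rocket.conf hunks drop it on both paths, so desktop cache hits still carry a header the rest of the commit retires. Removing it in `location /` as well keeps the two branches consistent; the plugin name is already part of the new X-Cache value. Both location blocks continue outside the hunks.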
@@ -30,18 +30,17 @@ location / { if ($http_cookie ~* "comment_author_") { return 418; } if ($http_cookie ~* "wp_postpass_") { return 418; } - # if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad)) { return 419; } + # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; } # add_header "Vary" "User-Agent"; # uncomment the following if deemed fit - # if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad)) { return 419; } + # if ($http_user_agent ~* "w3c\ 
|w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; } - try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$wpsc_https.html" $uri $uri/ /index.php$is_args$args; + try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$https_suffix.html" $uri $uri/ /index.php$is_args$args; #--> all the following would apply, only if the request hits the cache - add_header "X-Cache" "HIT - Desktop"; - add_header "X-CF-Powered-By" "WP Rocket"; + add_header "X-Cache" "HIT - WP Rocket"; add_header "Vary" "Cookie"; # include "globals/hsts.conf"; @@ -54,10 +53,9 @@ location / { location @mobileaccess { # try_files $uri $uri/ /index.php$is_args$args; - try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$wpsc_https.html" $uri $uri/ /index.php$is_args$args; + try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$https_suffix.html" $uri $uri/ /index.php$is_args$args; - add_header "X-Cache" "HIT - Mobile"; - add_header "X-CF-Powered-By" "WP Rocket"; + add_header "X-Cache" "HIT - Mobile - WP Rocket"; add_header "Vary" "User-Agent, Cookie"; # include "globals/hsts.conf"; diff --git a/globals/wpsc.conf b/globals/wp-super-cache.conf similarity index 85% rename from globals/wpsc.conf rename to globals/wp-super-cache.conf index b07ed01..931cee8 100644 --- a/globals/wpsc.conf +++ b/globals/wp-super-cache.conf 
@@ -30,12 +30,12 @@ location / { if ($http_cookie ~* "comment_author_") { return 418; } if ($http_cookie ~* "wp_postpass_") { return 418; } - # if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad)) { return 419; } + # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; } # uncomment the following if deemed fit - # if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad)) { return 419; } + # if ($http_user_agent ~* "w3c\ 
|w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; } - try_files "/wp-content/cache/supercache/$host${uri}index$wpsc_https.html" $uri $uri/ /index.php$is_args$args; + try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix.html" $uri $uri/ /index.php$is_args$args; #--> all the following would apply, only if the request hits the cache @@ -52,7 +52,7 @@ location / { location @mobileaccess { # try_files $uri $uri/ /index.php$is_args$args; - try_files "/wp-content/cache/supercache/$host${uri}index$wpsc_https-mobile.html" $uri $uri/ /index.php$is_args$args; + try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args; add_header "X-Cache" "HIT - Mobile - WP Super Cache"; # include "globals/hsts.conf"; diff --git a/scripts/update-cloudflare-ip-list.sh b/scripts/update-cloudflare-ip-list.sh new file mode 100644 index 0000000..4fc2f8b --- /dev/null +++ b/scripts/update-cloudflare-ip-list.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +# script to set Cloudflare IPs (ipv4 and ipv6) + +# empty the list +echo -n > /etc/nginx/globals/cloudflare-ip-list.conf; + +# fetch and update ipv4 +for i in `curl -s https://www.cloudflare.com/ips-v4`; do + echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf; +done + +# fetch and update ipv6 +for i in `curl -s https://www.cloudflare.com/ips-v6`; do + echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf; +done diff --git a/sites-available/dev.example.com.conf b/sites-available/dev.example.com.conf index 6fe47ba..7c1d5b9 100644 
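Review bot: The new update-cloudflare-ip-list.sh truncates /etc/nginx/globals/cloudflare-ip-list.conf before it has fetched anything and never checks curl's result, so a failed or partial download leaves an empty or half-written trusted-proxy list, and an HTTP error page would be written token by token into `set_real_ip_from` lines. Since this file decides whose CF-Connecting-IP header nginx believes, I would build the list in a temporary file with `curl -fsS`, accept only address/prefix tokens, and move it into place only when it is complete. The cron job should then run `nginx -t` and reload nginx, which the script does not do either.

```shell
#!/bin/bash
set -euo pipefail

list=/etc/nginx/globals/cloudflare-ip-list.conf
tmp=$(mktemp "$list.XXXXXX")
trap 'rm -f "$tmp"' EXIT

for url in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
    # -f makes an HTTP error fail the script instead of feeding an error page into the config
    ranges=$(curl -fsS "$url")
    for cidr in $ranges; do
        # only address/prefix tokens may become set_real_ip_from entries
        [[ $cidr =~ ^[0-9A-Fa-f:.]+/[0-9]{1,3}$ ]] || { echo "unexpected entry: $cidr" >&2; exit 1; }
        echo "set_real_ip_from $cidr;" >> "$tmp"
    done
done

# replace the live list in one step, and only when something was fetched
[ -s "$tmp" ] || { echo "no ranges fetched; keeping existing list" >&2; exit 1; }
chmod 644 "$tmp"
mv "$tmp" "$list"
```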
--- a/sites-available/dev.example.com.conf +++ b/sites-available/dev.example.com.conf @@ -1,7 +1,11 @@ server { listen 80; + listen [::]:80; # IPv6 support listen 443 ssl http2; + listen [::]:443 ssl http2; # IPv6 support + server_name dev.example.com; + index index.php; # Replace the path with the actual path to WordPress core files @@ -33,15 +37,21 @@ server { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + include fastcgi.conf; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_intercept_errors on; fastcgi_pass fpm-dev; + + add_header "X-Cache" "MISS"; } # The rewrite magic location / { try_files $uri $uri/ /index.php$is_args$args; } - # include "globals/wpsc.conf"; - # include "globals/wprocket.conf"; + # include "globals/wp-super-cache.conf"; # WP Super Cache plugin support + # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support + # include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support } diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf index 007f363..e1ff8df 100644 --- a/sites-available/example.com.conf +++ b/sites-available/example.com.conf @@ -6,12 +6,14 @@ # you are a fan of micro-optimization, please use the following to redirect www.example.com => example.com (301) # server { # listen 80; + # listen [::]:80; # IPv6 support # server_name www.example.com; # return 301 $scheme://example.com$request_uri; # } server { listen 80; + listen [::]:80; # IPv6 support server_name example.com; server_name www.example.com; # hide this line, if you enable the server-level 301 redirect above 
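Review bot: `add_header "X-Cache" "MISS";` in the second dev.example.com.conf hunk sits inside the PHP location, and nginx inherits add_header from the server or http level only when the location defines none of its own, so any response headers set further up (not visible here) stop applying to PHP responses on this 443 listener. The cache includes carry a commented `# include "globals/hsts.conf";` in each location, presumably for this reason; the same line belongs next to the new header. The same add_header is added to the PHP locations in example.com.conf, wpfc.example.com.conf and wpsc.example.com.conf. The location block starts outside the hunk.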
@@ -49,11 +51,14 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; fastcgi_pass fpm; + + add_header "X-Cache" "MISS"; } ### Enaable only one of the following lines - include "globals/wpsc.conf"; # WP Super Cache plugin support - # include "globals/wprocket.conf"; # WP Rocket Cache plugin support + include "globals/wp-super-cache.conf"; # WP Super Cache plugin support + # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support + # include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache } diff --git a/sites-available/ssl-example.com.conf b/sites-available/ssl-example.com.conf index 32dc49c..74a82d7 100644 --- a/sites-available/ssl-example.com.conf +++ b/sites-available/ssl-example.com.conf @@ -1,6 +1,7 @@ # http => https server { listen 80; + listen [::]:80; # IPv6 support server_name example.com www.example.com; return 301 https://$host$request_uri; } @@ -9,6 +10,7 @@ server { # use it only if you are a fan of micro-optimization # server { # listen 443 ssl http2; + # listen [::]:443 ssl http2; # IPv6 support # server_name www.example.com; # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem"; # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem"; @@ -17,6 +19,7 @@ server { server { listen 443 ssl http2; + listen [::]:443 ssl http2; # IPv6 support server_name example.com; # hide the following line, if you enable the server-level 301 redirect above 
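Review bot: The PHP location in example.com.conf gains `add_header "X-Cache" "MISS";` but not the `fastcgi_param HTTP_PROXY "";` line that this commit adds to dev.example.com.conf, wpfc.example.com.conf and wpsc.example.com.conf. Unless it is already set above the hunk, which starts mid-location, the main sample vhost keeps forwarding a client-supplied Proxy header to PHP as HTTP_PROXY. I would add `fastcgi_param HTTP_PROXY "";` with the same `# Mitigate https://httpoxy.org/ vulnerabilities` comment to this location, and check the PHP location of ssl-example.com.conf, which this commit does not touch.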
@@ -58,7 +61,8 @@ server { } ### Enaable only one of the following lines - include "globals/wpsc.conf"; # WP Super Cache plugin support - # include "globals/wprocket.conf"; # WP Rocket Cache plugin support + include "globals/wp-super-cache.conf"; # WP Super Cache plugin support + # include "globals/wp-rocket.conf"; # WP Rocket Cache plugin support + # include "globals/wp-fastest-cache.conf"; # WP Rocket Cache plugin support # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache } diff --git a/sites-available/wpfc.example.com.conf b/sites-available/wpfc.example.com.conf index 5359112..8d75410 100644 --- a/sites-available/wpfc.example.com.conf +++ b/sites-available/wpfc.example.com.conf @@ -1,13 +1,15 @@ server { listen 80; + listen [::]:80; # IPv6 support + server_name wpfc.example.com; index index.php; # Replace the path with the actual path to WordPress core files root /home/username/sites/wpsc.example.com/public; - access_log /var/log/nginx/wpsc.example.com-access.log combined buffer=64k flush=5m if=$loggable; - error_log /var/log/nginx/wpsc.example.com-error.log; + access_log /var/log/nginx/wp-fastest-cache.example.com-access.log combined buffer=64k flush=5m if=$loggable; + error_log /var/log/nginx/wp-fastest-cache.example.com-error.log; include "globals/assets.conf"; include "globals/restrictions.conf"; @@ -16,13 +18,16 @@ server { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + include fastcgi.conf; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; fastcgi_pass fpm; - add_header "X-WPFC-Cache" "MISS"; + add_header "X-Cache" "MISS"; } - include "globals/wpfc.conf"; + include "globals/wp-fastest-cache.conf"; } diff --git a/sites-available/wpsc.example.com.conf b/sites-available/wpsc.example.com.conf index 8f0f15e..608edd4 100644 --- a/sites-available/wpsc.example.com.conf 
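Review bot: The trailing comment on the new `# include "globals/wp-fastest-cache.conf";` line still reads `# WP Rocket Cache plugin support`, here and in the matching hunks of dev.example.com.conf and example.com.conf. Since the instruction above it says to enable only one of these lines, the label should name the right plugin: `# WP Fastest Cache plugin support`.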
+++ b/sites-available/wpsc.example.com.conf @@ -1,5 +1,7 @@ server { listen 80; + listen [::]:80; # IPv6 support + server_name wpsc.example.com; index index.php; @@ -16,11 +18,16 @@ server { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + include fastcgi.conf; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; fastcgi_pass fpm; + + add_header "X-Cache" "MISS"; } - include "globals/wpsc.conf"; + include "globals/wp-super-cache.conf"; }