├── .gitignore
├── README.md
├── includes
│   ├── cloudflare.inc
│   ├── expires.inc
│   ├── performance.inc
│   ├── php.inc
│   ├── robots.txt.inc
│   ├── ssl_config.inc
│   ├── wp_microcaching.inc
│   └── wp_subdir_multisite.inc
├── security
│   ├── automatticips.inc
│   ├── block_xmlrpc.inc
│   └── wordpress_security.inc
└── template
    ├── example.conf
    └── nginx.conf

/.gitignore:
--------------------------------------------------------------------------------
*DS_Store
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Nginx Configuration Template

> This repo is a collection of our Nginx configurations and optimizations for performance and security

[![Support Level](https://img.shields.io/badge/support-archived-red.svg)](#support-level)

> [!CAUTION]
> As of 12 April 2024, this project is archived and no longer being actively maintained.

## Overview

10up uses [Nginx](http://nginx.org/) as its standard web server software on many high-traffic, enterprise [WordPress](http://wordpress.org/) sites. This repo is a collection of our configurations and optimizations for performance and security. For most sites, these configurations can be included as-is in your Nginx `server` and `http` blocks. For sites that need more customization, they can serve as a reference.

## Usage

The `.inc` files in the `includes` and `security` directories are intended to be used as-is, with no modification. For files like `block_xmlrpc.inc` that have options, the options are controlled by variables that should be set in the `nginx.conf` file and in the `.conf` file for the specific site. The `template` directory contains an example `nginx.conf` file and an `example.conf` file that contains the `server` block. The `example.conf` file usually goes in the `/etc/nginx/conf.d/` directory or in the `/etc/nginx/sites-enabled/` directory.
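The `$allow_jetpack` handling in `security/block_xmlrpc.inc` is the main place these variables interact, and its three regex rules are easy to misread. The following Python model is an added example, not code from this repo: it rebuilds the `$do_block_xmlrpc` string exactly as the include does and runs the same three patterns over every combination of `$allow_jetpack` (`0`, `ua`, `ip`) and the three flags, so the decision table can be checked without a running Nginx. The function names (`xmlrpc_decision`, `decision_table`, `allowed_without_jetpack_ua`) are mine.

```python
"""Reference model of the allow/block decision in security/block_xmlrpc.inc.

Added example, not part of the 10up repo. It re-implements the nginx
if-chain in Python so the whole decision table can be enumerated and
checked offline.
"""
import re
from itertools import product

# The user agent nginx compares against with an exact match:
#   if ($http_user_agent = "Jetpack by WordPress.com")
JETPACK_UA = "Jetpack by WordPress.com"

# Patterns copied from block_xmlrpc.inc, in the order nginx evaluates them.
# nginx's "~*" operator is a case-insensitive, unanchored PCRE match.
BLOCK_RULES = [
    ("allow_jetpack=0 and not a whitelisted IP", r"^00.*"),
    ("ua mode: not whitelisted and not the Jetpack UA", r"ua00\d"),
    ("ip mode: not whitelisted, Jetpack UA, but not an Automattic IP", r"ip010"),
]


def jetpack_ua_flag(user_agent: str) -> int:
    """Mirror 'set $is_jetpack_ua' (exact, case-sensitive comparison)."""
    return 1 if user_agent == JETPACK_UA else 0


def xmlrpc_decision(allow_jetpack: str, whitelisted: int, jetpack_ua: int,
                    automattic_ip: int) -> tuple:
    """Return (http_status, reason) for one request to xmlrpc.php.

    allow_jetpack is the site-level $allow_jetpack ("0", "ua" or "ip");
    the three ints are the $is_xmlrpc_whitelist_ip, $is_jetpack_ua and
    $is_automattic_ip flags. 200 means the request reaches php.inc.
    """
    # nginx concatenates the four variables into one string and tests it.
    flags = f"{allow_jetpack}{whitelisted}{jetpack_ua}{automattic_ip}"
    for reason, pattern in BLOCK_RULES:
        if re.search(pattern, flags, re.IGNORECASE):
            return 403, reason
    return 200, "passed to php.inc"


def decision_table() -> list:
    """Every combination of mode and flags with its resulting status."""
    rows = []
    for mode in ("0", "ua", "ip"):
        for whitelisted, jetpack_ua, automattic_ip in product((0, 1), repeat=3):
            status, _ = xmlrpc_decision(mode, whitelisted, jetpack_ua, automattic_ip)
            rows.append((mode, whitelisted, jetpack_ua, automattic_ip, status))
    return rows


def allowed_without_jetpack_ua(mode: str) -> bool:
    """True if a non-whitelisted, non-Automattic peer that does NOT send
    the Jetpack UA still reaches php.inc in the given mode."""
    return xmlrpc_decision(mode, 0, 0, 0)[0] == 200


if __name__ == "__main__":
    print("mode whitelisted jetpack_ua automattic_ip -> status")
    for row in decision_table():
        print("{:>4} {:>11} {:>10} {:>13} -> {}".format(*row))
```

Running it prints the 24-row table. Two rows are worth checking against what you expect. With `$allow_jetpack ua`, a request carrying the exact Jetpack user agent is allowed from any address; the string is client-supplied, which is why the include's own comment calls IP matching more secure. With `$allow_jetpack ip`, the string `ip000` (not whitelisted, no Jetpack UA, not an Automattic address) matches none of the three patterns, so it is passed to `php.inc` rather than blocked. If the intent is UA *and* IP for everything that is not whitelisted, a fourth rule of the shape `if ($do_block_xmlrpc ~* "ip00\d") { return 403; }` would cover that case; that rule is a suggestion, not part of the repo.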
Certain security rules block pages in WordPress, which can affect expected behavior in some use cases. Notably, the WordPress "5-minute" installation pages in `wp-admin` are blocked, which prevents an initial installation from the browser: sites using these configs must be created with a manual `wp-config.php` file and database import, or via the WP-CLI command line tool.

## Installation

The easiest way to use this repo is to clone it into your `/etc/nginx/` directory. All of the include file paths used in `/template/nginx.conf` and `/template/example.conf` will work without modification with this method:

1. `cd /etc/nginx/`

2. `git clone https://github.com/10up/nginx_configs.git`

Use the `nginx.conf` file in `nginx_configs/template/` to update your existing `/etc/nginx/nginx.conf` where appropriate (you could copy the `nginx.conf` file over the existing one, but that risks overwriting important settings from your install). Copy the `example.conf` file from `nginx_configs/template/` to your `conf.d` or `sites-enabled` directory and rename it to something related to the domain of the site it will configure. In the new `example.conf` file, comment out or uncomment the `include` statements that apply to your use case. For example, if you have a WordPress single-site install, comment out `nginx_configs/includes/wp_subdir_multisite.inc;`. If you have a WordPress multisite subdirectory install, uncomment this line to include the file.

After making configuration changes, remember to test first with `nginx -t` before reloading Nginx (`systemctl reload nginx` for systemd or `/etc/init.d/nginx reload` for SysVinit).

## Issues

If you identify any errors or have an idea for improving these files, please [open an issue](https://github.com/10up/nginx_configs/issues). We're excited to see what the community thinks of this project, and we would love your input!

## License

Our Nginx Configuration Template is free; you can redistribute it and/or modify it under the terms of the [GNU General Public License](http://www.gnu.org/licenses/gpl-2.0.html) as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

## Support Level

**Archived:** This project is no longer maintained by 10up. We are no longer responding to Issues or Pull Requests unless they relate to security concerns. We encourage interested developers to fork this project and make it their own!
--------------------------------------------------------------------------------
/includes/cloudflare.inc:
--------------------------------------------------------------------------------
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;
--------------------------------------------------------------------------------
/includes/expires.inc:
--------------------------------------------------------------------------------
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|js|css|pdf)$ {
    access_log off; log_not_found off; expires max;
}
--------------------------------------------------------------------------------
/includes/performance.inc:
--------------------------------------------------------------------------------
# Performance settings

# gzip compression
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-javascript
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/svg+xml
    image/x-icon
    text/css
    text/plain
    text/x-component;

keepalive_timeout 65;

sendfile on;
--------------------------------------------------------------------------------
/includes/php.inc:
--------------------------------------------------------------------------------
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

include /etc/nginx/fastcgi_params;

# "php" is defined as an upstream server in nginx.conf
fastcgi_pass php;

fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

#matches keys_zone in fastcgi_cache_path (set in the site .conf, see template/example.conf)
fastcgi_cache mysite;

#don't serve the pages flagged by $no_cache (set in wp_microcaching.inc) from the cache
fastcgi_cache_bypass $no_cache;

#don't store the pages flagged by $no_cache in the cache
fastcgi_no_cache $no_cache;

#unsure what the impact of this variable is
fastcgi_max_temp_file_size 2M;

#Use stale cache items while updating in the background
fastcgi_cache_use_stale updating error timeout invalid_header http_500;
fastcgi_cache_lock on;
fastcgi_cache_lock_timeout 10s;

add_header X-Cache $upstream_cache_status;
--------------------------------------------------------------------------------
/includes/robots.txt.inc:
--------------------------------------------------------------------------------
# For internal sites that should not be discoverable by search engines,
# force the robots.txt file to disallow indexing by all bots.
#
# Do NOT use on public sites that should show up on Google.

location = /robots.txt {
    add_header Content-Type text/plain;
    return 200 "User-agent: *\nDisallow: /\n# Robots.txt controlled by Nginx";
}
--------------------------------------------------------------------------------
/includes/ssl_config.inc:
--------------------------------------------------------------------------------
# Uses https://mozilla.github.io/server-side-tls/ssl-config-generator/?hsts=no for reference
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_buffer_size 8k;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;

resolver 8.8.8.8;
--------------------------------------------------------------------------------
/includes/wp_microcaching.inc:
--------------------------------------------------------------------------------
# Microcaching
fastcgi_cache_key "$scheme://$request_method$host$request_uri";
fastcgi_ignore_headers Cache-Control Expires Vary;

#Cache everything by default
set $no_cache 0;

#Don't cache logged in users or commenters
if ( $http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
    set $no_cache 1;
}

#Don't cache the following URLs
if ($request_uri ~* "/(wp-admin/|xmlrpc.php|wp-login.php)") {
    set $no_cache 1;
}
--------------------------------------------------------------------------------
/includes/wp_subdir_multisite.inc:
--------------------------------------------------------------------------------
if (!-e $request_filename) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    rewrite ^(/[^/]+)?(/wp-.*) $2 last;
    rewrite ^(/[^/]+)?(/.*\.php) $2 last;
}
--------------------------------------------------------------------------------
/security/automatticips.inc:
--------------------------------------------------------------------------------
# Note that using the Automattic IP to match can be dangerous. This is the most secure method,
# but must be frequently updated with new IP addresses. These can be found at
# http://whois.arin.net/rest/org/AUTOM-93/nets. The ticket
# https://github.com/Automattic/jetpack/issues/1719 contains a discussion of why
# this is dangerous.

# Automattic's netblocks

geo $is_automattic_ip {
    default 0; # Block everything not in the ranges below
    216.151.209.64/26 1;
    66.135.48.128/25 1;
    69.174.248.128/25 1;
    76.74.255.0/25 1;
    216.151.210.0/25 1;
    76.74.248.128/25 1;
    76.74.254.0/25 1;
    207.198.112.0/23 1;
    207.198.101.0/25 1;
    198.181.116.0/22 1;
    192.0.64.0/18 1;
    66.155.8.0/22 1;
    66.155.38.0/24 1;
    72.233.119.192/26 1;
    209.15.21.0/24 1;
    64.34.206.0/24 1;
    192.0.114.0/24 1;
    2620:115:c000:0:0:0:0:0/44 1;
    192.0.72.0/24 1;
    192.0.76.0/23 1;
    192.0.78.0/23 1;
    192.0.74.0/23 1;
    192.0.65.0/24 1;
    192.0.112.0/24 1;
    185.64.140.0/24 1;
    185.64.141.0/24 1;
    185.64.142.0/24 1;
    185.64.143.0/24 1;
    192.0.80.0/24 1;
    192.0.81.0/24 1;
    192.0.82.0/24 1;
    192.0.83.0/24 1;
    192.0.84.0/24 1;
    192.0.85.0/24 1;
    192.0.86.0/24 1;
    192.0.87.0/24 1;
    192.0.88.0/24 1;
    192.0.89.0/24 1;
    192.0.90.0/24 1;
    192.0.91.0/24 1;
    192.0.92.0/24 1;
    192.0.93.0/24 1;
    192.0.94.0/24 1;
    192.0.95.0/24 1;
    192.0.96.0/24 1;
    192.0.97.0/24 1;
    192.0.98.0/24 1;
    192.0.99.0/24 1;
    192.0.100.0/24 1;
    192.0.101.0/24 1;
    192.0.102.0/24 1;
    192.0.103.0/24 1;
    192.0.104.0/24 1;
    192.0.105.0/24 1;
    192.0.106.0/24 1;
    192.0.107.0/24 1;
    192.0.108.0/24 1;
    192.0.109.0/24 1;
    192.0.110.0/24 1;
    192.0.111.0/24 1;
    192.0.124.0/24 1;
    192.0.125.0/24 1;
    192.0.126.0/24 1;
    192.0.127.0/24 1;
    192.0.66.0/24 1;
    192.0.67.0/24 1;
    192.0.68.0/24 1;
    192.0.69.0/24 1;
    192.0.70.0/24 1;
    192.0.71.0/24 1;
    192.0.73.0/24 1;
    192.0.74.0/24 1;
    192.0.75.0/24 1;
    192.0.76.0/24 1;
    192.0.77.0/24 1;
    192.0.78.0/24 1;
    192.0.79.0/24 1;
    192.0.80.0/20 1;
    192.0.96.0/20 1;
    198.181.117.0/24 1;
    198.181.118.0/24 1;
    198.181.119.0/24 1;
    103.62.32.0/24 1;
    103.62.33.0/24 1;
    103.62.34.0/24 1;
    103.62.35.0/24 1;
    45.121.180.0/24 1;
    45.121.181.0/24 1;
    45.121.182.0/24 1;
    45.121.183.0/24 1;
    192.0.112.0/21 1;
    192.0.120.0/22 1;
    192.0.113.0/24 1;
    192.0.115.0/24 1;
    192.0.116.0/24 1;
    192.0.117.0/24 1;
    192.0.118.0/24 1;
    192.0.119.0/24 1;
    192.0.120.0/24 1;
    192.0.121.0/24 1;
    192.0.122.0/24 1;
    192.0.123.0/24 1;
    200.9.112.0/24 1;
    200.9.113.0/24 1;
    185.138.28.0/22 1;
    185.138.28.0/23 1;
    185.138.28.0/24 1;
    185.138.29.0/24 1;
    185.138.30.0/23 1;
    185.138.30.0/24 1;
    185.138.31.0/24 1;
    192.0.72.0/21 1;

}
--------------------------------------------------------------------------------
/security/block_xmlrpc.inc:
--------------------------------------------------------------------------------
location ~* xmlrpc.php$ {

    # Identify Jetpack by user agent. A more secure way is by IP address.
    # See the $allow_jetpack comment in template/example.conf for why
    # user-agent matching is nevertheless the preferred method.
    set $is_jetpack_ua 0;
    if ($http_user_agent = "Jetpack by WordPress.com" ) {
        set $is_jetpack_ua 1;
    }

    set $do_block_xmlrpc "${allow_jetpack}${is_xmlrpc_whitelist_ip}${is_jetpack_ua}${is_automattic_ip}";


    # Don't allow Jetpack, not a whitelisted IP = block
    if ($do_block_xmlrpc ~* "^00.*") { return 403; }

    # Allow Jetpack by UA, not a whitelisted IP, not the Jetpack UA = block
    if ($do_block_xmlrpc ~* "ua00\d") { return 403; }

    # Allow Jetpack by UA and IP, not a whitelisted IP, is the Jetpack UA, but not the Jetpack IP = block
    if ($do_block_xmlrpc ~* "ip010") { return 403; }

    ## All other connections are allowed ##

    # Parse the PHP - this cannot be included in an if block
    include nginx_configs/includes/php.inc;

}
--------------------------------------------------------------------------------
/security/wordpress_security.inc:
--------------------------------------------------------------------------------
# Instead of blocking requests with a 403 Denied status, use a redirect to the homepage instead.
# The reasoning behind this is that by returning a 403, we broadcast what is a sensitive file
# which could be used by bad guys to draw conclusions about what kind of CMS or technology we
# are using on this server. A redirect gives a less clear message and keeps our technology more
# obfuscated. Here we set the
set $redirect_to $scheme://$host;

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Uses a regex negative lookahead to allow use of Let's Encrypt webroot authentication
# in the .well-known directory.
location ~ /\.(?!well\-known) { deny all; auth_basic off; }

# Prevent access to any files ending with a ~ (usually editor backup/temp files)
location ~ ~$ { deny all; }

# Common deny or internal locations, to help prevent access to areas of
# the site that should not be public
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
location ~* wp-includes/js/swfupload/swfupload\.swf { deny all; }
location ~* ^/wp-includes/js/mediaelement/.*\.swf$ { deny all; }

# Since wp-admin pages are not cached, block WordPress installation pages to
# avoid brute force attacks and for obscurity.
# This will block the "5 minute" web-based install process and require WP-CLI or
# manual wp-config.php set-up for new installations.
location ~* wp-admin/(install|setup-config)\.php$ { return 301 $redirect_to; }

# Deny access to .php files in the /wp-content/ directory (including sub-folders)
location ~* ^/wp-content/.*\.(php|phps)$ { return 301 $redirect_to; }

# Deny access to any files with a .php extension in the uploads directory (redundant with previous rule)
location ~* ^/wp-content/uploads/.*\.php$ { return 301 $redirect_to; }

# Block common exploit requests
location ~* (/license\.txt|/phpmyadmin|/ckeditor|/hp/|/cfdocs/|/cfappman/|/SiteServer/|/webmail/|/nsn/|/servlet|/etc/passwd|/phpbb|/horde/|/administrator/|phpinfo|info\.php/|/cbms/|/readme\.html|readme\.md|readme\.txt|readme|composer\.json|composer\.lock|package\.json|package\.lock) {
    return 301 $redirect_to;
}

# Block by file type
location ~* \.(sql|sql\.gz|sql\.zip|tar|tar\.gz|lzma|pem|cer|crt|key|jks|asp|aspx|cgi|pwd|nsf|exe|sh|csh|pl|tmp|swp|bak|bak2)$ {
    return 301 $redirect_to;
}

# Block access to wp-config.php and any files similarly named
location ~* /wp-config {
    return 301 $redirect_to;
}

# Block user enumeration to protect user names
# By default, WordPress redirects example.com/?author=1 to example.com/author/username

# we will always redirect...
set $force_author_redirect 1;

# unless there is no author param in the query params
if ($args !~* author=[0-9]) {
    set $force_author_redirect 0;
}

# or we are in the admin
if ($uri ~* wp-admin) {
    set $force_author_redirect 0;
}

# if the author param is in the query string and we are not in wp-admin, redirect
if ($force_author_redirect) {
    return 301 $redirect_to;
}

# Prevent Nginx from announcing which version is running to the client.
# Danger is minor from leaving this on, but reducing the amount of
# information about the server environment is always good.
server_tokens off;
--------------------------------------------------------------------------------
/template/example.conf:
--------------------------------------------------------------------------------
# Copy this file to /etc/nginx/conf.d and configure for your domain

# Microcaching global settings
fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=mysite:20m inactive=60m max_size=200m;

server {
    listen 443 default_server ssl http2; # All sites should be SSL
    server_name example.com www.example.com;

    access_log /var/log/nginx/example.com.access.log main;
    error_log /var/log/nginx/example.com.error.log;

    root /var/www/html/example.com;
    index index.php;

    # Comment out or delete any unneeded includes
    #include nginx_configs/includes/robots.txt.inc;          # Only enable if site is non-public
    include nginx_configs/includes/performance.inc;          # Speed optimizations
    include nginx_configs/includes/ssl_config.inc;           # SSL optimizations
    #include nginx_configs/includes/cloudflare.inc;          # Set real visitor IP address if using Cloudflare
    include nginx_configs/security/wordpress_security.inc;   # Recommended security rules
    include nginx_configs/includes/wp_microcaching.inc;      # Short duration caching setup
    include nginx_configs/includes/wp_subdir_multisite.inc;  # Subdirectory WP multisite rules
    include nginx_configs/includes/expires.inc;              # Browser caching rules

    # The block_xmlrpc.inc file requires the variables $allow_jetpack
    # (set in the server block), $is_xmlrpc_whitelist_ip (set in the http
    # block in nginx.conf), and $is_automattic_ip (set in the http block via
    # the file automatticips.inc). Please be sure these variables are all set
    # before including this file. See the example nginx.conf for more info.
    include nginx_configs/security/block_xmlrpc.inc;


    # Create this file with the command:
    # `openssl dhparam -out /etc/nginx/dh4096.pem 4096`
    # Careful! It will take many minutes and max your CPU!
    ssl_dhparam /etc/nginx/dh4096.pem;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    #define cache valid time for microcaching (use with nginx_configs/includes/wp_microcaching.inc)
    fastcgi_cache_valid any 90s;

    # Jetpack connects over xmlrpc.php. If we include block_xmlrpc.inc
    # above, Jetpack will be unable to connect without extra logic. This
    # variable controls whether we allow connections to xmlrpc.php for
    # Jetpack or not. Valid settings for this variable are:
    #   0  = You are not using Jetpack
    #   ua = You are using Jetpack and want to match the
    #        Jetpack user-agent to allow access. This
    #        is the preferred method and is most reliable while
    #        providing a reasonable level of protection.
    #   ip = You are using Jetpack and wish to use the Automattic
    #        (owner of Jetpack) IP address range AND the user
    #        agent as the mechanisms to allow access to
    #        xmlrpc.php. This is the most secure method, but
    #        could break your connection to Jetpack at any time
    #        due to a change of IP address by Automattic.
    # For discussion and more info, see
    # https://github.com/Automattic/jetpack/issues/1719
    set $allow_jetpack 0;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include nginx_configs/includes/php.inc;
    }

    # This should match upload_max_filesize in php.ini. Note
    # upload_max_filesize can get overwritten in a number of places,
    # including the actual PHP code or the PHP-FPM www.conf file.
    client_max_body_size 20M;
}

server {
    listen 80;
    server_name example.com www.example.com;

    rewrite (.*) https://example.com$1 permanent;

}
--------------------------------------------------------------------------------
/template/nginx.conf:
--------------------------------------------------------------------------------
# This template can be used for the /etc/nginx/nginx.conf file

user nginx;             # Use for CentOS
#user www-data;         # Use for Ubuntu
worker_processes auto;  # Or set to number of CPU cores

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Note the trailing space on each continued line: without it the
    # $http_x_forwarded_for and $request_time fields run together in the log.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$request_time" "$upstream_response_time" $upstream_cache_status';

    access_log /var/log/nginx/access.log main;

    # Additional settings
    server_names_hash_bucket_size 64;

    # Include mapping of Automattic IPs to $is_automattic_ip for use in block_xmlrpc.inc.
    # This uses the "geo" directive which can only be done in the http block.
    include nginx_configs/security/automatticips.inc;

    # List of IPs to allow to connect to xmlrpc.php. For use with block_xmlrpc.inc.
    geo $is_xmlrpc_whitelist_ip {
        default 0; # Block everything not in the ranges below
        #216.151.209.64/26 1;
        #127.0.0.1 1;
    }

    # Define PHP
    upstream php {
        #server 127.0.0.1:9000;
        server unix:/run/php/php7.0-fpm.sock;
    }

    include /etc/nginx/conf.d/*.conf;
}
--------------------------------------------------------------------------------
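`includes/cloudflare.inc` is only safe because the realip module applies `real_ip_header` to connections arriving from a `set_real_ip_from` range; a `CF-Connecting-IP` header sent by any other peer is ignored. The following Python model is an added example, not code from this repo, that reproduces that trust rule with the standard `ipaddress` module and the exact ranges from the include, so you can check what `$remote_addr` becomes for a given peer and header. The function names (`is_trusted_proxy`, `effective_client_ip`) and the sample connections are mine.

```python
"""Model of how includes/cloudflare.inc restores the client address.

Added example, not part of the 10up repo. The realip module trusts the
header named by real_ip_header only when the TCP peer is inside one of
the set_real_ip_from ranges; this reproduces that rule with ipaddress.
"""
import ipaddress

# Ranges copied from includes/cloudflare.inc (the set_real_ip_from lines).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "2400:cb00::/32", "2606:4700::/32",
    "2803:f800::/32", "2405:b500::/32", "2405:8100::/32", "2c0f:f248::/32",
    "2a06:98c0::/29",
)]

REAL_IP_HEADER = "CF-Connecting-IP"   # real_ip_header in cloudflare.inc


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the connecting peer is within a set_real_ip_from range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def effective_client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address nginx would expose as $remote_addr.

    Only a trusted peer may override the address with the header. A header
    from any other peer is ignored, which is what stops a client that
    connects directly to the origin from choosing its own logged address.
    """
    header_value = next((v for k, v in headers.items()
                         if k.lower() == REAL_IP_HEADER.lower()), None)
    if header_value is None or not is_trusted_proxy(peer_ip):
        return peer_ip
    try:
        return str(ipaddress.ip_address(header_value.strip()))
    except ValueError:
        return peer_ip  # malformed header value: keep the peer address


if __name__ == "__main__":
    # Constructed sample connections, not captured traffic.
    samples = [
        ("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}),    # via a Cloudflare edge
        ("203.0.113.9", {"CF-Connecting-IP": "198.51.100.7"}),   # direct peer, header ignored
        ("2606:4700::1", {"cf-connecting-ip": "2001:db8::42"}),  # IPv6 edge, any header case
    ]
    for peer, hdrs in samples:
        print(peer, "->", effective_client_ip(peer, hdrs))
```

The list in the include is a snapshot: a Cloudflare edge that falls outside it is treated exactly like a direct client, so the header is dropped and the edge's own address is what reaches the access log, the rate limits and any `geo` blocks. Conversely, keeping the include enabled on a site that is not actually behind Cloudflare does no harm, because no peer will ever be trusted.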
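Two more rules in this repo hinge on regexes whose edge cases are worth checking: the `$no_cache` decision in `includes/wp_microcaching.inc` (where the `wordpress_(?!test_cookie)` lookahead keeps the harmless test cookie from defeating the cache) and the author-enumeration redirect in `security/wordpress_security.inc` (which must stay out of the way of `wp-admin`). The following Python model is an added example, not code from this repo; it uses the same patterns, case-insensitively as nginx's `~*` does, and constructed sample requests. The function names (`no_cache`, `author_redirect`, `classify`) are mine.

```python
"""Models of two request-classification rules from the repo.

Added example, not part of the 10up repo. It re-implements, with the same
regexes, the $no_cache decision of includes/wp_microcaching.inc and the
author-enumeration redirect of security/wordpress_security.inc.
"""
import re

# Cookie and URI patterns copied from wp_microcaching.inc ("~*" = case-insensitive).
LOGGED_IN_COOKIE_RE = re.compile(
    r"comment_author_|wordpress_(?!test_cookie)|wp-postpass_", re.I)
NO_CACHE_URI_RE = re.compile(r"/(wp-admin/|xmlrpc.php|wp-login.php)", re.I)

# Patterns from the user-enumeration block in wordpress_security.inc.
AUTHOR_ARG_RE = re.compile(r"author=[0-9]", re.I)
WP_ADMIN_URI_RE = re.compile(r"wp-admin", re.I)


def no_cache(cookie_header: str, request_uri: str) -> int:
    """Mirror 'set $no_cache': 1 = bypass and do not store, 0 = cacheable."""
    # Logged-in, commenter and post-password cookies mark a personalised page.
    if LOGGED_IN_COOKIE_RE.search(cookie_header or ""):
        return 1
    # Admin, login and XML-RPC endpoints are never cached regardless of cookies.
    if NO_CACHE_URI_RE.search(request_uri):
        return 1
    return 0


def author_redirect(uri: str, args: str) -> bool:
    """Mirror the $force_author_redirect chain.

    uri is $uri (path only), args is $args (query string). True means
    nginx answers 301 to $redirect_to instead of letting WordPress reveal
    /author/<username>.
    """
    force = 1
    if not AUTHOR_ARG_RE.search(args or ""):   # no author=<digit> in the query
        force = 0
    if WP_ADMIN_URI_RE.search(uri):            # admin screens legitimately filter by author
        force = 0
    return bool(force)


def classify(request_uri: str, cookie_header: str = "") -> dict:
    """Split $request_uri into $uri/$args and run both rules over it."""
    uri, _, args = request_uri.partition("?")
    return {
        "no_cache": no_cache(cookie_header, request_uri),
        "author_redirect": author_redirect(uri, args),
    }


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req, cookie in [
        ("/", ""),
        ("/", "wordpress_test_cookie=WP+Cookie+check"),
        ("/", "wordpress_logged_in_abc=alice|..."),
        ("/?author=1", ""),
        ("/wp-admin/users.php?author=1", "wordpress_logged_in_abc=alice"),
    ]:
        print(req, cookie or "-", classify(req, cookie))
```

Two results to note: `wordpress_test_cookie`, which WordPress sets on every login-form visit, does not bypass the cache, while any other `wordpress_*` cookie does; and `/?author=abc` is not redirected, because the rule only fires on a digit, which matches WordPress's own behaviour of only resolving numeric author IDs.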