├── LICENSE
├── README.md
├── global
    ├── cloudflare.conf
    ├── common.conf
    ├── hackrepair.conf
    └── wordpress.conf
├── nginx.conf
├── ramdisk
└── sites-available
    └── example


/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 Collin Barrett
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # wp-vps-build-guide
  2 | A verbose build guide for a modern, high-performance production WordPress VPS.
  3 | 
  4 | [Introductory Blog Post](https://collinmbarrett.com/wp-vps-build-guide/ "WordPress VPS: DIY Build Guide for Fast and Cheap Hosting - collinmbarrett.com")
  5 | 
  6 | ## Intro
  7 | This project aims to provide a straightforward, albeit lengthy and all-inclusive, build guide for a low-budget, high-performance WordPress hosting solution. For as little as $5/mo., one can develop a cutting edge hosting stack for his or her projects. The instructions are verbose so that developers with little server administration experience can track.
  8 | 
  9 | ### The Stack
 10 | 
 11 | | Component | Solution | Notes |
 12 | |---|---|---|
 13 | | Development Client | macOS | |
 14 | | Production Host | DigitalOcean | |
 15 | | Server | Ubuntu LTS x64 |  |
 16 | | WordPress Management Tools | WP-CLI |  |
 17 | | Database | MariaDB | |
 18 | | Object Cache Store | Redis | in-RAM (persists) |
 19 | | PHP Compiler | HHVM | |
 20 | | Web Server | NGINX | w/FastCGI Caching in-RAM (persists) |
 21 | | Connection | Modern TLS Ciphers<br>HTTP/2<br>ipv4/ipv6 | |
 22 | 
 23 | ### Scope
 24 | This stack is designed to host one or multiple WordPress sites with light to medium loads. It will scale well, but it is not designed for an ultra-heavy use case that requires load balancing across multiple servers, etc. Server configurations are not one-size-fits-all, for sure, but hopefully this guide serves as a "good-enough-for-most" solution. While configuration recommendations provided are a good starting point, it is no substitution for ongoing optimization. Both speed and security have been key values during the development of this guide. The instructions to follow are scoped to only cover a single self-contained VPS. No load-balancing or CDN configuration is described, while these are highly recommended.
 25 | 
 26 | ### General Notes
 27 | - Items in curly brackets {} should be treated as variables and replaced with custom info.
 28 | - Recommended Snapshot points are annotated throughout, but feel free to take these more or less frequently.
 29 | 
 30 | ### Assumptions
 31 | - The developer has basic Linux terminal skills.
 32 | - The developer has access to a VPS host. DigitalOcean (DO) is used for the purposes of this guide, but competitors such as Linode work just fine with minor adaptations.
 33 | - The developer has a ssh key already created. The public key is stored with the host and the private .pem stored locally at {myPK}.
 34 | 
 35 | ### Support
 36 | The best way to support this project is to submit issues and pull requests to assist in keeping the guide up-to-date. Clicking through the maintainer's [DigitalOcean affiliate link](http://brrt.co/CBDigitalOcean) when signing up is helpful as well, but by no means expected.
 37 | 
 38 | #### To amateurs at WordPress Operations...
 39 | Feel free to use this guide to turbocharge projects! Please submit issues or pull requests for any problems discovered.
 40 | 
 41 | #### To experts at WordPress Operations...
 42 | Please provide feedback. This guide should continue to receive ongoing optimizations and updates. In its current state, it will lead to a server that is higher-performing than most, but it is not perfect and the technologies powering it are constantly changing. Issues and pull requests are welcome.
 43 | 
 44 | ### Sources
 45 | This build guide is constructed from a compilation of sources from all over the web. Inline "via"s give credit to some of these authors, but apologies go out to any blogs that were forgotten. A special recognition goes out to [Mark Jaquith](http://wordpress.tv/2014/10/16/mark-jaquith-next-generation-wordpress-hosting-stack/) and [Carl Alexander](http://wordpress.tv/2016/05/03/carl-alexander-a-look-at-the-modern-wordpress-server-stack/) whose talks played fundamental roles in this architecture.
 46 | 
 47 | ## Roadmap / To-Do
 48 | 
 49 | ### Near-Term
 50 | 
 51 | - NGINX FastCGI Cache Tuning
 52 | - HHVM Tuning
 53 | - Redis Tuning
 54 | - MariaDB Tuning
 55 | - Verify Ubuntu Automatic Upgrades
 56 | - Verify WordPress Ownership and Permissions
 57 | - SSL Certificate Installation
 58 | - SSH Key Installation
 59 | - Automated _Scheduled_ Backups
 60 | 
 61 | ### Moonshots / Long-Term
 62 | 
 63 | - Automated _Realtime_ Backups
 64 | - Automated Build Script
 65 | - Dockerize
 66 | - Clusterize
 67 | 
 68 | ## Build Guide
 69 | 1. Create a new VPS running the latest Ubuntu LTS x64 in the DO control panel.
 70 |   - Enable backups.
 71 |   - Enable IPv6.
 72 |   - Add your SSH key.
 73 | 2. Locally, configure a ssh config file to make ssh easy.
 74 |   - In Terminal, `sudo nano ~/.ssh/config`
 75 | 
 76 |     ```
 77 |     Host {myVpsName}
 78 |       HostName {myVpsIP}
 79 |       Port 22
 80 |       User root
 81 |       IdentityFile {myPK}
 82 |     ```
 83 | 
 84 |     - Press "ctrl + x" to save and exit.
 85 | 3. ssh into the new VPS.
 86 |   - `ssh {myVpsName}`
 87 |     - Type "yes" to continue connecting.
 88 | 4. Create a new user and add it to the sudo group.
 89 |   - `adduser {myUser}`
 90 |     - Provide {myUserPassword} twice when prompted.
 91 |     - Press "return" repeatedly to accept the rest of the default options.
 92 |   - `usermod -aG sudo {myUser}`
 93 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04)*
 94 | 5. Copy the ssh key to the new user and configure ssh.
 95 |   - `mkdir /home/{myUser}/.ssh`
 96 |   - `cp ~/.ssh/authorized_keys /home/{myUser}/.ssh/`
 97 |   - `chown -R {myUser}:{myUser} /home/{myUser}/.ssh`
 98 |   - `chmod 700 /home/{myUser}/.ssh`
 99 |   - `chmod 600 /home/{myUser}/.ssh/authorized_keys`
100 |   - `nano /etc/ssh/sshd_config`
101 |     - Modify `PermitRootLogin no`
102 |     - Uncomment and modify `PasswordAuthentication no`
103 |   - `service ssh restart`
104 |   - Do not close the Terminal window yet. In a new Terminal window, `sudo nano ~/.ssh/config`
105 | 
106 |       ```
107 |       Host {myVpsName}
108 |         HostName {myVpsIP}
109 |         Port 22
110 |         User {myUser}
111 |         IdentityFile {myPK}
112 |       ```
113 | 
114 |   - Test ssh into the VPS as {myUser} before closing the root Terminal window.
115 |     - `ssh {myVPSName}`
116 |   - Type `exit` in the root Terminal window and close it.
117 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04)*
118 | 6. Ensure all of the latest updates are installed.
119 |   - `sudo apt-get update`
120 |     - Provide {myUserPassword} when prompted.
121 |   - `sudo apt-get upgrade`
122 |   - `sudo apt-get dist-upgrade`
123 | 7. Snapshot 1
124 |   - `sudo poweroff`
125 |   - Create a Snapshot in the DO control panel.
126 | 8. Configure a basic firewall with ufw.
127 |   - `sudo ufw allow OpenSSH`  
128 |   - `sudo ufw enable`
129 |     - Type "y" to proceed with the operation.
130 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04)*
131 | 9. Install fail2ban to protect SSH.
132 |   - `sudo apt-get install fail2ban`
133 |   - `sudo service fail2ban restart`
134 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04)*
135 | 10. Update the timezone and configure ntp sync.
136 |   - `sudo dpkg-reconfigure tzdata`
137 |     - Select the local timezone.
138 |   - `sudo apt-get update`
139 |   - `sudo apt-get install ntp`
140 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers#configure-timezones-and-network-time-protocol-synchronization)*
141 | 11. Enable a swap file.
142 |   - `sudo fallocate -l {swapSizeInGb}G /swapfile`
143 |     - For guidance on determining {swapSizeInGb}, see [here](https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F).
144 |   - `sudo chmod 600 /swapfile`
145 |   - `sudo mkswap /swapfile`
146 |   - `sudo swapon /swapfile`
147 |   - `sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'`
148 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers)*
149 | 12. Configure automatic updates, upgrades, and cleanup.
150 |   - `sudo nano /etc/apt/apt.conf.d/50unattended-upgrades`
151 |     - Uncomment `"${distro_id}:${distro_codename}-updates";`
152 |   - `sudo nano /etc/apt/apt.conf.d/10periodic`
153 |     - Modify `APT::Periodic::Download-Upgradeable-Packages "1";`
154 |     - Modify `APT::Periodic::AutocleanInterval "7";`
155 |   - *via [Ubuntu](https://help.ubuntu.com/lts/serverguide/automatic-updates.html)*
156 | 13. Snapshot 2
157 | 14. Install NGINX with ngx_cache_purge.
158 |   - `sudo apt-get install nginx`
159 | 15. Install MariaDB.
160 |   - Follow the 5 commands [here](https://downloads.mariadb.org/mariadb/repositories/) based on the setup.
161 |     - Use the DO node that the VPS is hosted on as the mirror in both the 4th box and the 3rd command.
162 |     - Provide {myMariaDBRootPassword} twice when prompted.
163 |   - `mysql_secure_installation`
164 |     - Provide {myMariaDBRootPassword}.
165 |     - Type `n` for do not change root password.
166 |     - Press "return" repeatedly to accept the rest of the default options.
167 | 16. Install HHVM.
168 |   - `sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0x5a16e7281be7a449`
169 |   - `sudo add-apt-repository "deb http://dl.hhvm.com/ubuntu $(lsb_release -sc) main"`
170 |   - `sudo apt-get update`
171 |   - `sudo apt-get install hhvm`
172 |   - `sudo update-rc.d hhvm defaults`
173 |   - `sudo /usr/share/hhvm/install_fastcgi.sh`
174 |   - `sudo mkdir /var/cache/hhvm` (do only if RAM < 512mb)
175 |   - `sudo chown www-data:www-data /var/cache/hhvm/`  (do only if RAM < 512mb)
176 |   - `sudo nano /etc/hhvm/server.ini`
177 |     - Replace `hhvm.server.port = 9000` with `hhvm.server.file_socket=/var/run/hhvm/hhvm.sock`
178 |     - Modify `hhvm.repo.central.path = /var/cache/hhvm/hhvm.hhbc` (do only if RAM < 512mb)
179 |   - `sudo service hhvm restart`
180 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-install-hhvm-with-nginx-on-ubuntu-14-04)*
181 | 17. Snapshot 3
182 | 18. Create a database for WordPress.
183 |   - `mysql -u root -p`
184 |     - Provide {myMariaDBRootPassword}.
185 |     - `CREATE DATABASE {myWPDB} DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;`
186 |     - `GRANT ALL ON {myWPDB}.* TO '{myWPDBUser}'@'localhost' IDENTIFIED BY '{myWPDBPassword}';`
187 |     - `FLUSH PRIVILEGES;`
188 |     - `exit`
189 |   - Repeat this step for each WordPress site to be installed with new values for {myWPDB}, {myWPDBUser}, and {myWPDBPassword}.
190 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-16-04)*
191 | 19. Download and install WordPress.
192 |   - `wget http://wordpress.org/latest.tar.gz`
193 |   - `tar -xzvf latest.tar.gz`
194 |   - `rm latest.tar.gz`
195 |   - `cd ~/wordpress`
196 |   - `cp wp-config-sample.php wp-config.php`
197 |   - `sudo nano wp-config.php`
198 |     - Modify `define('DB_NAME', '{myWPDB}');`
199 |     - Modify `define('DB_USER', '{myWPDBUser}');`
200 |     - Modify `define('DB_PASSWORD', '{myWPDBPassword}');`
201 |     - Replace `{myWPSecurityKeys}` [Generate {myWPSecurityKeys}](https://api.wordpress.org/secret-key/1.1/salt/)
202 |     - Modify `$table_prefix  = '{myRandomPrefix}_';` ([Generate {myRandomPrefix}](https://www.random.org/strings/?num=1&len=8&loweralpha=on&unique=on&format=html&rnd=new))
203 |     - Add `define( 'WP_AUTO_UPDATE_CORE', true );`
204 |   - `mkdir wp-content/uploads`
205 |   - `sudo mkdir -p /var/www/{myWPSiteName}`
206 |   - `sudo rsync -avP ~/wordpress/ /var/www/{myWPSiteName}/`
207 |   - `rm -rf ~/wordpress/`
208 |   - Repeat this step for each WordPress site to be installed with new values for {myWPDB}, {myWPDBUser}, {myWPDBPassword}, {myWPSecurityKeys}, and {myRandomPrefix}.
209 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-16-04)*
210 | 20. Configure permissions and ownership. (WARNING: still under review, however these should be appropriate)
211 |   - `sudo chown root:root /var/www/{myWPSiteName}/`
212 |   - `sudo chown -R {myUser}:{myUser} /var/www/{myWPSiteName}/*`
213 |   - `sudo chown {myUser}:www-data /var/www/{myWPSiteName}/wp-config.php`
214 |   - `sudo find /var/www/{myWPSiteName}/ -type d -exec chmod 755 {} \;`
215 |   - `sudo find /var/www/{myWPSiteName}/ -type f -exec chmod 644 {} \;`
216 |   - `sudo chmod 440 /var/www/{myWPSiteName}/wp-config.php`
217 |   - High Security Variant (does not allow plugins to be installed via Dashboard, recommended for use in conjunction with wp-cli)
218 |     - `sudo chown -R www-data:www-data /var/www/{myWPSiteName}/wp-content/uploads/`
219 |   - Medium Security Variant
220 |     - `sudo chown -R www-data:www-data /var/www/{myWPSiteName}/wp-content/`
221 |   - - *via [StackOverflow](https://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress)*
222 | 21. Snapshot 4
223 | 22. Configure FastCGI Cache RAM disk.
224 |   - `sudo mkdir /mnt/ramdisk`
225 |   - `sudo nano /etc/fstab`
226 |     - Add `tmpfs /mnt/ramdisk tmpfs defaults,size=32M 0 0`
227 |   - `sudo mount /mnt/ramdisk`
228 |   - `sudo mkdir /var/ramdisk-backup`
229 |   - `sudo wget https://raw.githubusercontent.com/collinbarrett/wp-vps-build-guide/master/ramdisk -O /etc/init.d/ramdisk`
230 |   - `sudo chmod +x /etc/init.d/ramdisk`
231 |   - `sudo /etc/init.d/ramdisk sync`
232 |   - `sudo crontab -e`
233 |     - Add `@reboot /etc/init.d/ramdisk start >> /dev/null 2>&1`
234 |     - Add `2 * * * * /etc/init.d/ramdisk sync >> /dev/null 2>&1`
235 |   - *via [Observium](https://www.observium.org/docs/persistent_ramdisk/)*
236 | 23. Configure nginx.
237 |   - `sudo ufw allow 'Nginx Full'`
238 |   - `sudo wget https://raw.githubusercontent.com/h5bp/server-configs-nginx/master/mime.types -O /etc/nginx/mime.types`
239 |   - `sudo wget https://raw.githubusercontent.com/collinbarrett/wp-vps-build-guide/master/nginx.conf -O /etc/nginx/nginx.conf`
240 |   - `sudo mkdir /etc/nginx/global`
241 |   - `sudo wget https://raw.githubusercontent.com/collinbarrett/wp-vps-build-guide/master/global/common.conf -O /etc/nginx/global/common.conf`
242 |   - `sudo wget https://raw.githubusercontent.com/collinbarrett/wp-vps-build-guide/master/global/wordpress.conf -O /etc/nginx/global/wordpress.conf`
243 |   - `sudo wget https://raw.githubusercontent.com/collinbarrett/wp-vps-build-guide/master/global/hackrepair.conf -O /etc/nginx/global/hackrepair.conf`
244 |   - `sudo rm /etc/nginx/sites-available/default`
245 |   - `sudo rm /etc/nginx/sites-enabled/default`
246 |   - Note: Before using the example conf in the next step, you may need to edit it if you are not installing SSL (see step 24 and [this issue](https://github.com/collinbarrett/wp-vps-build-guide/issues/10)).
247 |   - `sudo wget https://raw.githubusercontent.com/collinbarrett/wp-vps-build-guide/master/sites-available/example -O /etc/nginx/sites-available/example`
248 |   - `sudo mv /etc/nginx/sites-available/example /etc/nginx/sites-available/{myWPSiteName}`
249 |   - `sudo nano /etc/nginx/sites-available/{myWPSiteName}`
250 |     - Modify `root /var/www/{myWPSiteName};`
251 |     - Replace `example.com` with `{myWPSiteUrl}`
252 |     - If site should not be the default for the server, toggle listen directives so the ones without `default_server` are active.
253 |   - `sudo ln -s /etc/nginx/sites-available/{myWPSiteName} /etc/nginx/sites-enabled/{myWPSiteName}`
254 |   - Repeat the last four top-level bullets for each WordPress site to be installed with new values for {myWPSiteName} and {myWPSiteUrl}.
255 |   - *via [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-configure-single-and-multiple-wordpress-site-settings-with-nginx), [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration)*
256 | 24. Configure TLS encryption.
257 |   - `sudo mkdir /etc/nginx/cert`
258 |   - `sudo chmod 700 /etc/nginx/cert`
259 |   - `sudo openssl dhparam 2048 -out /etc/nginx/cert/dhparam.pem`
260 |   - `sudo chmod 600 /etc/nginx/cert/dhparam.pem`
261 |   - Install certificate(s) and key(s) to `/etc/nginx/cert/`.
262 |     - Outside the scope of this guide.
263 |     - Free Options:
264 |       - [Let's Encrypt](https://letsencrypt.org/)
265 |       - [CloudFlare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/)
266 |       - [StartSSL](https://www.startssl.com/Support?v=1)
267 | 25. Snapshot 5
268 | 26. Install and configure WP-CLI to auto-update WordPress.
269 |   - `curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar`
270 |   - `chmod +x wp-cli.phar`
271 |   - `sudo mv wp-cli.phar /usr/local/bin/wp`
272 |   - `sudo crontab -e`
273 |     - Add `0 1 * * * /usr/local/bin/wp cli update --yes --allow-root`
274 |   - `crontab -e`
275 |     - Add `0 */6 * * * cd /var/www/{myWPSiteName}/ && /usr/local/bin/wp core update --quiet && /usr/local/bin/wp core update-db --quiet && /usr/local/bin/wp plugin update --all --quiet && /usr/local/bin/wp db optimize`
276 |   - *via [WP-CLI](http://wp-cli.org/docs/installing/)*
277 | 27. Install and configure Redis.
278 |   - `sudo apt-get install redis-server`
279 |   - `sudo nano /etc/redis/redis.conf`
280 |     - Add `maxmemory 64mb`
281 |     - Add `maxmemory-policy allkeys-lru`
282 |   - `sudo nano /var/www/{myWPSiteName}/wp-config.php`
283 | 
284 |     ```
285 |     define( 'WP_CACHE_KEY_SALT', '{myWPSiteName}_' );
286 |     $redis_server = array( 'host' => '127.0.0.1', 'port' => 6379, );
287 |     ```
288 | 
289 |   - `cd /var/www/{myWPSiteName}/`
290 |   - `wp plugin install wp-redis`
291 |   - `sudo ln -s /var/www/{myWPSiteName}/wp-content/plugins/wp-redis/object-cache.php /var/www/{myWPSiteName}/wp-content`
292 |   - Verify Redis is working by `redis-cli monitor` and watching Terminal as you load {myWPSiteUrl} in a browser.
293 |   - Repeat all but the first bullet for each WordPress site to be installed.
294 |   - *via [Codeable](https://codeable.io/community/speed-up-wp-admin-redis-hhvm/)*
295 | 28. Install and configure NGINX Helper.
296 |   - `cd /var/www/{myWPSiteName}/`
297 |   - `sudo nano wp-config.php`
298 |     - Add `define('RT_WP_NGINX_HELPER_CACHE_PATH','/mnt/ramdisk/nginx-cache');`
299 |   - `wp plugin install nginx-helper --activate`
300 |   - Log into WordPress and navigate to "Settings -> Nginx Helper".
301 |   - Configure settings as follows. Some settings do not appear until after you click "Save All Changes" the first time.
302 |     - Check `Enable Purge`
303 |     - Check `nginx Fastcgi cache`
304 |     - Check `Delete local server cache files`
305 |     - Check all `Purging Conditions`
306 |   - Repeat all for each WordPress site to be installed.
307 | 29. Snapshot 6
308 | 
309 | ## Ongoing Maintenance
310 | - If the VPS is ever resized, the swap file size should be re-evaluated.
311 | - The size of `/mnt/ramdisk` should be tuned on occasion.
312 | - MariaDB should be tuned on occasion.
313 | 


--------------------------------------------------------------------------------
/global/cloudflare.conf:
--------------------------------------------------------------------------------
 1 | ##
 2 | # CloudFlare RealIp
 3 | # cloudflare.com/ips/
 4 | ##
 5 | 
 6 | set_real_ip_from 103.21.244.0/22;
 7 | set_real_ip_from 103.22.200.0/22;
 8 | set_real_ip_from 103.31.4.0/22;
 9 | set_real_ip_from 104.16.0.0/12;
10 | set_real_ip_from 108.162.192.0/18;
11 | set_real_ip_from 131.0.72.0/22;
12 | set_real_ip_from 141.101.64.0/18;
13 | set_real_ip_from 162.158.0.0/15;
14 | set_real_ip_from 172.64.0.0/13;
15 | set_real_ip_from 173.245.48.0/20;
16 | set_real_ip_from 188.114.96.0/20;
17 | set_real_ip_from 190.93.240.0/20;
18 | set_real_ip_from 197.234.240.0/22;
19 | set_real_ip_from 198.41.128.0/17;
20 | set_real_ip_from 199.27.128.0/21;
21 | set_real_ip_from 2400:cb00::/32;
22 | set_real_ip_from 2606:4700::/32;
23 | set_real_ip_from 2803:f800::/32;
24 | set_real_ip_from 2405:b500::/32;
25 | set_real_ip_from 2405:8100::/32;
26 | 
27 | real_ip_header CF-Connecting-IP;
28 | 


--------------------------------------------------------------------------------
/global/common.conf:
--------------------------------------------------------------------------------
 1 | index index.php index.html index.htm;
 2 | 
 3 | ##
 4 | # App Association
 5 | ##
 6 | 
 7 | location = /.well-known/apple-app-site-association { return 404; }
 8 | location = /.well-known/assetlinks.json { return 404; }
 9 | 
10 | ##
11 | # Security
12 | ##
13 | 
14 | add_header X-Xss-Protection "1; mode=block" always;
15 | add_header X-Frame-Options SAMEORIGIN always;
16 | location ~ /\. { deny all; }
17 | include /etc/nginx/global/hackrepair.conf;
18 | 
19 | ##
20 | # HTTP Code
21 | ##
22 | 
23 | error_page 404 /404.html;
24 | error_page 500 502 503 504 /50x.html;
25 | location = /50x.html { root /usr/share/nginx/www; }
26 | 
27 | ##
28 | # Browser Cache
29 | ##
30 | 
31 | location ~* \.(?:manifest|appcache|html?|xml|json)$ { expires -1; }
32 | location ~* \.(?:rss|atom)$ { expires 1h; }
33 | location ~* \.(?:css|js)$ { expires max; }
34 | location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { expires max; }
35 | location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
36 |         expires max;
37 |         add_header Cache-Control "public";
38 | }
39 | 


--------------------------------------------------------------------------------
/global/hackrepair.conf:
--------------------------------------------------------------------------------
  1 | ##
  2 | # HackRepair.com Blacklist
  3 | # http://pastebin.com/u/hackrepair
  4 | ##
  5 | 
  6 | if ($http_user_agent ~* "^Mozilla.*Indy"){return 403;}
  7 | if ($http_user_agent ~* "^Mozilla.*NEWT"){return 403;}
  8 | if ($http_user_agent ~* "^$"){return 403;}
  9 | if ($http_user_agent ~* "^Maxthon$"){return 403;}
 10 | if ($http_user_agent ~* "^SeaMonkey$"){return 403;}
 11 | if ($http_user_agent ~* "^Acunetix"){return 403;}
 12 | if ($http_user_agent ~* "^binlar"){return 403;}
 13 | if ($http_user_agent ~* "^BlackWidow"){return 403;}
 14 | if ($http_user_agent ~* "^Bolt 0"){return 403;}
 15 | if ($http_user_agent ~* "^BOT for JCE"){return 403;}
 16 | if ($http_user_agent ~* "^Bot mailto\:craftbot@yahoo\.com"){return 403;}
 17 | if ($http_user_agent ~* "^casper"){return 403;}
 18 | if ($http_user_agent ~* "^checkprivacy"){return 403;}
 19 | if ($http_user_agent ~* "^ChinaClaw"){return 403;}
 20 | if ($http_user_agent ~* "^clshttp"){return 403;}
 21 | if ($http_user_agent ~* "^cmsworldmap"){return 403;}
 22 | if ($http_user_agent ~* "^comodo"){return 403;}
 23 | if ($http_user_agent ~* "^Custo"){return 403;}
 24 | if ($http_user_agent ~* "^Default Browser 0"){return 403;}
 25 | if ($http_user_agent ~* "^diavol"){return 403;}
 26 | if ($http_user_agent ~* "^DIIbot"){return 403;}
 27 | if ($http_user_agent ~* "^DISCo"){return 403;}
 28 | if ($http_user_agent ~* "^dotbot"){return 403;}
 29 | if ($http_user_agent ~* "^Download Demon"){return 403;}
 30 | if ($http_user_agent ~* "^eCatch"){return 403;}
 31 | if ($http_user_agent ~* "^EirGrabber"){return 403;}
 32 | if ($http_user_agent ~* "^EmailCollector"){return 403;}
 33 | if ($http_user_agent ~* "^EmailSiphon"){return 403;}
 34 | if ($http_user_agent ~* "^EmailWolf"){return 403;}
 35 | if ($http_user_agent ~* "^Express WebPictures"){return 403;}
 36 | if ($http_user_agent ~* "^extract"){return 403;}
 37 | if ($http_user_agent ~* "^ExtractorPro"){return 403;}
 38 | if ($http_user_agent ~* "^EyeNetIE"){return 403;}
 39 | if ($http_user_agent ~* "^feedfinder"){return 403;}
 40 | if ($http_user_agent ~* "^FHscan"){return 403;}
 41 | if ($http_user_agent ~* "^FlashGet"){return 403;}
 42 | if ($http_user_agent ~* "^flicky"){return 403;}
 43 | if ($http_user_agent ~* "^g00g1e"){return 403;}
 44 | if ($http_user_agent ~* "^GetRight"){return 403;}
 45 | if ($http_user_agent ~* "^GetWeb\!"){return 403;}
 46 | if ($http_user_agent ~* "^Go\!Zilla"){return 403;}
 47 | if ($http_user_agent ~* "^Go\-Ahead\-Got\-It"){return 403;}
 48 | if ($http_user_agent ~* "^grab"){return 403;}
 49 | if ($http_user_agent ~* "^GrabNet"){return 403;}
 50 | if ($http_user_agent ~* "^Grafula"){return 403;}
 51 | if ($http_user_agent ~* "^harvest"){return 403;}
 52 | if ($http_user_agent ~* "^HMView"){return 403;}
 53 | if ($http_user_agent ~* "^ia_archiver"){return 403;}
 54 | if ($http_user_agent ~* "^Image Stripper"){return 403;}
 55 | if ($http_user_agent ~* "^Image Sucker"){return 403;}
 56 | if ($http_user_agent ~* "^InterGET"){return 403;}
 57 | if ($http_user_agent ~* "^Internet Ninja"){return 403;}
 58 | if ($http_user_agent ~* "^InternetSeer\.com"){return 403;}
 59 | if ($http_user_agent ~* "^jakarta"){return 403;}
 60 | if ($http_user_agent ~* "^Java"){return 403;}
 61 | if ($http_user_agent ~* "^JetCar"){return 403;}
 62 | if ($http_user_agent ~* "^JOC Web Spider"){return 403;}
 63 | if ($http_user_agent ~* "^kanagawa"){return 403;}
 64 | if ($http_user_agent ~* "^kmccrew"){return 403;}
 65 | if ($http_user_agent ~* "^larbin"){return 403;}
 66 | if ($http_user_agent ~* "^LeechFTP"){return 403;}
 67 | if ($http_user_agent ~* "^libwww"){return 403;}
 68 | if ($http_user_agent ~* "^Mass Downloader"){return 403;}
 69 | if ($http_user_agent ~* "^microsoft\.url"){return 403;}
 70 | if ($http_user_agent ~* "^MIDown tool"){return 403;}
 71 | if ($http_user_agent ~* "^miner"){return 403;}
 72 | if ($http_user_agent ~* "^Mister PiX"){return 403;}
 73 | if ($http_user_agent ~* "^MSFrontPage"){return 403;}
 74 | if ($http_user_agent ~* "^Navroad"){return 403;}
 75 | if ($http_user_agent ~* "^NearSite"){return 403;}
 76 | if ($http_user_agent ~* "^Net Vampire"){return 403;}
 77 | if ($http_user_agent ~* "^NetAnts"){return 403;}
 78 | if ($http_user_agent ~* "^NetSpider"){return 403;}
 79 | if ($http_user_agent ~* "^NetZIP"){return 403;}
 80 | if ($http_user_agent ~* "^nutch"){return 403;}
 81 | if ($http_user_agent ~* "^Octopus"){return 403;}
 82 | if ($http_user_agent ~* "^Offline Explorer"){return 403;}
 83 | if ($http_user_agent ~* "^Offline Navigator"){return 403;}
 84 | if ($http_user_agent ~* "^PageGrabber"){return 403;}
 85 | if ($http_user_agent ~* "^Papa Foto"){return 403;}
 86 | if ($http_user_agent ~* "^pavuk"){return 403;}
 87 | if ($http_user_agent ~* "^pcBrowser"){return 403;}
 88 | if ($http_user_agent ~* "^PeoplePal"){return 403;}
 89 | if ($http_user_agent ~* "^planetwork"){return 403;}
 90 | if ($http_user_agent ~* "^psbot"){return 403;}
 91 | if ($http_user_agent ~* "^purebot"){return 403;}
 92 | if ($http_user_agent ~* "^pycurl"){return 403;}
 93 | if ($http_user_agent ~* "^RealDownload"){return 403;}
 94 | if ($http_user_agent ~* "^ReGet"){return 403;}
 95 | if ($http_user_agent ~* "^Rippers 0"){return 403;}
 96 | if ($http_user_agent ~* "^sitecheck\.internetseer\.com"){return 403;}
 97 | if ($http_user_agent ~* "^SiteSnagger"){return 403;}
 98 | if ($http_user_agent ~* "^skygrid"){return 403;}
 99 | if ($http_user_agent ~* "^SmartDownload"){return 403;}
100 | if ($http_user_agent ~* "^sucker"){return 403;}
101 | if ($http_user_agent ~* "^SuperBot"){return 403;}
102 | if ($http_user_agent ~* "^SuperHTTP"){return 403;}
103 | if ($http_user_agent ~* "^Surfbot"){return 403;}
104 | if ($http_user_agent ~* "^tAkeOut"){return 403;}
105 | if ($http_user_agent ~* "^Teleport Pro"){return 403;}
106 | if ($http_user_agent ~* "^Toata dragostea mea pentru diavola"){return 403;}
107 | if ($http_user_agent ~* "^turnit"){return 403;}
108 | if ($http_user_agent ~* "^vikspider"){return 403;}
109 | if ($http_user_agent ~* "^VoidEYE"){return 403;}
110 | if ($http_user_agent ~* "^Web Image Collector"){return 403;}
111 | if ($http_user_agent ~* "^Web Sucker"){return 403;}
112 | if ($http_user_agent ~* "^WebAuto"){return 403;}
113 | if ($http_user_agent ~* "^WebBandit"){return 403;}
114 | if ($http_user_agent ~* "^WebCopier"){return 403;}
115 | if ($http_user_agent ~* "^WebFetch"){return 403;}
116 | if ($http_user_agent ~* "^WebGo IS"){return 403;}
117 | if ($http_user_agent ~* "^WebLeacher"){return 403;}
118 | if ($http_user_agent ~* "^WebReaper"){return 403;}
119 | if ($http_user_agent ~* "^WebSauger"){return 403;}
120 | if ($http_user_agent ~* "^Website eXtractor"){return 403;}
121 | if ($http_user_agent ~* "^Website Quester"){return 403;}
122 | if ($http_user_agent ~* "^WebStripper"){return 403;}
123 | if ($http_user_agent ~* "^WebWhacker"){return 403;}
124 | if ($http_user_agent ~* "^WebZIP"){return 403;}
125 | if ($http_user_agent ~* "^Wget"){return 403;}
126 | if ($http_user_agent ~* "^Widow"){return 403;}
127 | if ($http_user_agent ~* "^WPScan"){return 403;}
128 | if ($http_user_agent ~* "^WWW\-Mechanize"){return 403;}
129 | if ($http_user_agent ~* "^WWWOFFLE"){return 403;}
130 | if ($http_user_agent ~* "^Xaldon WebSpider"){return 403;}
131 | if ($http_user_agent ~* "^Zeus"){return 403;}
132 | if ($http_user_agent ~* "^zmeu"){return 403;}
133 | if ($http_user_agent ~* "360Spider"){return 403;}
134 | if ($http_user_agent ~* "AhrefsBot"){return 403;}
135 | if ($http_user_agent ~* "CazoodleBot"){return 403;}
136 | if ($http_user_agent ~* "discobot"){return 403;}
137 | if ($http_user_agent ~* "EasouSpider"){return 403;}
138 | if ($http_user_agent ~* "ecxi"){return 403;}
139 | if ($http_user_agent ~* "GT\:\:WWW"){return 403;}
140 | if ($http_user_agent ~* "heritrix"){return 403;}
141 | if ($http_user_agent ~* "HTTP\:\:Lite"){return 403;}
142 | if ($http_user_agent ~* "HTTrack"){return 403;}
143 | if ($http_user_agent ~* "ia_archiver"){return 403;}
144 | if ($http_user_agent ~* "id\-search"){return 403;}
145 | if ($http_user_agent ~* "IDBot"){return 403;}
146 | if ($http_user_agent ~* "Indy Library"){return 403;}
147 | if ($http_user_agent ~* "IRLbot"){return 403;}
148 | if ($http_user_agent ~* "ISC Systems iRc Search 2\.1"){return 403;}
149 | if ($http_user_agent ~* "LinksCrawler"){return 403;}
150 | if ($http_user_agent ~* "LinksManager\.com_bot"){return 403;}
151 | if ($http_user_agent ~* "linkwalker"){return 403;}
152 | if ($http_user_agent ~* "lwp\-trivial"){return 403;}
153 | if ($http_user_agent ~* "MFC_Tear_Sample"){return 403;}
154 | if ($http_user_agent ~* "Microsoft URL Control"){return 403;}
155 | if ($http_user_agent ~* "Missigua Locator"){return 403;}
156 | if ($http_user_agent ~* "MJ12bot"){return 403;}
157 | if ($http_user_agent ~* "panscient\.com"){return 403;}
158 | if ($http_user_agent ~* "PECL\:\:HTTP"){return 403;}
159 | if ($http_user_agent ~* "PHPCrawl"){return 403;}
160 | if ($http_user_agent ~* "PleaseCrawl"){return 403;}
161 | if ($http_user_agent ~* "SBIder"){return 403;}
162 | if ($http_user_agent ~* "SearchmetricsBot"){return 403;}
163 | if ($http_user_agent ~* "SeznamBot"){return 403;}
164 | if ($http_user_agent ~* "Snoopy"){return 403;}
165 | if ($http_user_agent ~* "Steeler"){return 403;}
166 | if ($http_user_agent ~* "URI\:\:Fetch"){return 403;}
167 | if ($http_user_agent ~* "urllib"){return 403;}
168 | if ($http_user_agent ~* "Web Sucker"){return 403;}
169 | if ($http_user_agent ~* "webalta"){return 403;}
170 | if ($http_user_agent ~* "WebCollage"){return 403;}
171 | if ($http_user_agent ~* "Wells Search II"){return 403;}
172 | if ($http_user_agent ~* "WEP Search"){return 403;}
173 | if ($http_user_agent ~* "XoviBot"){return 403;}
174 | if ($http_user_agent ~* "YisouSpider"){return 403;}
175 | if ($http_user_agent ~* "zermelo"){return 403;}
176 | if ($http_user_agent ~* "ZyBorg"){return 403;}
177 | if ($http_referer ~* "^https?://(?:[^/]+\.)?semalt\.com"){return 403;}
178 | if ($http_referer ~* "^https?://(?:[^/]+\.)?kambasoft\.com"){return 403;}
179 | if ($http_referer ~* "^https?://(?:[^/]+\.)?savetubevideo\.com"){return 403;}
180 | 


--------------------------------------------------------------------------------
/global/wordpress.conf:
--------------------------------------------------------------------------------
 1 | ##
 2 | # NGINX FastCGI Cache
 3 | ##
 4 | 
 5 | set $no_cache 0;
 6 | if ($request_method = POST) { set $no_cache 1; }
 7 | if ($query_string != "") { set $no_cache 1; }
 8 | if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") { set $no_cache 1; }
 9 | if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $no_cache 1; }
10 | add_header X-Cache $upstream_cache_status;
11 | 
12 | ##
13 | # Basic
14 | ##
15 | 
16 | rewrite /wp-admin$ $scheme://$host$uri/ permanent;
17 | location / { try_files $uri $uri/ /index.php?$args; }
18 | location ~ [^/]\.(hh|php)(/|$) {
19 |     try_files $uri /index.php;
20 |     include fastcgi_params;
21 |     fastcgi_index index.php;
22 |     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
23 |     fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
24 |     fastcgi_cache_bypass $no_cache;
25 |     fastcgi_no_cache $no_cache;
26 |     fastcgi_cache FASTCGICACHE;
27 |     fastcgi_cache_valid 1y;
28 |     fastcgi_max_temp_file_size 1M;
29 |     fastcgi_cache_lock on;
30 |     fastcgi_cache_lock_timeout 5s;
31 | }
32 | 
33 | ##
34 | # Yoast SEO
35 | ##
36 | 
37 | rewrite ^/sitemap.xml$ /sitemap_index.xml permanent;
38 | rewrite ^/([a-z]+)?-?sitemap.xsl$ /index.php?xsl=$1 last;
39 | rewrite ^/sitemap_index.xml$ /index.php?sitemap=1 last;
40 | rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
41 | 
42 | ##
43 | # Security
44 | ##
45 | 
46 | location /wp-comments-post.php {
47 | 	limit_except POST { deny all; }
48 | 	if ($http_user_agent ~ "^$") { return 403; }
49 | 	valid_referers server_names jetpack.wordpress.com/jetpack-comment/;
50 | 	if ($invalid_referer) { return 403; }
51 | }
52 | location ~ xmlrpc.php { deny all; }
53 | location ~ wp-config.php { deny all; }
54 | location ~ readme.html { deny all; }
55 | location ~ readme.txt { deny all; }
56 | location ~ /install.php { deny all; }
57 | location ^wp-includes/(.*).php { deny all; }
58 | location ^/wp-admin/includes(.*)$ { deny all; }
59 | location ~* /(?:uploads|files|media)/.*\.php$ { deny all; }
60 | if ($request_method ~* "^(TRACE|DELETE|TRACK)") { return 403; }
61 | set $susquery 0;
62 | if ($args ~* "\.\./") { set $susquery 1; }
63 | if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
64 | if ($args ~* "etc/passwd") { set $susquery 1; }
65 | if ($args ~* "boot.ini") { set $susquery 1; }
66 | if ($args ~* "ftp:") { set $susquery 1; }
67 | if ($args ~* "http:") { set $susquery 1; }
68 | if ($args ~* "https:") { set $susquery 1; }
69 | if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
70 | if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
71 | if ($args ~* "base64_encode") { set $susquery 1; }
72 | if ($args ~* "(%24&x)") { set $susquery 1; }
73 | if ($args ~* "(127.0)") { set $susquery 1; }
74 | if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
75 | if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
76 | if ($args !~ "^loggedout=true") { set $susquery 0; }
77 | if ($args !~ "^action=jetpack-sso") { set $susquery 0; }
78 | if ($args !~ "^action=rp") { set $susquery 0; }
79 | if ($http_cookie !~ "^.*wordpress_logged_in_.*$") { set $susquery 0; }
80 | if ($http_referer !~ "^http://maps.googleapis.com(.*)$") { set $susquery 0; }
81 | if ($susquery = 1) { return 403; } 
82 | if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { return 403; }
83 | 


--------------------------------------------------------------------------------
/nginx.conf:
--------------------------------------------------------------------------------
  1 | user www-data;
  2 | worker_processes auto;
  3 | pid /run/nginx.pid;
  4 | 
  5 | events {
  6 | 	worker_connections 1024;
  7 | 	use epoll;
  8 | 	multi_accept on;
  9 | }
 10 | 
 11 | http {
 12 | 	##
 13 | 	# Basic
 14 | 	##
 15 | 
 16 | 	sendfile on;
 17 | 	tcp_nopush on;
 18 | 	tcp_nodelay on;
 19 | 	keepalive_timeout 65;
 20 | 	types_hash_max_size 2048;
 21 | 	client_max_body_size 8m;
 22 | 	server_tokens off;
 23 | 	default_type application/octet-stream;
 24 | 	include mime.types;
 25 | 	charset_types
 26 | 		text/css
 27 | 		text/plain
 28 | 		text/vnd.wap.wml
 29 | 		application/javascript
 30 | 		application/json
 31 | 		application/rss+xml
 32 | 		application/xml;
 33 | 
 34 |         ##
 35 |         # SSL
 36 |         # mozilla.github.io/server-side-tls/ssl-config-generator/
 37 |         ##
 38 | 
 39 | 	ssl_session_timeout 1d;
 40 | 	ssl_session_cache shared:SSL:50m;
 41 | 	ssl_session_tickets off;
 42 | 	ssl_dhparam /etc/nginx/cert/dhparam.pem;
 43 | 	ssl_protocols TLSv1.2;
 44 | 	ssl_prefer_server_ciphers on;
 45 | 	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 46 | 	add_header Strict-Transport-Security max-age=15768000 always;
 47 | 	#ssl_stapling on;
 48 | 	#ssl_stapling_verify on;
 49 | 	#resolver 8.8.8.8
 50 | 
 51 | 	##
 52 | 	# Log
 53 | 	##
 54 | 
 55 | 	log_format main
 56 | 		'$remote_addr - $remote_user - $upstream_cache_status [$time_local] '
 57 | 		'"$request" $status $body_bytes_sent "$http_referer" '
 58 | 		'"$http_user_agent" "$http_x_forwarded_for"';
 59 | 	access_log off;
 60 |         #access_log /var/log/nginx/access.log main;
 61 |         error_log /var/log/nginx/error.log warn;
 62 | 	log_not_found off;
 63 | 
 64 | 	##
 65 | 	# gzip
 66 | 	##
 67 | 
 68 | 	gzip on;
 69 | 	gzip_disable "msie6";
 70 | 	gzip_vary on;
 71 | 	gzip_proxied any;
 72 | 	gzip_comp_level 5;
 73 | 	gzip_min_length 256;
 74 | 	gzip_types
 75 | 		application/atom+xml
 76 | 		application/javascript
 77 | 		application/json
 78 | 		application/ld+json
 79 | 		application/manifest+json
 80 | 		application/rss+xml
 81 | 		application/vnd.geo+json
 82 | 		application/vnd.ms-fontobject
 83 | 		application/x-font-ttf
 84 | 		application/x-web-app-manifest+json
 85 | 		application/xhtml+xml
 86 | 		application/xml
 87 | 		font/opentype
 88 | 		image/bmp
 89 | 		image/svg+xml
 90 | 		image/x-icon
 91 | 		text/cache-manifest
 92 | 		text/css
 93 | 		text/plain
 94 | 		text/vcard
 95 | 		text/vnd.rim.location.xloc
 96 | 		text/vtt
 97 | 		text/x-component
 98 | 		text/x-cross-domain-policy;
 99 | 
100 | 	##
101 | 	# NGINX FastCGI Cache
102 | 	##
103 | 
104 | 	fastcgi_cache_path /mnt/ramdisk/nginx-cache levels=1:2 keys_zone=FASTCGICACHE:8m max_size=32m inactive=1y;
105 | 	fastcgi_cache_key "$scheme$request_method$host$request_uri";
106 | 	fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
107 | 	fastcgi_cache_use_stale updating error timeout invalid_header http_500;
108 | 
109 | 	##
110 | 	# CloudFlare RealIp
111 | 	# (For sites behind CloudFlare's proxy)
112 | 	##
113 | 
114 | 	#include /etc/nginx/global/cloudflare.conf;
115 | 
116 | 	##
117 | 	# Virtual Host
118 | 	##
119 | 
120 | 	include /etc/nginx/conf.d/*.conf;
121 | 	include /etc/nginx/sites-enabled/*;
122 | }
123 | 


--------------------------------------------------------------------------------
/ramdisk:
--------------------------------------------------------------------------------
 1 |  #! /bin/sh 
 2 |  # /etc/init.d/ramdisk
 3 |  #
 4 | 
 5 |  case "$1" in
 6 |    start)
 7 |      echo "Copying files to ramdisk"
 8 |      rsync -av /var/ramdisk-backup/ /mnt/ramdisk/
 9 |      #echo [`date +"%Y-%m-%d %H:%M"`] Ramdisk Synched from HD >> /var/log/ramdisk_sync.log
10 |      ;;
11 |    sync)
12 |      echo "Synching files from ramdisk to Harddisk"
13 |      rsync -av --delete --recursive --force /mnt/ramdisk/ /var/ramdisk-backup/
14 |      #echo [`date +"%Y-%m-%d %H:%M"`] Ramdisk Synched to HD >> /var/log/ramdisk_sync.log
15 |      ;;
16 |    stop)
17 |      echo "Synching logfiles from ramdisk to Harddisk"
18 |      rsync -av --delete --recursive --force /mnt/ramdisk/ /var/ramdisk-backup/
19 |      #echo [`date +"%Y-%m-%d %H:%M"`] Ramdisk Synched to HD >> /var/log/ramdisk_sync.log
20 |      ;;
21 |    *)
22 |      echo "Usage: /etc/init.d/ramdisk {start|stop|sync}"
23 |      exit 1
24 |      ;;
25 |  esac
26 | 
27 |  exit 0
28 | 


--------------------------------------------------------------------------------
/sites-available/example:
--------------------------------------------------------------------------------
 1 | # redirect to https
 2 | server {
 3 |         listen 80 default_server;
 4 |         #listen 80;
 5 |         listen [::]:80 default_server;
 6 |         #listen [::]:80;
 7 |         server_name www.example.com example.com;
 8 |         return 301 https://example.com$request_uri;
 9 | }
10 | 
11 | # redirect to non-www
12 | server {
13 |         listen 443 ssl http2;
14 |         listen [::]:443 ssl http2;
15 |         server_name www.example.com;
16 |         ssl_certificate_key /etc/nginx/cert/example_key.pem;
17 |         ssl_certificate /etc/nginx/cert/example_cert.pem;
18 |         #ssl_trusted_certificate /etc/nginx/cert/example_fullchain.pem;
19 |         #ssl_client_certificate /etc/nginx/cert/cloudflare.crt;
20 |         #ssl_verify_client on;
21 |         return 301 https://example.com$request_uri;
22 | }
23 | 
24 | # example.com server block
25 | server {
26 |         listen 443 default_server ssl http2;
27 |         #listen 443 ssl http2;
28 |         listen [::]:443 default_server ssl http2;
29 |         #listen [::]:443 ssl http2;
30 |         server_name example.com;
31 |         root /var/www/example;
32 |         include global/common.conf;
33 |         include global/wordpress.conf;
34 |         #add_header Content-Security-Policy "default-src 'self';" always;
35 |         ssl_certificate_key /etc/nginx/cert/example_key.pem;
36 |         ssl_certificate /etc/nginx/cert/example_cert.pem;
37 |         #ssl_trusted_certificate /etc/nginx/cert/example_fullchain.pem;
38 |         #ssl_client_certificate /etc/nginx/cert/cloudflare.crt;
39 |         #ssl_verify_client on;
40 | }
41 | 


--------------------------------------------------------------------------------