How to add an SSL certificate to Salty WordPress
##
# Step 5
#
# Now all you need to do is provision your Salty WordPress box.
##
# Restart the VM and force the provisioners to run again so that the edited
# nginx.conf and the new certificate/key are picked up.
# If HTTPS does not come up afterwards, `vagrant ssh` into the box and run
# `sudo nginx -t` to see whether nginx rejected the configuration.
vagrant reload --provision
##
# Step 4
#
# Using your terminal navigate to the `Salty-WordPress` directory on your computer.
#
# Run the following commands, remembering to replace `example.dev` with your real domain
# name.
##
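# Generate a 2048-bit RSA private key. The umask is tightened in a subshell so
# the key file is created readable by its owner only.
# NOTE: this directory is shared into the VM as /vagrant and is normally a git
# checkout; never commit the .key file or reuse it outside local development.
(umask 077 && openssl genrsa -out example.dev.key 2048)
# Self-signed certificate for local development only; browsers will warn until
# it is explicitly trusted. Current clients match the host name against
# subjectAltName rather than CN, so the name is set in both places.
# -addext needs OpenSSL 1.1.1 or newer (some LibreSSL builds lack it); on older
# tools supply the subjectAltName through an OpenSSL config file instead.
openssl req -new -x509 -sha256 -key example.dev.key -out example.dev.cert -days 3650 -subj /CN=example.dev -addext "subjectAltName=DNS:example.dev"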
##
# Step 3
#
# Make a copy of the server block, and paste it above it. Change the line `listen 80;`
# to the following:
#
# listen 443 ssl;
# server_name example.dev;
# ssl_certificate /vagrant/example.dev.cert;
# ssl_certificate_key /vagrant/example.dev.key;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers HIGH:!aNULL:!MD5;
#
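# Remember to replace `example.dev` with your real domain name.
#
# Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996). They are listed here as in
# the original instructions; for anything beyond a throwaway local box, list
# only TLSv1.2 (and TLSv1.3 where your nginx supports it).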
##
# Jinja conditional rendered by Salt: the nginx worker user is `vagrant` when
# the `user` grain says so, otherwise `www-data`.
{% if grains['user'] == 'vagrant' %}
user vagrant;
{% else %}
user www-data;
{% endif %}
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
# Everything from here to the matching closing brace is the http context; the
# server blocks pasted in during Steps 2 and 3 come first.
http {
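# HTTPS copy of the port-80 server block, using the self-signed key pair
# generated in Step 4 (local development only).
server {
    listen 443 ssl;
    # NOTE(review): if this is the only server listening on 443 it is also the
    # default for that port, so requests for other host names are answered
    # here too and will see a certificate-name mismatch.
    server_name example.dev;
    ssl_certificate /vagrant/example.dev.cert;
    # The key is read from the Vagrant shared folder; keep it out of version control.
    ssl_certificate_key /vagrant/example.dev.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
    # Append TLSv1.3 when the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # $host comes from the request (client-controlled). It only ends up in the
    # document root if a directory of that name exists; otherwise the fallback
    # to 'default' below applies.
    set $root $host;

    # for subdomains we want the document root to be the root domain only (e.g. notify.hmn.md > hmn.md)
    # but only if the subdomain isn't also a folder in the server root
    # Since we can't do nested ifs in nginx, this is a bit complicated:
    # $strip_sub is built up as a string and only the value "11" (directory
    # missing AND host matches the subdomain pattern) triggers the swap.
    set $strip_sub 0;
    set $new_domain 0;
    if ( !-d /srv/www/$root ) {
        set $strip_sub 1;
    }
    # The named capture overwrites $new_domain with the parent domain.
    if ( $host ~* "(.+)\.(?<new_domain>(.+)\.([a-z]+|co\.uk))$" ) {
        set $strip_sub "${strip_sub}1";
    }
    if ( $strip_sub = 11 ) {
        set $root $new_domain;
    }
    # end subdomain stripping

    client_max_body_size 50M;

    # No directory for this host (or its parent domain): serve the default site.
    if ( !-d /srv/www/$root ) {
        set $root 'default';
    }

    # For WordPress develop.
    if ( -d /srv/www/$root/src ) {
        set $root $root/src;
    }

    include /srv/vhosts/nginx-additions*.conf;

    root /srv/www/$root;
    index index.php index.html;

    # rewrite for multiple sub-domain sets
    if ( -d /srv/www/$root/wordpress ) {
        rewrite ^(/wp-(admin|includes)/(.*))$ /wordpress$1 last;
        rewrite ^(/wp-[^/]*\.php)$ /wordpress$1 last;
    }

    # rewrite for multisite in subdirs, e.g. example.com/subsite1/
    # if the file doesn't exist for wp-admin/* or wp-*.php, try looking in the parent dir
    if ( !-e $request_filename ) {
        rewrite /wp-admin$ $scheme://$host$uri/ permanent;
        rewrite ^(/[^/]+)?(/wp-.*) /wordpress$2 last;
        rewrite ^(/[^/]+)?(/.*\.php) /wordpress$2 last;
    }

    # wordpress multisite files handler (this is technically legacy but
    # still used on a lot of multisite installs)
    location ~ ^(/[^/]+/)?files/(.+) {
        try_files $uri /wp-includes/ms-files.php?file=$2 ;
        access_log off; log_not_found off; expires max;
    }

    # Block all web requests to hidden directories
    location ~ /\. {
        deny all;
    }

    # Block access to build scripts.
    # `return` is evaluated in the rewrite phase, before access rules, so the
    # `deny all;` that used to sit next to it never took effect; the response
    # was and remains a 404.
    location ~* /(Gruntfile\.js|package\.json|node_modules) {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        # Only hand the request to PHP when the URI maps to an existing file,
        # so the choice of script does not depend solely on php.ini settings.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_index index.php;
        include fastcgi_params;
        # Set server name. This mirrors the client-supplied host name, so PHP
        # code should not treat SERVER_NAME as a trusted value.
        fastcgi_param SERVER_NAME $host;
    }
}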
# Plain-HTTP server: no server_name is set, and the document root is derived
# from the requested host name below. Traffic on this port is unencrypted.
server {
listen 80;
# $host comes from the request (client-controlled). It only ends up in the
# document root if a directory of that name exists; otherwise the fallback to
# 'default' below applies.
set $root $host;
# for subdomains we want the document root to be the root domain only (e.g. notify.hmn.md > hmn.md)
# but only if the subdomain isn't also a folder in the server root
# Since we can't do nested ifs in nginx, this is a bit complicated:
# $strip_sub is built up as a string and only the value "11" (directory
# missing AND host matches the subdomain pattern) triggers the swap.
set $strip_sub 0;
set $new_domain 0;
if ( !-d /srv/www/$root ) {
set $strip_sub 1;
}
# The named capture overwrites $new_domain with the parent domain.
if ( $host ~* "(.+)\.(?<new_domain>(.+)\.([a-z]+|co\.uk))$" ) {
set $strip_sub "${strip_sub}1";
}
if ( $strip_sub = 11 ) {
set $root $new_domain;
}
# end subdomain stripping
client_max_body_size 50M;
# No directory for this host (or its parent domain): serve the default site.
if ( !-d /srv/www/$root ) {
set $root 'default';
}
# For WordPress develop.
if ( -d /srv/www/$root/src ) {
set $root $root/src;
}
include /srv/vhosts/nginx-additions*.conf;
root /srv/www/$root;
index index.php index.html;
# rewrite for multiple sub-domain sets
if ( -d /srv/www/$root/wordpress ) {
rewrite ^(/wp-(admin|includes)/(.*))$ /wordpress$1 last;
rewrite ^(/wp-[^/]*\.php)$ /wordpress$1 last;
}
# rewrite for multisite in subdirs, e.g. example.com/subsite1/
# if the file doesn't exist for wp-admin/* or wp-*.php, try looking in the parent dir
if ( !-e $request_filename ) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^(/[^/]+)?(/wp-.*) /wordpress$2 last;
rewrite ^(/[^/]+)?(/.*\.php) /wordpress$2 last;
}
# wordpress multisite files handler (this is technically legacy but
# still used on a lot of multisite installs)
location ~ ^(/[^/]+/)?files/(.+) {
try_files $uri /wp-includes/ms-files.php?file=$2 ;
access_log off; log_not_found off; expires max;
}
# Block all web requests to hidden directories
location ~ /\. {
deny all;
}
# Block access to build scripts.
# NOTE(review): `return` is evaluated in the rewrite phase, before access
# rules, so the response is the 404 and `deny all;` never takes effect here.
location ~* /(Gruntfile\.js|package\.json|node_modules) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# NOTE(review): there is no file-existence check (e.g. `try_files $uri =404;`)
# before the request is handed to PHP, so which file runs is decided by PHP's
# own path resolution; keep the php.ini setting mentioned below in place.
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# With php5-cgi alone:
fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_index index.php;
include fastcgi_params;
# Set server name. This mirrors the client-supplied host name, so PHP code
# should not treat SERVER_NAME as a trusted value.
fastcgi_param SERVER_NAME $host;
}
}
##
# Basic Settings
##
# sendfile doesn't work well on vagrant - caching side effects
sendfile off;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Left commented out, so nginx keeps advertising its version in the Server
# header and on error pages; enable `server_tokens off;` outside local dev.
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# Hand-assembled JSON access-log line; `project` and `role` are filled in from
# Salt grains when the template is rendered.
# NOTE(review): $request, $uri, $host, $remote_user, $http_referer and
# $http_user_agent are client-controlled. nginx's default log escaping writes
# special characters as \xXX, which is not valid JSON, so a crafted header can
# produce lines the log pipeline fails to parse. On nginx 1.11.8 or newer,
# `log_format logstash_json escape=json ...` addresses this.
log_format logstash_json '{ "@timestamp": "$time_iso8601",'
'"project": "{{ grains['project'] }}",'
'"role": "{{ grains['role'] }}",'
'"domain": "$host",'
'"url": "$uri",'
'"client": "$remote_addr",'
'"user": "$remote_user",'
'"size": $body_bytes_sent,'
'"responsetime": $request_time,'
'"status": "$status",'
'"request": "$request",'
'"method": "$request_method",'
'"http_referrer": "$http_referer",'
'"http_user_agent": "$http_user_agent"'
'}';
# Second access log, written in the JSON format defined above.
access_log /var/log/nginx/access.json logstash_json;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
##
# Step 2
#
# In that same folder there is also a file called `default`. Copy the contents of
# that file (the `server` block) into the `http` block of this file.
#
# Make sure that after the line `listen 80` you remove the bit of text that says
# `default_server`;
##
# Jinja conditional rendered by Salt: the nginx worker user is `vagrant` when
# the `user` grain says so, otherwise `www-data`.
{% if grains['user'] == 'vagrant' %}
user vagrant;
{% else %}
user www-data;
{% endif %}
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
# Everything from here to the matching closing brace is the http context; the
# server block copied in from the `default` file comes first.
http {
# Plain-HTTP server copied from the `default` file: no server_name is set, and
# the document root is derived from the requested host name below.
server {
listen 80;
# $host comes from the request (client-controlled). It only ends up in the
# document root if a directory of that name exists; otherwise the fallback to
# 'default' below applies.
set $root $host;
# for subdomains we want the document root to be the root domain only (e.g. notify.hmn.md > hmn.md)
# but only if the subdomain isn't also a folder in the server root
# Since we can't do nested ifs in nginx, this is a bit complicated:
# $strip_sub is built up as a string and only the value "11" (directory
# missing AND host matches the subdomain pattern) triggers the swap.
set $strip_sub 0;
set $new_domain 0;
if ( !-d /srv/www/$root ) {
set $strip_sub 1;
}
# The named capture overwrites $new_domain with the parent domain.
if ( $host ~* "(.+)\.(?<new_domain>(.+)\.([a-z]+|co\.uk))$" ) {
set $strip_sub "${strip_sub}1";
}
if ( $strip_sub = 11 ) {
set $root $new_domain;
}
# end subdomain stripping
client_max_body_size 50M;
# No directory for this host (or its parent domain): serve the default site.
if ( !-d /srv/www/$root ) {
set $root 'default';
}
# For WordPress develop.
if ( -d /srv/www/$root/src ) {
set $root $root/src;
}
include /srv/vhosts/nginx-additions*.conf;
root /srv/www/$root;
index index.php index.html;
# rewrite for multiple sub-domain sets
if ( -d /srv/www/$root/wordpress ) {
rewrite ^(/wp-(admin|includes)/(.*))$ /wordpress$1 last;
rewrite ^(/wp-[^/]*\.php)$ /wordpress$1 last;
}
# rewrite for multisite in subdirs, e.g. example.com/subsite1/
# if the file doesn't exist for wp-admin/* or wp-*.php, try looking in the parent dir
if ( !-e $request_filename ) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^(/[^/]+)?(/wp-.*) /wordpress$2 last;
rewrite ^(/[^/]+)?(/.*\.php) /wordpress$2 last;
}
# wordpress multisite files handler (this is technically legacy but
# still used on a lot of multisite installs)
location ~ ^(/[^/]+/)?files/(.+) {
try_files $uri /wp-includes/ms-files.php?file=$2 ;
access_log off; log_not_found off; expires max;
}
# Block all web requests to hidden directories
location ~ /\. {
deny all;
}
# Block access to build scripts.
# NOTE(review): `return` is evaluated in the rewrite phase, before access
# rules, so the response is the 404 and `deny all;` never takes effect here.
location ~* /(Gruntfile\.js|package\.json|node_modules) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# NOTE(review): there is no file-existence check (e.g. `try_files $uri =404;`)
# before the request is handed to PHP, so which file runs is decided by PHP's
# own path resolution; keep the php.ini setting mentioned below in place.
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# With php5-cgi alone:
fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_index index.php;
include fastcgi_params;
# Set server name. This mirrors the client-supplied host name, so PHP code
# should not treat SERVER_NAME as a trusted value.
fastcgi_param SERVER_NAME $host;
}
}
##
# Basic Settings
##
# sendfile doesn't work well on vagrant - caching side effects
sendfile off;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Left commented out, so nginx keeps advertising its version in the Server
# header and on error pages; enable `server_tokens off;` outside local dev.
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# Hand-assembled JSON access-log line; `project` and `role` are filled in from
# Salt grains when the template is rendered.
# NOTE(review): $request, $uri, $host, $remote_user, $http_referer and
# $http_user_agent are client-controlled. nginx's default log escaping writes
# special characters as \xXX, which is not valid JSON, so a crafted header can
# produce lines the log pipeline fails to parse. On nginx 1.11.8 or newer,
# `log_format logstash_json escape=json ...` addresses this.
log_format logstash_json '{ "@timestamp": "$time_iso8601",'
'"project": "{{ grains['project'] }}",'
'"role": "{{ grains['role'] }}",'
'"domain": "$host",'
'"url": "$uri",'
'"client": "$remote_addr",'
'"user": "$remote_user",'
'"size": $body_bytes_sent,'
'"responsetime": $request_time,'
'"status": "$status",'
'"request": "$request",'
'"method": "$request_method",'
'"http_referrer": "$http_referer",'
'"http_user_agent": "$http_user_agent"'
'}';
# Second access log, written in the JSON format defined above.
access_log /var/log/nginx/access.json logstash_json;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
##
# Step 1
#
# Inside the Salty-WordPress folder that you have gotten from the Human Made
# repo (https://github.com/humanmade/Salty-WordPress), you will find the file
# /config/salt/config/nginx/nginx.conf
#
# That file looks something like this.
##
# Salt-managed nginx.conf template as shipped, before any server block is
# pasted into the http context.
# Jinja conditional rendered by Salt: the nginx worker user is `vagrant` when
# the `user` grain says so, otherwise `www-data`.
{% if grains['user'] == 'vagrant' %}
user vagrant;
{% else %}
user www-data;
{% endif %}
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
# sendfile doesn't work well on vagrant - caching side effects
sendfile off;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Left commented out, so nginx keeps advertising its version in the Server
# header and on error pages; enable `server_tokens off;` outside local dev.
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# Hand-assembled JSON access-log line; `project` and `role` are filled in from
# Salt grains when the template is rendered.
# NOTE(review): $request, $uri, $host, $remote_user, $http_referer and
# $http_user_agent are client-controlled. nginx's default log escaping writes
# special characters as \xXX, which is not valid JSON, so a crafted header can
# produce lines the log pipeline fails to parse. On nginx 1.11.8 or newer,
# `log_format logstash_json escape=json ...` addresses this.
log_format logstash_json '{ "@timestamp": "$time_iso8601",'
'"project": "{{ grains['project'] }}",'
'"role": "{{ grains['role'] }}",'
'"domain": "$host",'
'"url": "$uri",'
'"client": "$remote_addr",'
'"user": "$remote_user",'
'"size": $body_bytes_sent,'
'"responsetime": $request_time,'
'"status": "$status",'
'"request": "$request",'
'"method": "$request_method",'
'"http_referrer": "$http_referer",'
'"http_user_agent": "$http_user_agent"'
'}';
# Second access log, written in the JSON format defined above.
access_log /var/log/nginx/access.json logstash_json;
# Site definitions are pulled in from these directories.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}