
Codeable.io Nginx config


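server {
  include /home/webmaster/www/codeable.io.conf;

  server_name codeable.io;
  # NOTE: the spdy module was superseded by http2 in nginx 1.9.5; on a build
  # without spdy replace "spdy" with "http2" here and drop the spdy_* lines.
  listen 443 ssl spdy default_server;

  root /home/webmaster/www/codeable.io;
  index index.php index.html;

  error_log /var/log/nginx/codeable.io.error.log warn;

  ###################################################################################################
  # SSL configuration
  #
  ssl_certificate     /home/webmaster/certs/codeable.io.crt;
  ssl_certificate_key /home/webmaster/certs/codeable.io.key;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
  # Add TLSv1.3 once the build links against OpenSSL 1.1.1 or newer.
  ssl_protocols       TLSv1.2;
  # Forward-secret AEAD suites only. The earlier list ended in "AES:CAMELLIA:DES-CBC3-SHA",
  # which admitted static-RSA key exchange, CBC/SHA-1 suites and 3DES; none of those remain.
  # Suite names the linked OpenSSL does not know (the CHACHA20 ones on 1.0.x) are ignored.
  ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
  ssl_prefer_server_ciphers  on;
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout  24h;
  # Session tickets are protected by a key that only rotates on restart, which
  # weakens forward secrecy for the lifetime of the process; resumption uses
  # the shared cache above instead.
  ssl_session_tickets off;
  # Parameters for the DHE suites; generate with at least 2048 bits.
  ssl_dhparam /home/webmaster/certs/dhparam.pem;

  ###################################################################################################
  # Spdy configuration
  #
  spdy_keepalive_timeout 300;
  spdy_headers_comp 6;

  # Obsolete SPDY advertisement; harmless, but current browsers ignore it.
  add_header Alternate-Protocol  443:npn-spdy/3;
  # HSTS for one year. "always" (nginx 1.7.5+) emits it on error responses too.
  # Any location below that has its own add_header replaces this inherited
  # set, so the header is repeated in each of those locations.
  add_header Strict-Transport-Security "max-age=31536000" always;

  ###################################################################################################
  # SSL stapling config (checking cert validity)
  #
  # Stapling is best-effort: if the OCSP fetch or its verification fails nginx
  # simply sends no staple and the handshake still succeeds.
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /home/webmaster/certs/rapidssl.pem;
  # OCSP lookups go to public resolvers over plain UDP; point this at a local
  # resolver if that is not acceptable.
  resolver 8.8.8.8 8.8.4.4;


  set $rocket_debug 0;        # Add debug information into header

  ###################################################################################################
  # Do not alter theses values
  #
  set $rocket_bypass 1;       # Should NGINX bypass WordPress and call cache file directly ?
  set $rocket_encryption "";      # Is GZIP accepted by client ?
  set $rocket_file "";        # Filename to use
  set $rocket_is_bypassed "No";     # Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Bypass
  set $rocket_reason "";        # Reason why cache file was not used. If cache file is used, what file was used


  ###################################################################################################
  # GZIP
  #
  # Compressing dynamic HTML that reflects request data next to secrets (e.g.
  # nonces) is the BREACH precondition; the PHP location below leaves gzip on.
  # Consider "gzip off" there if the application does not mitigate this itself.
  gzip on;
  gzip_buffers 16 8k;
  gzip_comp_level 9;
  gzip_http_version 1.0;
  gzip_min_length 0;
  gzip_types text/plain text/css image/x-icon image/svg+xml image/png image/jpg image/jpeg text/js text/php application/javascript application/x-javascript;
  gzip_vary on;
  gzip_proxied expired no-cache no-store private auth;
  gzip_disable "MSIE [1-6]\.";


  ###################################################################################################
  # PAGE CACHE
  #

  # Is GZIP accepted by client ?
  if ($http_accept_encoding ~ gzip) {
    set $rocket_encryption _gzip;
  }

  # File/URL to return IF we must bypass WordPress.
  # $http_host is the raw Host header and, since this is the default_server,
  # is not guaranteed to be codeable.io; it only selects a cache subdirectory,
  # so an unexpected Host simply misses the cache and falls through to PHP.
  set $rocket_url "/assets/cache/wp-rocket/$http_host/$request_uri/index.html$rocket_encryption";
  set $rocket_file "$document_root$rocket_url";


  # Do not bypass if it's a POST request
  if ($request_method = POST) {
    set $rocket_bypass 0;
    set $rocket_reason "POST request";
  }

  # Do not bypass if arguments are found (e.g. ?page=2)
  if ($args != "") {
    set $rocket_bypass 0;
    set $rocket_reason "Arguments found";
  }

  # Do not bypass if the site is in maintenance mode
  if (-f "$document_root/.maintenance") {
    set $rocket_bypass 0;
    set $rocket_reason "Maintenance mode";
  }

  # Do not bypass if one of those cookie if found
  # wordpress_logged_in_[hash] : When a user is logged in, this cookie is created (we'd rather let WP-Rocket handle that)
  # wp-postpass_[hash] : When a protected pass requires a password, this cookie is created.
  if ($http_cookie ~* "(wordpress_logged_in_|wp\-postpass_)") {
    set $rocket_bypass 0;
    set $rocket_reason "Cookie";
  }

  # Do not bypass if the cached file does not exist
  if (!-f "$rocket_file") {
    set $rocket_bypass 0;
    set $rocket_reason "File not cached";
  }

  # If the bypass token is still on, let's bypass WordPress with the cached URL
  if ($rocket_bypass = 1) {
    set $rocket_is_bypassed "Yes";
    set $rocket_reason "$rocket_url";
  }

  # Clear variables if debug is not needed
  if ($rocket_debug = 0) {
    set $rocket_is_bypassed "";
    set $rocket_reason "";
  }

  # If the bypass token is still on, rewrite according to the file linked to the request
  if ($rocket_bypass = 1) {
    rewrite .* "$rocket_url" last;
  }

  ###################################################################################################
  # Hardening. Regex locations match in order, so these sit before the PHP
  # handler: nothing with a PHP extension is executed out of the writable
  # upload/cache trees (adjust if the uploads directory is relocated), and
  # dot-files are never served except ACME challenges under /.well-known/.
  #
  location ~* ^/(?:wp-content/uploads|assets/cache)/.*\.(?:hh|php)$ {
    deny all;
  }

  location ~ /\.(?!well-known/) {
    deny all;
  }

  # Add header to HTML cached files
  location ~ /assets/cache/wp-rocket/.*html$ {
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Vary "Accept-Encoding, Cookie";
    add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
    add_header X-Rocket-Nginx-Reason $rocket_reason;
    expires 1h;
  }

  # Do not gzip cached files that are already gzipped
  location ~ /assets/cache/wp-rocket/.*_gzip$ {
    gzip off;
    types {}
    default_type text/html;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Content-Encoding gzip;
    add_header Vary "Accept-Encoding, Cookie";
    add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
    add_header X-Rocket-Nginx-Reason $rocket_reason;
    # expires 30d;
    expires 1h;
  }

  rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
  rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  ###################################################################################################
  # Asset (CSS, JS, IMG) cache
  #
  location ~* \.(?:rss|atom)$ {
    expires 1h;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Cache-Control "public";
  }

  location ~* \.(eot|ttf|woff|woff2)$ {
    expires 1M;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Access-Control-Allow-Origin *;
  }

  location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    expires 1M;
    access_log off;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Cache-Control "public";
  }

  location ~* \.(?:css|js)$ {
    expires 1y;
    access_log off;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Cache-Control "public";
  }


  ###################################################################################################
  # When dealing with plugins, php-fpm should be used, HHVM does not support SFTP
  #

  # "\." escaped: the previous "(update|plugins).php" let the dot match any byte.
  location ~ /wp-admin/(update|plugins)\.php {
    try_files $uri /index.php;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
  }

  location = /wp-login.php {
    # Rate limiting so that brute force is prevented.
    # The "one" zone must be declared with limit_req_zone in the http context
    # (not visible in this file; presumably nginx.conf or the include above).
    limit_req zone=one burst=1 nodelay;

    # try_files $uri /index.php;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
  }

  location ~ \.(hh|php)$ {
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Rocket-Nginx-Reason "Processing PHP";
    # Fall back to php-fpm when HHVM answers 502. This needs the fastcgi_*
    # form: proxy_intercept_errors only applies to proxy_pass, so the
    # previous setting never intercepted a 502 produced by HHVM itself.
    fastcgi_intercept_errors on;
    error_page 502 = @fpm;

    # try_files $uri requires the script to exist on disk before anything is
    # handed to the backend.
    try_files $uri /index.php;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
    # fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
  }

  # php-fpm fallback target for error_page above (no add_header here, so the
  # server-level headers are inherited).
  location @fpm {
    try_files $uri /index.php;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
  }
}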

###################################################################################################
# Other domain options
#
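server {
  # The socket is TLS because the default_server enables it, but this host had
  # no certificate of its own; when SNI selects www.codeable.io nginx has
  # nothing to present (older versions log "no ssl_certificate is defined in
  # server listening on SSL port") and the redirect never happens.
  # The certificate must list www.codeable.io as a SAN.
  listen       443 ssl;
  server_name  www.codeable.io;
  ssl_certificate     /home/webmaster/certs/codeable.io.crt;
  ssl_certificate_key /home/webmaster/certs/codeable.io.key;
  # Keep identical to the default server's value.
  ssl_protocols       TLSv1.2;
  # HSTS is only honoured over TLS, so the redirect itself can carry it.
  add_header   Strict-Transport-Security "max-age=31536000" always;
  return       301 https://codeable.io$request_uri;
}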

# Plain-HTTP www host: permanent redirect to the canonical HTTPS origin.
# No HSTS here — user agents ignore the header on non-TLS responses.
server {
  listen       80;
  server_name  www.codeable.io;
  return       301 https://codeable.io$request_uri;
}

# Plain-HTTP catch-all (default_server): any Host on port 80 is redirected to
# the canonical HTTPS origin. No HSTS here — user agents ignore the header on
# non-TLS responses.
server {
  listen       80 default_server;
  server_name  codeable.io;
  return       301 https://codeable.io$request_uri;
}