This commit is contained in:
Elijah Duffy
@@ -2,68 +2,67 @@ server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
# Set the server name to a catch all since this will be behind
|
||||
# a reverse proxy or load balancer in most cases.
|
||||
server_name _;
|
||||
root /var/www/html;
|
||||
index index.php index.html index.htm;
|
||||
|
||||
# Basic security headers (can be extended per-site)
|
||||
root /var/www/html;
|
||||
index index.php;
|
||||
|
||||
# Security Headers
|
||||
# These provide a strong baseline against common web vulnerabilities.
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
# Deny access to hidden files and directories
|
||||
location ~ (^|/)[.] {
|
||||
# Deny access to any files starting with a dot.
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Static files: long cache, immutable where appropriate
|
||||
# Deny access to specific sensitive file types.
|
||||
location ~* \.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Cache static assets for a long time.
|
||||
# The 'immutable' directive is great for versioned assets.
|
||||
location ~* \.(?:css|js|gif|jpe?g|png|ico|svg|woff2?|ttf|eot)$ {
|
||||
try_files $uri =404;
|
||||
access_log off;
|
||||
expires 30d;
|
||||
add_header Cache-Control "public, max-age=2592000, immutable";
|
||||
add_header Cache-Control "public, immutable";
|
||||
}
|
||||
|
||||
# Handle favicon and robots.txt without logging.
|
||||
location = /favicon.ico { access_log off; log_not_found off; }
|
||||
location = /robots.txt { access_log off; log_not_found off; allow all; }
|
||||
location = /robots.txt { access_log off; log_not_found off; }
|
||||
|
||||
# Main front controller; fall back to index.php
|
||||
# Main WordPress front-controller.
|
||||
# All non-file requests fall through to index.php.
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$is_args$args;
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
# PHP-FPM handling; pass to php-fpm:9000 (docker service name)
|
||||
location ~ [^/]
|
||||
\.php(/|$) {
|
||||
# Prevent direct access to PHP files in uploads or other writable dirs if necessary
|
||||
try_files $document_root$fastcgi_script_name =404;
|
||||
|
||||
# Pass PHP scripts to the PHP-FPM container.
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
# Use TCP FPM backend service name. Matches the php-fpm image we built.
|
||||
|
||||
# Use the service name of your PHP-FPM container.
|
||||
fastcgi_pass php-fpm:9000;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi_params;
|
||||
|
||||
# Set required CGI parameters.
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
fastcgi_read_timeout 300;
|
||||
}
|
||||
|
||||
# Block access to .ht* files
|
||||
location ~* /\.(?:ht|git) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Optional: small buffer for large headers (WordPress with many cookies/plugins)
|
||||
# Optimize buffers for potentially large WordPress headers.
|
||||
fastcgi_buffers 16 16k;
|
||||
fastcgi_buffer_size 32k;
|
||||
|
||||
# Prevent clickjacking on all responses
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
fastcgi_read_timeout 300;
|
||||
}
|
||||
}
|
||||
|
||||
# Default server; allow override by mounting /etc/nginx/conf.d/default.conf
|
||||
|
||||
Reference in New Issue
Block a user