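# WordPress vhost fronting a PHP-FPM container.
# Plain HTTP only (port 80): this server block is meant to sit behind a
# TLS-terminating reverse proxy or load balancer.
server {
    listen 80;
    listen [::]:80;

    # Catch-all server name: host routing is done by the proxy in front.
    server_name _;

    root  /var/www/html;
    index index.php;

    # Security headers (baseline against clickjacking, MIME sniffing, etc.).
    # NOTE: nginx does not inherit server-level `add_header` into any location
    # that declares its own `add_header`; such locations repeat this set below.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header, widely deprecated; kept for older clients only.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Deny access to dotfiles and dot-directories (.git, .env, .htaccess, ...).
    # This regex also covers /.well-known/; if ACME challenges must be served
    # from this host rather than the proxy, add a `location ^~ /.well-known/`
    # carve-out ahead of it.
    location ~ /\. {
        deny all;
    }

    # Deny access to backup, config, dump, script and editor swap files.
    location ~* \.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])$ {
        deny all;
    }

    # Never execute PHP from the user-upload tree. Regex locations are tried in
    # order of appearance, so this must precede the generic `\.php$` handler.
    location ~* /uploads/.*\.php$ {
        deny all;
    }

    # Long-lived cache for static assets; `immutable` suits versioned filenames.
    location ~* \.(?:css|js|gif|jpe?g|png|ico|svg|woff2?|ttf|eot)$ {
        try_files $uri =404;
        access_log off;
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Re-declare the server-level security headers: the `add_header` above
        # would otherwise drop every one of them for static responses.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Serve favicon and robots.txt without access or not-found logging.
    location = /favicon.ico {
        access_log    off;
        log_not_found off;
    }
    location = /robots.txt {
        access_log    off;
        log_not_found off;
    }

    # WordPress front controller: anything that is not an existing file or
    # directory is routed to index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Pass PHP scripts to PHP-FPM.
    location ~ \.php$ {
        # Only an existing .php file may be executed. Because the whole $uri
        # must exist, URIs of the form /foo.jpg/x.php never reach PHP-FPM, and
        # PATH_INFO below is effectively always empty; that is the intended
        # trade-off for blocking the cgi.fix_pathinfo class of attacks.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Service name of the PHP-FPM container.
        fastcgi_pass  php-fpm:9000;
        fastcgi_index index.php;
        include       fastcgi_params;

        # Required CGI parameters.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        # This vhost only listens on 80, so $https is empty and the HTTPS
        # param is omitted. NOTE(review): behind a TLS-terminating proxy
        # WordPress presumably needs X-Forwarded-Proto handled in wp-config.php;
        # verify for this deployment.
        fastcgi_param HTTPS           $https if_not_empty;

        # Do not leak the PHP version to clients.
        fastcgi_hide_header X-Powered-By;

        # Larger buffers for the big response headers WordPress can emit.
        fastcgi_buffers      16 16k;
        fastcgi_buffer_size  32k;
        fastcgi_read_timeout 300;
    }
}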