# ============================================================
# Nginx Reverse Proxy for WordPress
# Features: SSL, Gzip, Proxy Cache, WebP, Cloudflare-friendly
# ============================================================
# Shared on-disk proxy cache used by the HTTPS server below (zone "wpcache").
#   levels=1:2             two-level directory layout under the cache path
#   keys_zone=wpcache:10m  10 MB shared-memory zone holding the cache keys
#   max_size=100m          upper bound on the cached data kept on disk
#   inactive=60m           an entry not requested for 60 minutes is removed,
#                          however long proxy_cache_valid would keep it fresh
# NOTE(review): /tmp is normally writable by every local account. If this
# nginx does not run in its own container or with a private /tmp, confirm the
# directory is created with nginx-only ownership and permissions, or move the
# cache to a dedicated path.
proxy_cache_path /tmp/nginx-cache
    levels=1:2
    keys_zone=wpcache:10m
    max_size=100m
    inactive=60m;
# HTTP → HTTPS redirect
# Plain-HTTP listener: every request is answered with a permanent redirect to
# the same host and URI over HTTPS; nothing is proxied from this block.
# NOTE(review): $host comes from the request (Host header, falling back to the
# matched server name). If this is the only server on port 80 it is also the
# default server, so an arbitrary Host value would be reflected into the
# Location header. Confirm a catch-all default_server exists elsewhere, or
# redirect to a fixed canonical name.
server {
    listen 80;
    server_name YOUR_DOMAIN www.YOUR_DOMAIN;

    return 301 https://$host$request_uri;
}
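# HTTPS front end for the WordPress upstream (http://wordpress:80).
# Terminates TLS, compresses text responses, and serves pages and assets from
# the "wpcache" proxy cache where the bypass rules below allow it.
server {
    listen 443 ssl;
    server_name YOUR_DOMAIN www.YOUR_DOMAIN;

    # --- SSL ---
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    client_max_body_size 64M;

    # --- Gzip ---
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;

    # --- Cache bypass rules ---
    # $skip_cache becomes 1 for POSTs, any request with a query string,
    # requests carrying a WordPress login/comment/password cookie, and the
    # admin, login, cron and XML-RPC URIs. Only "location /" consults it.
    set $skip_cache 0;
    if ($request_method = POST) { set $skip_cache 1; }
    if ($query_string != "") { set $skip_cache 1; }
    if ($http_cookie ~* "comment_author|wordpress_logged_in|wp-postpass") { set $skip_cache 1; }
    if ($request_uri ~* "/wp-admin/|/wp-login.php|/wp-cron.php|/xmlrpc.php") { set $skip_cache 1; }

    # --- Static files: cache 1 year, WebP support ---
    # This location matches on the file extension alone and does not consult
    # $skip_cache, so whatever the upstream returns for a URI ending in one of
    # these extensions is labelled public and immutable for a year.
    # NOTE(review): if the upstream answers dynamic paths that merely end in
    # ".css"/".js" (for example PATH_INFO-style URIs), a response rendered for
    # a logged-in visitor could be stored by browsers or a CDN. Admin and login
    # paths are kept out of this location by the ^~ modifiers further down;
    # confirm the upstream returns 404 for such URIs elsewhere.
    location ~* \.(jpg|jpeg|png|gif|webp|avif|ico|svg|css|js|woff|woff2|ttf|eot)$ {
        proxy_pass http://wordpress:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Accept $http_accept;

        proxy_cache wpcache;
        proxy_cache_valid 200 30d;
        # NOTE(review): the key uses the raw Accept header, so every distinct
        # client-chosen Accept string creates its own entry in a 100 MB cache,
        # and it omits the query string, so "?ver=" changes reuse the stored
        # copy. Consider normalising Accept to a small set of variants.
        proxy_cache_key "$uri$http_accept";

        expires 365d;
        add_header Cache-Control "public, max-age=31536000, immutable";
        add_header X-Cache-Status $upstream_cache_status;
        add_header Vary Accept;

        # Security headers, repeated here (see the note at server level).
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }

    # --- Security headers ---
    # add_header directives are inherited from this level only by locations
    # that declare no add_header of their own. Every proxied location in this
    # server adds at least one header, so the same five lines are repeated
    # inside each of them; without that, only /xmlrpc.php would send them.
    # NOTE(review): X-XSS-Protection is ignored by current browsers; the value
    # is kept as the author set it.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # --- Block xmlrpc.php ---
    location = /xmlrpc.php {
        return 403;
    }

    # --- Sitemap: cache 1 hour ---
    location ~* ^/sitemap.*\.xml$ {
        proxy_pass http://wordpress:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        proxy_cache wpcache;
        proxy_cache_valid 200 1h;

        add_header Cache-Control "public, max-age=3600, s-maxage=3600";
        add_header X-Cache-Status $upstream_cache_status;

        # Security headers, repeated here (see the note at server level).
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }

    # --- robots.txt: cache 24 hours ---
    location = /robots.txt {
        proxy_pass http://wordpress:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        proxy_cache wpcache;
        proxy_cache_valid 200 24h;

        add_header Cache-Control "public, max-age=86400, s-maxage=86400";
        add_header X-Cache-Status $upstream_cache_status;

        # Security headers, repeated here (see the note at server level).
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }

    # --- Affiliate links: no cache, pass-through ---
    location /go/ {
        proxy_pass http://wordpress:80;
        proxy_set_header Host $host;
        # NOTE(review): $remote_addr is the directly connected peer. With a
        # CDN in front, as the file header suggests, that is the CDN edge
        # unless the realip module is configured elsewhere; the same applies
        # to every location below that forwards these two headers.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        add_header Cache-Control "no-store";

        # Security headers, repeated here (see the note at server level).
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }

    # --- Main location: proxy cache + Cloudflare s-maxage ---
    location / {
        proxy_pass http://wordpress:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_cache wpcache;
        proxy_cache_valid 200 10m;
        # A non-zero $skip_cache both skips the lookup and prevents storing.
        proxy_cache_bypass $skip_cache;
        proxy_no_cache $skip_cache;
        proxy_cache_key "$scheme$host$request_uri";

        add_header X-Cache-Status $upstream_cache_status;

        # Tell Cloudflare to cache HTML for 10 minutes
        # The upstream Cache-Control is dropped and replaced by the values
        # below for every response from this location, including requests
        # where $skip_cache is 1.
        # NOTE(review): Set-Cookie is stripped for everything routed here, so
        # cookies set by front-end requests (comment forms, for instance)
        # never reach the browser, and bypassed responses are still labelled
        # "public" for downstream caches; confirm both are intended.
        proxy_hide_header Cache-Control;
        proxy_hide_header Set-Cookie;
        proxy_hide_header X-Powered-By;
        add_header Cache-Control "public, max-age=60, s-maxage=600, stale-while-revalidate=86400";
        add_header CDN-Cache-Control "public, max-age=600";

        # Security headers, repeated here (see the note at server level).
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }

    # --- Never cache admin/login ---
    # "^~" stops nginx from trying the regex locations once this prefix
    # matches. Without it, an admin or login URI ending in a static extension
    # would be handled by the static-files location above and sent out as
    # public and immutable. The cost is that admin assets are no longer
    # cached by this proxy.
    location ^~ /wp-admin {
        proxy_pass http://wordpress:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        add_header Cache-Control "no-store, no-cache, must-revalidate";

        # Security headers, repeated here (see the note at server level).
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }

    location ^~ /wp-login.php {
        proxy_pass http://wordpress:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        add_header Cache-Control "no-store, no-cache, must-revalidate";

        # Security headers, repeated here (see the note at server level).
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }
}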