-
Notifications
You must be signed in to change notification settings - Fork 4
/
wordpress-cloudflare
148 lines (119 loc) · 4.3 KB
/
wordpress-cloudflare
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# EasyPath NGINX virtual host configuration
# Customized for PHP/WordPress running behind CloudFlare's CDN (https://www.cloudflare.com)
# CloudFlare can also do the HTTP to HTTPS redirect, however it seems to cause chained 301 redirects
# i.e. http://<domain_name> to https://<domain_name> to https://www.<domain_name>, which is bad for SEO
# Can test for chained 301 redirects at https://www.gtmetrix.com
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
# PEM contains signed server certificate and chain
ssl_certificate /webapps/<domain_name>/ssl/<domain_name>.pem;
# Private key of server certificate
ssl_certificate_key /webapps/<domain_name>/ssl/<domain_name>.key;
# Session caching to improve performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# Turn off session tickets
ssl_session_tickets off;
# Sourced from https://cipherli.st
# Higher security; modify if IE < 9 support on Windows XP is required
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# DH parameter
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Deters click-jacking
# Do not set to DENY, otherwise causes issues in WordPress WP-Admin
add_header X-Frame-Options SAMEORIGIN;
# Deters MIME-type confusion attacks
add_header X-Content-Type-Options nosniff;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /webapps/<domain_name>/ssl/ca_chain.pem;
# Root location
root /webapps/<domain_name>/public;
# Add & move index.php to the front of the list for PHP/Wordpress
index index.php index.html index.htm;
# Required for WordPress permalinks
location / {
try_files $uri $uri/ /index.php?$args;
}
# For PHP
# Pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# PHP7.0-FPM
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
# Logging
access_log /webapps/<domain_name>/logs/access.log;
error_log /webapps/<domain_name>/logs/error.log;
# Prevent serving files beginning with a “.”
# Do not log attempt
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
# Prevent serving files beginning with a “$”
# Do not log attempt
location ~ ~$ {
access_log off;
log_not_found off;
deny all;
}
# Prevent logging whenever favicon & robots.txt files are accessed
location = /robots.txt {
log_not_found off;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
# Restores visitor's original IP address in log files
# See https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-
# List of CloudFlare's IP addresses
# Must be periodically updated
# Refer to https://www.cloudflare.com/ips/ for latest list
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# use any of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
}
# Redirect all HTTP traffic to HTTPS
# Always redirect to www.<domain_name>, not bare-domain (without "www") according to SEO best-practices
server {
listen 80;
listen [::]:80;
return 301 https://www.<domain_name>$request_uri;
}
# Redirect bare-domain HTTPS to https://www.<domain_name>
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <domain_name>;
return 301 https://www.<domain_name>$request_uri;
}