added nginx configuration examples

.gitignore

@@ -41,4 +41,14 @@ authelia/*
 php/*
 !php/php7
 !php/php7/*
-!php/php7/conf.d/*
+!php/php7/conf.d/*
+!nginx
+!nginx/*
+!nginx/conf.d
+!nginx/conf.d/*
+!nginx/sites
+nginx/sites/*
+!nginx/sites/*.example
+!nginx/common
+nginx/common/*
+!nginx/common/*.example

nginx/common/nonwp-common-php7.conf.example

@@ -0,0 +1,33 @@
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+
+# Disable WP Login
+location = /wp-login.php {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Disable wp-config.txt
+location = /wp-config.txt {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Disable xmlrpc
+location = /xmlrpc.php {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Disallow php in upload folder
+#location /wp-content/uploads/ {
+location /images/ {
+  location ~ \.php$ {
+    #Prevent Direct Access Of PHP Files From Web Browsers
+    deny all;
+  }
+}

nginx/common/nonwp-locations-php7.conf.example

@@ -0,0 +1,48 @@
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+
+location = /favicon.ico {
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+
+location = /robots.txt {
+  # Refer #340 issue
+  try_files $uri $uri/ /index.php?$args;
+  access_log off;
+  log_not_found off;
+}
+
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
+  add_header "Access-Control-Allow-Origin" "*";
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\.well-known {
+  allow all;
+}
+
+location ~ /\. {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Deny backup extensions & log files
+location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
+if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+  return 403;
+}

nginx/common/nonwp-nfc-php7.conf.example

@@ -0,0 +1,36 @@
+# WPFC NGINX CONFIGURATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+
+# Enable Nginx FastCGI Cache
+set $skip_cache 1;
+# Disable Nginx FastCGI Cache
+#set $skip_cache 1;
+
+# POST requests and URL with a query string should always go to php
+if ($request_method = POST) {
+  set $skip_cache 1;
+}
+if ($query_string != "") {
+  set $skip_cache 1;
+}
+
+# Use cached or actual file if they exists, Otherwise pass request to WordPress
+location / {
+  try_files $uri $uri/ /index.php?$args;
+}
+
+location ~ \.php$ {
+#  include common/hbgauthor.conf;
+  try_files $uri =404;
+  include fastcgi.conf;
+  fastcgi_pass php7;
+  fastcgi_cache_bypass $skip_cache;
+  fastcgi_no_cache $skip_cache;
+  fastcgi_cache WORDPRESS; #WORDPRESS cannot be changed here.
+}
+
+# Not available - Nginx Commercial Subscription Required
+# location ~ /purge(/.*) {
+#  fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
+#  access_log off;
+#}

nginx/common/wp-common-php7.conf.example

@@ -0,0 +1,30 @@
+# WordPress COMMON SETTINGS
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Limit access to avoid brute force attack
+location = /wp-login.php {
+  #include common/acl.conf;
+  limit_req zone=one burst=1 nodelay;
+  include fastcgi.conf;
+  fastcgi_pass php7;  
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Disable xmlrpc
+location = /xmlrpc.php {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Disallow php in upload folder
+location /wp-content/uploads/ {
+  location ~ \.php$ {
+    #Prevent Direct Access Of PHP Files From Web Browsers
+    deny all;
+  }
+}

nginx/common/wp-locations-php7.conf.example

@@ -0,0 +1,50 @@
+# NGINX CONFIGURATION FOR COMMON LOCATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+# Basic locations files
+
+location = /favicon.ico {
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+
+location = /robots.txt {
+  # Some WordPress plugin gererate robots.txt file
+  # Refer #340 issue
+  try_files $uri $uri/ /index.php?$args;
+  access_log off;
+  log_not_found off;
+}
+
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
+  add_header "Access-Control-Allow-Origin" "*";
+  access_log off;
+  log_not_found off;
+  expires max;
+}
+
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\.well-known {
+  allow all;
+}
+
+location ~ /\. {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Deny backup extensions & log files
+location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
+  deny all;
+  access_log off;
+  log_not_found off;
+}
+
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
+# Added build.xml based on 404 data on redirection plugin - 9/21/2020
+if ($uri ~* "^.+(readme|license|example|build)\.(txt|html|xml)$") {
+  return 403;
+}

nginx/common/wp-nfc-php7.conf.example

@@ -0,0 +1,42 @@
+# WPFC NGINX CONFIGURATION
+# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
+
+# Enable Nginx FastCGI Cache
+set $skip_cache 0;
+# Disable Nginx FastCGI Cache
+#set $skip_cache 1;
+
+# POST requests and URL with a query string should always go to php
+if ($request_method = POST) {
+  set $skip_cache 1;
+}
+if ($query_string != "") {
+  set $skip_cache 1;
+}
+# Don't cache URL containing the following segments
+if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*\.php|index.php|/feed/|.*sitemap.*\.xml)") {
+  set $skip_cache 1;
+}
+# Don't use the cache for logged in users or recent commenter or customer with items in cart
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart") {
+  set $skip_cache 1;
+}
+# Use cached or actual file if they exists, Otherwise pass request to WordPress
+location / {
+  try_files $uri $uri/ /index.php?$args;
+}
+
+location ~ \.php$ {
+  try_files $uri =404;
+  include fastcgi.conf;
+  fastcgi_pass php7;
+  fastcgi_cache_bypass $skip_cache;
+  fastcgi_no_cache $skip_cache;
+  fastcgi_cache WORDPRESS;
+}
+
+# Not available - Nginx Commercial Subscription Required
+# location ~ /purge(/.*) {
+#  fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
+#  access_log off;
+#}

nginx/conf.d/blockips.conf

@@ -0,0 +1,2 @@
+# Block IP Address
+# deny 1.1.1.1;

nginx/conf.d/fastcgi.conf

@@ -0,0 +1,10 @@
+# FastCGI cache settings
+fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m inactive=60m;
+fastcgi_cache_key "$scheme$request_method$host$request_uri";
+fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
+fastcgi_cache_valid 200 301 302 404 1h;
+fastcgi_buffers 16 16k;
+fastcgi_buffer_size 32k;
+fastcgi_param SERVER_NAME $http_host;
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+fastcgi_keep_conn on;

nginx/conf.d/optimizations.conf

@@ -0,0 +1,31 @@
+# Custom Configs
+# Prevent iframe or clickjacking https://gist.github.com/plentz/6737338
+# add_header X-Frame-Options SAMEORIGIN; # Added by Traefik
+
+# Custom Sizes https://www.digitalocean.com/community/articles/how-to-optimize-nginx-configuration
+# http://www.narga.net/recommended-nginx-configuration-high-traffic-wordpress/2/
+client_body_buffer_size 10K;
+client_header_buffer_size 1k;
+client_max_body_size 16M;
+large_client_header_buffers 2 8k; # 400 Bad Request
+
+# Caches information about open FDs, freqently accessed files.
+# Changing this setting, in my environment, brought performance up from 560k req/sec, to 904k req/sec.
+# I recommend using some varient of these options, though not the specific values listed below.
+# http://www.narga.net/recommended-nginx-configuration-high-traffic-wordpress/2/
+open_file_cache max=1000 inactive=20s;
+open_file_cache_valid 30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors on;
+
+# Time Outs https://www.digitalocean.com/community/articles/how-to-optimize-nginx-configuration
+# http://www.narga.net/recommended-nginx-configuration-high-traffic-wordpress/2/
+# send the client a "request timed out" if the body is not loaded by this time. Default 60.
+client_body_timeout 12;
+client_header_timeout 12;
+
+# If the client stops reading data, free up the stale client connection after this much time. Default 60.
+send_timeout 10;
+
+#  How long an idle keepalive connection remains open.
+keepalive_timeout 15;

nginx/conf.d/upstream.conf

@@ -0,0 +1,10 @@
+upstream php7 {
+  server php7:9000;
+}
+
+#upstream php5 {
+#  server php5:9000;
+#}
+#upstream debug7 {
+#server 127.0.0.1:9170;
+#}

nginx/fastcgi.conf

@@ -0,0 +1,27 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_FILENAME		$request_filename;
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;
+
+# To fix CGI application vulnerability - https://httpoxy.org
+fastcgi_param   HTTP_PROXY      "";