Version 3.1 - multiple small fixes and tiny improvements

Author: pothi

README.md

@@ -52,7 +52,7 @@ Tested with the following servers...
 
 Test with the following Nginx versions...
 + Stable verisons 1.12.x and 1.14.x
-+ Mainline versions 1.13.x
++ Mainline versions 1.13.x, 1.15.x
 
 For RPM based distros (Fedora, Redhat, CentOS and Amazon Linux AMI), the configuration mentioned in the repo should work. Additional steps may be needed, though. See below for some details!
 

conf.d/common.conf

@@ -10,6 +10,13 @@ proxy_buffers 8 32k;
 proxy_buffer_size 64k;
 # -------------------------------------------------------------------
 
+# for time-consuming operations (such as WP import or file upload)
+# https://nginx.org/r/fastcgi_read_timeout
+# default 60 seconds
+fastcgi_read_timeout 5m;
+
+# -------------------------------------------------------------------
+
 ### To enable large uploads
 # Please make sure the corresponding PHP values are increased as well
 # post_max_size = 8M (default)

conf.d/ssl-common.conf

@@ -8,5 +8,5 @@ ssl_protocols TLSv1.1 TLSv1.2;
 # directly from https://weakdh.org/sysadmin.html
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 
-# run "openssl dhparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option
+# run "openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096" before uncommenting the following option
 # ssl_dhparam /etc/nginx/dhparam.pem;

globals/cache-enabler.conf

@@ -0,0 +1,70 @@
+# To improve the perf, we may use open_file_cache
+# ref: https://nginx.org/r/open_file_cache
+# open_file_cache max=1000;
+# open_file_cache_valid 60s;
+# open_file_cache_min_uses 2;
+# open_file_cache_errors off;
+
+location / {
+    # requires server support
+    # gzip_static on;
+
+    error_page 418 = @cachemiss;
+    error_page 419 = @mobileaccess;
+    recursive_error_pages on;
+
+    # bypass POST requests
+    if ($request_method = POST) { return 418; }
+
+    # uncommenting the following degrades the performance on certain sites. YMMV
+    # if ($query_string != "") { return 418; }
+
+    # bypass cache for common query strings
+    if ($arg_s != "") { return 418; } # search query
+    if ($arg_p != "") { return 418; } # request a post / page by ID
+    if ($arg_amp != "") { return 418; } # amp test
+    if ($arg_preview = "true") { return 418; } # preview post / page
+    if ($arg_ao_noptimize != "") { return 418; } # support for Autoptimize plugin
+
+    if ($http_cookie ~* "wordpress_logged_in_") { return 418; }
+    if ($http_cookie ~* "comment_author_") { return 418; }
+    if ($http_cookie ~* "wp_postpass_") { return 418; }
+
+    # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
+
+    # uncomment the following if deemed fit
+    # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
+
+    try_files "/wp-content/cache/cache-enabler/$host${uri}index.html" $uri $uri/ /index.php$is_args$args;
+
+    #--> all the following would apply, only if the request hits the cache
+
+    add_header "X-Cache" "HIT - Cache Enabler";
+    # include "globals/hsts.conf";
+
+    # expires modified 30m;
+    expires 30m;
+    add_header "Cache-Control" "must-revalidate";
+
+    # For proxies
+    # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @mobileaccess {
+    # try_files $uri $uri/ /index.php$is_args$args;
+    try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
+
+    add_header "X-Cache" "HIT - Mobile - Cache Enabler";
+    # include "globals/hsts.conf";
+
+    # expires modified 30m;
+    expires 30m;
+    add_header "Cache-Control" "must-revalidate";
+
+    # For proxies
+    # add_header "Cache-Control" "s-maxage=3600";
+}
+
+location @cachemiss {
+    try_files $uri $uri/ /index.php$is_args$args;
+}

globals/cloudflare.conf

@@ -1,5 +1,9 @@
 # make sure you set up a cron to run update-cloudflare-ip-list.sh regularly
 
 include '/etc/nginx/globals/cloudflare-ip-list.conf';
+
+# use any of the following two options (but not both)
 real_ip_header CF-Connecting-IP;
+# real_ip_header X-Forwarded-For;
+
 real_ip_recursive on;

sites-available/default.conf

@@ -2,8 +2,12 @@ server {
     listen 80 default_server;
     listen [::]:80 default_server;
 
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    # create dummy certificates, if you'd like to enable the following...
+    # listen 443 ssl http2 default_server;
+    # listen [::]:443 ssl http2 default_server;
+
+    # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
+    # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
 
     # to catch all domains not hosted here!
     server_name _;

sites-available/example.com.conf

@@ -58,7 +58,8 @@ server {
     ### Enaable only one of the following lines
     include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
     # include "globals/wp-rocket.conf";  # WP Rocket Cache plugin support
-    # include "globals/wp-fastest-cache.conf";  # WP Rocket Cache plugin support
+    # include "globals/wp-fastest-cache.conf";  # WP Fastest Cache plugin support
+    # include "globals/cache-enabler.conf";  # Cache Enabler plugin support
     # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
 
 }

sites-available/pma.example.com.conf

@@ -6,10 +6,25 @@
 ### Ref: http://serverfault.com/questions/246300/running-phpmyadmin-on-nginx-port-8080-passed-to-varnish-not-working-well
 ### Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1340187&group_id=23067&atid=377409
 
+# http => https
 server {
     listen 80;
+    listen [::]:80; # IPv6 support
     server_name pma.example.com;
-    return 301 https://$host$request_uri;
+
+    # Replace the path with the actual path to WordPress core files
+    root /home/username/sites/pma.example.com/public;
+
+    # for LetsEncrypt
+    location ^~ /.well-known/acme-challenge {
+        auth_basic off;
+        try_files $uri =404;
+        expires -1;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 server {
@@ -23,8 +38,8 @@ server {
     access_log /var/log/nginx/pma.example.com-access.log combined buffer=64k flush=5m if=$loggable; # $loggable is defined in conf.d/common.conf
     error_log /var/log/nginx/pma.example.com-error.log;
 
-    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
-    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
+    ssl_certificate "/etc/letsencrypt/live/pma.example.com/fullchain.pem";
+    ssl_certificate_key "/etc/letsencrypt/live/pma.example.com/privkey.pem";
 
     include globals/restrictions.conf;
     include globals/assets.conf;

sites-available/ssl-example.com.conf

@@ -3,7 +3,20 @@ server {
     listen 80;
     listen [::]:80; # IPv6 support
     server_name example.com www.example.com;
-    return 301 https://$host$request_uri;
+
+    # Replace the path with the actual path to WordPress core files
+    root /home/username/sites/example.com/public;
+
+    # for LetsEncrypt
+    location ^~ /.well-known/acme-challenge {
+        auth_basic off;
+        try_files $uri =404;
+        expires -1;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 # www.example.com => example.com (server-level)
@@ -29,7 +42,7 @@ server {
     index index.php;
 
     # Replace the path with the actual path to WordPress core files
-    root /home/username/sites/ssl-example.com/public;
+    root /home/username/sites/example.com/public;
 
     ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
     ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
@@ -46,6 +59,7 @@ server {
 
     include globals/restrictions.conf;
     include globals/assets.conf;
+    include globals/auto-versioning-support.conf;
 
     location ~ \.php$ {
         fastcgi_split_path_info ^(.+\.php)(/.*)$;
@@ -63,6 +77,7 @@ server {
     ### Enaable only one of the following lines
     include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
     # include "globals/wp-rocket.conf";  # WP Rocket Cache plugin support
-    # include "globals/wp-fastest-cache.conf";  # WP Rocket Cache plugin support
+    # include "globals/wp-fastest-cache.conf";  # WP Fastest Cache plugin support
+    # include "globals/cache-enabler.conf";  # Cache Enabler plugin support
     # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
 }