Rename files, add cloudflare and webp support

pothi · pothi · commit fb8366d4507d · 2018-05-09T19:52:06.000+05:30
diff --git a/README.md b/README.md
@@ -11,12 +11,15 @@ There are multiplpe advantages of using this repo as your go-to nginx configurat
 + Multisite support.
 + Contains ready-to-use sample vhost entries.
 + Continuously updated sample configurations with best practices.
-+ Ansible friendly (coming soon)
++ IPv6 is supported out of the box.
++ Cloudflare support.
++ [WebP](https://developers.google.com/speed/webp/) support.
 
 ## Available templates / vhost entries
 
 + WP Super Cache plugin (with support for SSL and separate mobile cache)
-+ WP Rocket cache plugin (SSL / mobile supported out of the box)
++ WP Rocket cache plugin (SSL and / or mobile supported out of the box)
++ WP Fastest Cache plugin (SSL and / or mobile supported out of the box)
 + Multisite (sub-domain and sub-directory)
 + Varnish with Nginx for SSL termination.
 + Custom error pages.
@@ -43,10 +46,11 @@ There are multiplpe advantages of using this repo as your go-to nginx configurat
 
 Tested with the following servers...
 + Debian Debian 9 (Stretch)
-+ Ubuntu 16.04 LTS (Xenial)
++ Ubuntu 16.04 LTS (Xenial Xerus)
++ Ubuntu 18.04 LTS (Bionic Beaver)
 
 Test with the following Nginx versions...
-+ Stable verisons 1.12.x
++ Stable verisons 1.12.x and 1.14.x
 + Mainline versions 1.13.x
 
 For RPM based distros (Fedora, Redhat, CentOS and Amazon Linux AMI), the configuration mentioned in the repo should work. Additional steps may be needed, though. See below for some details!
@@ -57,7 +61,7 @@ For all the steps mentioned below, you need __sudo__ or __root__ privileges!
 
 Step #1 - Install Nginx
 
-You may use the official Nginx repo or just use the Nginx package that comes with the OS. Both would work fine! I will leave the decision to you. Since, the installation process varies across Operating Systems, please refer the official installation docs to complete this step.
+You may use the official Nginx repo or just use the Nginx package that comes with the OS. Both would work fine! I will leave the decision to you. Since, the installation process varies across Operating Systems, please refer the official installation guide to complete this step.
 
 Step #2 - Please backup your existing configuration files. Probably, have /etc under version control!
 
@@ -90,7 +94,7 @@ sudo ln -s ../sites-available/$WP_DOMAIN.conf
 sudo nginx -t && sudo systemctl restart nginx
 ```
 
-### Changes on CentOS
+### Changes on CentOS (and on rpm based distros in general)
 
 CentOS has a different file naming convention, yet simple directory structure, when compared to Debian derivatives. Let me describe them and I'd let you decide upon how you'd want to structure your files and name those files.
 
diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,17 @@
+v3.0
+- Released on May 9, 2018
+- Rename wprocket.conf to wp-rocket.conf
+- Rename wpsupercache.conf to wp-super-cache.conf
+- Added Cloudflare support.
+- IPv6 support added.
+- WebP support.
+- Other minor changes.
+
+v2.0
+- released on Dec 20, 2017
+- changed filename globals/common-locations.conf to globals/assets.conf
+- other minor changes
+
 v1.0
 - released on April 23, 2017
 - uniform naming scheme for domain names
diff --git a/conf.d/common.conf b/conf.d/common.conf
@@ -2,10 +2,6 @@
 
 index index.html index.php;
 
-# include globals/pagespeed.conf;
-# include globals/hide-headers.conf;
-# include globals/varnish-as-front-end-compatibility.conf;
-
 # Ref: https://gist.github.com/magnetikonline/11312172
 fastcgi_buffers 32 32k;
 fastcgi_buffer_size 32k;
@@ -29,8 +25,8 @@ server_names_hash_bucket_size 128;
 
 # -------------------------------------------------------------------
 
-# For SSL - WP Super Cache Compatibility
-map $scheme $wpsc_https { default ''; https '-https'; }
+# For SSL Compatibility - WP Super Cache and WP Rocket depend on this
+map $scheme $https_suffix { default ''; https '-https'; }
 
 # -------------------------------------------------------------------
 
@@ -52,3 +48,23 @@ charset       $charset;
 charset_types *;
 
 # -------------------------------------------------------------------
+
+# if you'd like to hide some header info, uncomment this
+# include globals/hide-headers.conf;
+
+# -------------------------------------------------------------------
+#
+# if you'd like to hide some header info, uncomment this
+# include globals/cloudflare.conf;
+
+# -------------------------------------------------------------------
+
+# webp support
+# see: https://docs.ewww.io/article/16-ewww-io-and-webp-images
+
+map $http_accept $webp_suffix {
+  default "";
+  "~*webp" ".webp";
+}
+
+# -------------------------------------------------------------------
diff --git a/globals/assets.conf b/globals/assets.conf
@@ -29,7 +29,7 @@ location ~ \.(?:ttf|ttc|eot|woff|woff2|otf|svg)$ {
 }
 
 # Referers for images
-location ~ \.(?:jpg|jpeg|gif|png|ico)$ {
+location ~ \.(?:gif|ico|webp)$ {
     ### Please change the domainname before uncommenting the following
     # valid_referers none blocked www.example.com example.com;
     # if ($invalid_referer) { return 403; }
@@ -39,6 +39,19 @@ location ~ \.(?:jpg|jpeg|gif|png|ico)$ {
     access_log off;
 }
 
+location ~* ^.+\.(png|jpe?g)$ {
+    ### Please change the domainname before uncommenting the following
+    # valid_referers none blocked www.example.com example.com;
+    # if ($invalid_referer) { return 403; }
+
+    # add_header Vary Accept;
+    # see https://docs.ewww.io/article/16-ewww-io-and-webp-images
+    try_files $uri$webp_suffix $uri =404;
+    expires max;
+    log_not_found off;
+    access_log off;
+}
+
 # Feeds
 location ~ \.(?:rss|atom)$ {
     expires 600s; # 10 minutes
diff --git a/globals/cloudflare-ip-list.conf b/globals/cloudflare-ip-list.conf
@@ -0,0 +1,21 @@
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2c0f:f248::/32;
+set_real_ip_from 2a06:98c0::/29;
diff --git a/globals/cloudflare.conf b/globals/cloudflare.conf
@@ -0,0 +1,6 @@
+# make sure you set up a cron to run update-cloudflare-ip-list.sh regularly
+
+include '/etc/nginx/globals/cloudflare-ip-list.conf';
+real_ip_header CF-Connecting-IP;
+real_ip_header CF-Connecting-IP;
+real_ip_recursive on;
diff --git a/globals/wp-fastest-cache.conf b/globals/wp-fastest-cache.conf
@@ -41,7 +41,7 @@ location / {
     #--> all the following would apply, only if the request hits the cache
 
     # add some useful headers
-    add_header "X-Cache" "HIT";
+    add_header "X-Cache" "HIT - WP Fastest Cache";
     add_header "X-CF-Powered-By" "WP Fastest Cache";
     add_header "Vary" "Cookie";
     # include "globals/hsts.conf";
@@ -62,8 +62,7 @@ location @mobileaccess {
     #--> all the following would apply, only if the request hits the cache
 
     # add some useful headers
-    add_header "X-Cache" "HIT - Mobile";
-    add_header "X-CF-Powered-By" "WP Fastest Cache";
+    add_header "X-Cache" "HIT - Mobile - WP Fastest Cache";
     add_header "Vary" "User-Agent, Cookie";
     # include "globals/hsts.conf";
 
diff --git a/globals/wp-rocket.conf b/globals/wp-rocket.conf
@@ -30,18 +30,17 @@ location / {
     if ($http_cookie ~* "comment_author_") { return 418; }
     if ($http_cookie ~* "wp_postpass_") { return 418; }
 
-    # if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad)) { return 419; }
+    # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
     # add_header "Vary" "User-Agent";
 
     # uncomment the following if deemed fit
-    # if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad)) { return 419; }
+    # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
 
-    try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$wpsc_https.html" $uri $uri/ /index.php$is_args$args;
+    try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
 
     #--> all the following would apply, only if the request hits the cache
 
-    add_header "X-Cache" "HIT - Desktop";
-    add_header "X-CF-Powered-By" "WP Rocket";
+    add_header "X-Cache" "HIT - WP Rocket";
     add_header "Vary" "Cookie";
     # include "globals/hsts.conf";
 
@@ -54,10 +53,9 @@ location / {
 
 location @mobileaccess {
     # try_files $uri $uri/ /index.php$is_args$args;
-    try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$wpsc_https.html" $uri $uri/ /index.php$is_args$args;
+    try_files "/wp-content/cache/wp-rocket/$host${uri}$is_args$args/index-mobile$https_suffix.html" $uri $uri/ /index.php$is_args$args;
 
-    add_header "X-Cache" "HIT - Mobile";
-    add_header "X-CF-Powered-By" "WP Rocket";
+    add_header "X-Cache" "HIT - Mobile - WP Rocket";
     add_header "Vary" "User-Agent, Cookie";
     # include "globals/hsts.conf";
 
diff --git a/globals/wp-super-cache.conf b/globals/wp-super-cache.conf
@@ -30,12 +30,12 @@ location / {
     if ($http_cookie ~* "comment_author_") { return 418; }
     if ($http_cookie ~* "wp_postpass_") { return 418; }
 
-    # if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad)) { return 419; }
+    # if ($http_user_agent ~* "2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|iPad") { return 419; }
 
     # uncomment the following if deemed fit
-    # if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad)) { return 419; }
+    # if ($http_user_agent ~* "w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-|ipad") { return 419; }
 
-    try_files "/wp-content/cache/supercache/$host${uri}index$wpsc_https.html" $uri $uri/ /index.php$is_args$args;
+    try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix.html" $uri $uri/ /index.php$is_args$args;
 
     #--> all the following would apply, only if the request hits the cache
 
@@ -52,7 +52,7 @@ location / {
 
 location @mobileaccess {
     # try_files $uri $uri/ /index.php$is_args$args;
-    try_files "/wp-content/cache/supercache/$host${uri}index$wpsc_https-mobile.html" $uri $uri/ /index.php$is_args$args;
+    try_files "/wp-content/cache/supercache/$host${uri}index$https_suffix-mobile.html" $uri $uri/ /index.php$is_args$args;
 
     add_header "X-Cache" "HIT - Mobile - WP Super Cache";
     # include "globals/hsts.conf";
diff --git a/scripts/update-cloudflare-ip-list.sh b/scripts/update-cloudflare-ip-list.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# script to set Cloudflare IPs (ipv4 and ipv6)
+
+# empty the list
+echo -n > /etc/nginx/globals/cloudflare-ip-list.conf;
+
+# fetch and update ipv4
+for i in `curl -s https://www.cloudflare.com/ips-v4`; do
+    echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
+done
+
+# fetch and update ipv6
+for i in `curl -s https://www.cloudflare.com/ips-v6`; do
+    echo "set_real_ip_from $i;" >> /etc/nginx/globals/cloudflare-ip-list.conf;
+done
diff --git a/sites-available/dev.example.com.conf b/sites-available/dev.example.com.conf
@@ -1,7 +1,11 @@
 server {
     listen 80;
+    listen [::]:80; # IPv6 support
     listen 443 ssl http2;
+    listen [::]:443 ssl http2; # IPv6 support
+
     server_name dev.example.com;
+
     index index.php;
 
     # Replace the path with the actual path to WordPress core files
@@ -33,15 +37,21 @@ server {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
 
+        # Mitigate https://httpoxy.org/ vulnerabilities
+        fastcgi_param HTTP_PROXY "";
+
         include                     fastcgi.conf;
         fastcgi_index               index.php;
         fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
         fastcgi_intercept_errors    on;
         fastcgi_pass                fpm-dev;
+
+        add_header "X-Cache" "MISS";
     }
 
     # The rewrite magic
     location / { try_files $uri $uri/ /index.php$is_args$args; }
-    # include "globals/wpsc.conf";
-    # include "globals/wprocket.conf";
+    # include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+    # include "globals/wp-rocket.conf";  # WP Rocket Cache plugin support
+    # include "globals/wp-fastest-cache.conf";  # WP Rocket Cache plugin support
 }
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
@@ -6,12 +6,14 @@
 # you are a fan of micro-optimization, please use the following to redirect www.example.com => example.com (301)
 # server {
     # listen 80;
+    # listen [::]:80; # IPv6 support
     # server_name www.example.com;
     # return 301 $scheme://example.com$request_uri;
 # }
 
 server {
     listen 80;
+    listen [::]:80; # IPv6 support
     server_name example.com;
 
     server_name www.example.com; # hide this line, if you enable the server-level 301 redirect above
@@ -49,11 +51,14 @@ server {
         fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
         fastcgi_index               index.php;
         fastcgi_pass                fpm;
+
+        add_header "X-Cache" "MISS";
     }
 
     ### Enaable only one of the following lines
-    include "globals/wpsc.conf";        # WP Super Cache plugin support
-    # include "globals/wprocket.conf";  # WP Rocket Cache plugin support
+    include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+    # include "globals/wp-rocket.conf";  # WP Rocket Cache plugin support
+    # include "globals/wp-fastest-cache.conf";  # WP Rocket Cache plugin support
     # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
 
 }
diff --git a/sites-available/ssl-example.com.conf b/sites-available/ssl-example.com.conf
@@ -1,6 +1,7 @@
 # http => https
 server {
     listen 80;
+    listen [::]:80; # IPv6 support
     server_name example.com www.example.com;
     return 301 https://$host$request_uri;
 }
@@ -9,6 +10,7 @@ server {
 # use it only if you are a fan of micro-optimization
 # server {
     # listen 443 ssl http2;
+    # listen [::]:443 ssl http2; # IPv6 support
     # server_name www.example.com;
     # ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
     # ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
@@ -17,6 +19,7 @@ server {
 
 server {
     listen 443 ssl http2;
+    listen [::]:443 ssl http2; # IPv6 support
     server_name example.com;
 
     # hide the following line, if you enable the server-level 301 redirect above
@@ -58,7 +61,8 @@ server {
     }
 
     ### Enaable only one of the following lines
-    include "globals/wpsc.conf";        # WP Super Cache plugin support
-    # include "globals/wprocket.conf";  # WP Rocket Cache plugin support
+    include "globals/wp-super-cache.conf"; # WP Super Cache plugin support
+    # include "globals/wp-rocket.conf";  # WP Rocket Cache plugin support
+    # include "globals/wp-fastest-cache.conf";  # WP Rocket Cache plugin support
     # location / { try_files $uri $uri/ /index.php$is_args$args; } # the plain-old method - suits Batcache
 }
diff --git a/sites-available/wpfc.example.com.conf b/sites-available/wpfc.example.com.conf
diff --git a/sites-available/wpsc.example.com.conf b/sites-available/wpsc.example.com.conf
