nginx.inc.conf
#
# Set HTTPS env var if the Heroku router used SSL or if we get a CloudFlare SSL
# header. Remove the second `if` block to stop trusting the CF request header.
#
# $https_forwarded starts as nginx's own $https value and is handed to PHP as
# the HTTPS fastcgi param in the PHP locations of this file.
# NOTE(review): X-Forwarded-Proto and CF-Visitor are both ordinary request
# headers. Nothing in this file checks that CF-Visitor arrived via a CloudFlare
# address, so a plain-HTTP request that reaches this server without passing
# through CloudFlare can still carry it and be reported to PHP as HTTPS. Keep
# the CF-Visitor check only if the origin is reachable solely via CloudFlare.
# The X-Forwarded-Proto check relies on the Heroku router setting that header
# itself - confirm.
set $https_forwarded "$https";
if ( $http_x_forwarded_proto = https ) {
set $https_forwarded on;
}
# Case-insensitive match on the JSON fragment carried in CF-Visitor.
if ( $http_cf_visitor ~* '"scheme":"https"' ) {
set $https_forwarded on;
}
#
# Parse out the real client IPs from LBs
#
# Recursively process the X-Forwarded-For header: addresses are read from the
# right, every one covered by a set_real_ip_from range below is skipped, and
# the first one not covered becomes the client address.
# NOTE(review): each range listed here is trusted to report the client IP
# honestly. Whatever consumes the resulting address (logs, allow/deny rules,
# rate limits, the application) inherits that trust.
real_ip_recursive on;
real_ip_header X-Forwarded-For;
# Allow for internal Heroku router - 10.x.x.x
# NOTE(review): this trusts the whole 10.0.0.0/8 private range, not only the
# router - confirm nothing else in that range can reach this server.
set_real_ip_from 10.0.0.0/8;
# Allow for external CloudFlare proxies - https://www.cloudflare.com/ips
# NOTE(review): this is a hard-coded snapshot of the published list. Compare it
# with the URL above regularly: a range that CloudFlare no longer uses but that
# is still listed here lets its current holder supply an arbitrary
# X-Forwarded-For value, and a missing range makes the proxy itself appear as
# the client.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
# CloudFlare IPv6 ranges, left disabled because Heroku does not support IPv6 yet
# set_real_ip_from 2400:cb00::/32;
# set_real_ip_from 2405:8100::/32;
# set_real_ip_from 2405:b500::/32;
# set_real_ip_from 2606:4700::/32;
# set_real_ip_from 2803:f800::/32;
# set_real_ip_from 2a06:98c0::/29;
# set_real_ip_from 2c0f:f248::/32;
#
# Pull in rewrite customizations
#
# The included file is read as part of this configuration, so it carries the
# same authority as the directives written here.
include /app/support/nginx.rewrites.conf;
#
# Set index files for dirs
#
# Tried in this order when a request resolves to a directory.
index index.php index.html index.htm;
#
# Set gzip settings
#
gzip on;
# Only compress for clients speaking HTTP/1.1 or later.
gzip_http_version 1.1;
# Emit "Vary: Accept-Encoding" so caches keep compressed and plain copies apart.
gzip_vary on;
gzip_comp_level 6;
# Responses shorter than 1500 bytes are sent uncompressed.
gzip_min_length 1500;
# Also compress responses to requests that arrived through a proxy.
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
# Matched against the User-Agent header: no gzip for MSIE 1-6 unless it reports SV1.
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
#
# Allow large file uploads
#
# Request bodies above 64 MB are rejected by nginx before they reach PHP.
client_max_body_size 64m;
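#
# Set defaults for all paths not matched more specifically
#
location = / {
    # Unless we have /index.html send '/' directly to WP.
    # try_files appends each name to the document root as written, so the
    # leading slash is required: without it the lookup is for
    # "<root>index.html" rather than "<root>/index.html" and the static
    # front page is never found.
    try_files /index.html @wordpress;
}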
# Fallback for every URI that no exact-match or regex location claims.
location / {
# Serve up real files or send to WP
# Order: a file named by the URI, then a directory of that name, then the
# @wordpress named location.
try_files $uri $uri/ @wordpress;
}
# We don't care if there's no favicon.ico
# Neither the missing-file error nor the request itself is logged.
location = /favicon.ico {
log_not_found off;
access_log off;
}
# Also don't care if there's no robots.txt
# Neither the missing-file error nor the request itself is logged.
location = /robots.txt {
log_not_found off;
access_log off;
}
# Access to an info file
# An exact-match location wins over regex locations, so this one path is
# exempt from the hidden-file deny rule that follows and is served to anyone
# who requests it, without an access-log entry.
# NOTE(review): confirm the file holds nothing sensitive (versions, paths, keys).
location = /.heroku-wp {
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
# The pattern matches any path segment that starts with a dot, at any depth,
# which also covers directories such as /.git/ and /.well-known/.
# Regex locations are tried in file order and this is the first one, so it
# takes effect before the cache and PHP locations.
location ~ /\. {
deny all;
}
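# Deny access to any URI under an uploads/files directory that contains ".php"
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
# The pattern is deliberately not anchored with `$`. The PHP location further
# down matches ".php" anywhere in the URI and splits off whatever follows as
# path info, so an end-anchored rule here would not cover every request that
# location can hand to PHP. This rule is listed before it and therefore wins.
# Side effect: static files in these directories whose name merely contains
# ".php" (for example "notes.php.txt") are denied as well.
location ~* /(?:uploads|files)/.*\.php {
    deny all;
}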
#
# Cache feeds for 1 hour
#
# Missing files are still reported in the error log; successful requests are
# not written to the access log.
location ~* \.(rss|atom)$ {
log_not_found on;
access_log off;
expires 1h;
}
#
# Cache CSS/JS files for 7 days
#
# Missing files are still reported in the error log; successful requests are
# not written to the access log.
location ~* \.(js|css)$ {
log_not_found on;
access_log off;
expires 7d;
}
#
# Cache media files for 28 days
#
# Missing files are still reported in the error log.
# NOTE(review): access_log is off for everything in this list, which includes
# archives, documents and .exe files, so downloads of those leave no
# access-log record. Confirm that is acceptable for incident review.
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
log_not_found on;
access_log off;
expires 28d;
}
# Handle URIs that have .php in it
# The pattern is case-sensitive and unanchored: ".php" may appear anywhere in
# the URI, not only at the end. Regex locations listed earlier in the file are
# tried first.
location ~ \.php {
# Be explicit don't cache PHP let scripts set cache headers if needed
expires -1;
# Parse file vs. path info parts
# Non-greedy split: the script name ends at the first ".php", the remainder
# becomes the path info.
fastcgi_split_path_info ^((?U).*\.php)(.*)$;
# Save our path info before trying the file http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
# Make sure file is real otherwise hand it off to WP
# Only a script name that exists as a file under the document root is passed
# to PHP from this location; anything else goes to @wordpress.
try_files $fastcgi_script_name @wordpress;
# Set ENV vars for PHP
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param PATH_INFO $path_info if_not_empty;
# NOTE(review): SERVER_PORT is copied from the X-Forwarded-Port request header;
# presumably the Heroku router sets it - confirm, and do not let the
# application treat it as authoritative otherwise.
fastcgi_param SERVER_PORT $http_x_forwarded_port;
# HTTPS is only sent when $https_forwarded is non-empty.
fastcgi_param HTTPS $https_forwarded if_not_empty;
# Execute PHP
# heroku-fcgi is not defined in this file.
fastcgi_pass heroku-fcgi;
}
# Frontend WP
# Named location reached only through the try_files fallbacks in this file.
# The script is fixed to /index.php and is not derived from the request URI.
location @wordpress {
# Set ENV vars for PHP
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
fastcgi_param SCRIPT_NAME /index.php;
# NOTE(review): SERVER_PORT is copied from the X-Forwarded-Port request header;
# presumably the Heroku router sets it - confirm.
fastcgi_param SERVER_PORT $http_x_forwarded_port;
# HTTPS is only sent when $https_forwarded is non-empty.
fastcgi_param HTTPS $https_forwarded if_not_empty;
# Execute PHP
# heroku-fcgi is not defined in this file.
fastcgi_pass heroku-fcgi;
}