ansible-personal/roles/nginx/templates/vhost.conf.j2

{{ ansible_managed | comment }}

{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name    = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set enable_hsts    = item.enable_hsts | default(False) %}
{% set has_wordpress  = item.has_wordpress | default(False) %}
{% set needs_php      = item.needs_php | default(False) %}

# http -> https vhost
server {
    listen 80;
    listen [::]:80;
    server_name {{ domain_name }} {{ domain_aliases }};

    {% include 'well-known.j2' %}

    # redirect http -> https
    location / {
        # ? in rewrite makes sure nginx doesn't append query string again
        # see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
        rewrite ^ https://{{ domain_name }}$request_uri? permanent;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    {# Allow sites to override the nginx document root #}
    {% if item.document_root is defined %}
    root {{ item.document_root }};
    {% else %}
    root {{ nginx_root_prefix }}/{{ domain_name }};
    {% endif %}

    {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
    server_name {{ domain_name }} {{ domain_aliases }};

    index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %};

    access_log  /var/log/nginx/{{ domain_name }}-access.log;
    error_log   /var/log/nginx/{{ domain_name }}-error.log;

    {% include 'https.j2' %}

    {% if has_wordpress == True %}
        {% include 'wordpress.j2' %}
    {% endif %}

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    {% if has_wordpress == True or needs_php == True %}
    location ~ [^/]\.php(/|$) {
        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine.  And then cross your fingers that you won't get hacked.
        try_files $uri =404;

        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Protect against "HTTPoxy" vulnerability in PHP libraries
        # See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        # See: https://httpoxy.org/
        fastcgi_param HTTP_PROXY "";

        {# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}
        {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}
        fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
        {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
        fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
        {% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
        fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
        {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') %}
        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
        {% else %}
        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
        {% endif %}
        fastcgi_index index.php;
        # set script path relative to document root in server block
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;

        fastcgi_cache global;
        # Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
        add_header X-Fastcgi-Cache $upstream_cache_status;
        # Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
        fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
        fastcgi_no_cache $http_pragma $wordpress_logged_in;

        {% if enable_hsts == True %}
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
        {% endif %}

        include extra-security.conf;
    }
    {% endif %}

    include extra-security.conf;
}

{% if has_wordpress == True %}
# Check if a user is logged in
# if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
map $http_cookie $wordpress_logged_in {
    default 0;

    ~wordpress_logged_in 1;
}
{% endif %}
Adjust ansible_managed to use comment filter We don't need to comment the ansible_managed block manually. 2019-01-10 11:50:54 +01:00			`{{ ansible_managed \| comment }}`
roles/nginx: Add "ansible managed" string to configs Generates a placeholder text to say that the file is managed by ansible. 2016-06-27 16:50:49 +02:00
roles/nginx: Add comments about defaults in templates It would be bettwe to set these defaults in the role's defaults, but we can't because they exist in dicts for each of the host's sites. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 22:29:33 +01:00			`{# helper variables and per-site defaults that we can't set in role defaults #}`
Rename nginx_* variables underneath nginx_vhosts It's just deduplication, since it's already obvious that the dict is for nginx-related vars: - nginx_domain_name→domain_name - nginx_domain_aliases→domain_aliases - nginx_enable_https→enable_https - nginx_enable_hsts→enable_hsts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:25:44 +01:00			`{% set domain_name = item.domain_name %}`
			`{% set domain_aliases = item.domain_aliases \| default("") %}`
roles/nginx: Update comment for option variables 2016-09-13 13:51:49 +02:00			`{# assume optional features are off unless a vhost explicitly sets them #}`
roles/nginx: Use explicity booleans for tests instead of "yes" and "no" Better to be explict with booleans rather than being confused when you mix up yes and "yes" with Ansible/Python testing of conditionals. 2016-08-17 11:55:14 +02:00			`{% set enable_hsts = item.enable_hsts \| default(False) %}`
			`{% set has_wordpress = item.has_wordpress \| default(False) %}`
roles/nginx: Add new variable "needs_php" Used to indicate if a vhost needs PHP configuration or not, like for a static site. Set in the hosts's nginx_vhosts block. Defaults to "False" if unset. 2016-09-13 13:53:12 +02:00			`{% set needs_php = item.needs_php \| default(False) %}`
roles/nginx: Use template to configure nginx vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:03:34 +02:00
roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 20:32:37 +02:00			`# http -> https vhost`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`server {`
roles/nginx: Use template to configure nginx vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:03:34 +02:00			`listen 80;`
roles/nginx: Add initial IPv6 support to vhost template Still need to add ip6tables rules Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-05-21 22:31:41 +02:00			`listen [::]:80;`
roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 20:32:37 +02:00			`server_name {{ domain_name }} {{ domain_aliases }};`

roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 22:39:30 +01:00			`{% include 'well-known.j2' %}`

roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 20:32:37 +02:00			`# redirect http -> https`
			`location / {`
			`# ? in rewrite makes sure nginx doesn't append query string again`
			`# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite`
			`rewrite ^ https://{{ domain_name }}$request_uri? permanent;`
			`}`
			`}`

			`server {`
roles/nginx: Remove "enable_https" config logic Everything is HTTPS now, whether self-signed or otherwise, so it doesn't make sense to have a config switch for this. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:38:53 +01:00			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
roles/nginx: Allow sites to override the root 2020-12-28 21:53:32 +01:00			`{# Allow sites to override the nginx document root #}`
			`{% if item.document_root is defined %}`
			`root {{ item.document_root }};`
			`{% else %}`
roles/nginx: Use template to configure nginx vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:03:34 +02:00			`root {{ nginx_root_prefix }}/{{ domain_name }};`
roles/nginx: Allow sites to override the root 2020-12-28 21:53:32 +01:00			`{% endif %}`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
roles/nginx: Remove "enable_https" config logic Everything is HTTPS now, whether self-signed or otherwise, so it doesn't make sense to have a config switch for this. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:38:53 +01:00			`{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}`
			`server_name {{ domain_name }} {{ domain_aliases }};`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
roles/nginx: Only use index.php on hosts that need it Otherwise, use index.html. 2016-09-13 14:58:40 +02:00			`index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %};`
roles/nginx: Add index to vhost config Without this, all requests to directory URIs throw 403 errors due to directory listings not being allowed. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-28 11:27:24 +02:00
roles/nginx: Per-vhost logs Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:26:12 +02:00			`access_log /var/log/nginx/{{ domain_name }}-access.log;`
			`error_log /var/log/nginx/{{ domain_name }}-error.log;`

roles/nginx: Remove "enable_https" config logic Everything is HTTPS now, whether self-signed or otherwise, so it doesn't make sense to have a config switch for this. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:38:53 +01:00			`{% include 'https.j2' %}`
roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-06 20:32:37 +02:00
roles/nginx: Use explicity booleans for tests instead of "yes" and "no" Better to be explict with booleans rather than being confused when you mix up yes and "yes" with Ansible/Python testing of conditionals. 2016-08-17 11:55:14 +02:00			`{% if has_wordpress == True %}`
roles/nginx: Tweaks for vhosts with WordPress My WordPress blogs have a /wordpress subdirectory in the document root, but I don't serve from the /wordpress URI. Technically, all we need is the tweaks to the try_files: - `?args` passes query strings to php5-fpm - removing 404 from the vhost's try_files so we don't return 404 when the requested file doesn't exist (obviously not all request URI's in WordPress are actual files on the disk) Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-07 21:51:34 +02:00			`{% include 'wordpress.j2' %}`
			`{% endif %}`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
			`error_page 500 502 503 504 /50x.html;`
			`location = /50x.html {`
			`root /usr/share/nginx/html;`
			`}`

roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 14:59:24 +02:00			`{% if has_wordpress == True or needs_php == True %}`
roles/nginx: Update location regex for PHP scripts Just use the same one as the Nginx wiki and some other resources. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-26 14:40:38 +01:00			`location ~ [^/]\.php(/\|$) {`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`# Zero-day exploit defense.`
			`# http://forum.nginx.org/read.php?2,88845,page=3`
			`# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.`
			`# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.`
			`try_files $uri =404;`

			`#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini`
			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`

roles/nginx: Add mitigation for HTTPoxy vulnerability Malicious requests including the HTTP_PROXY value will be able to manipulate some server-side libraries. Better to just block them in nginx. See: https://httpoxy.org/ See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ 2016-07-21 13:45:41 +02:00			`# Protect against "HTTPoxy" vulnerability in PHP libraries`
			`# See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/`
			`# See: https://httpoxy.org/`
			`fastcgi_param HTTP_PROXY "";`

roles/nginx: Fix PHP-FPM socket location on Debian 9 Debian 9 and Ubuntu 16.04 use the same PHP-FPM configuration so we can make use of that here. 2017-06-18 10:04:30 +02:00			`{# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}`
Use version() instad of version_compare() This changed in Ansible 2.5 apparently. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html 2020-03-09 14:20:51 +01:00			`{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}`
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 17:19:30 +02:00			`fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;`
Use version() instad of version_compare() This changed in Ansible 2.5 apparently. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html 2020-03-09 14:20:51 +01:00			`{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}`
roles/nginx: Use correct php-fpm socket on Ubuntu 18.04 2018-03-20 21:42:39 +01:00			`fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;`
Use version() instad of version_compare() This changed in Ansible 2.5 apparently. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html 2020-03-09 14:20:51 +01:00			`{% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}`
roles/nginx: Fix php7.3-fpm socket location on Debian 10 2019-09-15 14:55:42 +02:00			`fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;`
Add PHP 7.4 FPM support 2020-07-13 22:25:32 +02:00			`{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') %}`
			`fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;`
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 17:19:30 +02:00			`{% else %}`
roles/nginx: Use template to configure nginx vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:03:34 +02:00			`fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;`
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 17:19:30 +02:00			`{% endif %}`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`fastcgi_index index.php;`
			`# set script path relative to document root in server block`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`include fastcgi_params;`
roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-10 21:04:28 +01:00
			`fastcgi_cache global;`
			`# Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc`
			`add_header X-Fastcgi-Cache $upstream_cache_status;`
			`# Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!`
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-03-11 11:51:48 +01:00			`fastcgi_cache_bypass $http_pragma $wordpress_logged_in;`
			`fastcgi_no_cache $http_pragma $wordpress_logged_in;`
roles/nginx: Add HTTP Strict Transport Security headers to PHP block nginx blocks inherit headers set in blocks above them UNLESS the current level also sets headers[0]. This was causing PHP requests to not have STS headers because of the FastCGI cache header which is set in that block. [0] http://nginx.org/en/docs/http/ngx_http_headers_module.html Fixes GitHub #7. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-03-19 07:25:28 +01:00
roles/nginx: Use explicity booleans for tests instead of "yes" and "no" Better to be explict with booleans rather than being confused when you mix up yes and "yes" with Ansible/Python testing of conditionals. 2016-08-17 11:55:14 +02:00			`{% if enable_hsts == True %}`
roles/nginx: Add HTTP Strict Transport Security headers to PHP block nginx blocks inherit headers set in blocks above them UNLESS the current level also sets headers[0]. This was causing PHP requests to not have STS headers because of the FastCGI cache header which is set in that block. [0] http://nginx.org/en/docs/http/ngx_http_headers_module.html Fixes GitHub #7. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-03-19 07:25:28 +01:00			`# Enable this if you want HSTS (recommended, but be careful)`
roles/nginx: Use stronger HSTS header Include subdomains in the HTTP Strict Transport Security header, and include the "preload" verb to inform Google we want to be pre- loaded into the HSTS preload. See: https://hstspreload.appspot.com/ Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-05-13 17:30:28 +02:00			`# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store`
			`# See: https://hstspreload.appspot.com/`
roles/nginx: Remove extra semi colon in HSTS preload header Google's preload check application pointed out that there was an extra semi colon in the HTTP header: $ hstspreload checkdomain alaninkenya.org Warning: 1. Syntax warning: Header includes an empty directive or extra semicolon. The tool can be downloaded here: https://github.com/chromium/hstspreload Signed-off-by: Alan Orth <alan.orth@gmail.com> 2016-03-31 12:34:05 +02:00			`add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;`
roles/nginx: Add HTTP Strict Transport Security headers to PHP block nginx blocks inherit headers set in blocks above them UNLESS the current level also sets headers[0]. This was causing PHP requests to not have STS headers because of the FastCGI cache header which is set in that block. [0] http://nginx.org/en/docs/http/ngx_http_headers_module.html Fixes GitHub #7. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-03-19 07:25:28 +01:00			`{% endif %}`
roles/nginx: Add extra-security headers to PHP block nginx inherits headers from higher-level blocks UNLESS we also set headers in the current block. In this case the FastCGI cache header was being set, so we weren't getting the extra-security ones. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-03-19 07:32:06 +01:00
			`include extra-security.conf;`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`}`
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 14:59:24 +02:00			`{% endif %}`
roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-01-24 11:05:42 +01:00
			`include extra-security.conf;`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`}`
roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-10 21:04:28 +01:00
roles/nginx: Only check WordPress variables is vhost is using WordPress This variable is used to control the FastCGI cache, and doesn't need to be checked if the vhost isn't using WordPress. 2016-09-12 19:57:10 +02:00			`{% if has_wordpress == True %}`
roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-10 21:04:28 +01:00			`# Check if a user is logged in`
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-03-11 11:51:48 +01:00			`# if so, set $wordpress_logged_in = 1`
			`# otherwise, set $wordpress_logged_in = 0`
roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-10 21:04:28 +01:00			`# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/`
			`# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies`
			`# See nginx bug: http://trac.nginx.org/nginx/ticket/707`
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-03-11 11:51:48 +01:00			`map $http_cookie $wordpress_logged_in {`
roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-10 21:04:28 +01:00			`default 0;`

			`~wordpress_logged_in 1;`
			`}`
roles/nginx: Only check WordPress variables is vhost is using WordPress This variable is used to control the FastCGI cache, and doesn't need to be checked if the vhost isn't using WordPress. 2016-09-12 19:57:10 +02:00			`{% endif %}`