ansible-personal/roles/nginx/templates/wordpress.j2


    # try for WordPress index.php in /
    # fall back to index.php + args (passed to php-fpm later)
    # also serves static files from the disk instead of passing to interpreter.
    location / {
        try_files $uri $uri/ /index.php?$args;

        {% if enable_hsts == true %}
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
        {% endif %}
    }

    location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
        add_header Cache-Control "max-age=604800";

        {% if enable_hsts == true %}
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
        {% endif %}
    }   

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
roles/nginx: Tweaks for vhosts with WordPress My WordPress blogs have a /wordpress subdirectory in the document root, but I don't serve from the /wordpress URI. Technically, all we need is the tweaks to the try_files: - `?args` passes query strings to php5-fpm - removing 404 from the vhost's try_files so we don't return 404 when the requested file doesn't exist (obviously not all request URI's in WordPress are actual files on the disk) Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-07 21:51:34 +02:00
			`# try for WordPress index.php in /`
Fix a few references to php5-fpm Unless we really mean php5-fpm, let's just say php-fpm. 2016-04-25 11:33:12 +02:00			`# fall back to index.php + args (passed to php-fpm later)`
roles/nginx: Minor typo in comment 2016-10-19 03:41:46 +02:00			`# also serves static files from the disk instead of passing to interpreter.`
roles/nginx: Tweaks for vhosts with WordPress My WordPress blogs have a /wordpress subdirectory in the document root, but I don't serve from the /wordpress URI. Technically, all we need is the tweaks to the try_files: - `?args` passes query strings to php5-fpm - removing 404 from the vhost's try_files so we don't return 404 when the requested file doesn't exist (obviously not all request URI's in WordPress are actual files on the disk) Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-07 21:51:34 +02:00			`location / {`
			`try_files $uri $uri/ /index.php?$args;`
roles/nginx: Make sure to set HSTS headers on WordPress static files I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block. 2016-11-20 16:22:47 +01:00
roles: strict truthy values According to Ansible we can use yes, true, True, "or any quoted st- ring" for a boolean true, but ansible-lint wants us to use either true or false. See: https://chronicler.tech/red-hat-ansible-yes-no-and/ 2022-09-10 21:33:19 +02:00			`{% if enable_hsts == true %}`
roles/nginx: Make sure to set HSTS headers on WordPress static files I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block. 2016-11-20 16:22:47 +01:00			`# Enable this if you want HSTS (recommended, but be careful)`
			`# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store`
			`# See: https://hstspreload.appspot.com/`
roles/nginx: Parameterize HSTS header This parameterizes the HTTP Strict Transport Security header so we can use it consistently across all templates. Also, it updates the max-age to be ~1 year in seconds, which is recommended by Google. See: https://hstspreload.org/ 2021-03-23 14:36:28 +01:00			`add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;`
roles/nginx: Make sure to set HSTS headers on WordPress static files I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block. 2016-11-20 16:22:47 +01:00			`{% endif %}`
roles/nginx: Tweaks for vhosts with WordPress My WordPress blogs have a /wordpress subdirectory in the document root, but I don't serve from the /wordpress URI. Technically, all we need is the tweaks to the try_files: - `?args` passes query strings to php5-fpm - removing 404 from the vhost's try_files so we don't return 404 when the requested file doesn't exist (obviously not all request URI's in WordPress are actual files on the disk) Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-07 21:51:34 +02:00			`}`

roles/nginx: Add cache control header for SVG images Signed-off-by: Alan Orth <alan.orth@gmail.com> 2016-03-12 18:17:40 +01:00			`location ~* \.(?:ico\|css\|js\|gif\|jpe?g\|png\|svg)$ {`
roles/nginx: Remove 'public' from Cache-Control header If a max-age is specified the 'public' is implicit. See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching 2016-11-14 06:58:46 +01:00			`add_header Cache-Control "max-age=604800";`
roles/nginx: Make sure to set HSTS headers on WordPress static files I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block. 2016-11-20 16:22:47 +01:00
roles: strict truthy values According to Ansible we can use yes, true, True, "or any quoted st- ring" for a boolean true, but ansible-lint wants us to use either true or false. See: https://chronicler.tech/red-hat-ansible-yes-no-and/ 2022-09-10 21:33:19 +02:00			`{% if enable_hsts == true %}`
roles/nginx: Make sure to set HSTS headers on WordPress static files I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block. 2016-11-20 16:22:47 +01:00			`# Enable this if you want HSTS (recommended, but be careful)`
			`# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store`
			`# See: https://hstspreload.appspot.com/`
roles/nginx: Parameterize HSTS header This parameterizes the HTTP Strict Transport Security header so we can use it consistently across all templates. Also, it updates the max-age to be ~1 year in seconds, which is recommended by Google. See: https://hstspreload.org/ 2021-03-23 14:36:28 +01:00			`add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;`
roles/nginx: Make sure to set HSTS headers on WordPress static files I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block. 2016-11-20 16:22:47 +01:00			`{% endif %}`
roles/nginx: Add expires to static files Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-10-10 10:05:42 +02:00			`}`

roles/nginx: Tweaks for vhosts with WordPress My WordPress blogs have a /wordpress subdirectory in the document root, but I don't serve from the /wordpress URI. Technically, all we need is the tweaks to the try_files: - `?args` passes query strings to php5-fpm - removing 404 from the vhost's try_files so we don't return 404 when the requested file doesn't exist (obviously not all request URI's in WordPress are actual files on the disk) Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-07 21:51:34 +02:00			`# Add trailing slash to */wp-admin requests.`
			`rewrite /wp-admin$ $scheme://$host$uri/ permanent;`

roles/nginx: Add protection for PHP scripts in uploads directory By the way, :? starts a non-capturing group (ie, don't save the back references). Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-26 15:05:50 +01:00			`# Deny access to any files with a .php extension in the uploads directory`
			`# Works in sub-directory installs and also in multisite network`
			`# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)`
			`location ~* /(?:uploads\|files)/.*\.php$ {`
			`deny all;`
			`}`