# {{ ansible_managed }} {# helper variables and per-site defaults that we can't set in role defaults #} {% set domain_name = item.domain_name %} {% set domain_aliases = item.domain_aliases | default("") %} {# assume optional features are off unless a vhost explicitly sets them #} {% set enable_hsts = item.enable_hsts | default(False) %} {% set has_wordpress = item.has_wordpress | default(False) %} {% set needs_php = item.needs_php | default(False) %} # http -> https vhost server { listen 80; listen [::]:80; server_name {{ domain_name }} {{ domain_aliases }}; # redirect http -> https location / { # ? in rewrite makes sure nginx doesn't append query string again # see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite rewrite ^ https://{{ domain_name }}$request_uri? permanent; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; root {{ nginx_root_prefix }}/{{ domain_name }}; {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #} server_name {{ domain_name }} {{ domain_aliases }}; index index.php index.html; access_log /var/log/nginx/{{ domain_name }}-access.log; error_log /var/log/nginx/{{ domain_name }}-error.log; {% include 'https.j2' %} {% if has_wordpress == True %} {% include 'wordpress.j2' %} {% endif %} error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } location ~ [^/]\.php(/|$) { # Zero-day exploit defense. # http://forum.nginx.org/read.php?2,88845,page=3 # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi. # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked. try_files $uri =404; #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini fastcgi_split_path_info ^(.+\.php)(/.+)$; # Protect against "HTTPoxy" vulnerability in PHP libraries # See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ # See: https://httpoxy.org/ fastcgi_param HTTP_PROXY ""; {% if ansible_distribution_version == '16.04' %} fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock; {% else %} fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock; {% endif %} fastcgi_index index.php; # set script path relative to document root in server block fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; fastcgi_cache global; # Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc add_header X-Fastcgi-Cache $upstream_cache_status; # Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in! fastcgi_cache_bypass $http_pragma $wordpress_logged_in; fastcgi_no_cache $http_pragma $wordpress_logged_in; {% if enable_hsts == True %} # Enable this if you want HSTS (recommended, but be careful) # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # See: https://hstspreload.appspot.com/ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; {% endif %} include extra-security.conf; } include extra-security.conf; } {% if has_wordpress == True %} # Check if a user is logged in # if so, set $wordpress_logged_in = 1 # otherwise, set $wordpress_logged_in = 0 # See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/ # See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies # See nginx bug: http://trac.nginx.org/nginx/ticket/707 map $http_cookie $wordpress_logged_in { default 0; ~wordpress_logged_in 1; } {% endif %}