Alan Orth
d694616cf3
I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block.
37 lines
1.5 KiB
Django/Jinja
37 lines
1.5 KiB
Django/Jinja
|
|
# try for WordPress index.php in /
|
|
# fall back to index.php + args (passed to php-fpm later)
|
|
# also serves static files from the disk instead of passing to interpreter.
|
|
location / {
|
|
try_files $uri $uri/ /index.php?$args;
|
|
|
|
{% if enable_hsts == True %}
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
|
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
|
# See: https://hstspreload.appspot.com/
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
|
{% endif %}
|
|
}
|
|
|
|
location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
|
|
add_header Cache-Control "max-age=604800";
|
|
|
|
{% if enable_hsts == True %}
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
|
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
|
# See: https://hstspreload.appspot.com/
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
|
{% endif %}
|
|
}
|
|
|
|
# Add trailing slash to */wp-admin requests.
|
|
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
|
|
|
|
# Deny access to any files with a .php extension in the uploads directory
|
|
# Works in sub-directory installs and also in multisite network
|
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
|
location ~* /(?:uploads|files)/.*\.php$ {
|
|
deny all;
|
|
}
|
|
|