aspazja.conf
Authored By
kuba-orlik
Jun 23 2024, 23:40
2024-06-23 23:40:29 (UTC+2)
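# Caching reverse proxy vhost for beta.aspazja.pl.
#
# Terminates TLS, answers ACME challenges statelessly, and proxies everything
# else to the upstream on 127.0.0.1:8080 through the `fasada` cache zone.
# Requests carrying a sealious-session cookie are diverted from `location /`
# to the uncached named location `@uncached`.
#
# add_header caveat: nginx inherits add_header lines from the enclosing level
# only when the current level declares none of its own. Every location below
# that sets any header therefore repeats the security headers explicitly;
# otherwise the server-level HSTS header is silently dropped there.
server {
    listen 80;
    listen 443 ssl;
    server_name www.beta.aspazja.pl beta.aspazja.pl;

    # NOTE(review): port 80 serves the same content in plaintext and nothing in
    # this block redirects it to HTTPS. Browsers honour HSTS only when it
    # arrives over HTTPS, so a first visit over http:// stays unprotected.
    # Consider redirecting plain HTTP, with the ACME challenge path exempted.

    # general vhost settings
    access_log /var/log/nginx/aspazja.pl.access.log combined;
    error_log /var/log/nginx/aspazja.pl.error.log error;
    ssl_certificate /etc/letsencrypt/live/beta.aspazja.pl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beta.aspazja.pl/privkey.pem;

    # TLS settings
    # NOTE(review): no ssl_protocols / ssl_ciphers are set in this block;
    # presumably they come from the http level. Confirm.

    # can't set headers in an if that is *not* in a location,
    # so we need to work around this
    #
    # This server-level header only reaches locations that declare no
    # add_header of their own (here: the ACME location).
    add_header Strict-Transport-Security "max-age=31536000";

    # TLS letsencrypt stateless acme config
    # no need for webroot and stuff
    #
    # this is described for acme.sh,
    # but should work with any LE client
    # https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
    #
    # The token is limited to [-_a-zA-Z0-9]+, so nothing but that character
    # set is ever echoed back in the response body.
    location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
        default_type text/plain;
        return 200 "$1.<ACME_THUMBPRINT>";
    }

    # basic proxy params
    include snippets/proxy_headers_general.conf;

    # proxy zone
    # NOTE(review): no proxy_cache_key is set in this block. nginx's default
    # key does not include the Host header, so confirm the key is set elsewhere
    # or that no other vhost shares both this zone and this upstream.
    proxy_cache fasada;

    # use stale cached resources in case upstream is not available for some reason
    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
    proxy_cache_background_update on;
    proxy_cache_revalidate on;
    proxy_cache_lock on;

    # reasonable default
    proxy_cache_valid 200 10s;

    # admin area *has to* be uncached
    #
    # Despite the earlier "blocking here" intent, nothing is blocked: these
    # paths are proxied, uncached, on the public hostname. Moving them to
    # admin.domain.tld is still an open TODO.
    location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
        add_header X-Proxy-Cache $upstream_cache_status;

        # repeated here because this location has its own add_header;
        # login and admin pages also get the framing restrictions used in `location /`
        add_header Strict-Transport-Security "max-age=31536000";
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Frame-Options SAMEORIGIN;

        proxy_cache off;
        proxy_pass http://127.0.0.1:8080;
    }

    # Static resources
    location ~* ^/dist/.* {
        # forced cache
        include snippets/proxy_headers_caching.conf;

        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;

        # settings for this location block
        add_header Cache-Control "public";
        # repeated here because this location has its own add_header
        add_header Strict-Transport-Security "max-age=31536000";
        proxy_cache_valid 200 301 302 303 307 308 30m;
        proxy_cache_valid 404 30s;
        expires 30m;

        # no need for access log for these
        access_log off;

        proxy_pass http://127.0.0.1:8080;
    }

    # robots.txt, favicons, apple icons, etc
    location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
        # forced cache
        include snippets/proxy_headers_caching.conf;

        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;

        # settings for this location block
        add_header Cache-Control "public";
        # repeated here because this location has its own add_header
        add_header Strict-Transport-Security "max-age=31536000";
        proxy_cache_valid 200 301 302 303 307 308 5h;
        proxy_cache_valid 404 30s;
        expires 5h;

        # no need for access log for these
        access_log off;

        proxy_pass http://127.0.0.1:8080;
    }

    # images and other static resources
    #
    # NOTE(review): this matches on the URI suffix only, so any upstream route
    # whose path ends in one of these extensions (.json, .txt and .pdf
    # included) is cached for 15m and marked "public", with or without a
    # session cookie; the cookie bypass exists only in `location /`. Confirm
    # that the upstream never returns per-user content on such paths, or that
    # snippets/proxy_headers_caching.conf strips the Cookie header before
    # proxying. Neither is visible from this file.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
        # forced cache
        include snippets/proxy_headers_caching.conf;

        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;

        # settings for this location block
        add_header Cache-Control "public";
        # repeated here because this location has its own add_header
        add_header Strict-Transport-Security "max-age=31536000";
        proxy_cache_valid 200 301 302 303 307 308 15m;
        proxy_cache_valid 404 30s;
        expires 15m;

        proxy_pass http://127.0.0.1:8080;
    }

    # reverse proxy to upstream, for *everything else*
    # shared cache holds these for 20s (see proxy_cache_valid below)
    location / {
        # if redirect_fbclid map is active, do 301 to the new url
        # NOTE(review): the map is defined outside this file; confirm it can
        # only ever yield same-site targets.
        if ( $redirect_fbclid ) {
            return 301 $redirect_fbclid;
        }

        # if a session cookie is present, no caching please
        #
        # this makes previews work and fixes the admin interface
        # (by allowing /wp-json/ requests to be uncached and have cookies on them)
        #
        # using an error page hack because nginx config is lacking in this area
        # ref:
        # - https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
        # - https://serverfault.com/a/811981
        # - https://wordpress.stackexchange.com/questions/218588/post-preview-mechanism-architecture
        #
        # The match is a case-insensitive substring test on the whole Cookie
        # header, so it errs towards bypassing the cache.
        error_page 418 = @uncached;
        if ( $http_cookie ~* ".*sealious-session.+" ) {
            return 418;
        }

        # forced cache
        # NOTE(review): if this snippet makes nginx ignore upstream Set-Cookie
        # or Cache-Control, a response that issues a session cookie to an
        # anonymous visitor could be stored and replayed to others. Confirm
        # against the snippet.
        include snippets/proxy_headers_caching.conf;

        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;

        # settings for this location block
        # browsers are told not to store; the shared proxy cache still keeps entries for 20s
        add_header Cache-Control "no-store";
        proxy_cache_valid 200 301 302 303 307 308 20s;
        proxy_cache_valid 404 20s;

        # some basic security headers
        # HSTS repeated here because this location has its own add_header
        add_header Strict-Transport-Security "max-age=31536000";
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Frame-Options SAMEORIGIN;

        proxy_pass http://127.0.0.1:8080;
    }

    # explicitly uncached
    #
    # Serves the same URLs as `location /` for requests with a session cookie,
    # so it carries the same security headers; without them logged-in users
    # would get neither HSTS nor the framing restrictions.
    location @uncached {
        add_header X-Proxy-Cache-Status $upstream_cache_status;
        add_header Strict-Transport-Security "max-age=31536000";
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Frame-Options SAMEORIGIN;

        proxy_cache off;
        proxy_pass http://127.0.0.1:8080;
    }
}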
Event Timeline
kuba-orlik
changed the visibility from "All Users" to "Public (No Login Required)".
Jun 23 2024, 23:44
2024-06-23 23:44:22 (UTC+2)