Files
ansible-lemp-wordpress/templates/wordpress.nginx.j2
Sebastian Palencsar dffd8e3b76 feat: v2.5.0 - Complete Technology & Security Update
Features:
- PHP 8.4 support (from 8.3)
- WordPress 7.0 (auto-update via WP-CLI)
- Modern TLS 1.3 cipher suites (2026 best practices)
- Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive)
- Auto-update cron job for WordPress (weekly Minor updates)
- Debian 14 Forky support (testing)
- Ubuntu 25.04 support
- Python 3.12 in GitHub Actions

Security:
- Fail2Ban with SSH brute force protection (24h ban)
- WordPress wp-login.php protection (2h ban)
- Nginx bot scanner protection
- Recidive jail for repeat offenders (1 week ban)
- Modern TLS ciphers (AEAD only)
- HSTS 2 years for preload

Documentation:
- docs/autoupdate.md - WordPress auto-update guide
- docs/fail2ban.md - Fail2Ban configuration guide
- docs/troubleshooting.md - Updated with php_version variable

Breaking changes:
- PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
2026-05-04 19:37:27 +02:00

85 lines
2.2 KiB
Django/Jinja
Executable File

server {
listen 80;
server_name {{ domain_name }};
root /var/www/html;
index index.php index.html index.htm;
# Sicherheits-Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# Gzip-Kompression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml+rss application/json;
# WordPress-spezifische Regeln
location / {
try_files $uri $uri/ /index.php?$args;
}
# PHP-Dateien verarbeiten
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# WordPress-Admin-Bereich optimieren
location ~ ^/wp-admin/(.*)$ {
try_files $uri $uri/ /wp-admin/index.php?$args;
}
# Statische Dateien cachen
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
# WordPress-Uploads-Verzeichnis
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
expires 1y;
add_header Cache-Control "public";
}
# Sensible Dateien blockieren
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ ~$ {
access_log off;
log_not_found off;
deny all;
}
# wp-config.php schützen
location ~ wp-config.php {
deny all;
}
# xmlrpc.php begrenzen (gegen Brute-Force)
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
}
# Logs
access_log /var/log/nginx/wordpress_access.log;
error_log /var/log/nginx/wordpress_error.log;
}