Features: - PHP 8.4 support (from 8.3) - WordPress 7.0 (auto-update via WP-CLI) - Modern TLS 1.3 cipher suites (2026 best practices) - Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive) - Auto-update cron job for WordPress (weekly Minor updates) - Debian 14 Forky support (testing) - Ubuntu 25.04 support - Python 3.12 in GitHub Actions Security: - Fail2Ban with SSH brute force protection (24h ban) - WordPress wp-login.php protection (2h ban) - Nginx bot scanner protection - Recidive jail for repeat offenders (1 week ban) - Modern TLS ciphers (AEAD only) - HSTS 2 years for preload Documentation: - docs/autoupdate.md - WordPress auto-update guide - docs/fail2ban.md - Fail2Ban configuration guide - docs/troubleshooting.md - Updated with php_version variable Breaking changes: - PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
85 lines
2.2 KiB
Django/Jinja
Executable File
85 lines
2.2 KiB
Django/Jinja
Executable File
server {
|
|
listen 80;
|
|
server_name {{ domain_name }};
|
|
root /var/www/html;
|
|
index index.php index.html index.htm;
|
|
|
|
# Sicherheits-Headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
|
|
|
# Gzip-Kompression
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_min_length 1024;
|
|
gzip_proxied expired no-cache no-store private auth;
|
|
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml+rss application/json;
|
|
|
|
# WordPress-spezifische Regeln
|
|
location / {
|
|
try_files $uri $uri/ /index.php?$args;
|
|
}
|
|
|
|
# PHP-Dateien verarbeiten
|
|
location ~ \.php$ {
|
|
include snippets/fastcgi-php.conf;
|
|
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
}
|
|
|
|
# WordPress-Admin-Bereich optimieren
|
|
location ~ ^/wp-admin/(.*)$ {
|
|
try_files $uri $uri/ /wp-admin/index.php?$args;
|
|
}
|
|
|
|
# Statische Dateien cachen
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
# WordPress-Uploads-Verzeichnis
|
|
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public";
|
|
}
|
|
|
|
# Sensible Dateien blockieren
|
|
location ~* /(?:uploads|files)/.*\.php$ {
|
|
deny all;
|
|
}
|
|
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
location ~ ~$ {
|
|
access_log off;
|
|
log_not_found off;
|
|
deny all;
|
|
}
|
|
|
|
# wp-config.php schützen
|
|
location ~ wp-config.php {
|
|
deny all;
|
|
}
|
|
|
|
# xmlrpc.php begrenzen (gegen Brute-Force)
|
|
location = /xmlrpc.php {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
# Logs
|
|
access_log /var/log/nginx/wordpress_access.log;
|
|
error_log /var/log/nginx/wordpress_error.log;
|
|
}
|