✨ Features: - Complete LEMP stack automation - WordPress with WP-CLI - Redis Object Cache (50% performance boost) - Multi-OS support - SSL/Let's Encrypt integration - Security hardening - Enterprise features - Docker testing environment - GitHub Actions CI/CD - Comprehensive documentation 🧪 Fully tested and production-ready Copyright (c) 2025 Sebastian Palencsár
85 lines
2.2 KiB
Django/Jinja
85 lines
2.2 KiB
Django/Jinja
server {
|
|
listen 80;
|
|
server_name {{ domain_name }};
|
|
root /var/www/html;
|
|
index index.php index.html index.htm;
|
|
|
|
# Sicherheits-Headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
|
|
|
# Gzip-Kompression
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_min_length 1024;
|
|
gzip_proxied expired no-cache no-store private auth;
|
|
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml+rss application/json;
|
|
|
|
# WordPress-spezifische Regeln
|
|
location / {
|
|
try_files $uri $uri/ /index.php?$args;
|
|
}
|
|
|
|
# PHP-Dateien verarbeiten
|
|
location ~ \.php$ {
|
|
include snippets/fastcgi-php.conf;
|
|
fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
}
|
|
|
|
# WordPress-Admin-Bereich optimieren
|
|
location ~ ^/wp-admin/(.*)$ {
|
|
try_files $uri $uri/ /wp-admin/index.php?$args;
|
|
}
|
|
|
|
# Statische Dateien cachen
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
# WordPress-Uploads-Verzeichnis
|
|
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public";
|
|
}
|
|
|
|
# Sensible Dateien blockieren
|
|
location ~* /(?:uploads|files)/.*\.php$ {
|
|
deny all;
|
|
}
|
|
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
location ~ ~$ {
|
|
access_log off;
|
|
log_not_found off;
|
|
deny all;
|
|
}
|
|
|
|
# wp-config.php schützen
|
|
location ~ wp-config.php {
|
|
deny all;
|
|
}
|
|
|
|
# xmlrpc.php begrenzen (gegen Brute-Force)
|
|
location = /xmlrpc.php {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
# Logs
|
|
access_log /var/log/nginx/wordpress_access.log;
|
|
error_log /var/log/nginx/wordpress_error.log;
|
|
}
|