Additional Nginx tweaks

VirtuBox
2019-08-16 22:57:26 +02:00
parent 5b654b64b3
commit aa1a830c5b
5 changed files with 589 additions and 562 deletions


@@ -1,334 +1,342 @@
# Changelog # Changelog
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
## Releases ## Releases
### v3.9.x - [Unreleased] ### v3.9.x - [Unreleased]
### v3.9.8 - 2019-08-16 #### Changed
#### Added - Extra Nginx directives moved from nginx.conf to conf.d/tweaks.conf
- Allow web browser caching for json and webmanifest files #### Fixed
- nginx-core.mustache template used to render nginx.conf during stack setup
- APT Packages configuration step with `wo stack upgrade` to apply new configurations - MySQLTuner installation
- Cloudflare restore real_ip configuration
- WP-Rocket plugin support with the flag `--wprocket` ### v3.9.8 - 2019-08-16
- Cache-Enabler plugin support with the flag `--wpce`
- Install unattended-upgrade and enable automated security updates #### Added
- Enable time synchronization with ntp
- Additional cache exception for woocommerce - Allow web browser caching for json and webmanifest files
- nginx-core.mustache template used to render nginx.conf during stack setup
#### Changed - APT Packages configuration step with `wo stack upgrade` to apply new configurations
- Cloudflare restore real_ip configuration
- Do not force Nginx upgrade if a custom Nginx package compiled with nginx-ee is detected - WP-Rocket plugin support with the flag `--wprocket`
- Gzip enabled again by default with configuration in /etc/nginx/conf.d/gzip.conf - Cache-Enabler plugin support with the flag `--wpce`
- Brotli configuration moved in /etc/nginx/conf.d/brotli.conf.disabled (disabled by default) - Install unattended-upgrade and enable automated security updates
- Moving package configuration in a new plugin stack_pref.py - Enable time synchronization with ntp
- Cleanup templates by removing all doublons (with/without php7) and replacing them with variables - Additional cache exception for woocommerce
- Updated Nginx to v1.16.1 in response to HTTP/2 vulnerabilites discovered
- Disable temporary adding swap feature (not working) #### Changed
- `wo stack upgrade --nginx` is now able to apply new configurations during `wo update`, it highly reduce upgrade duration
- Do not force Nginx upgrade if a custom Nginx package compiled with nginx-ee is detected
#### Fixed - Gzip enabled again by default with configuration in /etc/nginx/conf.d/gzip.conf
- Brotli configuration moved in /etc/nginx/conf.d/brotli.conf.disabled (disabled by default)
- Error in HSTS header syntax - Moving package configuration in a new plugin stack_pref.py
- Cleanup templates by removing all doublons (with/without php7) and replacing them with variables
### v3.9.7.2 - 2019-08-12 - Updated Nginx to v1.16.1 in response to HTTP/2 vulnerabilites discovered
- Disable temporary adding swap feature (not working)
#### Fixed - `wo stack upgrade --nginx` is now able to apply new configurations during `wo update`, it highly reduce upgrade duration
- redis.conf permissions additional fix #### Fixed
### v3.9.7.1 - 2019-08-09 - Error in HSTS header syntax
#### Changed ### v3.9.7.2 - 2019-08-12
- Set WordOps backend password length from 16 to 24 #### Fixed
- Upgrade framework cement to 2.6.0
- Upgrade PyMySQL to 0.9.3 - redis.conf permissions additional fix
- Upgrade Psutil to 5.6.3
### v3.9.7.1 - 2019-08-09
#### Fixed
#### Changed
- Missing import in `wo sync`
- redis.conf incorrect permissions - Set WordOps backend password length from 16 to 24
- Upgrade framework cement to 2.6.0
### v3.9.7 - 2019-08-02 - Upgrade PyMySQL to 0.9.3
- Upgrade Psutil to 5.6.3
#### Added
#### Fixed
- MySQL configuration tuning
- Cronjob to optimize MySQL databases weekly - Missing import in `wo sync`
- WO-kernel systemd service to automatically apply kernel tweaks on server startup - redis.conf incorrect permissions
- Proftpd stack now secured with TLS
- New Nginx package built with Brotli from operating system libraries ### v3.9.7 - 2019-08-02
- Brotli configuration with only well compressible MIME types
- WordPress site url automatically updated to `https://domain.tld` when using `-le/--letsencrypt` flag #### Added
- More informations during certificate issuance about validation mode selected
- `--php72` as alternative for `--php` - MySQL configuration tuning
- Automated removal of the deprecated variable `ssl on;` in previous Nginx ssl.conf - Cronjob to optimize MySQL databases weekly
- Project Contributing guidelines - WO-kernel systemd service to automatically apply kernel tweaks on server startup
- Project Code of conduct - Proftpd stack now secured with TLS
- New Nginx package built with Brotli from operating system libraries
#### Changed - Brotli configuration with only well compressible MIME types
- WordPress site url automatically updated to `https://domain.tld` when using `-le/--letsencrypt` flag
- `wo maintenance` refactored - More informations during certificate issuance about validation mode selected
- Improved debug log - `--php72` as alternative for `--php`
- Updated Nginx configuration process to not overwrite files with custom data (htpasswd-wo, acl.conf etc..) - Automated removal of the deprecated variable `ssl on;` in previous Nginx ssl.conf
- Adminer updated to v4.7.2 - Project Contributing guidelines
- eXtplorer updated to v2.1.13 - Project Code of conduct
- Removed WordOps version from the Nginx header X-Powered-By to avoid possible security issues
- Several code quality improvements to speed up WordOps execution #### Changed
- Few adjustements on PHP-FPM configuration (max_input_time,opcache.consistency_checks)
- Added /dev/urandom & /dev/shm to open_basedir in PHP-FPM configuration - `wo maintenance` refactored
- Improved debug log
#### Fixed - Updated Nginx configuration process to not overwrite files with custom data (htpasswd-wo, acl.conf etc..)
- Adminer updated to v4.7.2
- Kernel tweaks were not applied without server reboot - eXtplorer updated to v2.1.13
- Fail2ban standalone install - Removed WordOps version from the Nginx header X-Powered-By to avoid possible security issues
- `wo stack purge --all` error due to PHP7.3 check - Several code quality improvements to speed up WordOps execution
- Nginx helper configuration during plugin install for Nginx fastcgi_cache and redis-cache - Few adjustements on PHP-FPM configuration (max_input_time,opcache.consistency_checks)
- phpRedisAdmin stack installation - Added /dev/urandom & /dev/shm to open_basedir in PHP-FPM configuration
- Fixed Travis CI build on pull requests
- Nginx `server_names_hash_bucket_size` variable error after WordOps upgrade #### Fixed
### v3.9.6.2 - 2019-07-24 - Kernel tweaks were not applied without server reboot
- Fail2ban standalone install
#### Changed - `wo stack purge --all` error due to PHP7.3 check
- Nginx helper configuration during plugin install for Nginx fastcgi_cache and redis-cache
- Improve `wo update` process duration - phpRedisAdmin stack installation
- Improve package install/upgrade/remove process - Fixed Travis CI build on pull requests
- Nginx `server_names_hash_bucket_size` variable error after WordOps upgrade
#### Fixed
### v3.9.6.2 - 2019-07-24
- phpMyAdmin archive download link archive
- Arguments `--letsencrypt=clean/purge` #### Changed
- Incorrect directory removal during stack upgrade
- Improve `wo update` process duration
### v3.9.6.1 - 2019-07-23 - Improve package install/upgrade/remove process
#### Fixed #### Fixed
- Typo in `--letsencrypt=subdomain` - phpMyAdmin archive download link archive
- phpMyAdmin upgrade archive extraction - Arguments `--letsencrypt=clean/purge`
- Error in the command `wo update`. Please `wo update --beta` as workaround - Incorrect directory removal during stack upgrade
### v3.9.6 - 2019-07-20 ### v3.9.6.1 - 2019-07-23
#### Added #### Fixed
- New Nginx package on Ubuntu with Cloudflare HTTP/2 HPACK and Dynamic TLS records - Typo in `--letsencrypt=subdomain`
- phpMyAdmin upgrade with `wo stack upgrade --phpmyadmin` - phpMyAdmin upgrade archive extraction
- Wildcard SSL Certificates support with DNS validation - Error in the command `wo update`. Please `wo update --beta` as workaround
- Let's Encrypt DNS API support (Cloudflare, DigitalOcean, etc ..) on domain, subdomain, and wildcard
- Flag `--letsencrypt=clean` to purge a previous SSL configuration ### v3.9.6 - 2019-07-20
- Support for Debian 10 buster (testing - not ready for production)
- Fail2ban with custom jails to secure WordPress & SSH #### Added
- Variable `keylength` in /etc/wo/wo.conf to define letsencrypt certificate keylenght
- ProFTPd stack with UFW & Fail2ban configurationz - New Nginx package on Ubuntu with Cloudflare HTTP/2 HPACK and Dynamic TLS records
- Beta branch and command `wo update --beta` for beta releases - phpMyAdmin upgrade with `wo stack upgrade --phpmyadmin`
- Extra directives in wp-config.php (limit posts revisions, set max_memory, enable auto-update for minor-releases) - Wildcard SSL Certificates support with DNS validation
- Let's Encrypt DNS API support (Cloudflare, DigitalOcean, etc ..) on domain, subdomain, and wildcard
#### Fixed - Flag `--letsencrypt=clean` to purge a previous SSL configuration
- Support for Debian 10 buster (testing - not ready for production)
- Nginx was not reloaded after enabling HSTS - Fail2ban with custom jails to secure WordPress & SSH
- Netdata, Composer & Fail2Ban stack remove and purge - Variable `keylength` in /etc/wo/wo.conf to define letsencrypt certificate keylenght
- WordPress not installed by `wo site update` with basic php73 sites - ProFTPd stack with UFW & Fail2ban configurationz
- Beta branch and command `wo update --beta` for beta releases
### v3.9.5.4 - 2019-07-13 - Extra directives in wp-config.php (limit posts revisions, set max_memory, enable auto-update for minor-releases)
#### Added #### Fixed
- New Nginx package on Ubuntu with TLS v1.3 support (OpenSSL 1.1.1c) - Nginx was not reloaded after enabling HSTS
- Netdata upgrade with `wo stack upgrade --netdata` - Netdata, Composer & Fail2Ban stack remove and purge
- Netdata stack remove/purge - WordPress not installed by `wo site update` with basic php73 sites
#### Changed ### v3.9.5.4 - 2019-07-13
- phpRedisAdmin is now installed with the stack `--admin` #### Added
- Remove memcached - not required anymore
- New Nginx package on Ubuntu with TLS v1.3 support (OpenSSL 1.1.1c)
#### Fixed - Netdata upgrade with `wo stack upgrade --netdata`
- Netdata stack remove/purge
- phpRedisAdmin installation
- Duplicated locations /robots.txt after upgrade to v3.9.5.3 #### Changed
- Let's Encrypt stack `wo site update --letsencrypt/--letsencrypt=off`
- pt-query-advisor dead link - phpRedisAdmin is now installed with the stack `--admin`
- Netdata persistant configuration - Remove memcached - not required anymore
### v3.9.5.3 - 2019-06-18 #### Fixed
#### Added - phpRedisAdmin installation
- Duplicated locations /robots.txt after upgrade to v3.9.5.3
- Argument `--preserve` with the command `wo update` to keep current Nginx configuration - Let's Encrypt stack `wo site update --letsencrypt/--letsencrypt=off`
- pt-query-advisor dead link
#### Fixed - Netdata persistant configuration
- Nginx upgrade failure when running wo update ### v3.9.5.3 - 2019-06-18
### v3.9.5.2 - 2019-06-17 #### Added
#### Added - Argument `--preserve` with the command `wo update` to keep current Nginx configuration
- Non-interactive install/upgrade #### Fixed
- Argument `--force` with the command `wo update`
- Argument `-s|--silent` to perform non interactive installation - Nginx upgrade failure when running wo update
#### Changed ### v3.9.5.2 - 2019-06-17
- robots.txt location block moved from locations-wo.conf to wpcommon(-php7).php #### Added
#### Fixed - Non-interactive install/upgrade
- Argument `--force` with the command `wo update`
- WP_CACHE_KEY_SALT set twice with wpredis - Argument `-s|--silent` to perform non interactive installation
- WordOps version check when using `wo update`
- robots.txt file download if not created #### Changed
- PHP-FPM socket path in stub_status.conf : PR [#82](https://github.com/WordOps/WordOps/pull/82)
- robots.txt location block moved from locations-wo.conf to wpcommon(-php7).php
### v3.9.5.1 - 2019-05-10
#### Fixed
#### Fixed
- WP_CACHE_KEY_SALT set twice with wpredis
- Adminer download link - WordOps version check when using `wo update`
- robots.txt file download if not created
### v3.9.5 - 2019-05-02 - PHP-FPM socket path in stub_status.conf : PR [#82](https://github.com/WordOps/WordOps/pull/82)
#### Added ### v3.9.5.1 - 2019-05-10
- IPv6 support with HTTPS #### Fixed
- Brotli support in Nginx
- Let's Encrypt support with --proxy - Adminer download link
- Install script handle migration from EEv3
- load-balancing on unix socket for php-fpm ### v3.9.5 - 2019-05-02
- stub_status vhost for metrics
- `--letsencrypt=subdomain` option #### Added
- opcache optimization for php-fpm
- EasyEngine configuration backup before migration - IPv6 support with HTTPS
- EasyEngine configuration cleanup after migration - Brotli support in Nginx
- WordOps configuration backup before upgrade - Let's Encrypt support with --proxy
- Previous acme.sh certs migration - Install script handle migration from EEv3
- "wo maintenance" command to perform server package update & cleanup - load-balancing on unix socket for php-fpm
- Support for Netdata on backend : https://server.hostname:22222/netdata/ - stub_status vhost for metrics
- New Stacks : composer and netdata - `--letsencrypt=subdomain` option
- additional argument for letsencrypt : --hsts - opcache optimization for php-fpm
- Clean Theme for adminer - EasyEngine configuration backup before migration
- Credits for tools shipped with WordOps - EasyEngine configuration cleanup after migration
- Cache exception for Easy Digital Download - WordOps configuration backup before upgrade
- Additional cache exceptions for Woocommerce - Previous acme.sh certs migration
- MySQL monitoring with Netdata - "wo maintenance" command to perform server package update & cleanup
- WordOps-dashboard on 22222, can be installed with `wo stack install` - Support for Netdata on backend : https://server.hostname:22222/netdata/
- Extplorer filemanager in WordOps backend - New Stacks : composer and netdata
- Enable OSCP Stapling with Let's Encrypt - additional argument for letsencrypt : --hsts
- Compress database backup with pigz (faster than gzip) before updating sites - Clean Theme for adminer
- Support for Ubuntu 19.04 (disco) - few php extensions missing - Credits for tools shipped with WordOps
- Support for Raspbian 9 (stretch) - tested on Raspberry Pi 3b+ - Cache exception for Easy Digital Download
- backup letsencrypt certificate before upgrade - Additional cache exceptions for Woocommerce
- directives emergency_restart_threshold & emergency_restart_interval to restart php-fpm in case of failure - MySQL monitoring with Netdata
- EasyEngine cronjob removal during install - WordOps-dashboard on 22222, can be installed with `wo stack install`
- Kernel tweaks via systctl.conf - Extplorer filemanager in WordOps backend
- open_basedir on php-fpm process to forbid access with php outside of /var/www & /run/nginx-cache - Enable OSCP Stapling with Let's Encrypt
- Compress database backup with pigz (faster than gzip) before updating sites
#### Changed - Support for Ubuntu 19.04 (disco) - few php extensions missing
- Support for Raspbian 9 (stretch) - tested on Raspberry Pi 3b+
- letsencrypt stack refactored with acme.sh - backup letsencrypt certificate before upgrade
- letsencrypt validation with webroot folder - directives emergency_restart_threshold & emergency_restart_interval to restart php-fpm in case of failure
- hardened nginx ssl_ecdh_curve - EasyEngine cronjob removal during install
- Update phpredisadmin - Kernel tweaks via systctl.conf
- Increase MySQL root password size to 24 characters - open_basedir on php-fpm process to forbid access with php outside of /var/www & /run/nginx-cache
- Increase MySQL users password size to 24 characters
- Nginx locations template is the same for php7.2 & 7.3 #### Changed
- backend SSL configuration now stored in /var/www/22222/conf/nginx/ssl.conf
- Install Netdata with static pre-built binaries instead of having to compile it from source - letsencrypt stack refactored with acme.sh
- Nginx updated to new stable release (1.16.0) - letsencrypt validation with webroot folder
- New packages (phpmyadmin, adminer, composer) are not download in /tmp anymore - hardened nginx ssl_ecdh_curve
- Update phpredisadmin
#### Fixed - Increase MySQL root password size to 24 characters
- Increase MySQL users password size to 24 characters
- PHP 7.3 extras when php 7.2 isn't installed - Nginx locations template is the same for php7.2 & 7.3
- acme.sh installation - backend SSL configuration now stored in /var/www/22222/conf/nginx/ssl.conf
- acme.sh alias with config home variable - Install Netdata with static pre-built binaries instead of having to compile it from source
- deb.sury.org repository gpg key - Nginx updated to new stable release (1.16.0)
- Nginx upgrade from previous WordOps release - New packages (phpmyadmin, adminer, composer) are not download in /tmp anymore
- Force new Nginx templates during update
- Error message about missing my.cnf file during upgrade #### Fixed
- PHP 7.2 & PHP 7.3 pool configuration during upgrade
- WordOps backup directory creation before upgrade - PHP 7.3 extras when php 7.2 isn't installed
- EasyEngine database sync during migration - acme.sh installation
- fix command "wo info" - acme.sh alias with config home variable
- phpmyadmin install with composer - deb.sury.org repository gpg key
- command "wo clean --memcached" - Nginx upgrade from previous WordOps release
- phpredisadmin setup - Force new Nginx templates during update
- --hsts flag with basic html site - Error message about missing my.cnf file during upgrade
- hsts flag on site not secure with letsencrypt - PHP 7.2 & PHP 7.3 pool configuration during upgrade
- fix import of previous acme.sh certificate - WordOps backup directory creation before upgrade
- fix proxy webroot folder creation - EasyEngine database sync during migration
- fix command "wo info"
### v3.9.4 - 2019-03-15 - phpmyadmin install with composer
- command "wo clean --memcached"
#### Added - phpredisadmin setup
- --hsts flag with basic html site
- Nginx module nginx_vts - hsts flag on site not secure with letsencrypt
- Migration script from nginx-ee to nginx-wo - fix import of previous acme.sh certificate
- Support for Debian 9 (testing) - fix proxy webroot folder creation
- New Nginx build v1.14.2
### v3.9.4 - 2019-03-15
#### Changed
#### Added
- Update WP-CLI version to 2.1.0
- Update Adminer to 4.6.2 - Nginx module nginx_vts
- Update predis to v1.1.1 - Migration script from nginx-ee to nginx-wo
- Refactored nginx.conf - Support for Debian 9 (testing)
- Removed HHVM Stack - New Nginx build v1.14.2
- Removed old linux distro checks
- Replace wo-acme-sh by acme.sh #### Changed
#### Fixed - Update WP-CLI version to 2.1.0
- Update Adminer to 4.6.2
- Outdated Nginx ssl_ciphers suite - Update predis to v1.1.1
- Debian 9 nginx build - Refactored nginx.conf
- Removed HHVM Stack
### v3.9.3 - 2019-03-07 - Removed old linux distro checks
- Replace wo-acme-sh by acme.sh
#### Changed
#### Fixed
- Updated Nginx fastcgi_cache templates
- Updated Nginx redis_cache templates - Outdated Nginx ssl_ciphers suite
- Updated Nginx wp-super-cache templates - Debian 9 nginx build
- Updated Nginx configuration for WordPress 5.0
- remove --experimental args ### v3.9.3 - 2019-03-07
- MariaDB version bumped to 10.3
- Refactored Changelog #### Changed
- Updated WO manual
- Updated WO bash_completion - Updated Nginx fastcgi_cache templates
- Refactored README.md - Updated Nginx redis_cache templates
- Updated Nginx wp-super-cache templates
#### Added - Updated Nginx configuration for WordPress 5.0
- remove --experimental args
- Add WebP image support with Nginx mapping - MariaDB version bumped to 10.3
- Add PHP 7.3 support - Refactored Changelog
- WordPress $skip_cache variable mapping - Updated WO manual
- Updated WO bash_completion
#### Fixed - Refactored README.md
- Nginx variable $webp_suffix on fresh install ([#21](https://github.com/WordOps/WordOps/issues/21)) #### Added
- wo update command ([#7](https://github.com/WordOps/WordOps/issues/7))
- Fix php services management ([#12](https://github.com/WordOps/WordOps/issues/12)) - Add WebP image support with Nginx mapping
- Fix WP-CLI install - Add PHP 7.3 support
- WordPress $skip_cache variable mapping
### v3.9.2 - 2018-11-30
#### Fixed
#### Changed
- Nginx variable $webp_suffix on fresh install ([#21](https://github.com/WordOps/WordOps/issues/21))
- Re-branded the fork to WordOps - wo update command ([#7](https://github.com/WordOps/WordOps/issues/7))
- Codebase cleanup - Fix php services management ([#12](https://github.com/WordOps/WordOps/issues/12))
- Set PHP 7.2 as the default - Fix WP-CLI install
- Included support for newer OS releases
- Reworked the HTTPS configuration ### v3.9.2 - 2018-11-30
- Added more automated testing with Redis
- Replaced Postfix with smtp-cli #### Changed
- Dropped mail services
- Re-branded the fork to WordOps
- Codebase cleanup
- Set PHP 7.2 as the default
- Included support for newer OS releases
- Reworked the HTTPS configuration
- Added more automated testing with Redis
- Replaced Postfix with smtp-cli
- Dropped mail services
- Dropped w3tc support - Dropped w3tc support
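Review bot: the "MySQLTuner installation" entry under `#### Fixed` in the new v3.9.x [Unreleased] block has no matching change in any of the five files of this commit (CHANGELOG, stack_pref.py, nginx-core.mustache, the new tweaks.mustache, upstream.mustache); either drop it here or note the commit it actually belongs to, otherwise the changelog claims a fix this revision does not ship. The other new entry, "Extra Nginx directives moved from nginx.conf to conf.d/tweaks.conf", only covers part of the change: the new conf.d/tweaks.conf also introduces settings that were never in nginx.conf (directio, http2 header limits, large_client_header_buffers, proxy buffers), and those deserve their own `#### Added` line so operators know their request-header and buffer limits changed on upgrade.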


@@ -179,6 +179,14 @@ def post_pref(self, apt_packages, packages):
(data), 'brotli.mustache', out=wo_nginx) (data), 'brotli.mustache', out=wo_nginx)
wo_nginx.close() wo_nginx.close()
Log.debug(self, 'Writting the nginx configuration to '
'file /etc/nginx/conf.d/tweaks.conf')
wo_nginx = open('/etc/nginx/conf.d/tweaks.conf',
encoding='utf-8', mode='w')
self.app.render(
(data), 'tweaks.mustache', out=wo_nginx)
wo_nginx.close()
# Fix for white screen death with NGINX PLUS # Fix for white screen death with NGINX PLUS
if not WOFileUtils.grep(self, '/etc/nginx/fastcgi_params', if not WOFileUtils.grep(self, '/etc/nginx/fastcgi_params',
'SCRIPT_FILENAME'): 'SCRIPT_FILENAME'):
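Review bot: the new block writes /etc/nginx/conf.d/tweaks.conf unconditionally, which can leave nginx with duplicate directives. The directives in tweaks.mustache (sendfile, sendfile_max_chunk, tcp_nopush, tcp_nodelay, keepalive_*, lingering_*, open_file_cache*) are exactly the ones removed from the http block of nginx-core.mustache in this same commit, and conf.d/*.conf is included from that http block; on a server whose nginx.conf is kept rather than re-rendered (the changelog documents `wo update --preserve` for precisely that), each of them is now defined twice and `nginx -t` rejects the configuration. Either render tweaks.conf only on the same path that re-renders nginx.conf, or have the caller run a config test before the reload so a bad write never takes the site down. Minor: "Writting" in the `Log.debug` message should be "Writing", and the file could use a `with open(...)` block like a context manager instead of an explicit `close()`.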


@@ -1,143 +1,124 @@
user www-data; user www-data;
worker_processes auto; worker_processes auto;
worker_cpu_affinity auto; worker_cpu_affinity auto;
worker_rlimit_nofile 100000; worker_rlimit_nofile 100000;
pid /run/nginx.pid; pid /run/nginx.pid;
pcre_jit on; pcre_jit on;
events { events {
multi_accept on; multi_accept on;
worker_connections 50000; worker_connections 50000;
accept_mutex on; accept_mutex on;
use epoll; use epoll;
} }
http { http {
##
# WordOps Settings ##
## # WordOps Settings
##
sendfile on;
sendfile_max_chunk 512k; # Nginx AIO : See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
# http://nginx.org/en/docs/http/ngx_http_core_module.html#aio
tcp_nopush on; aio threads;
tcp_nodelay on;
server_tokens off;
keepalive_timeout 8; reset_timedout_connection on;
keepalive_requests 500; more_set_headers "X-Powered-By : WordOps";
keepalive_disable msie6;
# Limit Request
lingering_time 20s; limit_req_status 403;
lingering_timeout 5s; limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# Nginx AIO : See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ # Proxy Settings
# http://nginx.org/en/docs/http/ngx_http_core_module.html#aio # set_real_ip_from proxy-server-ip;
aio threads; # real_ip_header X-Forwarded-For;
server_tokens off; fastcgi_read_timeout 300;
reset_timedout_connection on; client_max_body_size 100m;
more_set_headers "X-Powered-By : WordOps";
# ngx_vts_module
open_file_cache max=50000 inactive=60s; vhost_traffic_status_zone;
open_file_cache_errors off;
open_file_cache_min_uses 2; # tls dynamic records patch directive
open_file_cache_valid 120s; ssl_dyn_rec_enable on;
open_log_file_cache max=10000 inactive=30s min_uses=2;
##
# Limit Request # SSL Settings
limit_req_status 403; ##
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
ssl_session_timeout 1d;
# Proxy Settings ssl_session_cache shared:SSL:50m;
# set_real_ip_from proxy-server-ip; ssl_session_tickets off;
# real_ip_header X-Forwarded-For; ssl_prefer_server_ciphers on;
{{#tls13}}ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
fastcgi_read_timeout 300; ssl_protocols TLSv1.2 TLSv1.3;{{/tls13}}
client_max_body_size 100m; ssl_ecdh_curve X25519:P-521:P-384:P-256;
# Previous TLS v1.2 configuration
# ngx_vts_module {{^tls13}}ssl_protocols TLSv1.2;
vhost_traffic_status_zone; ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;{{/tls13}}
# tls dynamic records patch directive # Common security headers
ssl_dyn_rec_enable on; more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
## more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
# SSL Settings more_set_headers "X-Download-Options : noopen";
##
# oscp settings
ssl_session_timeout 1d; resolver 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1 valid=300s;
ssl_session_cache shared:SSL:50m; resolver_timeout 10;
ssl_session_tickets off; ssl_stapling on;
ssl_prefer_server_ciphers on;
{{#tls13}}ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20'; ##
ssl_protocols TLSv1.2 TLSv1.3;{{/tls13}} # Basic Settings
ssl_ecdh_curve X25519:P-521:P-384:P-256; ##
# Previous TLS v1.2 configuration # server_names_hash_bucket_size 64;
{{^tls13}}ssl_protocols TLSv1.2; # server_name_in_redirect off;
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;{{/tls13}}
include /etc/nginx/mime.types;
# Common security headers default_type application/octet-stream;
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block"; ##
more_set_headers "X-Content-Type-Options : nosniff"; # Logging Settings
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; ##
more_set_headers "X-Download-Options : noopen";
access_log off;
# oscp settings error_log /var/log/nginx/error.log;
resolver 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1 valid=300s;
resolver_timeout 10; # Log format Settings
ssl_stapling on; log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
## '"$http_referer" "$http_user_agent" "$server_protocol"';
# Basic Settings
## ##
# server_names_hash_bucket_size 64; # Virtual Host Configs
# server_name_in_redirect off; ##
include /etc/nginx/mime.types; include /etc/nginx/conf.d/*.conf;
default_type application/octet-stream; include /etc/nginx/sites-enabled/*;
}
##
# Logging Settings
## #mail {
# # See sample authentication script at:
access_log off; # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
error_log /var/log/nginx/error.log; #
# # auth_http localhost/auth.php;
# Log format Settings # # pop3_capabilities "TOP" "USER";
log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' # # imap_capabilities "IMAP4rev1" "UIDPLUS";
'$http_host "$request" $status $body_bytes_sent ' #
'"$http_referer" "$http_user_agent" "$server_protocol"'; # server {
# listen localhost:110;
## # protocol pop3;
# Virtual Host Configs # proxy on;
## # }
#
include /etc/nginx/conf.d/*.conf; # server {
include /etc/nginx/sites-enabled/*; # listen localhost:143;
} # protocol imap;
# proxy on;
# }
#mail { #}
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
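Review bot: since the http block is being reworked here, the OCSP section it keeps is worth tightening at the same time: `ssl_stapling on` is set with no `ssl_stapling_verify on` and no `ssl_trusted_certificate`, so nginx staples whatever the OCSP responder reached through the hard-coded public resolvers returns without validating the response. Adding `ssl_stapling_verify on;` together with a `ssl_trusted_certificate` pointing at the issuer chain (acme.sh already writes a fullchain) closes that gap, and the comment above it reads "# oscp settings" where "ocsp" is meant. The consolidation itself looks right: the old template set `server_tokens off;` twice and the new one once, and `include /etc/nginx/conf.d/*.conf;` stays inside http so the moved directives land in the same context they came from.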


@@ -0,0 +1,30 @@
# NGINX Tweaks - WO v3.9.8
directio 4m;
directio_alignment 512;
http2_max_field_size 16k;
http2_max_header_size 32k;
large_client_header_buffers 8 64k;
postpone_output 1460;
proxy_buffers 8 32k;
proxy_buffer_size 64k;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 8;
keepalive_requests 500;
keepalive_disable msie6;
lingering_time 20s;
lingering_timeout 5s;
open_file_cache max=50000 inactive=60s;
open_file_cache_errors off;
open_file_cache_min_uses 2;
open_file_cache_valid 120s;
open_log_file_cache max=10000 inactive=30s min_uses=2;
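Review bot: this file is presented as directives moved out of nginx.conf, but only the lines from `sendfile on;` downward existed in the old template; `directio 4m`, `directio_alignment 512`, `http2_max_field_size 16k`, `http2_max_header_size 32k`, `large_client_header_buffers 8 64k`, `postpone_output 1460`, `proxy_buffers 8 32k` and `proxy_buffer_size 64k` are new behaviour and should each carry a short comment saying why the value was chosen, as the rest of the WordOps templates do. Two of them interact with what is already here: `directio 4m` makes nginx stop using sendfile for any file of 4 MB or more, so `sendfile on;` two lines below no longer applies to large downloads, which is fine if intended but should be stated; and `large_client_header_buffers 8 64k` raises the per-connection header memory from the nginx default of 4 buffers of 8k to 8 of 64k for any unauthenticated client, so a note on the workload that needs it would help a reviewer accept the increase. Also note that `http2_max_field_size` and `http2_max_header_size` are valid for the Nginx 1.16.1 this release targets but are made obsolete in later nginx versions (1.19.7 onward) in favour of `large_client_header_buffers`, so the template will need a version guard when the package is bumped. The header stamp `WO v3.9.8` also disagrees with the changelog, which files this under v3.9.x [Unreleased].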


@@ -1,86 +1,86 @@
# NGINX UPSTREAM CONFIGURATION - WO v3.9.7 # NGINX UPSTREAM CONFIGURATION - WO v3.9.8
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
#------------------------------- #-------------------------------
# PHP 5.6 # PHP 5.6
#------------------------------- #-------------------------------
upstream php { upstream php {
server 127.0.0.1:{{php}}; server 127.0.0.1:{{php}};
} }
upstream debug { upstream debug {
server 127.0.0.1:{{debug}}; server 127.0.0.1:{{debug}};
} }
#------------------------------- #-------------------------------
# PHP 7.0 # PHP 7.0
#------------------------------- #-------------------------------
upstream php7 { upstream php7 {
server 127.0.0.1:{{php7}}; server 127.0.0.1:{{php7}};
} }
upstream debug7 { upstream debug7 {
# Debug Pool # Debug Pool
server 127.0.0.1:{{debug7}}; server 127.0.0.1:{{debug7}};
} }
#------------------------------- #-------------------------------
# PHP 7.2 # PHP 7.2
#------------------------------- #-------------------------------
# PHP 7.2 upstream with load-balancing on two unix sockets # PHP 7.2 upstream with load-balancing on two unix sockets
upstream php72 { upstream php72 {
least_conn; least_conn;
server unix:/var/run/php/php72-fpm.sock; server unix:/var/run/php/php72-fpm.sock;
server unix:/var/run/php/php72-two-fpm.sock; server unix:/var/run/php/php72-two-fpm.sock;
keepalive 5; keepalive 5;
} }
# PHP 7.2 debug # PHP 7.2 debug
upstream debug72 { upstream debug72 {
# Debug Pool # Debug Pool
server 127.0.0.1:9172; server 127.0.0.1:9172;
} }
#------------------------------- #-------------------------------
# PHP 7.3 # PHP 7.3
#------------------------------- #-------------------------------
# PHP 7.3 upstream with load-balancing on two unix sockets # PHP 7.3 upstream with load-balancing on two unix sockets
upstream php73 { upstream php73 {
least_conn; least_conn;
server unix:/var/run/php/php73-fpm.sock; server unix:/var/run/php/php73-fpm.sock;
server unix:/var/run/php/php73-two-fpm.sock; server unix:/var/run/php/php73-two-fpm.sock;
keepalive 5; keepalive 5;
} }
# PHP 7.3 debug # PHP 7.3 debug
upstream debug73 { upstream debug73 {
# Debug Pool # Debug Pool
server 127.0.0.1:9173; server 127.0.0.1:9173;
} }
#------------------------------- #-------------------------------
# Netdata # Netdata
#------------------------------- #-------------------------------
# Netdata Monitoring Upstream # Netdata Monitoring Upstream
upstream netdata { upstream netdata {
server 127.0.0.1:19999; server 127.0.0.1:19999;
keepalive 64; keepalive 64;
} }
#------------------------------- #-------------------------------
# Redis # Redis
#------------------------------- #-------------------------------
# Redis cache upstream # Redis cache upstream
upstream redis { upstream redis {
server 127.0.0.1:6379; server 127.0.0.1:6379;
keepalive 10; keepalive 10;
} }
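Review bot: the only change in this hunk is the version stamp in the first comment line (v3.9.7 to v3.9.8) while nothing in the upstream definitions changed and the changelog files this commit under v3.9.x [Unreleased]; either keep the stamp tied to the actual release or drop the version from the header comment so an unchanged template does not produce a diff on every release. While touching that line, "AFTER AN WordOps (wo) UPDATE" should read "AFTER A WordOps (wo) UPDATE".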