Nginx
# --- Port 80: ACME-Challenge zulassen, Rest auf HTTPS umleiten ---
server {
    listen 80;
    listen [::]:80;
    server_name danz.gwsite.ch www.danz.gwsite.ch;

    {{root}}
    {{nginx_access_log}}
    {{nginx_error_log}}

    # Let's Encrypt HTTP-01 validation is answered over plain HTTP, so this
    # prefix is served from disk and exempted from the redirect below.
    # "^~" makes the prefix win over any regex location in this server.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        access_log off;
        allow all;
        auth_basic off;
        try_files $uri =404;
    }

    # Every other request: permanent redirect to the HTTPS vhost.
    # $host echoes the client's Host header; only the names listed in
    # server_name reach this block unless it is also the default server
    # for port 80 (not visible in this file).
    location / {
        return 301 https://$host$request_uri;
    }
}
# --- Port 443: HTTPS Frontend ---
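server {
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic;
    listen [::]:443 quic;
    http2 on;
    http3 on;

    {{ssl_certificate_key}}
    {{ssl_certificate}}
    server_name danz.gwsite.ch www.danz.gwsite.ch;

    {{root}}
    {{nginx_access_log}}
    {{nginx_error_log}}

    # NOTE: request bodies larger than nginx's 1 MB default are rejected here
    # with 413 before they reach the backend, so the client_max_body_size 256M
    # on the port-8080 server has no effect for proxied traffic. If uploads
    # fail and {{settings}} does not already set it, add client_max_body_size
    # here (a second occurrence in the same context is a duplicate-directive
    # error, which is why it is not added unconditionally).

    # --- Response headers set at server level ---
    # nginx does not inherit add_header into a location that defines its own
    # add_header; the static-file location below therefore repeats this set.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Kept as configured; the browser XSS auditor this controls has been
    # removed from current browsers, and OWASP now recommends "0".
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Advertise HTTP/3 on every response, not only on static files, so HTML
    # pages also tell browsers that QUIC is available.
    add_header alt-svc 'h3=":443"; ma=86400';
    # Port 80 already redirects everything to HTTPS; enable HSTS once
    # certificate renewal is known to be reliable (a broken certificate then
    # locks visitors out for max-age seconds):
    #add_header Strict-Transport-Security "max-age=31536000" always;

    # Deny dot-files and dot-directories (.git, .env, .htpasswd, ...) except
    # /.well-known/, which is handled separately. Regex locations are tried in
    # order and the first match wins, so this precedes the media/static
    # locations that would otherwise serve such paths via try_files.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    # BEGIN Converter for Media
    # Pick the variant from the client's Accept header; the suffix is empty
    # when the format is not accepted so try_files skips that candidate.
    # This block is managed by the plugin and left as-is; note that its own
    # add_header lines suppress the server-level headers for these responses.
    set $ext_avif ".avif";
    if ($http_accept !~* "image/avif") {
        set $ext_avif "";
    }
    set $ext_webp ".webp";
    if ($http_accept !~* "image/webp") {
        set $ext_webp "";
    }
    location ~* ^/wp-content/(?<path>.+)\.(?<ext>jpe?g|png|gif|webp)$ {
        add_header Vary Accept;
        add_header Cache-Control "private";
        expires 365d;
        try_files
            /wp-content/uploads-webpc/$path.$ext$ext_avif
            /wp-content/uploads-webpc/$path.$ext$ext_webp
            $uri =404;
    }
    # END Converter for Media

    # ACME challenge also on 443 (TLS-ALPN/renewal checks over HTTPS)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
        auth_basic off;
        allow all;
        access_log off;
    }

    {{settings}}

    # XML-RPC is disabled; re-enable only if a client (e.g. Jetpack or the
    # mobile app) actually needs it.
    location = /xmlrpc.php {
        deny all;
    }

    # WordPress admin area and login: proxied with longer timeouts.
    # Uncomment the auth_basic lines to put an extra password layer in front
    # of wp-login.php.
    location ~ /(wp-admin/|wp-login\.php) {
        #auth_basic "Restricted Area";
        #auth_basic_user_file /home/site-user/.htpasswd;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 120;
        proxy_max_temp_file_size 0;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_redirect off;
    }

    # Static files served directly from {{root}}
    location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf|map)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Access-Control-Allow-Origin "*";
        add_header alt-svc 'h3=":443"; ma=86400';
        # Repeated here because add_header in this location disables
        # inheritance of the server-level set; nosniff matters for .js/.css.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        access_log off;
        # Fall back to the PHP backend when the file does not exist on disk
        try_files $uri @php_backend;
    }

    # All other requests go to the PHP backend
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 30;
        proxy_send_timeout 30;
        proxy_read_timeout 60;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
    }

    # Named location used as the static-file fallback; forwards the same
    # client headers as the other proxy locations.
    location @php_backend {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}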
# --- Port 8080: Interner PHP-Server ---
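server {
    # Internal PHP server. Every proxy_pass on the 443 vhost targets
    # 127.0.0.1:8080, so this listener is bound to loopback only: the
    # unbound "listen 8080" exposed this plain-HTTP server on every
    # interface, bypassing TLS, the security headers and the deny rules of
    # the 443 vhost. If anything else (health checks, panel tooling) must
    # reach 8080 from outside, revisit this binding and the deny rules.
    listen 127.0.0.1:8080;
    listen [::1]:8080;
    server_name danz.gwsite.ch www.danz.gwsite.ch;

    {{root}}
    include /etc/nginx/global_settings;
    index index.php index.html;
    client_max_body_size 256M;

    # PHP currently sees 127.0.0.1 as REMOTE_ADDR, which defeats IP-based
    # logging and rate limiting inside WordPress. The 443 vhost sends the
    # client address in X-Real-IP; restoring it needs ngx_http_realip_module,
    # whose availability is not confirmed here, so it is left to the operator:
    #set_real_ip_from 127.0.0.1;
    #set_real_ip_from ::1;
    #real_ip_header X-Real-IP;

    # Standard WordPress permalinks
    try_files $uri $uri/ /index.php?$args;

    # Never execute PHP stored in the uploads tree. Regex locations are
    # matched in order, so this must precede the generic PHP handler.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # PHP handler
    location ~ \.php$ {
        include fastcgi_params;
        # Resolve the script on disk first: a missing file yields 404 here
        # instead of being handed to PHP-FPM.
        try_files $uri =404;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        # The backend hop is plain HTTP; tell WordPress the client used TLS
        fastcgi_param HTTPS "on";
        fastcgi_param SERVER_PORT 443;
        fastcgi_pass 127.0.0.1:{{php_fpm_port}};
        fastcgi_param PHP_VALUE "{{php_settings}}";
    }
}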