Cloudpanel Vhost Datei

A Records domain.com auf Root Server IP stellen: TTL 15min vorübergehend
AAAA Record löschen – in 95%+ der Fälle nicht gebraucht
CNAME www.domain.com auf domain.com TTL 15min vorübergehend
30min warten
In Cloudpanel SSL Zertifikat für domain.com und www.domain.com einrichten
Dann Vhost anpassen

Bash

# --- Port 80: ACME-Challenge zulassen, Rest auf HTTPS umleiten ---
server {
    listen 80;
    listen [::]:80;
    server_name styleguide.gwsite.ch www.styleguide.gwsite.ch;
    
    {{root}}
    {{nginx_access_log}}
    {{nginx_error_log}}
    
    # ACME-Challenge ohne Redirect (für Let's Encrypt)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
        auth_basic off;
        allow all;
        access_log off;
    }
    
    # Alles andere auf HTTPS umleiten
    location / {
        return 301 https://$host$request_uri;
    }
}

# --- Port 443: HTTPS Frontend ---
server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    
    http2 on;
    http3 on;
    
    {{ssl_certificate_key}}
    {{ssl_certificate}}
    
    server_name styleguide.gwsite.ch www.styleguide.gwsite.ch;
    {{root}}
    {{nginx_access_log}}
    {{nginx_error_log}}
    
    # Security Headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    # ACME auch auf 443
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
        auth_basic off;
        allow all;
        access_log off;
    }
    
    {{settings}}
    
    # Git-Verzeichnisse blockieren
    location ~/\.git {
        deny all;
    }
    
    # XML-RPC blockieren
    location = /xmlrpc.php {
        deny all;
    }
    
    # WordPress Admin-Bereich
    location ~/(wp-admin/|wp-login.php) {
        # Optional: Basic Auth
        #auth_basic "Restricted Area";
        #auth_basic_user_file /home/site-user/.htpasswd;
        
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 120;
        
        proxy_max_temp_file_size 0;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_redirect off;
    }
    
    # Statische Dateien direkt servieren
    location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf|map)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Access-Control-Allow-Origin "*";
        add_header alt-svc 'h3=":443"; ma=86400';
        access_log off;
        
        # Fallback zu PHP wenn Datei nicht existiert
        try_files $uri @php_backend;
    }
    
    # Alle anderen Anfragen zu PHP-Backend
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        
        proxy_connect_timeout 30;
        proxy_send_timeout 30;
        proxy_read_timeout 60;
        
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
    }
    
    # Named Location für statische Datei-Fallbacks
    location @php_backend {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- Port 8080: Interner PHP-Server ---
server {
    listen 8080;
    listen [::]:8080;
    server_name styleguide.gwsite.ch www.styleguide.gwsite.ch;
    
    {{root}}
    
    include /etc/nginx/global_settings;
    
    index index.php index.html;
    
    # Standard WordPress Permalinks
    try_files $uri $uri/ /index.php?$args;
    
    # PHP-Handler
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        
        try_files $uri =404;
        
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        
        # HTTPS-Parameter für WordPress
        fastcgi_param HTTPS "on";
        fastcgi_param SERVER_PORT 443;
        
        fastcgi_pass 127.0.0.1:{{php_fpm_port}};
        fastcgi_param PHP_VALUE "{{php_settings}}";
    }
}

Copy

# --- Port 80: ACME-Challenge zulassen, Rest auf HTTPS umleiten ---
server {
    listen 80;
    listen [::]:80;
    server_name styleguide.gwsite.ch www.styleguide.gwsite.ch;
    
    {{root}}
    {{nginx_access_log}}
    {{nginx_error_log}}
    
    # ACME-Challenge ohne Redirect (für Let's Encrypt)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
        auth_basic off;
        allow all;
        access_log off;
    }
    
    # Alles andere auf HTTPS umleiten
    location / {
        return 301 https://$host$request_uri;
    }
}

# --- Port 443: HTTPS Frontend ---
server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    
    http2 on;
    http3 on;
    
    {{ssl_certificate_key}}
    {{ssl_certificate}}
    
    server_name styleguide.gwsite.ch www.styleguide.gwsite.ch;
    {{root}}
    {{nginx_access_log}}
    {{nginx_error_log}}
    
    # Security Headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    # ACME auch auf 443
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
        auth_basic off;
        allow all;
        access_log off;
    }
    
    {{settings}}
    
    # Git-Verzeichnisse blockieren
    location ~/\.git {
        deny all;
    }
    
    # XML-RPC blockieren
    location = /xmlrpc.php {
        deny all;
    }
    
    # WordPress Admin-Bereich
    location ~/(wp-admin/|wp-login.php) {
        # Optional: Basic Auth
        #auth_basic "Restricted Area";
        #auth_basic_user_file /home/site-user/.htpasswd;
        
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 120;
        
        proxy_max_temp_file_size 0;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_redirect off;
    }
    
    # Statische Dateien direkt servieren
    location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf|map)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Access-Control-Allow-Origin "*";
        add_header alt-svc 'h3=":443"; ma=86400';
        access_log off;
        
        # Fallback zu PHP wenn Datei nicht existiert
        try_files $uri @php_backend;
    }
    
    # Alle anderen Anfragen zu PHP-Backend
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        
        proxy_connect_timeout 30;
        proxy_send_timeout 30;
        proxy_read_timeout 60;
        
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
    }
    
    # Named Location für statische Datei-Fallbacks
    location @php_backend {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- Port 8080: Interner PHP-Server ---
server {
    listen 8080;
    listen [::]:8080;
    server_name styleguide.gwsite.ch www.styleguide.gwsite.ch;
    
    {{root}}
    
    include /etc/nginx/global_settings;
    
    index index.php index.html;
    
    # Standard WordPress Permalinks
    try_files $uri $uri/ /index.php?$args;
    
    # PHP-Handler
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        
        try_files $uri =404;
        
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        
        # HTTPS-Parameter für WordPress
        fastcgi_param HTTPS "on";
        fastcgi_param SERVER_PORT 443;
        
        fastcgi_pass 127.0.0.1:{{php_fpm_port}};
        fastcgi_param PHP_VALUE "{{php_settings}}";
    }
}