Link Search Menu Expand Document

Configure NGINX for a Single-Site Wordpress

server {
        root /var/www/wp;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name wp.example.com;

        access_log /var/log/nginx/wp.access.log;
        error_log /var/log/nginx/wp.error.log;

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        }

        location ~ /\.ht {
                deny all;
        }

        location = /favicon.ico {
                log_not_found off; access_log off;
        }
        location = /robots.txt {
                log_not_found off; access_log off; allow all;
        }

        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
                expires 1d;
                add_header Cache-Control "public, no-transform";
                log_not_found off;
        }

        listen 443 http2 ssl; # managed by Certbot, let's encrypt
        ssl_certificate /etc/letsencrypt/live/wp.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wp.example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        add_header X-Frame-Options SAMEORIGIN; # CORS header, same origin
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Last-Modified $date_gmt;

}

server {
        listen 80;
        server_name wp.example.com;
        rewrite ^/(.*) https://wp.example.com/$1 permanent;
}