server {
root /var/www/wp;
index index.php index.html index.htm index.nginx-debian.html;
server_name wp.example.com;
access_log /var/log/nginx/wp.access.log;
error_log /var/log/nginx/wp.error.log;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires 1d;
add_header Cache-Control "public, no-transform";
log_not_found off;
}
listen 443 http2 ssl; # managed by Certbot, let's encrypt
ssl_certificate /etc/letsencrypt/live/wp.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wp.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header X-Frame-Options SAMEORIGIN; # CORS header, same origin
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Last-Modified $date_gmt;
}
server {
listen 80;
server_name wp.example.com;
rewrite ^/(.*) https://wp.example.com/$1 permanent;
}