Nginx
Dmitry, 2020-07-14 22:18:30

Gentlemen, can you help with NGINX configs?

Gentlemen, good day!
Please don't drink too much. In my free time, I study Linux, HTML, CSS, and of course I apply my knowledge by creating several simple sites, using pure HTML+CSS and CMS.
Sites are hosted on VPS, managed by ISP manager, but I really want to move to a "clean" hosting without any control panels.
So, the question is:
I'm trying to make a more or less universal config suitable for HTML sites and for sites running CMS (WordPress + DLE). I conceived the following implementation - to make a basic config, and, if necessary, connect configs for some CMS to it, for example.
I did, but got strange glitches. They are expressed as follows:
1. There is no access to phpMyAdmin, the page is being updated, there are no errors in the logs. I suspect that PHP does not work.
2. Scripts do not work in the CMS WP control panel.
3. I feel that in the WP config I got such a hit that PPC.
Once again, please don't drink too much. I had more or less business with .htaccess, but in this configuration (Linux, Nginx, php-fpm) I set up the server for the first time.

nginx config:

user                 www-data;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    charset              utf-8;
    sendfile             on;
    tcp_nopush           on;
    tcp_nodelay          on;
    server_tokens        off;
    types_hash_max_size  2048;
    client_max_body_size 32M;

    # MIME
    include              mime.types;
    default_type         application/octet-stream;

    # Logging
    access_log           /var/log/nginx/access.log;
    error_log            /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam          /etc/ssl/private/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP Stapling
    ssl_stapling         on;
    ssl_stapling_verify  on;
    resolver             1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout     2s;

    # Load configs
    include              /etc/nginx/conf.d/*.conf;
    include              /etc/nginx/sites-enabled/*;
}


Website config in HTML, phpMyAdmin will be connected to it:
# Default server. Any request to IP will be redirected to this host
server {
    listen 80;
    server_name 256.256.256.256;
    return 302 $scheme://domain.name$request_uri;
}
server {
    listen 443;
    server_name 256.256.256.256;
    return 302 $scheme://domain.name$request_uri;

    ssl_certificate         /etc/letsencrypt/live/domain.name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;
}

# HTTP redirect
server {
    listen                  80;
    listen                  [::]:80;
    server_name             domain.name *.domain.name;
    include                 templates/letsencrypt.conf;

    location / {
        return 301 https://domain.name$request_uri;
    }
}

server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             domain.name;
    set                     $base /var/www/domain.name;
    root                    $base/;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/domain.name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;

    # security --- uncomment this only AFTER receive ssl cert
    include                 templates/security.conf;

    # logging
    access_log              /var/log/nginx/domain.name.access.log;
    error_log               /var/log/nginx/domain.name.error.log warn;

    # CMS settings
#    include                 templates/wordpress.conf;

    # phpMyAdmin
#    include                 templates/phpmyadmin.conf;

    # index
    index                   index.php index.html index.htm;

    # redirect index.php(html) -> /
    if ($request_uri ~ "^(.*)index\.(?:php|html)") {
        return 301 $1;
    }

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include                 templates/general.conf;

    # handle .php
    location ~ \.php$ {
        include             templates/php_fastcgi.conf;
    }
}

# subdomains redirect
server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             *.domain.name;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/domain.name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;
    return                  301 https://domain.name$request_uri;
}


WordPress site config:
# CONFIG BEFORE SSL INSTALLATION:
server {
    listen                  80;
    listen                  [::]:80;
    server_name             domain.name *.domain.name;
    include                 templates/letsencrypt.conf;

    set                     $base /var/www/domain.name;
    root                    $base/;
}


# CONFIG AFTER SSL INSTALLATION:
# HTTP redirect
server {
    listen                  80;
    listen                  [::]:80;
    server_name             domain.name *.domain.name;
    include                 templates/letsencrypt.conf;

    location / {
        return 301 https://domain.name$request_uri;
    }
}

server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             domain.name;
    set                     $base /var/www/domain.name;
    root                    $base/;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/domain.name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;

    # security --- uncomment this only AFTER receive ssl cert
    include                 templates/security.conf;

    # logging
    access_log              /var/log/nginx/domain.name.access.log;
    error_log               /var/log/nginx/domain.name.error.log warn;

    # CMS settings
    include                 templates/wordpress.conf;

    # phpMyAdmin
#    include                 templates/phpmyadmin.conf;

    # index
    index                   index.php index.html index.htm;

    # redirect index.php(html) -> /
    if ($request_uri ~ "^(.*)index\.(?:php|html)") {
        return 301 $1;
    }

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include                 templates/general.conf;

    # handle .php
    location ~ \.php$ {
        include             templates/php_fastcgi.conf;
    }
}

# subdomains redirect
server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             *.domain.name;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/domain.name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;
    return                  301 https://domain.name$request_uri;
}
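
An added example, not part of the original post: it models the server-level `if ($request_uri ~ "^(.*)index\.(?:php|html)") { return 301 $1; }` rule from both configs above and shows which request URIs it catches and where it sends them. The sample URIs and the narrower `STRICT_RULE` pattern are assumptions made for illustration; the included `templates/*.conf` files are not shown on the page and are not modelled.

```python
import re

# Pattern copied from the posted server blocks:
#   if ($request_uri ~ "^(.*)index\.(?:php|html)") { return 301 $1; }
PAGE_RULE = re.compile(r"^(.*)index\.(?:php|html)")

# Hypothetical narrower variant (assumption, not from the page): only a path
# that ends in /index.php or /index.html and carries no query string.
STRICT_RULE = re.compile(r"^([^?]*/)index\.(?:php|html)$")


def redirect_target(request_uri, rule=PAGE_RULE):
    """Return the Location the rule would send (nginx $1), or None if no match.

    nginx tests the regex against the raw $request_uri (path plus query
    string); the posted pattern has no end anchor, like re.match here.
    """
    m = rule.match(request_uri)
    return m.group(1) if m else None


# Constructed sample request URIs (not taken from any log on the page).
SAMPLES = [
    "/index.html",
    "/about/",
    "/wp-admin/index.php",
    "/phpmyadmin/index.php?route=/sql&db=site",
    "/blog/reindex.php",
    "/page?ref=index.html",
]


def compare(samples=SAMPLES):
    """Map each URI to (target under the posted rule, target under the strict rule)."""
    return {u: (redirect_target(u), redirect_target(u, STRICT_RULE)) for u in samples}


if __name__ == "__main__":
    for uri, (posted, strict) in compare().items():
        print(f"{uri:45} posted -> {posted!s:15} strict -> {strict}")
```

Because `return 301 $1` sends only the captured prefix, the query string is dropped on every match, and the rule is evaluated at server level before any `location` block is selected.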
