Nginx reverse proxy and wordpress

Everything is working well, but I'm getting an issue with WordPress while I'm on the extensions page.

The problem is that the plugin icons are not displayed, and when I click on the icon of the plugin I want to install, it opens an empty window which keeps loading forever. But when I click on the "Install" button, the plugin installs without any issue.

You can look at this image to see what happens:

(image: Issue Wordpress)

Here is the config:

(image: Config)

Here is the web server config:

Front end Nginx



server {
listen 443 ssl;

# SSL
ssl on;
ssl_certificate /etc/ssl/nginx/nginx.crt;
ssl_certificate_key /etc/ssl/nginx/nginx.key;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

server_name domaine.tld;

# Proxy Pass to Varnish and Add headers to recognize SSL
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Secure on;
}
}


Backend Nginx



server {
listen 8000;

server_name domaine.tld;
root /var/www/domaine;
index index.php;

# Custom Error Page
error_page 404 403 /page_error/404.html;
# Log
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

location / {
try_files $uri $uri/ /index.php?$args;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}

# PHP-FPM
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param HTTPS on;
}
}


Varnish Default



DAEMON_OPTS="-a :80 
-T localhost:6082
-f /etc/varnish/default.vcl
-S /etc/varnish/secret
-s malloc,256m"


Varnish VCL 4.0



backend default {
.host = "127.0.0.1";
.port = "8000";
.connect_timeout = 600s;
.first_byte_timeout = 600s;
.between_bytes_timeout = 600s;
.max_connections = 800;
}

# Only allow purging from specific IPs
acl purge {
"localhost";
"127.0.0.1";
}

# This function is used when a request is sent by an HTTP client (browser)
sub vcl_recv {

# Redirect to https
if ( (req.http.host ~ "^(?i)www\.domaine\.tld" || req.http.host ~ "^(?i)domaine\.tld") && req.http.X-Forwarded-Proto !~ "(?i)https") {
return (synth(750, ""));
}

# Normalize the header, remove the port (in case you're testing this on various TCP ports)
set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");

# Allow purging from ACL
if (req.method == "PURGE") {
# If not allowed then a error 405 is returned
if (!client.ip ~ purge) {
return(synth(405, "This IP is not allowed to send PURGE requests."));
}
# If allowed, do a cache lookup -> vcl_hit() or vcl_miss() and purge the object
return (purge);
}

# Post requests will not be cached
if (req.http.Authorization || req.method == "POST") {
return (pass);
}

# Did not cache .ht* file
if ( req.url ~ ".*htaccess.*" ) {
return(pass);
}

if ( req.url ~ ".*htpasswd.*" ) {
return(pass);
}

# Don't cache phpmyadmin
if ( req.url ~ "/nothingtodo" ) {
return(pass);
}

# --- Wordpress specific configuration

# Did not cache the RSS feed
if (req.url ~ "/feed") {
return (pass);
}

# Don't cache 404 error
if (req.url ~ "^/404") {
return (pass);
}

# Blitz hack
if (req.url ~ "/mu-.*") {
return (pass);
}


# Did not cache the admin and login pages
if (req.url ~ "/wp-(login|admin)") {
return (pass);
}

# Do not cache the WooCommerce pages
### REMOVE IT IF YOU DO NOT USE WOOCOMMERCE ###
if (req.url ~ "/(cart|my-account|checkout|addons|/?add-to-cart=)") {
return (pass);
}

# First remove the Google Analytics added parameters, useless for our backend
if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=") {
set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "");
set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "?");
set req.url = regsub(req.url, "\?&", "?");
set req.url = regsub(req.url, "\?$", "");
}

# Remove the "has_js" cookie
set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

# Remove any Google Analytics based cookies
set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");

# Remove the Quant Capital cookies (added by some plugin, all __qca)
set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");

# Remove the wp-settings-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-1=[^;]+(; )?", "");

# Remove the wp-settings-time-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-time-1=[^;]+(; )?", "");

# Remove the wp test cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");

# remove cookies for comments cookie to make caching better.
set req.http.cookie = regsub(req.http.cookie, "dcd9527364a17bb2ae97db0ead3110ed=[^;]+(; )?", "");

# remove ?ver=xxxxx strings from urls so css and js files are cached.
set req.url = regsub(req.url, "\?ver=.*$", "");
# Remove "replytocom" from requests to make caching better.
set req.url = regsub(req.url, "\?replytocom=.*$", "");
# Strip hash, server doesn't need it.
set req.url = regsub(req.url, "#.*$", "");
# Strip trailing ?
set req.url = regsub(req.url, "\?$", "");

# Are there cookies left with only spaces or that are empty?
if (req.http.cookie ~ "^ *$") {
unset req.http.cookie;
}

# Drop any cookies sent to Wordpress.
if (!(req.url ~ "wp-(login|admin)")) {
unset req.http.cookie;
}

# Cache the following files extensions
if (req.url ~ "\.(css|js|png|gif|jp(e)?g|swf|ico)") {
unset req.http.cookie;
}

# Normalize Accept-Encoding header and compression
# https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
if (req.http.Accept-Encoding) {
# Do no compress compressed files...
if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
unset req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate") {
set req.http.Accept-Encoding = "deflate";
} else {
unset req.http.Accept-Encoding;
}
}

# Check the cookies for wordpress-specific items
if (req.http.Cookie ~ "wordpress_" || req.http.Cookie ~ "comment_") {
return (pass);
}
if (!req.http.cookie) {
unset req.http.cookie;
}

# --- End of Wordpress specific configuration

# No cache for big video files
if (req.url ~ "\.(avi|mp4)") {
return (pass);
}

# Did not cache HTTP authentication and HTTP Cookie
if (req.http.Authorization || req.http.Cookie) {
# Not cacheable by default
return (pass);
}

# Cache all others requests
return (hash);
}

sub vcl_pipe {
# Note that only the first request to the backend will have
# X-Forwarded-For set. If you use X-Forwarded-For and want to
# have it set for all requests, make sure to have:
# set bereq.http.connection = "close";
# here. It is not set by default as it might break some broken web
# applications, like IIS with NTLM authentication.
#set bereq.http.Connection = "Close";
return (pipe);
}

sub vcl_pass {
return (fetch);
}

sub vcl_synth {
if (resp.status == 750) {
set resp.status = 301;
set resp.http.Location = "https://www.paris-vendome.com" + req.url;
return(deliver);
}
}


# The data on which the hashing will take place
sub vcl_hash {
hash_data(req.url);
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}

# hash cookies for requests that have them
if (req.http.Cookie) {
hash_data(req.http.Cookie);
}

# If the client supports compression, keep that in a different cache
if (req.http.Accept-Encoding) {
hash_data(req.http.Accept-Encoding);
}

return (lookup);
}

# This function is used when a request is sent by our backend (Nginx server)
sub vcl_backend_response {
# Remove some headers we never want to see
unset beresp.http.Server;
unset beresp.http.X-Powered-By;

# For static content strip all backend cookies
if (bereq.url ~ "\.(css|js|png|gif|jp(e?)g|swf|ico)") {
unset beresp.http.cookie;
}

# Only allow cookies to be set if we're in admin area
if (beresp.http.Set-Cookie && bereq.url !~ "^/wp-(login|admin)") {
unset beresp.http.Set-Cookie;
}

# don't cache response to posted requests or those with basic auth
if ( bereq.method == "POST" || bereq.http.Authorization ) {
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# don't cache search results
if ( bereq.url ~ "\?s=" ){
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# only cache status ok
if ( beresp.status != 200 ) {
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# A TTL of 24h
set beresp.ttl = 24h;
# Define the default grace period to serve cached content
set beresp.grace = 30s;

return (deliver);
}

# The routine when we deliver the HTTP request to the user
# Last chance to modify headers that are sent to the client
sub vcl_deliver {
if (obj.hits > 0) {
set resp.http.X-Cache = "cached";
} else {
set resp.http.x-Cache = "uncached";
}

# Remove some headers: PHP version
unset resp.http.X-Powered-By;

# Remove some headers: Apache version & OS
unset resp.http.Server;

# Remove some headers: Varnish
unset resp.http.Via;
unset resp.http.X-Varnish;

unset resp.http.Age;
unset resp.http.Link;

return (deliver);
}

sub vcl_hit {
return (deliver);
}
sub vcl_miss {
return (fetch);
}

sub vcl_init {
return (ok);
}

sub vcl_fini {
return (ok);
}


I think the issue is not related to Varnish but to the backend, because when I test with this config (no Varnish / no backend), everything works without any issue:



server {
listen 80;
server_name domaine.tld;
return 301 https://www.domaine.tld$request_uri;
}


server{
listen 443;
ssl on;
ssl_certificate /etc/ssl/nginx/nginx.crt;
ssl_certificate_key /etc/ssl/nginx/nginx.key;
ssl_session_timeout 10m;

root /var/www/domaine;
index index.htm index.html index.php;

server_name domaine.tld;

server_tokens off;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

error_page 404 403 /page_error/404.html;
error_page 500 502 503 504 /page_error/50x.html;

gzip on;
etag off;


location / {
try_files $uri $uri/ =404;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}

location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param HTTPS on;
}
}


If I have missed anything or if you would like more information, please do not hesitate to ask.
Sorry for the long post, but I'm desperate.
I hope somebody will help me.
Thanks in advance.

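Added example, not the asker's own configuration: the same nginx → Varnish → nginx chain with the listeners and trust boundaries tightened. Three things in the posted config are worth fixing regardless of the WordPress symptom. `listen 8000;` binds the PHP backend on every interface and `-a :80` does the same for Varnish, so anyone who can reach the host directly can skip the TLS front end, talk to either hop and supply their own `X-Forwarded-Proto: https`, which is the only thing the VCL redirect and `fastcgi_param HTTPS on` rely on. `auth_basic` sits only in `location /`, while the `location ~ \.php$` block that actually serves `/index.php` and `/wp-login.php` has none, so the password prompt protects static files but not the PHP entry points. And the front end never sets `Host`, so Varnish and the backend see nginx's default `$proxy_host` (`127.0.0.1:80`) rather than the client's host header. The example assumes Varnish is restarted with `-a 127.0.0.1:6081` (the port is my choice) and reuses the certificate, htpasswd and document-root paths from the question; the `synth(750)` redirect in `vcl_recv` becomes unnecessary because the plain-HTTP redirect moves into nginx.

```nginx
# Added example (not the asker's configuration). Assumes varnishd runs with
# "-a 127.0.0.1:6081" instead of "-a :80"; paths are reused from the question.

# Plain-HTTP listener only redirects, so no unencrypted content is ever served
# and the X-Forwarded-Proto check in the VCL is no longer needed.
server {
    listen 80;
    server_name domaine.tld www.domaine.tld;
    return 301 https://domaine.tld$request_uri;
}

# TLS terminator in front of Varnish.
server {
    listen 443 ssl;
    server_name domaine.tld www.domaine.tld;

    ssl_certificate     /etc/ssl/nginx/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx.key;
    ssl_session_cache   shared:SSL:40m;
    ssl_session_timeout 10m;
    ssl_protocols       TLSv1.2;            # TLSv1 and TLSv1.1 dropped
    ssl_prefer_server_ciphers on;

    location / {
        # Varnish listens on loopback only, so no outside client can reach
        # it and forge the X-Forwarded-* headers set here.
        proxy_pass http://127.0.0.1:6081;
        proxy_set_header Host              $host;   # default would be $proxy_host
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port  443;
    }
}

# PHP backend behind Varnish (backend default { .port = "8000" } in the VCL).
server {
    listen 127.0.0.1:8000;   # was "listen 8000;": reachable from any interface
    server_name domaine.tld www.domaine.tld;
    root  /var/www/domaine;
    index index.php;

    # Basic auth at server level covers the regex PHP location as well.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Safe to hard-code only because this listener is reachable solely
        # through the TLS front end and Varnish.
        fastcgi_param HTTPS on;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;
    }
}
```

After the change, `ss -ltnp` on the host should show `:80` and `:443` on all interfaces and `127.0.0.1:6081` and `127.0.0.1:8000` on loopback only; the VCL `backend default` block keeps pointing at `127.0.0.1:8000` and Varnish still passes requests that carry `Authorization`, so basic auth keeps working through the cache.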
Resolved: I don't know why, but it was a problem with the 'add_header Content-Security-Policy'. I just removed it from the http block and now everything is working great! Voila.

– colapsnux
Jun 17 '15 at 23:54
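Added example, not the asker's configuration, to go with the comment above. The plugin details window in the WordPress installer is an iframe onto `wp-admin/plugin-install.php`, a page that depends on inline scripts, and the plugin icons are fetched from the wordpress.org plugin directory rather than from the site itself. An `add_header Content-Security-Policy` in the `http {}` block is inherited by every `server` and `location` that defines no `add_header` of its own, so it also covers those admin responses, which matches the symptoms (blank icons, a modal that never finishes loading). Rather than dropping the header, the example keeps it for the public site and sends only a harmless directive for the admin area. Assumptions: the asker's actual policy value is not shown, so `default-src 'self'` stands in for it; `ps.w.org` and `s.w.org` are assumed to be the icon hosts (the browser console lists the real blocked URLs); and nginx emits no header when the `add_header` value evaluates to an empty string, which is what the `""` entries in the `map` rely on.

```nginx
# Added example (not the asker's configuration). The original header value
# is unknown; "default-src 'self'" is assumed below.

# BEFORE: one policy at http level, inherited by every server/location that
# has no add_header of its own, so the admin area gets it too. img-src and
# script-src are not listed, so both fall back to default-src 'self': icons
# from ps.w.org are refused, and the plugin-information iframe receives a
# page whose inline scripts are refused.
#
#   http {
#       add_header Content-Security-Policy "default-src 'self'";
#       ...
#   }

# AFTER: choose the policy per request. This map lives in http {}, outside
# any server block.
map $uri $csp_policy {
    # wp-admin relies on inline scripts and loads icons from the plugin
    # directory, so it only gets a directive that does not govern
    # subresources (frame-ancestors is still useful against clickjacking).
    # Use "" instead to send no header at all for these paths.
    ~^/wp-admin/       "frame-ancestors 'self'";
    ~^/wp-login\.php$  "frame-ancestors 'self'";
    # Public site: extend to whatever the theme actually needs.
    default            "default-src 'self'; frame-ancestors 'self'";
}

# If the policy must stay on in the admin area, it needs at least
#   img-src 'self' data: https://ps.w.org https://s.w.org; script-src 'self' 'unsafe-inline'
# which gives up most of what CSP buys, hence the exemption above.

server {
    listen 127.0.0.1:8000;
    server_name domaine.tld;
    root  /var/www/domaine;
    index index.php;

    add_header Content-Security-Policy $csp_policy;

    # While tuning, ship the same value as report-only first: the browser
    # logs violations to its console but blocks nothing.
    # add_header Content-Security-Policy-Report-Only $csp_policy;

    # Any add_header inside a location {} replaces the inherited set, so a
    # location that adds headers of its own must repeat the line above.

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Unchanged from the backend server in the question.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;
    }
}
```

To confirm which directive was responsible, open the plugin installer with the report-only variant in place and read the `Refused to load ...` lines in the browser console; each names the blocked URL and the directive that rejected it.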




















1















Everything working well but I'm getting an issue with WordPress while I'm in the extensions page.



The problem is that plugin icons are not getting displayed and when I click on the plugin icons of the plugin which I want to install, it opens up an empty window which keeps loading forever. But when I click on "install" button, the plugin installs without any issue.



You can look this image to see what happen



Issue Wordpress



Here the config :



Config



Here is the Webserver config:



Front end Nginx



server {
listen 443 ssl;

# SSL
ssl on;
ssl_certificate /etc/ssl/nginx/nginx.crt;
ssl_certificate_key /etc/ssl/nginx/nginx.key;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

server_name domaine.tld;

# Proxy Pass to Varnish and Add headers to recognize SSL
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Secure on;
}
}


Backend Nginx



server {
listen 8000;

server_name domaine.tld;
root /var/www/domaine;
index index.php;

# Custom Error Page
error_page 404 403 /page_error/404.html;
# Log
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

location / {
try_files $uri $uri/ /index.php?$args;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}

# PHP-FPM
location ~ .php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param HTTPS on;
}
}


Varnish Default



DAEMON_OPTS="-a :80 
-T localhost:6082
-f /etc/varnish/default.vcl
-S /etc/varnish/secret
-s malloc,256m"


Varnish VCL 4.0



backend default {
.host = "127.0.0.1";
.port = "8000";
.connect_timeout = 600s;
.first_byte_timeout = 600s;
.between_bytes_timeout = 600s;
.max_connections = 800;
}

# Only allow purging from specific IPs
acl purge {
"localhost";
"127.0.0.1";
}

# This function is used when a request is send by a HTTP client (Browser)
sub vcl_recv {

# Redirect to https
if ( (req.http.host ~ "^(?i)www.domaine.tld" || req.http.host ~ "^(?i)domaine.tld") && req.http.X-Forwarded-Proto !~ "(?i)https") {
return (synth(750, ""));
}

# Normalize the header, remove the port (in case you're testing this on various TCP ports)
set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");

# Allow purging from ACL
if (req.method == "PURGE") {
# If not allowed then a error 405 is returned
if (!client.ip ~ purge) {
return(synth(405, "This IP is not allowed to send PURGE requests."));
}
# If allowed, do a cache_lookup -> vlc_hit() or vlc_miss()
return (purge);
}

# Post requests will not be cached
if (req.http.Authorization || req.method == "POST") {
return (pass);
}

# Did not cache .ht* file
if ( req.url ~ ".*htaccess.*" ) {
return(pass);
}

if ( req.url ~ ".*htpasswd.*" ) {
return(pass);
}

# Don't cache phpmyadmin
if ( req.url ~ "/nothingtodo" ) {
return(pass);
}

# --- Wordpress specific configuration

# Did not cache the RSS feed
if (req.url ~ "/feed") {
return (pass);
}

# Don't cache 404 error
if (req.url ~ "^/404") {
return (pass);
}

# Blitz hack
if (req.url ~ "/mu-.*") {
return (pass);
}


# Did not cache the admin and login pages
if (req.url ~ "/wp-(login|admin)") {
return (pass);
}

# Do not cache the WooCommerce pages
### REMOVE IT IF YOU DO NOT USE WOOCOMMERCE ###
if (req.url ~ "/(cart|my-account|checkout|addons|/?add-to-cart=)") {
return (pass);
}

# First remove the Google Analytics added parameters, useless for our backend
if(req.url ~ "(?|&)(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=") {
set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_-.%25]+)", "");
set req.url = regsuball(req.url, "?(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_-.%25]+)", "?");
set req.url = regsub(req.url, "?&", "?");
set req.url = regsub(req.url, "?$", "");
}

# Remove the "has_js" cookie
set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

# Remove any Google Analytics based cookies
set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");

# Remove the Quant Capital cookies (added by some plugin, all __qca)
set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");

# Remove the wp-settings-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-1=[^;]+(; )?", "");

# Remove the wp-settings-time-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-time-1=[^;]+(; )?", "");

# Remove the wp test cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");

# remove cookies for comments cookie to make caching better.
set req.http.cookie = regsub(req.http.cookie, "dcd9527364a17bb2ae97db0ead3110ed=[^;]+(; )?", "");

# remove ?ver=xxxxx strings from urls so css and js files are cached.
set req.url = regsub(req.url, "?ver=.*$", "");
# Remove "replytocom" from requests to make caching better.
set req.url = regsub(req.url, "?replytocom=.*$", "");
# Strip hash, server doesn't need it.
set req.url = regsub(req.url, "#.*$", "");
# Strip trailing ?
set req.url = regsub(req.url, "?$", "");

# Are there cookies left with only spaces or that are empty?
if (req.http.cookie ~ "^ *$") {
unset req.http.cookie;
}

# Drop any cookies sent to Wordpress.
if (!(req.url ~ "wp-(login|admin)")) {
unset req.http.cookie;
}

# Cache the following files extensions
if (req.url ~ ".(css|js|png|gif|jp(e)?g|swf|ico)") {
unset req.http.cookie;
}

# Normalize Accept-Encoding header and compression
# https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
if (req.http.Accept-Encoding) {
# Do no compress compressed files...
if (req.url ~ ".(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
unset req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate") {
set req.http.Accept-Encoding = "deflate";
} else {
unset req.http.Accept-Encoding;
}
}

# Check the cookies for wordpress-specific items
if (req.http.Cookie ~ "wordpress_" || req.http.Cookie ~ "comment_") {
return (pass);
}
if (!req.http.cookie) {
unset req.http.cookie;
}

# --- End of Wordpress specific configuration

# No cache for big video files
if (req.url ~ ".(avi|mp4)") {
return (pass);
}

# Did not cache HTTP authentication and HTTP Cookie
if (req.http.Authorization || req.http.Cookie) {
# Not cacheable by default
return (pass);
}

# Cache all others requests
return (hash);
}

sub vcl_pipe {
# Note that only the first request to the backend will have
# X-Forwarded-For set. If you use X-Forwarded-For and want to
# have it set for all requests, make sure to have:
# set bereq.http.connection = "close";
# here. It is not set by default as it might break some broken web
# applications, like IIS with NTLM authentication.
#set bereq.http.Connection = "Close";
return (pipe);
}

sub vcl_pass {
return (fetch);
}

sub vcl_synth {
if (resp.status == 750) {
set resp.status = 301;
set resp.http.Location = "https://www.paris-vendome.com" + req.url;
return(deliver);
}
}


# The data on which the hashing will take place
sub vcl_hash {
hash_data(req.url);
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}

# hash cookies for requests that have them
if (req.http.Cookie) {
hash_data(req.http.Cookie);
}

# If the client supports compression, keep that in a different cache
if (req.http.Accept-Encoding) {
hash_data(req.http.Accept-Encoding);
}

return (lookup);
}

# This function is used when a request is sent by our backend (Nginx server)
sub vcl_backend_response {
# Remove some headers we never want to see
unset beresp.http.Server;
unset beresp.http.X-Powered-By;

# For static content strip all backend cookies
if (bereq.url ~ ".(css|js|png|gif|jp(e?)g)|swf|ico") {
unset beresp.http.cookie;
}

# Only allow cookies to be set if we're in admin area
if (beresp.http.Set-Cookie && bereq.url !~ "^/wp-(login|admin)") {
unset beresp.http.Set-Cookie;
}

# don't cache response to posted requests or those with basic auth
if ( bereq.method == "POST" || bereq.http.Authorization ) {
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# don't cache search results
if ( bereq.url ~ "?s=" ){
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# only cache status ok
if ( beresp.status != 200 ) {
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# A TTL of 24h
set beresp.ttl = 24h;
# Define the default grace period to serve cached content
set beresp.grace = 30s;

return (deliver);
}

# The routine when we deliver the HTTP request to the user
# Last chance to modify headers that are sent to the client
sub vcl_deliver {
if (obj.hits > 0) {
set resp.http.X-Cache = "cached";
} else {
set resp.http.x-Cache = "uncached";
}

# Remove some headers: PHP version
unset resp.http.X-Powered-By;

# Remove some headers: Apache version & OS
unset resp.http.Server;

# Remove some headers: Varnish
unset resp.http.Via;
unset resp.http.X-Varnish;

unset resp.http.Age;
unset resp.http.Link;

return (deliver);
}

sub vcl_hit {
return (deliver);
}
sub vcl_miss {
return (fetch);
}

sub vcl_init {
return (ok);
}

sub vcl_fini {
return (ok);
}


I think that the issue is not related to varnish, but with the backend, because when I test with this config ( no varnish / no backend ), everything works without any issue:



server {
listen 80;
server_name domaine.tld;
return 301 https://www.domaine.tld$request_uri;
}


server{
listen 443;
ssl on;
ssl_certificate /etc/ssl/nginx/nginx.crt;
ssl_certificate_key /etc/ssl/nginx/nginx.key;
ssl_session_timeout 10m;

root /var/www/domaine;
index index.htm index.html index.php;

server_name domaine.tld;

server_tokens off;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

error_page 404 403 /page_error/404.html;
error_page 500 502 503 504 /page_error/50x.html;

gzip on;
etag off;


location / {
try_files $uri $uri/ =404;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}

location ~ .php$ {


try_files $uri =404;
fastcgi_split_path_info ^(.+.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param HTTPS on;
}
}


If I have missed anything or if you would like more information, please does not hesitate.
Sorry for the big post but I'm desperate.
Hope somebody will help me
Thanks in advance










share|improve this question
















bumped to the homepage by Community 5 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.











  • 1





    Resolved: I don't know why but it was a problem with the 'add_header Content-Security-Policy'. I just remove it from the http bloc and now everyhtings working great! voila

    – colapsnux
    Jun 17 '15 at 23:54
















1












1








1








Everything working well but I'm getting an issue with WordPress while I'm in the extensions page.



The problem is that plugin icons are not getting displayed and when I click on the plugin icons of the plugin which I want to install, it opens up an empty window which keeps loading forever. But when I click on "install" button, the plugin installs without any issue.



You can look this image to see what happen



Issue Wordpress



Here the config :



Config



Here is the Webserver config:



Front end Nginx



server {
listen 443 ssl;

# SSL
ssl on;
ssl_certificate /etc/ssl/nginx/nginx.crt;
ssl_certificate_key /etc/ssl/nginx/nginx.key;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

server_name domaine.tld;

# Proxy Pass to Varnish and Add headers to recognize SSL
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Secure on;
}
}


Backend Nginx



server {
listen 8000;

server_name domaine.tld;
root /var/www/domaine;
index index.php;

# Custom Error Page
error_page 404 403 /page_error/404.html;
# Log
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

location / {
try_files $uri $uri/ /index.php?$args;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}

# PHP-FPM
location ~ .php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param HTTPS on;
}
}


Varnish Default



DAEMON_OPTS="-a :80 
-T localhost:6082
-f /etc/varnish/default.vcl
-S /etc/varnish/secret
-s malloc,256m"


Varnish VCL 4.0



backend default {
.host = "127.0.0.1";
.port = "8000";
.connect_timeout = 600s;
.first_byte_timeout = 600s;
.between_bytes_timeout = 600s;
.max_connections = 800;
}

# Only allow purging from specific IPs
acl purge {
"localhost";
"127.0.0.1";
}

# This function is used when a request is send by a HTTP client (Browser)
sub vcl_recv {

# Redirect to https
if ( (req.http.host ~ "^(?i)www.domaine.tld" || req.http.host ~ "^(?i)domaine.tld") && req.http.X-Forwarded-Proto !~ "(?i)https") {
return (synth(750, ""));
}

# Normalize the header, remove the port (in case you're testing this on various TCP ports)
set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");

# Allow purging from ACL
if (req.method == "PURGE") {
# If not allowed then a error 405 is returned
if (!client.ip ~ purge) {
return(synth(405, "This IP is not allowed to send PURGE requests."));
}
# If allowed, do a cache_lookup -> vlc_hit() or vlc_miss()
return (purge);
}

# Post requests will not be cached
if (req.http.Authorization || req.method == "POST") {
return (pass);
}

# Did not cache .ht* file
if ( req.url ~ ".*htaccess.*" ) {
return(pass);
}

if ( req.url ~ ".*htpasswd.*" ) {
return(pass);
}

# Don't cache phpmyadmin
if ( req.url ~ "/nothingtodo" ) {
return(pass);
}

# --- Wordpress specific configuration

# Did not cache the RSS feed
if (req.url ~ "/feed") {
return (pass);
}

# Don't cache 404 error
if (req.url ~ "^/404") {
return (pass);
}

# Blitz hack
if (req.url ~ "/mu-.*") {
return (pass);
}


# Did not cache the admin and login pages
if (req.url ~ "/wp-(login|admin)") {
return (pass);
}

# Do not cache the WooCommerce pages
### REMOVE IT IF YOU DO NOT USE WOOCOMMERCE ###
if (req.url ~ "/(cart|my-account|checkout|addons|/?add-to-cart=)") {
return (pass);
}

# First remove the Google Analytics added parameters, useless for our backend
if(req.url ~ "(?|&)(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=") {
set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_-.%25]+)", "");
set req.url = regsuball(req.url, "?(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_-.%25]+)", "?");
set req.url = regsub(req.url, "?&", "?");
set req.url = regsub(req.url, "?$", "");
}

# Remove the "has_js" cookie
set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

# Remove any Google Analytics based cookies
set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");

# Remove the Quant Capital cookies (added by some plugin, all __qca)
set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");

# Remove the wp-settings-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-1=[^;]+(; )?", "");

# Remove the wp-settings-time-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-time-1=[^;]+(; )?", "");

# Remove the wp test cookie
set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");

# remove cookies for comments cookie to make caching better.
set req.http.cookie = regsub(req.http.cookie, "dcd9527364a17bb2ae97db0ead3110ed=[^;]+(; )?", "");

# remove ?ver=xxxxx strings from urls so css and js files are cached.
set req.url = regsub(req.url, "?ver=.*$", "");
# Remove "replytocom" from requests to make caching better.
set req.url = regsub(req.url, "?replytocom=.*$", "");
# Strip hash, server doesn't need it.
set req.url = regsub(req.url, "#.*$", "");
# Strip trailing ?
set req.url = regsub(req.url, "?$", "");

# Are there cookies left with only spaces or that are empty?
if (req.http.cookie ~ "^ *$") {
unset req.http.cookie;
}

# Drop any cookies sent to Wordpress.
if (!(req.url ~ "wp-(login|admin)")) {
unset req.http.cookie;
}

# Cache the following files extensions
if (req.url ~ ".(css|js|png|gif|jp(e)?g|swf|ico)") {
unset req.http.cookie;
}

# Normalize Accept-Encoding header and compression
# https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
if (req.http.Accept-Encoding) {
# Do no compress compressed files...
if (req.url ~ ".(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
unset req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate") {
set req.http.Accept-Encoding = "deflate";
} else {
unset req.http.Accept-Encoding;
}
}

# Check the cookies for wordpress-specific items
if (req.http.Cookie ~ "wordpress_" || req.http.Cookie ~ "comment_") {
return (pass);
}
if (!req.http.cookie) {
unset req.http.cookie;
}

# --- End of Wordpress specific configuration

# No cache for big video files
if (req.url ~ ".(avi|mp4)") {
return (pass);
}

# Did not cache HTTP authentication and HTTP Cookie
if (req.http.Authorization || req.http.Cookie) {
# Not cacheable by default
return (pass);
}

# Cache all others requests
return (hash);
}

sub vcl_pipe {
# Note that only the first request to the backend will have
# X-Forwarded-For set. If you use X-Forwarded-For and want to
# have it set for all requests, make sure to have:
# set bereq.http.connection = "close";
# here. It is not set by default as it might break some broken web
# applications, like IIS with NTLM authentication.
#set bereq.http.Connection = "Close";
return (pipe);
}

sub vcl_pass {
return (fetch);
}

sub vcl_synth {
if (resp.status == 750) {
set resp.status = 301;
set resp.http.Location = "https://www.paris-vendome.com" + req.url;
return(deliver);
}
}


# The data on which the hashing will take place
sub vcl_hash {
hash_data(req.url);
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}

# hash cookies for requests that have them
if (req.http.Cookie) {
hash_data(req.http.Cookie);
}

# If the client supports compression, keep that in a different cache
if (req.http.Accept-Encoding) {
hash_data(req.http.Accept-Encoding);
}

return (lookup);
}

# This function is used when a request is sent by our backend (Nginx server)
sub vcl_backend_response {
# Remove some headers we never want to see
unset beresp.http.Server;
unset beresp.http.X-Powered-By;

# For static content strip all backend cookies
# (the extension alternatives must all sit inside the group, and a backend
# response carries Set-Cookie, not Cookie)
if (bereq.url ~ "\.(css|js|png|gif|jp(e?)g|swf|ico)") {
unset beresp.http.Set-Cookie;
}

# Only allow cookies to be set if we're in admin area
if (beresp.http.Set-Cookie && bereq.url !~ "^/wp-(login|admin)") {
unset beresp.http.Set-Cookie;
}

# don't cache response to posted requests or those with basic auth
if ( bereq.method == "POST" || bereq.http.Authorization ) {
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# don't cache search results
if ( bereq.url ~ "\?s=" ){
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# only cache status ok
if ( beresp.status != 200 ) {
set beresp.uncacheable = true;
set beresp.ttl = 120s;
return (deliver);
}

# A TTL of 24h
set beresp.ttl = 24h;
# Define the default grace period to serve cached content
set beresp.grace = 30s;

return (deliver);
}

# The routine when we deliver the HTTP request to the user
# Last chance to modify headers that are sent to the client
sub vcl_deliver {
if (obj.hits > 0) {
set resp.http.X-Cache = "cached";
} else {
set resp.http.X-Cache = "uncached";
}

# Remove some headers: PHP version
unset resp.http.X-Powered-By;

# Remove some headers: Apache version & OS
unset resp.http.Server;

# Remove some headers: Varnish
unset resp.http.Via;
unset resp.http.X-Varnish;

unset resp.http.Age;
unset resp.http.Link;

return (deliver);
}

sub vcl_hit {
return (deliver);
}
sub vcl_miss {
return (fetch);
}

sub vcl_init {
return (ok);
}

sub vcl_fini {
return (ok);
}


I think that the issue is not related to Varnish but to the backend, because when I test with this config (no Varnish / no backend), everything works without any issue:



server {
listen 80;
server_name domaine.tld;
return 301 https://www.domaine.tld$request_uri;
}


server{
listen 443;
ssl on;
ssl_certificate /etc/ssl/nginx/nginx.crt;
ssl_certificate_key /etc/ssl/nginx/nginx.key;
ssl_session_timeout 10m;

root /var/www/domaine;
index index.htm index.html index.php;

server_name domaine.tld;

server_tokens off;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

error_page 404 403 /page_error/404.html;
error_page 500 502 503 504 /page_error/50x.html;

gzip on;
etag off;


location / {
try_files $uri $uri/ =404;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}

location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param HTTPS on;
}
}


If I have missed anything or if you would like more information, please do not hesitate.
Sorry for the big post, but I'm desperate.
Hope somebody will help me.
Thanks in advance.










nginx wordpress






edited Nov 10 '18 at 20:47 by TheViralGriffin
asked Jun 17 '15 at 10:39 by colapsnux
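The VCL in the question decides, per request, whether Varnish looks the object up in the cache (`return (hash)`) or hands the request straight to the backend (`return (pass)`), and the URL and cookie rewrites that run before that decision determine which requests share one cache entry. The Python below is an added example, not code from the question or from Varnish: it models the `vcl_recv` and `vcl_hash` logic of the posted configuration in the same order of checks. The `Request` class and the three sample requests are constructed assumptions, the regexes are transcribed from the VCL, and the page-specific comment-cookie rule is left out. Running it over the samples shows one property of this configuration worth knowing before relying on it: because every cookie is dropped for any URL outside `wp-login`/`wp-admin`, a logged-in visitor's front-page request hashes to the same cache entry as an anonymous one, so the later `wordpress_` check never fires for front-end URLs.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for the req.* fields vcl_recv reads (assumption)."""
    method: str
    url: str
    host: str
    cookie: Optional[str] = None
    authorization: Optional[str] = None
    accept_encoding: Optional[str] = None


# Regexes transcribed from the VCL, in the order vcl_recv applies them.
TRACKING = r"(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)"
PASS_URLS = [r".*htaccess.*", r".*htpasswd.*", r"/nothingtodo", r"/feed", r"^/404",
             r"/mu-.*", r"/wp-(login|admin)",
             r"/(cart|my-account|checkout|addons|/?add-to-cart=)"]
COOKIE_STRIP = [r"has_js=[^;]+(; )?", r"__utm.=[^;]+(; )?", r"__qc.=[^;]+(; )?",
                r"wp-settings-1=[^;]+(; )?", r"wp-settings-time-1=[^;]+(; )?",
                r"wordpress_test_cookie=[^;]+(; )?"]
STATIC = r"\.(css|js|png|gif|jp(e)?g|swf|ico)"
ALREADY_COMPRESSED = r"\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$"


def normalize_url(url: str) -> str:
    """Strip tracking parameters, ?ver=, ?replytocom=, the fragment and a trailing '?'."""
    if re.search(r"(\?|&)" + TRACKING + "=", url):
        url = re.sub("&" + TRACKING + r"=([A-z0-9_\-.%25]+)", "", url)
        url = re.sub(r"\?" + TRACKING + r"=([A-z0-9_\-.%25]+)", "?", url)
        url = re.sub(r"\?&", "?", url)
        url = re.sub(r"\?$", "", url)
    url = re.sub(r"\?ver=.*$", "", url)
    url = re.sub(r"\?replytocom=.*$", "", url)
    url = re.sub(r"#.*$", "", url)
    return re.sub(r"\?$", "", url)


def normalize_cookie(cookie: Optional[str], url: str) -> Optional[str]:
    """Cookie handling of vcl_recv after the early pass checks."""
    if cookie is None:
        return None
    for pattern in COOKIE_STRIP:
        cookie = re.sub(pattern, "", cookie)
    if re.match(r"^ *$", cookie):                # nothing left but spaces
        return None
    if not re.search(r"wp-(login|admin)", url):  # drop cookies outside the admin area
        return None
    if re.search(STATIC, url):                   # and for static assets
        return None
    return cookie


def normalize_accept_encoding(ae: Optional[str], url: str) -> Optional[str]:
    """Collapse Accept-Encoding to gzip/deflate/none, as the VCL does."""
    if ae is None or re.search(ALREADY_COMPRESSED, url):
        return None
    if "gzip" in ae:
        return "gzip"
    if "deflate" in ae:
        return "deflate"
    return None


def vcl_recv(req: Request) -> Tuple[str, Request]:
    """Return ("pass" | "hash", normalized request), following the VCL's order of checks."""
    req = replace(req, host=re.sub(r":[0-9]+", "", req.host))
    if req.authorization or req.method == "POST":
        return "pass", req
    if any(re.search(p, req.url) for p in PASS_URLS):
        return "pass", req
    url = normalize_url(req.url)
    req = replace(req, url=url, cookie=normalize_cookie(req.cookie, url),
                  accept_encoding=normalize_accept_encoding(req.accept_encoding, url))
    if req.cookie and re.search(r"wordpress_|comment_", req.cookie):
        return "pass", req
    if re.search(r"\.(avi|mp4)", req.url):
        return "pass", req
    if req.authorization or req.cookie:
        return "pass", req
    return "hash", req


def cache_key(req: Request) -> str:
    """vcl_hash: URL and Host, then Cookie and Accept-Encoding only if still present."""
    parts = [req.url, req.host]
    if req.cookie:
        parts.append(req.cookie)
    if req.accept_encoding:
        parts.append(req.accept_encoding)
    return "|".join(parts)


def shares_cache_entry(a: Request, b: Request) -> bool:
    """True when both requests would be served from the same cached object."""
    action_a, norm_a = vcl_recv(a)
    action_b, norm_b = vcl_recv(b)
    return action_a == action_b == "hash" and cache_key(norm_a) == cache_key(norm_b)


# Constructed sample requests (not real traffic); the domain is the question's placeholder.
ANON = Request("GET", "/?utm_source=newsletter#top", "www.domaine.tld:443",
               accept_encoding="gzip, deflate")
LOGGED_IN = Request("GET", "/", "www.domaine.tld",
                    cookie="wordpress_logged_in_1=alice; wp-settings-1=editor",
                    accept_encoding="gzip")
ADMIN = Request("GET", "/wp-admin/plugin-install.php", "www.domaine.tld",
                cookie="wordpress_logged_in_1=alice")

if __name__ == "__main__":
    for name, r in (("anonymous", ANON), ("logged-in", LOGGED_IN), ("admin", ADMIN)):
        action, norm = vcl_recv(r)
        print(f"{name:10s} -> {action:4s} cookie={norm.cookie!r} key={cache_key(norm)!r}")
    print("logged-in visitor shares the anonymous cache entry:", shares_cache_entry(ANON, LOGGED_IN))
```

The model is only as faithful as the transcription, so treat it as a way to reason about the VCL's ordering rather than as a substitute for testing against a running Varnish; the `X-Cache` header the VCL sets in `vcl_deliver` is the place to confirm the same outcomes on the real stack.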
Resolved: I don't know why, but it was a problem with the 'add_header Content-Security-Policy'. I just removed it from the http block and now everything's working great! Voila

– colapsnux
Jun 17 '15 at 23:54
















1 Answer
To answer your comment:

    Resolved: I don't know why, but it was a problem with the add_header Content-Security-Policy. I just removed it from the http block and now everything's working great! Voila

The proxy_pass directive (inside your Varnish location block) passes the request to an upstream server in the (internal host) network. That means that you are not on the Nginx server anymore, but in the Varnish server, listening on port 9000 in the network. When you now define a Content-Security-Policy and don't allow access to your own network, you will get locked out as your server becomes an overprotective parent.

    Instead of blindly trusting everything that a server delivers, CSP defines the Content-Security-Policy HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources. Even if an attacker can find a hole through which to inject script, the script won’t match the whitelist, and therefore won’t be executed.

    Since we trust apis.google.com to deliver valid code, and we trust ourselves to do the same, let’s define a policy that only allows script to execute when it comes from one of those two sources:

    Content-Security-Policy: script-src 'self' https://apis.google.com

    … As you probably guessed, script-src is a directive that controls a set of script-related privileges for a specific page. We’ve specified 'self' as one valid source of script, and https://apis.google.com as another. The browser will dutifully download and execute JavaScript from apis.google.com over HTTPS, as well as from the current page’s origin.

Quote source: HTML5Rocks






answered Feb 17 '16 at 0:35 by kaiser
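The answer's quoted paragraphs describe CSP whitelisting in prose; what a browser actually does with `script-src 'self' https://apis.google.com` is match each script URL against the policy's source expressions, falling back to `default-src` when `script-src` is absent. The Python below is an added example, not code from the answer or from HTML5Rocks: a small policy parser and source-expression matcher covering `'self'`, `'none'`, scheme sources such as `https:`, and host sources with `*.` wildcards, ports and path prefixes, in simplified form of the published CSP matching rules. It is run against the answer's policy from a page on the question's placeholder domain www.domaine.tld; the helper names, the page URL and the sample script URLs are constructed assumptions.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}.
    A directive repeated within one policy is ignored after its first occurrence."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _origin(url: str) -> Tuple[str, str, int]:
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):      # "*.example.com" matches sub.example.com, not example.com
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr: str, url: str, page_url: str) -> bool:
    """Simplified CSP source-expression matching for keyword, scheme and host sources."""
    expr = expr.lower()
    scheme, host, port = _origin(url)
    if expr == "'self'":
        return (scheme, host, port) == _origin(page_url)
    if expr.startswith("'"):          # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    if expr.endswith(":") and "://" not in expr:   # scheme-source such as "https:"
        return scheme == expr[:-1]
    e_scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    hostport, sep, path = rest.partition("/")
    e_host, _, e_port = hostport.partition(":")
    if e_scheme and e_scheme != scheme and not (e_scheme == "http" and scheme == "https"):
        return False                  # an http: source may also match its https upgrade
    if not _host_matches(e_host, host):
        return False
    if e_port == "*":
        pass
    elif e_port:
        if port != int(e_port):
            return False
    elif port != DEFAULT_PORTS.get(scheme):        # no port-part: URL must use its default port
        return False
    path = sep + path                 # "" when the expression has no path-part
    if path:
        u_path = urlsplit(url).path or "/"
        return u_path.startswith(path) if path.endswith("/") else u_path == path
    return True


def script_allowed(policy: str, script_url: str, page_url: str) -> bool:
    """Would a browser enforcing `policy` on `page_url` load a script from `script_url`?"""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:               # neither directive present: scripts are unrestricted
        return True
    return any(source_matches(s, script_url, page_url) for s in sources)


# Constructed inputs: the answer's policy, evaluated for a page on the question's placeholder domain.
POLICY = "script-src 'self' https://apis.google.com"
PAGE = "https://www.domaine.tld/wp-admin/plugin-install.php"
SAMPLE_SCRIPTS = [
    "https://www.domaine.tld/wp-includes/js/jquery.js",
    "https://apis.google.com/js/api.js",
    "http://apis.google.com/js/api.js",
    "https://apis.google.com:8443/js/api.js",
    "https://cdn.domaine.tld/bundle.js",
]

if __name__ == "__main__":
    for url in SAMPLE_SCRIPTS:
        print("allow" if script_allowed(POLICY, url, PAGE) else "block", url)
```

Checking every origin a page really loads scripts from against the policy in this way is how to find which resource an over-narrow header is blocking before resorting to removing it altogether; browsers also list each blocked load in the developer console, and the `report-uri` (CSP 2) and `report-to` (CSP 3) directives send the same violation reports to a collector you run, so a policy can first be deployed as `Content-Security-Policy-Report-Only` and tightened from real reports.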