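# default.conf
#
# nginx front end for a WordPress container: port 80 redirects to HTTPS,
# port 443 serves static files from /var/www/html and hands *.php to the
# PHP-FPM upstream "wordpress:9000" over FastCGI.

# redirect to HTTPS
server {
    listen 80;
    listen [::]:80;
    # server_name does not accept variables, so the original "$host" was
    # matched literally and this block only worked as the implicit default.
    # "_" is the conventional catch-all; list your hostname(s) here if other
    # vhosts share this port.
    server_name _;

    location / {
        # update port as needed for host mapped https
        # "return" is the idiomatic whole-site redirect: no regex to evaluate,
        # and $request_uri already carries the original query string.
        return 301 https://$host:443$request_uri;
    }
}

server {
    # NOTE(review): on nginx >= 1.25.1 the "http2" listen parameter is
    # deprecated in favour of a separate "http2 on;" directive — adjust for
    # the nginx version actually deployed.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    index index.php index.html index.htm;
    root /var/www/html;
    server_tokens off;
    client_max_body_size 75M;

    # update ssl files as required by your deployment
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    # Older nginx releases still enable TLSv1/TLSv1.1 by default; pin to
    # modern versions explicitly.
    ssl_protocols TLSv1.2 TLSv1.3;

    # logging
    access_log /var/log/nginx/wordpress.access.log;
    error_log /var/log/nginx/wordpress.error.log;

    # some security headers ( optional )
    # add_header is not inherited by a location that declares its own
    # add_header; none of the locations below do, so these apply to every
    # response, including error pages ("always").
    add_header X-Frame-Options "SAMEORIGIN" always;
    # X-XSS-Protection is ignored by current browsers; kept for legacy clients.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # This policy permits any origin, inline scripts and eval, i.e. it
    # restricts nothing. Treat it as a placeholder to tighten once the
    # theme/plugin asset origins are known.
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;

    # Only take effect if a proxy_pass location is added later; the FastCGI
    # locations below use fastcgi_param, not proxy_set_header.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # ACME / well-known challenges are served from a separate document root.
    # Regex locations are matched in order of appearance, so this must stay
    # ahead of the dot-file deny below. Anchored and with the dot escaped so
    # it matches only the literal /.well-known/ prefix.
    location ~ ^/\.well-known/ {
        root /usr/share/nginx;
        allow all;
    }

    # Deny every other dot-file or dot-directory (.htaccess, .git, .env, ...).
    # The original rule only covered ".ht*".
    location ~ /\. {
        deny all;
    }

    # WordPress never needs to execute PHP from the upload directories; refuse
    # rather than hand such files to PHP-FPM. Must precede the \.php$ location.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    location ~ \.php$ {
        # "=404" (no space) means "respond 404 if the script does not exist".
        # The original "= 404" made nginx probe a file literally named "="
        # and then internally redirect to the URI "404".
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass wordpress:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): try_files resets $fastcgi_path_info, so PATH_INFO is
        # usually empty by the time it is read here. WordPress core does not
        # depend on it; if a plugin does, capture it with "set" before try_files.
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /favicon.svg {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
        allow all;
    }

    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    # avoid attack through POST to xml rpc of wordpress
    # "^~" is a prefix match that wins over the regex locations above, so the
    # \.php$ handler never sees this script.
    location ^~ /xmlrpc.php {
        deny all;
    }
}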