#:remoteproxy:Nginx proxy server Remote:1.1: % if HAVESSL == '0': % if HTTPS_REDIRECTION == "1": server { listen ${IP}:80; server_name ${DOMAIN} www.${DOMAIN}; rewrite ^/(.*) https://$host$request_uri permanent; } % else: server { listen ${IP}:80; %if HAVE_DEDICATED_IP == '0': server_name ${DOMAIN} www.${DOMAIN}; % endif %if HAVE_DEDICATED_IP == '1': server_name ${DOMAIN} www.${DOMAIN} ${IP} www.${IP}; % endif # for working on proxy mode set nginx access logs off access_log off; location = /favicon.ico { log_not_found off; } % if TYPE == "main" and USERDIR_STATUS == "1": # userdir enabled location ~ ^/~${USER}(/.*)?$ { alias ${DOCROOT}/$2; autoindex on; try_files $uri $uri/ @userdirproxy; } location @userdirproxy { proxy_pass http://${IP}:${APACHE_HTTP_PORT}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; } % endif % if TYPE == "addon" or TYPE == "parked": access_log /usr/local/apache/domlogs/${PARENT_DOMAIN} combined; access_log /usr/local/apache/domlogs/${PARENT_DOMAIN}-bytes_log bytes_log; %else: access_log /usr/local/apache/domlogs/${DOMAIN} combined; access_log /usr/local/apache/domlogs/${DOMAIN}-bytes_log bytes_log; % endif % if WWW_REDIRECTION == "wwwtonon": # redirect www to non-ww if ($host = 'www.${DOMAIN}' ) { rewrite ^/(.*)$ http://${DOMAIN}/$1 permanent; } % endif % if WWW_REDIRECTION == "nontowww": # redirect non-www to www if ($host = '${DOMAIN}' ) { rewrite ^/(.*)$ http://www.${DOMAIN}/$1 permanent; } % endif % if SLOWLORIS_DOS == "1": # Slowloris Dos Attack Protection client_body_timeout ${CLIENT_BODY_TIMEOUT}; client_header_timeout ${CLIENT_HEADER_TIMEOUT}; % endif keepalive_requests ${KEEPALIVE_REQUEST}; keepalive_timeout ${KEEPALIVE_TIMEOUT}; % if SYMLINK_ATTACK == "on": # Symlink attack disable_symlinks on from=$document_root; % endif % if DIRECTORY_LIST == "1": autoindex on; % else: autoindex off; % endif # Disable direct access to .ht files and folders location ~ /\.ht { deny all; } # Access all cpanel services location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) { proxy_pass http://${IP}:${APACHE_HTTP_PORT}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } % if MOD_FLV == "1": # Enabled FLV streaming location ~ .flv$ { flv; } % endif %if MOD_MP4 == "1": # Enabled MP4 streaming location ~ .mp4$ { mp4; mp4_buffer_size 4M; mp4_max_buffer_size 10M; } % endif % if LIMIT_CONN == "1": # DDOS Layer 7 protection using ngx_http_limit_conn_module limit_conn perip ${LIMIT_CONN_PERCLIENTIP}; limit_conn perserver ${LIMIT_CONN_PERVIRTUALSERVER}; limit_conn_status 444; % endif % if REQ_MODULE == "1": # DDOS Layer 7 protection using ngx_http_limit_conn_module limit_req zone=reqperip burst=${LIMIT_REQ_PERCLIENTIP} nodelay; limit_req zone=reqperserver burst=${LIMIT_REQ_PERVIRTUALSERVER}; limit_req_status 445; % endif %if HTTP_METHOD_ENABLE == "1": # HTTP LIMIT METHOD PROTECTION ONLY ALLOW GET,POST,HEAD if ($badmethod = 1) { return 444; } % endif %if USER_AGENT_ATTACK_PROTECTION == "1": # Blocking access from bad bots if ($badbot){ return 447; } % endif %if XSS_PROTECTION == "1": # X-XSS protection add_header X-XSS-Protection "1; mode=block"; % endif % if XFRAME_ATTACK_PROTECTION == "1": # X-FRAME attach protection add_header X-Frame-Options "SAMEORIGIN"; % endif %if SCANNER_ATTACK_PROTECTION == "1": # Protect from bad site scanners if ($badscanner = 1){ return 448; } % endif %if REFERRER_SPAM_PROTECHTION == "1": # Protect from bad referer if ($badreferer){ return 449; } % endif % if PROTECT_SQL_INJECTION =="1": # Protect sql injections set $block_sql_injections 0; if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; } if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; } if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; } if ($block_sql_injections = 1) { return 403; } % endif % if PROTECT_FILE_INJECT == "1": # Protect file injections set $block_file_injections 0; if ($query_string ~ "[a-zA-Z0-9_]=http://") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; } if ($block_file_injections = 1) { return 403; } % endif % if PROTECT_COMMON_EXPLOITS == "1": # common exploit protection set $block_common_exploits 0; if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; } if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; } if ($block_common_exploits = 1) { return 403; } % endif % if HOT_LINK_PROTECTION == "1": # Hot Link protections location ~ \.(jpe?g|png|gif|svg|tiff|bmp|webp|bpg)$ { valid_referers none blocked ${DOMAIN} *.${DOMAIN}; if ($invalid_referer) { return 403; } } % endif %if GOOGLE_PAGE_SPEED == "1": # Enable google Page speed pagespeed on; pagespeed RespectVary on; # Ensure requests for pagespeed optimized resources go to the pagespeed handler and no extraneous headers get set. location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; } location ~ "^/pagespeed_static/" { } location ~ "^/ngx_pagespeed_beacon$" { } location /ngx_pagespeed_statistics { allow 127.0.0.1; deny all; } location /ngx_pagespeed_global_statistics { allow 127.0.0.1; deny all; } location /ngx_pagespeed_message { allow 127.0.0.1; deny all; } location /pagespeed_console { allow 127.0.0.1; deny all; } location ~ ^/pagespeed_admin { allow 127.0.0.1; deny all; } location ~ ^/pagespeed_global_admin { allow 127.0.0.1; deny all; } # filters pagespeed RewriteLevel PassThrough; pagespeed PreserveUrlRelativity on; pagespeed DisableFilters rewrite_css,rewrite_javascript,combine_css,inline_css,rewrite_images; pagespeed EnableFilters fallback_rewrite_css_urls; # Map domain works as a cdn pagespeed Domain http://cpnginxcdn.${DOMAIN}; # Map Original Domains pagespeed MapOriginDomain origin_to_fetch_from origin_specified_in_html [host_header]; # Respect froned Proxy pagespeed RespectXForwardedProto on; % endif referer_hash_bucket_size 512; error_page 404 = @apache; log_not_found off; location @apache { internal; client_max_body_size ${MAX_BODY_SIZE}; client_body_buffer_size ${BODY_BUFFER_SIZE}; proxy_buffering ${PROXY_BUFFERING}; proxy_send_timeout ${PROXY_SEND_TIMEOUT}; proxy_read_timeout ${PROXY_READ_TIMEOUT}; proxy_buffer_size ${PROXY_BUFFER_SIZE}; proxy_buffers ${PROXY_BUFFERS}; proxy_busy_buffers_size ${PROXY_BUSY_BUFFERS_SIZE}; proxy_temp_file_write_size ${PROXY_TEMP_FILE_WRITE_SIZE}; proxy_connect_timeout ${PROXY_CONNECT_TIMEOUT}; proxy_http_version ${PROXY_HTTP_VERSION}; % if RANGE_PROTECTION == "1": proxy_set_header Range ""; % endif % if PROXY_SET_HEADER_CONNECTION == "1": proxy_set_header Connection close; % endif % if PROXY_CACHE == "1": # ---proxy cache configurations start -- #Cache everything by default set $no_cache 0; # Only cache GET requests if ($request_method != GET){ set $no_cache 1; } #Don't cache if the URL contains a query string if ($query_string != ""){ set $no_cache 1; } #Don't cache if there is a cookie called wordpress_logged_in_[hash] if ($http_cookie ~* "wordpress_logged_in_"){ set $no_cache 1; } #Don't cache POST requests if ($request_method = POST) { set $no_cache 1; } #Don't cache the following URLs if ($request_uri ~* "/(wp-login.php|wp-admin|administrator/|login.php|backend|admin)"){ set $no_cache 1; } #Don't cache if there is a cookie called PHPSESSID if ($http_cookie ~* "PHPSESSID") { set $no_cache 1; } # Bypass cache if no-cache cookie is set if ($http_cookie ~* "_mcnc") { set $no_cache "1"; } # Drop no cache cookie if need be if ($no_cache = "1") { add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; add_header X-Microcachable "0"; } proxy_cache_bypass $no_cache; proxy_no_cache $no_cache; proxy_cache PROXYCACHE; userid on; userid_name uid; userid_domain $host; userid_path /; userid_expires 30d; userid_p3p 'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"'; proxy_cache_key $scheme$host$request_uri$request_method$uid_got; proxy_cache_revalidate ${PROXY_CACHE_REVALIDATE}; proxy_cache_min_uses ${PROXY_CACHE_MIN_USES}; proxy_cache_lock ${PROXY_CACHE_LOCK}; proxy_cache_valid ${PROXY_CACHE_VALID}; % if PROXY_CACHE_USE_STALE == "1": proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; % endif proxy_pass_header Set-Cookie; proxy_ignore_headers Cache-Control Expires Set-Cookie; add_header X-Proxy-Cache $upstream_cache_status; # ----proxy cache configuration end -- % endif proxy_pass http://${IP}:${APACHE_HTTP_PORT}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; } location / { % if HAVE_REWRITE == '1': include /usr/local/nginx/conf/vhost.d/${DOMAIN}.rewrite; % else: # include /usr/local/nginx/conf/vhost.d/${DOMAIN}.rewrite; % endif log_not_found off; client_max_body_size ${MAX_BODY_SIZE}; client_body_buffer_size ${BODY_BUFFER_SIZE}; proxy_buffering ${PROXY_BUFFERING}; proxy_send_timeout ${PROXY_SEND_TIMEOUT}; proxy_read_timeout ${PROXY_READ_TIMEOUT}; proxy_buffer_size ${PROXY_BUFFER_SIZE}; proxy_buffers ${PROXY_BUFFERS}; proxy_busy_buffers_size ${PROXY_BUSY_BUFFERS_SIZE}; proxy_temp_file_write_size ${PROXY_TEMP_FILE_WRITE_SIZE}; proxy_connect_timeout ${PROXY_CONNECT_TIMEOUT}; proxy_http_version ${PROXY_HTTP_VERSION}; % if RANGE_PROTECTION == "1": proxy_set_header Range ""; % endif % if PROXY_SET_HEADER_CONNECTION == "1": proxy_set_header Connection close; % endif % if PROXY_CACHE == "1": # ---proxy cache configurations start -- #Cache everything by default set $no_cache 0; # Only cache GET requests if ($request_method != GET){ set $no_cache 1; } #Don't cache if the URL contains a query string if ($query_string != ""){ set $no_cache 1; } #Don't cache if there is a cookie called wordpress_logged_in_[hash] if ($http_cookie ~* "wordpress_logged_in_"){ set $no_cache 1; } #Don't cache POST requests if ($request_method = POST) { set $no_cache 1; } #Don't cache the following URLs if ($request_uri ~* "/(wp-login.php|wp-admin|administrator/|login.php|backend|admin)"){ set $no_cache 1; } #Don't cache if there is a cookie called PHPSESSID if ($http_cookie ~* "PHPSESSID") { set $no_cache 1; } # Bypass cache if no-cache cookie is set if ($http_cookie ~* "_mcnc") { set $no_cache "1"; } # Drop no cache cookie if need be if ($no_cache = "1") { add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; add_header X-Microcachable "0"; } proxy_cache_bypass $no_cache; proxy_no_cache $no_cache; proxy_cache PROXYCACHE; userid on; userid_name uid; userid_domain $host; userid_path /; userid_expires 30d; userid_p3p 'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"'; proxy_cache_key $scheme$host$request_uri$request_method$uid_got; proxy_cache_revalidate ${PROXY_CACHE_REVALIDATE}; proxy_cache_min_uses ${PROXY_CACHE_MIN_USES}; proxy_cache_lock ${PROXY_CACHE_LOCK}; proxy_cache_valid ${PROXY_CACHE_VALID}; % if PROXY_CACHE_USE_STALE == "1": proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; % endif proxy_pass_header Set-Cookie; proxy_ignore_headers Cache-Control Expires Set-Cookie; add_header X-Proxy-Cache $upstream_cache_status; # ----proxy cache configuration end -- % endif proxy_pass http://${IP}:${APACHE_HTTP_PORT}; # Remote server modify this line " eg : proxy_pass http://10.0.0.10:80; " proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; } % if HAVE_INCLUE == '1': include /usr/local/nginx/conf/vhost.d/${DOMAIN}.include; % else: # include /usr/local/nginx/conf/vhost.d/${DOMAIN}.include; % endif } % endif % endif %if HAVESSL == '1': server { %if HTTP2 == "1": listen ${IP}:443 ssl http2 ; % else: listen ${IP}:443 ssl; % endif %if HAVE_DEDICATED_IP == '0': server_name ${DOMAIN} www.${DOMAIN}; % endif %if HAVE_DEDICATED_IP == '1': server_name ${DOMAIN} www.${DOMAIN} ${IP} www.${IP}; % endif # for working on proxy mode set nginx access logs off access_log off; ssl on; ssl_certificate /usr/local/nginx/conf/ssl.cert.d/${DOMAIN}_cert; ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/${DOMAIN}_key; ssl_protocols ${SSL_PROTOCOLS}; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; %if OSCP == '1': #.............. Cpnginx OCSP stapling protection for security start .................... ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /usr/local/nginx/conf/ssl.ca.d/${DOMAIN}_ca-bundle; resolver 127.0.0.1 8.8.8.8 4.2.2.1 8.8.4.4 4.2.2.2 valid=300s; resolver_timeout 5s; #.............. Cpnginx OCSP stapling protection for security end.................... % endif location = /favicon.ico { log_not_found off; } % if TYPE == "main" and USERDIR_STATUS == "1": # userdir enabled location ~ ^/~${USER}(/.*)?$ { alias ${DOCROOT}/$2; autoindex on; try_files $uri $uri/ @userdirproxy; } location @userdirproxy { proxy_pass https://${IP}:${APACHE_HTTPS_PORT}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; } % endif % if TYPE == "addon" or TYPE == "parked": access_log /usr/local/apache/domlogs/${PARENT_DOMAIN}-bytes_log bytes_log buffer=32k flush=5m; access_log /usr/local/apache/domlogs/${PARENT_DOMAIN}-ssl_log combined buffer=32k flush=5m; % else: access_log /usr/local/apache/domlogs/${DOMAIN}-bytes_log bytes_log buffer=32k flush=5m; access_log /usr/local/apache/domlogs/${DOMAIN}-ssl_log combined buffer=32k flush=5m; % endif % if WWW_REDIRECTION == "wwwtonon": # redirect www to non-ww if ($host = 'www.${DOMAIN}' ) { rewrite ^/(.*)$ https://${DOMAIN}/$1 permanent; } % endif % if WWW_REDIRECTION == "nontowww": # redirect non-www to www if ($host = '${DOMAIN}' ) { rewrite ^/(.*)$ https://www.${DOMAIN}/$1 permanent; } % endif % if SLOWLORIS_DOS == "1": # Slowloris Dos Attack Protection client_body_timeout ${CLIENT_BODY_TIMEOUT}; client_header_timeout ${CLIENT_HEADER_TIMEOUT}; % endif keepalive_requests ${KEEPALIVE_REQUEST}; keepalive_timeout ${KEEPALIVE_TIMEOUT}; % if SYMLINK_ATTACK == "on": # Symlink attack disable_symlinks on from=$document_root; % endif % if DIRECTORY_LIST == "1": autoindex on; % else: autoindex off; % endif # Disable direct access to .ht files and folders location ~ /\.ht { deny all; } # Access all cpanel services location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) { proxy_pass http://${IP}:${APACHE_HTTP_PORT}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } % if MOD_FLV == "1": # Enabled FLV streaming location ~ .flv$ { flv; } % endif %if MOD_MP4 == "1": # Enabled MP4 streaming location ~ .mp4$ { mp4; mp4_buffer_size 4M; mp4_max_buffer_size 10M; } % endif % if LIMIT_CONN == "1": # DDOS Layer 7 protection using ngx_http_limit_conn_module limit_conn perip ${LIMIT_CONN_PERCLIENTIP}; limit_conn perserver ${LIMIT_CONN_PERVIRTUALSERVER}; limit_conn_status 444; % endif % if REQ_MODULE == "1": # DDOS Layer 7 protection using ngx_http_limit_conn_module limit_req zone=reqperip burst=${LIMIT_REQ_PERCLIENTIP} nodelay; limit_req zone=reqperserver burst=${LIMIT_REQ_PERVIRTUALSERVER}; limit_req_status 445; % endif %if HTTP_METHOD_ENABLE == "1": # HTTP LIMIT METHOD PROTECTION ONLY ALLOW GET,POST,HEAD if ($badmethod = 1) { return 444; } % endif %if USER_AGENT_ATTACK_PROTECTION == "1": # Blocking access from bad bots if ($badbot){ return 447; } % endif %if XSS_PROTECTION == "1": # X-XSS protection add_header X-XSS-Protection "1; mode=block"; % endif % if XFRAME_ATTACK_PROTECTION == "1": # X-FRAME attach protection add_header X-Frame-Options "SAMEORIGIN"; % endif %if SCANNER_ATTACK_PROTECTION == "1": # Protect from bad site scanners if ($badscanner = 1){ return 448; } % endif %if REFERRER_SPAM_PROTECHTION == "1": # Protect from bad referer if ($badreferer){ return 449; } % endif % if PROTECT_SQL_INJECTION =="1": # Protect sql injections set $block_sql_injections 0; if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; } if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; } if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; } if ($block_sql_injections = 1) { return 403; } % endif % if PROTECT_FILE_INJECT == "1": # Protect file injections set $block_file_injections 0; if ($query_string ~ "[a-zA-Z0-9_]=http://") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; } if ($block_file_injections = 1) { return 403; } % endif % if PROTECT_COMMON_EXPLOITS == "1": # common exploit protection set $block_common_exploits 0; if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; } if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; } if ($block_common_exploits = 1) { return 403; } % endif % if HOT_LINK_PROTECTION == "1": # Hot Link protections location ~ \.(jpe?g|png|gif|svg|tiff|bmp|webp|bpg)$ { valid_referers none blocked ${DOMAIN} *.${DOMAIN}; if ($invalid_referer) { return 403; } } % endif %if GOOGLE_PAGE_SPEED == "1": # Enable google Page speed pagespeed on; pagespeed RespectVary on; # Ensure requests for pagespeed optimized resources go to the pagespeed handler and no extraneous headers get set. location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; } location ~ "^/pagespeed_static/" { } location ~ "^/ngx_pagespeed_beacon$" { } location /ngx_pagespeed_statistics { allow 127.0.0.1; deny all; } location /ngx_pagespeed_global_statistics { allow 127.0.0.1; deny all; } location /ngx_pagespeed_message { allow 127.0.0.1; deny all; } location /pagespeed_console { allow 127.0.0.1; deny all; } location ~ ^/pagespeed_admin { allow 127.0.0.1; deny all; } location ~ ^/pagespeed_global_admin { allow 127.0.0.1; deny all; } # filters pagespeed RewriteLevel PassThrough; pagespeed PreserveUrlRelativity on; pagespeed DisableFilters rewrite_css,rewrite_javascript,combine_css,inline_css,rewrite_images; pagespeed EnableFilters fallback_rewrite_css_urls; # Map domain works as a cdn pagespeed Domain https://cpnginxcdn.${DOMAIN}; # Map Original Domains pagespeed MapOriginDomain origin_to_fetch_from origin_specified_in_html [host_header]; # Respect froned Proxy pagespeed RespectXForwardedProto on; % endif referer_hash_bucket_size 512; error_page 404 = @apache; log_not_found off; location @apache { internal; client_max_body_size ${MAX_BODY_SIZE}; client_body_buffer_size ${BODY_BUFFER_SIZE}; proxy_buffering ${PROXY_BUFFERING}; proxy_send_timeout ${PROXY_SEND_TIMEOUT}; proxy_read_timeout ${PROXY_READ_TIMEOUT}; proxy_buffer_size ${PROXY_BUFFER_SIZE}; proxy_buffers ${PROXY_BUFFERS}; proxy_busy_buffers_size ${PROXY_BUSY_BUFFERS_SIZE}; proxy_temp_file_write_size ${PROXY_TEMP_FILE_WRITE_SIZE}; proxy_connect_timeout ${PROXY_CONNECT_TIMEOUT}; proxy_http_version ${PROXY_HTTP_VERSION}; % if RANGE_PROTECTION == "1": proxy_set_header Range ""; % endif % if PROXY_SET_HEADER_CONNECTION == "1": proxy_set_header Connection close; % endif % if PROXY_CACHE == "1": # ---proxy cache configurations start -- #Cache everything by default set $no_cache 0; # Only cache GET requests if ($request_method != GET){ set $no_cache 1; } #Don't cache if the URL contains a query string if ($query_string != ""){ set $no_cache 1; } #Don't cache if there is a cookie called wordpress_logged_in_[hash] if ($http_cookie ~* "wordpress_logged_in_"){ set $no_cache 1; } #Don't cache POST requests if ($request_method = POST) { set $no_cache 1; } #Don't cache the following URLs if ($request_uri ~* "/(wp-login.php|wp-admin|administrator/|login.php|backend|admin)"){ set $no_cache 1; } #Don't cache if there is a cookie called PHPSESSID if ($http_cookie ~* "PHPSESSID") { set $no_cache 1; } # Bypass cache if no-cache cookie is set if ($http_cookie ~* "_mcnc") { set $no_cache "1"; } # Drop no cache cookie if need be if ($no_cache = "1") { add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; add_header X-Microcachable "0"; } proxy_cache_bypass $no_cache; proxy_no_cache $no_cache; proxy_cache PROXYCACHE; userid on; userid_name uid; userid_domain $host; userid_path /; userid_expires 30d; userid_p3p 'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"'; proxy_cache_key $scheme$host$request_uri$request_method$uid_got; proxy_cache_revalidate ${PROXY_CACHE_REVALIDATE}; proxy_cache_min_uses ${PROXY_CACHE_MIN_USES}; proxy_cache_lock ${PROXY_CACHE_LOCK}; proxy_cache_valid ${PROXY_CACHE_VALID}; % if PROXY_CACHE_USE_STALE == "1": proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; % endif proxy_pass_header Set-Cookie; proxy_ignore_headers Cache-Control Expires Set-Cookie; add_header X-Proxy-Cache $upstream_cache_status; # ----proxy cache configuration end -- % endif proxy_pass https://${IP}:${APACHE_HTTPS_PORT}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; } location / { % if HAVE_SSL_REWRITE == '1': include /usr/local/nginx/conf/vhost.ssl.d/${DOMAIN}.rewrite; % else: # include /usr/local/nginx/conf/vhost.ssl.d/${DOMAIN}.rewrite; % endif log_not_found off; client_max_body_size ${MAX_BODY_SIZE}; client_body_buffer_size ${BODY_BUFFER_SIZE}; proxy_buffering ${PROXY_BUFFERING}; proxy_send_timeout ${PROXY_SEND_TIMEOUT}; proxy_read_timeout ${PROXY_READ_TIMEOUT}; proxy_buffer_size ${PROXY_BUFFER_SIZE}; proxy_buffers ${PROXY_BUFFERS}; proxy_busy_buffers_size ${PROXY_BUSY_BUFFERS_SIZE}; proxy_temp_file_write_size ${PROXY_TEMP_FILE_WRITE_SIZE}; proxy_connect_timeout ${PROXY_CONNECT_TIMEOUT}; proxy_http_version ${PROXY_HTTP_VERSION}; % if RANGE_PROTECTION == "1": proxy_set_header Range ""; % endif % if PROXY_SET_HEADER_CONNECTION == "1": proxy_set_header Connection close; % endif % if PROXY_CACHE == "1": # ---proxy cache configurations start -- #Cache everything by default set $no_cache 0; # Only cache GET requests if ($request_method != GET){ set $no_cache 1; } #Don't cache if the URL contains a query string if ($query_string != ""){ set $no_cache 1; } #Don't cache if there is a cookie called wordpress_logged_in_[hash] if ($http_cookie ~* "wordpress_logged_in_"){ set $no_cache 1; } #Don't cache POST requests if ($request_method = POST) { set $no_cache 1; } #Don't cache the following URLs if ($request_uri ~* "/(wp-login.php|wp-admin|administrator/|login.php|backend|admin)"){ set $no_cache 1; } #Don't cache if there is a cookie called PHPSESSID if ($http_cookie ~* "PHPSESSID") { set $no_cache 1; } # Bypass cache if no-cache cookie is set if ($http_cookie ~* "_mcnc") { set $no_cache "1"; } # Drop no cache cookie if need be if ($no_cache = "1") { add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; add_header X-Microcachable "0"; } proxy_cache_bypass $no_cache; proxy_no_cache $no_cache; proxy_cache PROXYCACHE; userid on; userid_name uid; userid_domain $host; userid_path /; userid_expires 30d; userid_p3p 'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"'; proxy_cache_key $scheme$host$request_uri$request_method$uid_got; proxy_cache_revalidate ${PROXY_CACHE_REVALIDATE}; proxy_cache_min_uses ${PROXY_CACHE_MIN_USES}; proxy_cache_lock ${PROXY_CACHE_LOCK}; proxy_cache_valid ${PROXY_CACHE_VALID}; % if PROXY_CACHE_USE_STALE == "1": proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; % endif proxy_pass_header Set-Cookie; proxy_ignore_headers Cache-Control Expires Set-Cookie; add_header X-Proxy-Cache $upstream_cache_status; # ----proxy cache configuration end -- % endif proxy_pass https://${IP}:${APACHE_HTTPS_PORT}; # Remote server modify this line " eg : proxy_pass https://10.0.0.10:443; " proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; } % if HAVE_SSL_INCLUE == '1': include /usr/local/nginx/conf/vhost.ssl.d/${DOMAIN}.include; % else: # include /usr/local/nginx/conf/vhost.ssl.d/${DOMAIN}.include; % endif } % endif