joecue · September 7, 2022 17:43
diff --git a/.lando.yml b/.lando.yml
 # Replace the entries with {{ }} around them with your customizations.

 name: {{ myproject }}
 recipe: wordpress
 config:
  php: "7.4"
  via: nginx
  config:
    vhosts: config/default.conf.tpl
  webroot: {{ webroot }}
  database: mariadb
  xdebug: true
 services:
  database:
    creds:
      user: {{ db_user }}
      password: {{ db_user_password }}
      database: {{ db_name }}
  phpmyadmin:
    type: phpmyadmin
    user: {{ db_user }}
    password: {{ db_user_password }}
    database: {{ db_name }}
    hosts:
      - database
 proxy:
  phpmyadmin:
    - phpmyadmin.{{ myproject }}.lndo.site
diff --git a/default.conf b/default.conf
 server {
    listen       80;
    server_name  localhost;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
 }
diff --git a/default.conf.tpl b/default.conf.tpl
 # WordPress single site rules.
 # Designed to be included in any server {} block.

 # Adding Multisite blog pathing
 # Copied from https://wordpress.org/support/article/nginx/

 map $uri $blogname{
 ~^(?P<blogpath>/[^/]+/)files/(.*) $blogpath ;
 }

 map $blogname $blogid{
 default -999;
 }

 # Upstream to abstract backend connection(s) for php
 upstream php {
  server fpm:9000;
 }

 server {

  listen 80 default_server;
  listen 443 ssl;

  server_name localhost;

  ssl_certificate           /certs/cert.crt;
  ssl_certificate_key       /certs/cert.key;
  ssl_verify_client         off;

  ssl_session_cache    shared:SSL:1m;
  ssl_session_timeout  5m;

  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers  on;

  port_in_redirect off;
  client_max_body_size 100M;

  ## Your only path reference.
  root "{{LANDO_WEBROOT}}";

  ## This should be in your http block and if it is, it's not needed here.
  index index.php;

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  #replace the following location statement
  #  location / {
    # This is cool because no php is touched for static content.
    # include the "?$args" part so non-default permalinks doesn't break when using query string
    # try_files $uri $uri/ /index.php?$args;
  # }

  # replace with lines 67 to 87 (location statements below)
  # Copied from https://wordpress.org/support/article/nginx/
  
  location ~ ^(/[^/]+/)?files/(.+) {
 	try_files /wp-content/blogs.dir/$blogid/files/$2 /wp-includes/ms-files.php?file=$2 ;
 	access_log off;     log_not_found off; expires max;
  }

  #avoid php readfile()
  location ^~ /blogs.dir {
 	internal;
 	alias /var/www/example.com/htdocs/wp-content/blogs.dir ;
 	access_log off;     log_not_found off; expires max;
  }

  if (!-e $request_filename) {
 	rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
 	rewrite ^(/[^/]+)?(/wp-.*) $2 last;
 	rewrite ^(/[^/]+)?(/.*\.php) $2 last;
  }

  location / {
 	try_files $uri $uri/ /index.php?$args ;
  }

  location ~ \.php$ {
    #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_intercept_errors on;
    fastcgi_pass php;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
  }
 }
diff --git a/directories to create.txt b/directories to create.txt
 config/conf.d/global
 default.conf placed in root of config/conf.d

 wordpress-mu.conf and wp-restricions.conf placed in root of config/conf.d/global

 config/default.conf
 logs

 place default.conf.tpl (file above) in root of config
diff --git a/lando path.bat b/lando path.bat
 @echo off

 set path=%path%;C:\Program Files\Lando\

 cmd /k
diff --git a/wordpress-mu.conf b/wordpress-mu.conf
 # WordPress multisite subdirectory rules.
 # Designed to be included in any server {} block.

 # This order might seem weird - this is attempted to match last if rules below fail.
 # http://wiki.nginx.org/HttpCoreModule

 location / {
        try_files $uri $uri/ /index.php?$args;
        rewrite ^/(.*/)?sitemap.xml /wp-content/sitemap.php last;
 }

 # Directives to send expires headers and turn off 404 error logging.
 location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 24h;
        log_not_found off;
 }

 location ~ ^(/[^/]+/)?files/(.+) {
 	try_files /wp-content/blogs.dir/$blogid/files/$2 /wp-includes/ms-files.php?file=$2 ;
 	access_log off;     log_not_found off; expires max;
 }

 #avoid php readfile()
 location ^~ /blogs.dir {
        internal;
        alias /var/www/example.com/htdocs/wp-content/blogs.dir ;
        access_log off; log_not_found off;      expires max;
 }

 # Uncomment one of the lines below for the appropriate caching plugin (if used).
 #include global/wordpress-ms-subdir-wp-super-cache.conf;
 #include global/wordpress-ms-subdir-w3-total-cache.conf;

 # Rewrite multisite '.../wp-.*' and '.../*.php'.
 if (!-e $request_filename) {
 	rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
 	rewrite ^(/[^/]+)?(/wp-.*) $2 last;
 	rewrite ^(/[^/]+)?(/.*\.php) $2 last;
 }

 # Pass all .php files onto a php-fpm/php-fcgi server.
 location ~ \.php$ {
        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine.  And then cross your fingers that you won't get hack$

        try_files $uri =404;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #fastcgi_split_path_info ^(.+\.php)(.*)$;

        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        #fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;

        fastcgi_read_timeout 300s;

        fastcgi_index index.php;
        include fastcgi_params;
 	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 }
diff --git a/wp-restrictions.conf b/wp-restrictions.conf
 # Global restrictions configuration file.
 # Designed to be included in any server {} block.</p>
 location = /favicon.ico {
        log_not_found off;
        access_log off;
 }

 location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
 }

 # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~ /\. {
        deny all;
 }

 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
 }
	# Replace the entries with {{ }} around them with your customizations.

	name: {{ myproject }}
	recipe: wordpress
	config:
	php: "7.4"
	via: nginx
	config:
	vhosts: config/default.conf.tpl
	webroot: {{ webroot }}
	database: mariadb
	xdebug: true
	services:
	database:
	creds:
	user: {{ db_user }}
	password: {{ db_user_password }}
	database: {{ db_name }}
	phpmyadmin:
	type: phpmyadmin
	user: {{ db_user }}
	password: {{ db_user_password }}
	database: {{ db_name }}
	hosts:
	- database
	proxy:
	phpmyadmin:
	- phpmyadmin.{{ myproject }}.lndo.site
	server {
	listen 80;
	server_name localhost;

	#access_log /var/log/nginx/host.access.log main;

	location / {
	root /usr/share/nginx/html;
	index index.html index.htm;
	}

	#error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/share/nginx/html;
	}

	# proxy the PHP scripts to Apache listening on 127.0.0.1:80
	#
	#location ~ \.php$ {
	# proxy_pass http://127.0.0.1;
	#}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	# root html;
	# fastcgi_pass 127.0.0.1:9000;
	# fastcgi_index index.php;
	# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
	# include fastcgi_params;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	# deny all;
	#}
	}
	# WordPress single site rules.
	# Designed to be included in any server {} block.

	# Adding Multisite blog pathing
	# Copied from https://wordpress.org/support/article/nginx/

	map $uri $blogname{
	~^(?P<blogpath>/[^/]+/)files/(.*) $blogpath ;
	}

	map $blogname $blogid{
	default -999;
	}

	# Upstream to abstract backend connection(s) for php
	upstream php {
	server fpm:9000;
	}

	server {

	listen 80 default_server;
	listen 443 ssl;

	server_name localhost;

	ssl_certificate /certs/cert.crt;
	ssl_certificate_key /certs/cert.key;
	ssl_verify_client off;

	ssl_session_cache shared:SSL:1m;
	ssl_session_timeout 5m;

	ssl_ciphers HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers on;

	port_in_redirect off;
	client_max_body_size 100M;

	## Your only path reference.
	root "{{LANDO_WEBROOT}}";

	## This should be in your http block and if it is, it's not needed here.
	index index.php;

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	#replace the following location statement
	# location / {
	# This is cool because no php is touched for static content.
	# include the "?$args" part so non-default permalinks doesn't break when using query string
	# try_files $uri $uri/ /index.php?$args;
	# }

	# replace with lines 67 to 87 (location statements below)
	# Copied from https://wordpress.org/support/article/nginx/

	location ~ ^(/[^/]+/)?files/(.+) {
	try_files /wp-content/blogs.dir/$blogid/files/$2 /wp-includes/ms-files.php?file=$2 ;
	access_log off; log_not_found off; expires max;
	}

	#avoid php readfile()
	location ^~ /blogs.dir {
	internal;
	alias /var/www/example.com/htdocs/wp-content/blogs.dir ;
	access_log off; log_not_found off; expires max;
	}

	if (!-e $request_filename) {
	rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
	rewrite ^(/[^/]+)?(/wp-.*) $2 last;
	rewrite ^(/[^/]+)?(/.*\.php) $2 last;
	}

	location / {
	try_files $uri $uri/ /index.php?$args ;
	}

	location ~ \.php$ {
	#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
	include fastcgi_params;
	fastcgi_intercept_errors on;
	fastcgi_pass php;
	fastcgi_buffers 16 16k;
	fastcgi_buffer_size 32k;
	}

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico)$ {
	expires max;
	log_not_found off;
	}
	}
	config/conf.d/global
	default.conf placed in root of config/conf.d

	wordpress-mu.conf and wp-restricions.conf placed in root of config/conf.d/global

	config/default.conf
	logs

	place default.conf.tpl (file above) in root of config
	# WordPress multisite subdirectory rules.
	# Designed to be included in any server {} block.

	# This order might seem weird - this is attempted to match last if rules below fail.
	# http://wiki.nginx.org/HttpCoreModule

	location / {
	try_files $uri $uri/ /index.php?$args;
	rewrite ^/(.*/)?sitemap.xml /wp-content/sitemap.php last;
	}

	# Directives to send expires headers and turn off 404 error logging.
	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico)$ {
	expires 24h;
	log_not_found off;
	}

	location ~ ^(/[^/]+/)?files/(.+) {
	try_files /wp-content/blogs.dir/$blogid/files/$2 /wp-includes/ms-files.php?file=$2 ;
	access_log off; log_not_found off; expires max;
	}

	#avoid php readfile()
	location ^~ /blogs.dir {
	internal;
	alias /var/www/example.com/htdocs/wp-content/blogs.dir ;
	access_log off; log_not_found off; expires max;
	}

	# Uncomment one of the lines below for the appropriate caching plugin (if used).
	#include global/wordpress-ms-subdir-wp-super-cache.conf;
	#include global/wordpress-ms-subdir-w3-total-cache.conf;

	# Rewrite multisite '.../wp-.' and '.../.php'.
	if (!-e $request_filename) {
	rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
	rewrite ^(/[^/]+)?(/wp-.*) $2 last;
	rewrite ^(/[^/]+)?(/.*\.php) $2 last;
	}

	# Pass all .php files onto a php-fpm/php-fcgi server.
	location ~ \.php$ {
	# Zero-day exploit defense.
	# http://forum.nginx.org/read.php?2,88845,page=3
	# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
	# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hack$

	try_files $uri =404;

	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	#fastcgi_split_path_info ^(.+\.php)(.*)$;

	#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

	#fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
	fastcgi_pass 127.0.0.1:9000;

	fastcgi_read_timeout 300s;

	fastcgi_index index.php;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	}
	# Global restrictions configuration file.
	# Designed to be included in any server {} block.</p>
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~ /\. {
	deny all;
	}

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}