Surprisingly, this hasn’t been covered more thoroughly, considering how many people run NGINX as a reverse proxy in front of a back-end CMS such as WordPress. This article shows you how to configure NGINX with SSL and redirect www to non-www.

If your WordPress installation sits behind a reverse proxy like NGINX, WordPress can’t see the real IP address of the client, so your statistics and reporting show the reverse proxy’s address instead. If you’re using Cloudflare, there are various plugins that fix this; for NGINX there are none. To show the correct client IP address in your back-end logs, add the following at the top of wp-config.php:

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // Use the first address in the comma-separated X-Forwarded-For list
    $xffaddrs = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $_SERVER['REMOTE_ADDR'] = $xffaddrs[0];
}

Here is what the top of your wp-config.php should look like after adding the snippet:

<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $xffaddrs = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $_SERVER['REMOTE_ADDR'] = $xffaddrs[0];
}
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information
 * by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'yourusername');
/** MySQL database password */
define('DB_PASSWORD', 'yourpassword');
/** MySQL hostname */
define('DB_HOST', 'yourDBhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
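
The snippet above uses the first X-Forwarded-For entry on every request, and that entry is whatever the client sent, so anything keyed on REMOTE_ADDR (logs, rate limits, IP allow-lists) can be fed a false address. The following is an added example, not part of the original article: it only honours the header when the connection really came from the proxy, and reads the list from the right. The names `$trusted_proxies` and `resolve_client_ip` are hypothetical, the proxy addresses are constructed placeholders, and it assumes NGINX either overwrites X-Forwarded-For or appends to it with `$proxy_add_x_forwarded_for`.

```php
<?php
// Added example, not from the original article. In wp-config.php this goes
// right after the existing opening <?php tag, in place of the short snippet.
// Assumption: exact addresses of your NGINX proxy (constructed placeholders).
$trusted_proxies = array('10.0.0.5', '127.0.0.1');

/**
 * Return the client IP for a request, given the socket peer address and
 * the raw X-Forwarded-For value (null when the header is absent).
 */
function resolve_client_ip($remote_addr, $xff, array $trusted_proxies) {
    // The header means nothing unless the connection came from our own proxy.
    if ($xff === null || !in_array($remote_addr, $trusted_proxies, true)) {
        return $remote_addr;
    }
    // Each proxy appends the peer it saw, so the rightmost entries were
    // written by our infrastructure and everything further left is
    // client-supplied. Walk right to left, stop at the first untrusted hop.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote_addr;   // malformed entry: ignore the whole header
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;           // first address not written by our proxies
        }
    }
    return $remote_addr;           // header listed only our own proxies
}

if (isset($_SERVER['REMOTE_ADDR'])) {
    $_SERVER['REMOTE_ADDR'] = resolve_client_ip(
        $_SERVER['REMOTE_ADDR'],
        isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : null,
        $trusted_proxies
    );
}
```

The back end should also accept connections only from the proxy, otherwise a client that reaches it directly bypasses the check's premise.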
 

My setup:

[Figure: network diagram of the setup]

Nginx boilerplate

Note that this configuration was built on top of h5bp’s Nginx HTTP server boilerplate configs, a very useful Nginx configuration template built with best practices in mind. The main server block therefore includes a file that contains only default Nginx settings, so don’t get confused. I recommend using this boilerplate for server configuration instead of writing your own.

SPDY networking protocol

SPDY has been superseded by HTTP/2, so you should no longer use it in any of your web configurations. Enable HTTP/2 instead. NGINX has supported HTTP/2 since September 2015.

Since you have an SSL certificate, I don’t see a reason not to include the SPDY protocol. It is implemented in almost all browsers (check out Caniuse), and hopefully IE and Opera Mini will get it soon as well. If you feel it is not yet the right time for SPDY, just remove spdy from the configuration file.

Redirect all www connections to non-www

server {
        # Server host
        server_name     www.domain.com;

        # Server ports ("spdy" applies to nginx before 1.9.5, where
        # ngx_http_v2_module superseded the SPDY module)
        listen          80;
        listen          443 ssl spdy;
        listen          [::]:80;
        listen          [::]:443 ssl spdy;

        # SSL Certificate
        ssl_certificate     /path/to/certs/domain.com.crt;
        ssl_certificate_key /path/to/certs/domain.com.key.nopass;

        # Non-www redirect
        return          301 https://domain.com$request_uri;
} 

Redirect all HTTP to HTTPS

server {
        # Server host
        server_name     domain.com;

        # Server port
        listen          80;
        listen          [::]:80;

        return          301 https://domain.com$request_uri;
} 

Redirect subdomain to HTTPS

server {
  # Server host
  server_name     sub.domain.com;

  # Server port
  listen          80;
  listen          [::]:80;

  location / {
    return          301 https://sub.domain.com$request_uri;
  }

  # Server root folder
  root            /path/to/your/application;

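  # Custom locations and settings
  # Note: a regex location is matched before the "location /" prefix above,
  # so requests for .php files on port 80 reach PHP-FPM and are not redirected.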
  location ~ \.php$ {
    root           /path/to/your/application;
    fastcgi_pass   unix:/var/run/php5-fpm.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /path/to/your/application$fastcgi_script_name;
    include        fastcgi_params;
  }
}

Main server block configuration

server {
        # Server host
        server_name     domain.com;

        # Server ports
        listen          443 ssl spdy;
        listen          [::]:443 ssl spdy;

        # Server root folder
        root            /path/to/your/application;

        # SSL certificate
        ssl_certificate     /path/to/certs/domain.com.crt;
        ssl_certificate_key /path/to/certs/domain.com.key.nopass;

        # You may want to check the Cipher list (https://cipherli.st/), which provides strong SSL security settings for all modern browsers. (Thanks KnowledgePower Marketing)
        # SSL settings
        ssl_session_cache           shared:SSL:10m;
        ssl_session_timeout         10m;
        ssl_prefer_server_ciphers   on;
        #ssl_stapling                on;
        #resolver                    8.8.8.8;
        # TLS 1.2 only: TLS 1.0/1.1 are deprecated (RFC 8996); RC4 is excluded (RFC 7465)
        ssl_protocols               TLSv1.2;
        ssl_ciphers                 "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
        add_header                  Strict-Transport-Security 'max-age=604800';

        # Include Nginx Boilerplate default settings
        include         nginx-bp/bootstrap/example.conf;

        # Custom locations and settings
        location ~ \.php$ {
                root           /path/to/your/application;
                fastcgi_pass   unix:/var/run/php5-fpm.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /path/to/your/application$fastcgi_script_name;
                include        fastcgi_params;
        }
}

Conclusion

I hope this post was useful for you. If you have some suggestions or corrections, write them down in the comments.

Source by Bojan
