
Wordfence Blog

Nginx.conf rules for Wordfence Falcon Engine Caching when using Nginx and PHP5-FPM

This entry was posted in Wordfence on May 1, 2014 by Mark Maunder

Below you will find a configuration file for nginx web server that contains the rewrite rules that you need to run Falcon with nginx.

So if you’re using Nginx with PHP5-FPM (FastCGI), this will give you a web server that is about as fast as it can be, because nginx will serve pre-compressed files from disk using a minimum of stat() operations and doing very little work. Cache hits don’t even touch PHP or MySQL and are incredibly fast.

We do not try to automatically add these rules to your nginx.conf file because:

  • Most nginx.conf files aren’t writable.
  • We cannot possibly determine where to safely insert the rules.

Here are the rules with comments included.

worker_processes 1;
events {
	worker_connections 1024;
}
http {
	include mime.types;
	default_type application/octet-stream;
	log_format main '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time status $status bytes $body_bytes_sent';
	#Uncomment to debug rewrite rules
	#rewrite_log on;
	server {
		listen 80;
		server_name test1.com;
		access_log logs/test1.access.log main;
		#Uncomment to debug rewrite rules
		#error_log logs/rewrite.log notice;
		root /usr/local/test1;
		index index.php;

		# WORDFENCE FALCON ENGINE CODE
		#Match on gzip first because ordering matters.
		location ~ "/site/wp-content/wfcache/.*gzip$" {
			gzip off;
			types {}
			default_type text/html;
			add_header Vary "Accept-Encoding, Cookie";
			add_header Content-Encoding gzip;
		}
		#If the previous matched, the following location won't be executed.
		location ~ /site/wp-content/wfcache/.* {
			add_header Vary "Accept-Encoding, Cookie";
		}
		set $wordfenceCacheOn 1;

		#Don't cache form submissions.
		if ($request_method = POST) {
			set $wordfenceCacheOn 0;
		}

		#Allow caching of /?123=123 because this is a common DDoS to override caches.
		if ($query_string !~ "^(?:\d+=\d+)?$") {
			set $wordfenceCacheOn 0;
		}

		#Only cache URLs ending in /
		if ($request_uri !~ /$) {
			set $wordfenceCacheOn 0;
		}
		#Don't cache any cookies with this in their names e.g. users who are logged in.
		if ($http_cookie ~* "(comment_author|wp-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher)") {
			set $wordfenceCacheOn 0;
		}
		set $wordfenceEncoding "";
		#Oh, you want gzipped content?
		if ($http_accept_encoding ~ gzip) {
			set $wordfenceEncoding _gzip;
		}
		set $wordfenceHTTPS "";
		if ($scheme = 'https'){
			#If you want to ENABLE HTTPS caching, comment out the next line.
			set $wordfenceCacheOn 0; #Comment this line out to enable HTTPS caching.

			set $wordfenceHTTPS '_https'; #Uncomment this line to enable HTTPS caching.
		}
		#The main purpose of this line is to capture the URL components into variables.
		if ($request_uri !~ "^/*(?<wfone>[^/]*)/*(?<wftwo>[^/]*)/*(?<wfthree>[^/]*)/*(?<wffour>[^/]*)/*(?<wffive>[^/]*)(?<wfsix>.*)$"){
			set $wordfenceCacheOn 0;
		}
		#If the file doesn't exist then don't serve from cache.
		if (!-f "$document_root/site/wp-content/wfcache/${http_host}_${wfone}/${wftwo}~${wfthree}~${wffour}~${wffive}~${wfsix}_wfcache${wordfenceHTTPS}.html${wordfenceEncoding}") {
			set $wordfenceCacheOn 0;
		}

		if ($wordfenceCacheOn = 1) {
			rewrite .* "/site/wp-content/wfcache/${http_host}_${wfone}/${wftwo}~${wfthree}~${wffour}~${wffive}~${wfsix}_wfcache${wordfenceHTTPS}.html${wordfenceEncoding}" last;
		}
		# END Wordfence Rules

		location / {
			try_files $uri $uri/ /index.php?$args ;
		}
		location ~ \.php$ {
			try_files $uri /index.php;
			include fastcgi_params;
			fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
			fastcgi_pass unix:/var/run/php5-fpm.sock;
		}
	}
}
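
To check which cache file the rules above will look for on a given request (useful when cache files are generated but never served), the following Python function mirrors the rule logic. It is an added example, not Wordfence code; the name `falcon_cache_path` and its `prefix` and `https_caching` parameters are assumptions for illustration.

```python
import re

# Regexes copied from the rules above ($http_cookie, $query_string, $request_uri).
COOKIE_RE = re.compile(
    r"(comment_author|wp-postpass|wf_logout|wordpress_logged_in"
    r"|wptouch_switch_toggle|wpmp_switcher)", re.I)
QUERY_RE = re.compile(r"^(?:\d+=\d+)?$")
URI_RE = re.compile(
    r"^/*(?P<wfone>[^/]*)/*(?P<wftwo>[^/]*)/*(?P<wfthree>[^/]*)"
    r"/*(?P<wffour>[^/]*)/*(?P<wffive>[^/]*)(?P<wfsix>.*)$")


def falcon_cache_path(method, request_uri, host, cookie="", accept_encoding="",
                      scheme="http", prefix="/site", https_caching=False):
    """Return (path, None) when the rules would look for a cache file,
    or (None, reason) when $wordfenceCacheOn would be set to 0.

    request_uri is nginx's $request_uri (path plus any ?query), host is the
    Host header ($http_host). prefix and https_caching are hypothetical
    knobs for the "/site" edit and the HTTPS toggle described in the rules.
    """
    query = request_uri.partition("?")[2]
    if method == "POST":
        return None, "POST request"
    if not QUERY_RE.search(query):
        return None, "query string"
    if not request_uri.endswith("/"):
        return None, "URI does not end in /"
    if COOKIE_RE.search(cookie):
        return None, "excluded cookie"
    https = ""
    if scheme == "https":
        if not https_caching:
            return None, "HTTPS caching disabled"
        https = "_https"
    enc = "_gzip" if "gzip" in accept_encoding else ""
    p = URI_RE.match(request_uri).groupdict()  # matches any single-line URI
    # Path is relative to $document_root; nginx also requires the file to exist (-f).
    return ("{0}/wp-content/wfcache/{1}_{wfone}/{wftwo}~{wfthree}~{wffour}"
            "~{wffive}~{wfsix}_wfcache{2}.html{3}"
            .format(prefix, host, https, enc, **p)), None


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real log.
    for uri in ("/blog/2014/post/", "/?123=123", "/?s=test"):
        print(uri, falcon_cache_path("GET", uri, "example.com", accept_encoding="gzip"))
```

Because `$request_uri` includes the query string, a request such as `/?123=123` passes the query-string test in this model but fails the trailing-slash test. Compare the returned path with the files under `wp-content/wfcache/` to see whether the `/site` prefix and host name match what Wordfence wrote to disk.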


13 Comments on "Nginx.conf rules for Wordfence Falcon Engine Caching when using Nginx and PHP5-FPM"

Salahudin July 13, 2014 at 7:01 am

Hi.

I keep getting this error while trying to restart nginx after inserting the falcon engine code for my site:

Restarting nginx: [emerg]: unknown "wfone" variable

Can you please help me with this one.

Regards,
Salko

Toni July 27, 2014 at 12:25 pm

Could not get it to work. Are you sure this should be inside the nginx.conf file? This looks more like site.conf or default.conf...

Paul Scollon November 11, 2014 at 2:52 am

Works for me by adding to default.conf

Andrew Ensley August 28, 2014 at 4:11 pm

I'm using Apache2 with mod_fastcgi and PHP5-FPM. I was sent to this page when I tried to enable Falcon Engine.

Not sure where to go from here. Do you have equivalent instructions for Apache2 + fastcgi + PHP5-FPM?

Alex December 8, 2014 at 9:09 am

I have the same problem as Andrew. What shall we do with an Apache Server?

action_Turtle December 22, 2014 at 11:36 pm

If you copied the WordFence code out of there and just tried to paste it into your config then you need to define a server...

should be like this

server {
word fence code
}

you can add it to the default config file but then you will have to re-add for every server block...

It makes much more sense to make a file called wf.conf and put it in the conf.d folder... Then you only have to do it once... just make sure to define the server...

Apache people... Sorry this is for a Nginx config... I know they both can use FastCGI but I think you are looking to mod your .htaccess file not nginx config files...

Felipe August 10, 2015 at 6:57 am

Link for Txt file has a 404 error.

mark August 10, 2015 at 2:05 pm

Thanks Felipe, this has been fixed.

zebus October 28, 2015 at 5:37 am

Need edit "site" in the paths?... or $document_root/wp-content/etc...? or don't need edit any code? Only copy paste? Thanks.

lokar December 21, 2015 at 2:29 am

I have tried every imaginable way of applying the nginx rules you have provided but WordPress just won't serve cached files. I can see Wordfence is generating them inside the wp-content directory, but it doesn't serve them.

I am using nginx 1.8.0 along with PHP 7.0.0 on CentOS 7.

Allen May 2, 2016 at 11:05 pm

If you have WordPress installed as the root of your website, make sure you remove /site from the paths, and change them from "/site/wp-content..." to "/wp-content..."

Nicolai September 29, 2016 at 7:07 am

Hi guys,

A few (hopefully) helpful pointers from one Linux noob to help other Linux noobs implement this easier:

1) /etc/nginx/nginx.conf contains an include call that means it will automatically include all config files in /etc/nginx/conf.d/*.conf. Usually, that means that you would be inserting this into either a new file in that folder, or into the config file you made for your site and placed in that folder. I prefer the latter option to ensure that there are no conflicts by having A in one file and B in another.

2) A good place if you're putting it into your existing config file, would be after "index index.php;" and before the location stuff immediately after. Although it may not seem entirely clear, most of the content in the code snippet above is essentially a duplicate of what you'd already have, and will lead to conflict. So see 3 below before you paste.

3) You essentially only need the part between # WORDFENCE FALCON ENGINE CODE and # END Wordfence Rules. Copying only this part in will avoid several conflicts (for example, the root directory in the code snippet above is not coherent with the root dir of a normal Nginx installation and will thus result in 404). (Code snippet is /usr/local/variable where Nginx webroot is /usr/share/nginx/html/).

4) Remember to edit the variables in the paths. They include "/site/" which would be if you placed your Wordpress installation in a subfolder of your web root. If that's not the case, replace "/site/" with "/". If you did place it in a subfolder, obviously replace "site" with the exact folder name, and remember case sensitivity.

5) Finally, if you're using HTTPS, notice the section "set $wordfenceHTTPS". It seems to contain an oversight; there are two set-commands in there, with instructions to comment the first one out, and uncomment the second one to enable HTTPS caching. The odd thing is, that the first one is commented out and the second one is not, so while it implies that both would need a certain state, as it's written in the code snippet above, it's sorta undecided.

I hope these few pointers from a Linux noob help you through implementing this a bit easier. :)

Nicolai
