From 9ec0e8134116fa35b50a4ad1de6d254f397d6391 Mon Sep 17 00:00:00 2001
From: Kai Moritz <kai@juplo.de>
Date: Tue, 18 Nov 2025 23:06:27 +0100
Subject: [PATCH] WIP:fpm-chatgpt

---
 docker-compose.yml        |  3 ++-
 nginx.conf                | 29 +++++++++++++----------------
 snippets/fastcgi-php.conf | 10 ++++++++++
 snippets/security.conf    | 11 +++++++++++
 4 files changed, 36 insertions(+), 17 deletions(-)
 create mode 100644 snippets/fastcgi-php.conf
 create mode 100644 snippets/security.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index f5350f08..8ad74de8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,13 +8,14 @@ services:
     volumes:
       - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
       - ./:/usr/share/nginx/html:ro
+      - ./snippets:/etc/nginx/snippets:ro
+      - ./wordpress-fpm:/var/www/html:ro
   wordpress:
     image: wordpress:6.3.2-php8.2-fpm
     read_only: true
     depends_on:
       - mariadb
     environment:
-      SCRIPT_FILENAME: /usr/src/wordpress
       WORDPRESS_DB_HOST: mariadb:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: I0vAUXKC
diff --git a/nginx.conf b/nginx.conf
index f7cb1d3b..27974372 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,28 +1,25 @@
 server {
     listen 80;
-    server_name localhost;
+    server_name _;
+
     root /var/www/html;
+    index index.php index.html index.htm;
 
-    index index.php;
+    include /etc/nginx/snippets/security.conf;
 
     location / {
         try_files $uri $uri/ /index.php?$args;
     }
 
-    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
-
-    location ~ [^/]\.php(/|$) {
-        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-        if (!-f $document_root$fastcgi_script_name) {
-            return 404;
-        }
-
-        include fastcgi_params;
-        fastcgi_pass     wordpress:9000;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO             $fastcgi_path_info;
-        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+    location ~ \.php$ {
+        include /etc/nginx/snippets/fastcgi-php.conf;
+        fastcgi_pass wordpress:9000;
+    }
 
-        fastcgi_index    index.php; 
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+        expires max;
+        log_not_found off;
     }
+
+    client_max_body_size 64M;
 }
diff --git a/snippets/fastcgi-php.conf b/snippets/fastcgi-php.conf
new file mode 100644
index 00000000..71a5d585
--- /dev/null
+++ b/snippets/fastcgi-php.conf
@@ -0,0 +1,10 @@
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_index index.php;
+include fastcgi_params;
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+
+fastcgi_buffer_size 32k;
+fastcgi_buffers 4 32k;
+fastcgi_busy_buffers_size 64k;
diff --git a/snippets/security.conf b/snippets/security.conf
new file mode 100644
index 00000000..3ea221e0
--- /dev/null
+++ b/snippets/security.conf
@@ -0,0 +1,11 @@
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+
+location ~* \.(svn|git|hg|bzr)$ {
+    deny all;
+}
+
+location ~* wp-config.php {
+    deny all;
+}
-- 
2.39.5