Updates to nginx proxy

Author: thejimbirch

CLAUDE.md

@@ -140,21 +140,28 @@ The `ddev db-refresh` command includes intelligent backup management:
 
 ## Asset Proxy System
 
-The add-on includes an intelligent asset proxy system that automatically serves missing uploads and files from your hosting provider:
+The add-on includes an intelligent nginx-based asset proxy system that automatically serves missing uploads and files from your hosting provider:
 
 ### How It Works:
 - **Local First**: Always tries to serve files locally from `wp-content/uploads/`
-- **Automatic Fallback**: If file doesn't exist locally, proxies from remote hosting provider
+- **Nginx Proxy**: If file doesn't exist locally, nginx directly proxies from remote hosting provider using `proxy_pass`
 - **Provider Support**: Works with Pantheon, WPEngine, and Kinsta
 - **Transparent**: No configuration needed - works automatically after setup
 
+### Technical Implementation:
+- **Complete nginx Configuration**: Uses `nginx-site-main.conf` template to override DDEV's default WordPress configuration
+- **Template-Based**: `PROXY_URL_PLACEHOLDER` and `HOST_PLACEHOLDER` are replaced during `ddev project-configure`
+- **Native nginx Performance**: Uses nginx's built-in `proxy_pass` directive for optimal performance
+- **Configuration Location**: Creates `.ddev/nginx_full/nginx-site.conf` to take full control of nginx configuration
+
 ### Configuration:
 - **Automatic**: `PROXY_URL` is automatically configured based on your hosting provider during `ddev project-configure`
 - **Pantheon**: `https://dev-sitename.pantheonsite.io` (uses configured environment)
 - **WPEngine**: `https://sitename.wpengine.com` (uses install name)
 - **Kinsta**: `https://env-username-environment.kinsta.cloud` (e.g., `https://env-outandequalorg-build.kinsta.cloud`)
 
 ### Benefits:
+- ✅ **Native nginx Performance**: Direct proxy without PHP processing overhead
 - ✅ **Faster Development**: No need to download all uploads from production
 - ✅ **Automatic Updates**: New uploads appear automatically without syncing
 - ✅ **Bandwidth Efficient**: Only downloads files when actually needed
@@ -314,7 +321,10 @@ While maintaining consistency, respect platform differences:
 ## Testing Notes
 - Always test changes to install.yaml thoroughly across all providers
 - Test multi-provider scenarios to ensure compatibility
-- Validate nginx proxy configuration for each hosting platform
+- Validate nginx proxy configuration for each hosting platform:
+  - Test that `nginx-site-main.conf` template properly replaces placeholders
+  - Verify proxy functionality with missing uploads from each provider
+  - Confirm that complete nginx configuration overrides DDEV's default
 - Run integration tests before major releases
 - Tests pre-configure environment variables to avoid interactive prompts
 - Test changes in both add-ons when making cross-repository updates

commands/host/project-configure

@@ -399,22 +399,35 @@ if [ -n "$PROXY_URL" ]; then
     mkdir -p .ddev/nginx
 
     # Extract hostname from PROXY_URL for Host header
-    PROXY_HOST=$(echo "$PROXY_URL" | sed 's|https\?://||' | sed 's|/.*||')
+    PROXY_HOST=$(echo "$PROXY_URL" | sed 's|https\://||' | sed 's|http://||' | sed 's|/.*||')
 
     # Process nginx configuration template - use the current add-on source if available
-    NGINX_TEMPLATE=""
+    NGINX_MAIN_TEMPLATE=""
+    NGINX_SNIPPET_TEMPLATE=""
+
+    # Try to find the templates in various locations
+    if [ -f ".ddev/addon-metadata/ddev-kanopi-wp/config/nginx/nginx-site-main.conf" ]; then
+        NGINX_MAIN_TEMPLATE=".ddev/addon-metadata/ddev-kanopi-wp/config/nginx/nginx-site-main.conf"
+    elif [ -f "/Users/thejimbirch/Projects/ddev-kanopi-wp/config/nginx/nginx-site-main.conf" ]; then
+        NGINX_MAIN_TEMPLATE="/Users/thejimbirch/Projects/ddev-kanopi-wp/config/nginx/nginx-site-main.conf"
+    fi
 
-    # Try to find the template in various locations
     if [ -f ".ddev/addon-metadata/ddev-kanopi-wp/config/nginx/nginx-site.conf" ]; then
-        NGINX_TEMPLATE=".ddev/addon-metadata/ddev-kanopi-wp/config/nginx/nginx-site.conf"
+        NGINX_SNIPPET_TEMPLATE=".ddev/addon-metadata/ddev-kanopi-wp/config/nginx/nginx-site.conf"
     elif [ -f "/Users/thejimbirch/Projects/ddev-kanopi-wp/config/nginx/nginx-site.conf" ]; then
-        NGINX_TEMPLATE="/Users/thejimbirch/Projects/ddev-kanopi-wp/config/nginx/nginx-site.conf"
+        NGINX_SNIPPET_TEMPLATE="/Users/thejimbirch/Projects/ddev-kanopi-wp/config/nginx/nginx-site.conf"
     fi
 
-    if [ -n "$NGINX_TEMPLATE" ]; then
+    if [ -n "$NGINX_MAIN_TEMPLATE" ]; then
+        # Create complete nginx configuration to override DDEV's default
+        sed "s|PROXY_URL_PLACEHOLDER|$PROXY_URL|g; s|HOST_PLACEHOLDER|$PROXY_HOST|g" \
+            "$NGINX_MAIN_TEMPLATE" > ".ddev/nginx_full/nginx-site.conf"
+        echo "  ✅ Complete nginx proxy configuration created"
+    elif [ -n "$NGINX_SNIPPET_TEMPLATE" ]; then
+        # Fallback to snippet approach
         sed "s|PROXY_URL_PLACEHOLDER|$PROXY_URL|g; s|HOST_PLACEHOLDER|$PROXY_HOST|g" \
-            "$NGINX_TEMPLATE" > ".ddev/nginx/nginx-site.conf"
-        echo "  ✅ Nginx proxy configuration created"
+            "$NGINX_SNIPPET_TEMPLATE" > ".ddev/nginx/nginx-site.conf"
+        echo "  ✅ Nginx proxy snippet created"
     else
         echo "  ⚠️  Nginx template not found - proxy configuration not updated"
     fi

config/nginx/nginx-site-main.conf

@@ -0,0 +1,115 @@
+#ddev-generated
+# ddev wordpress config with Kanopi proxy support
+# https://developer.wordpress.org/advanced-administration/server/web-server/nginx/
+
+# Much of this config is adapted from
+# https://codex.wordpress.org/Nginx
+
+server {
+    listen 80 default_server;
+    listen 443 ssl default_server;
+
+    root /var/www/html/public;
+
+    ssl_certificate /etc/ssl/certs/master.crt;
+    ssl_certificate_key /etc/ssl/certs/master.key;
+
+    include /etc/nginx/monitoring.conf;
+
+    index index.php index.htm index.html;
+
+    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
+    sendfile off;
+    error_log /dev/stdout info;
+    access_log /var/log/nginx/access.log;
+
+    # From wordpress demo global_restrictions.conf
+    # Global restrictions configuration file.
+    # Designed to be included in any server {} block.
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+    location ~ /\. {
+        deny all;
+    }
+
+    # Deny access to any files with a .php extension in the uploads directory
+    # Works in sub-directory installs and also in multisite network
+    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+    location ~* /(?:uploads|files)/.*\.php$ {
+        deny all;
+    }
+
+    # Image proxy configuration for wp-content/uploads
+    location ~ ^/wp-content/uploads/.* {
+        try_files $uri @proxy;
+    }
+
+    location @proxy {
+        # Proxy missing uploads to hosting provider environment
+        resolver 8.8.8.8;
+        proxy_pass PROXY_URL_PLACEHOLDER$request_uri;
+        proxy_set_header Host HOST_PLACEHOLDER;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_ssl_verify off;
+        proxy_intercept_errors on;
+    }
+
+    location / {
+        absolute_redirect off;
+        # This is cool because no php is touched for static content.
+        # include the "?$args" part so non-default permalinks doesn't break when using query string
+        try_files $uri $uri/ /index.php?$args;
+    }
+
+    # pass the PHP scripts to FastCGI server listening on socket
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php-fpm.sock;
+        fastcgi_buffers 16 16k;
+        fastcgi_buffer_size 32k;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_intercept_errors off;
+        # fastcgi_read_timeout should match max_execution_time in php.ini
+        fastcgi_read_timeout 10m;
+        fastcgi_param SERVER_NAME $host;
+        fastcgi_param HTTPS $fcgi_https;
+        # Pass the X-Accel-* headers to facilitate testing.
+        fastcgi_pass_header "X-Accel-Buffering";
+        fastcgi_pass_header "X-Accel-Charset";
+        fastcgi_pass_header "X-Accel-Expires";
+        fastcgi_pass_header "X-Accel-Limit-Rate";
+        fastcgi_pass_header "X-Accel-Redirect";
+    }
+
+    # Expire rules for static content
+
+    # Media: images, icons, video, audio, HTC (exclude wp-content/uploads which has proxy)
+    location ~* ^(?!/wp-content/uploads).*\.(jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|webp|htc)$ {
+        expires max;
+        log_not_found off;
+        try_files $uri /index.php$is_args$args;
+    }
+    location ~* \.(js|css)$ {
+        expires -1;
+        log_not_found off;
+    }
+    include /etc/nginx/common.d/*.conf;
+    include /mnt/ddev_config/nginx/*.conf;
+}

install.yaml

@@ -232,8 +232,8 @@ removal_actions:
   
   # Remove specific config files
   echo "🔧 Removing config files..."
-  rm -f config/nginx/nginx-common.conf 2>/dev/null || true
   rm -f config/nginx/nginx-site.conf 2>/dev/null || true
+  rm -f config/nginx/nginx-site-main.conf 2>/dev/null || true
   rm -f config/wp/block-template/block.json 2>/dev/null || true
 
   # Remove specific script files