wordpress/templates/configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "wordpress-nginx.fullname" . }}-nginx-config
  labels:
    {{- include "wordpress-nginx.labels" . | nindent 4 }}
data:
  default.conf: |
    upstream php {
        server 127.0.0.1:9000;
    }

    {{- if .Values.nginx.forwardRealIP.enabled }}
    # 実IPアドレスの抽出（X-Forwarded-Forから最初のIPを取得）
    map $http_x_forwarded_for $real_ip {
        ~^(\d+\.\d+\.\d+\.\d+) $1;
        default $remote_addr;
    }
    {{- end }}

    # HTTPSプロトコルの判定
    map $http_x_forwarded_proto $fastcgi_https {
        default '';
        https on;
    }

    server {
        listen 80;
        server_name _;

        root /var/www/html;
        index index.php index.html;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        client_max_body_size 64M;

        {{- if .Values.nginx.forwardRealIP.enabled }}
        # 信頼できるプロキシからのX-Forwarded-Forヘッダーを使用
        real_ip_header X-Forwarded-For;
        {{- range .Values.nginx.forwardRealIP.trustedProxies }}
        set_real_ip_from {{ . }};
        {{- end }}
        real_ip_recursive on;
        {{- end }}

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # WordPressのパーマリンク対応
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # PHPファイルの処理
        location ~ \.php$ {
            # ファイルが存在しない場合は404
            try_files $uri =404;
            
            # FastCGI設定
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            
            # FastCGIパラメータの読み込み
            include fastcgi_params;

            # 基本的なFastCGIパラメータ
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

            # HTTPS対応（重要: WordPressのis_ssl()判定に必要）
            fastcgi_param HTTPS $fastcgi_https if_not_empty;

            {{- if .Values.nginx.forwardRealIP.enabled }}
            # プロキシ経由のリクエスト情報をPHPに伝える（リアルIP取得有効時）
            fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
            fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
            fastcgi_param HTTP_X_REAL_IP $real_ip;
            fastcgi_param REMOTE_ADDR $real_ip;
            {{- else }}
            # プロキシ経由のリクエスト情報をPHPに伝える（リアルIP取得無効時）
            fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
            fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
            fastcgi_param REMOTE_ADDR $remote_addr;
            {{- end }}
            
            # タイムアウト設定
            fastcgi_read_timeout 300;
            fastcgi_send_timeout 300;
            fastcgi_connect_timeout 300;
            
            # バッファ設定
            fastcgi_buffers 16 16k;
            fastcgi_buffer_size 32k;
        }

        # 静的ファイルのキャッシュ
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            log_not_found off;
            access_log off;
        }

        # wp-config.phpへの直接アクセス拒否
        location ~* /wp-config\.php {
            deny all;
        }

        # 隠しファイルへのアクセス拒否
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # XML-RPC DDoS対策（必要に応じてコメント解除）
        # location = /xmlrpc.php {
        #     deny all;
        # }
    }