Improve Nginx fastcgi cache purging rules

etc/nginx/includes/fastcgi_cache.conf

@@ -7,7 +7,7 @@ fastcgi_cache LEMPERCACHE;
 fastcgi_cache_background_update on;
 fastcgi_cache_valid 200 60m;
 fastcgi_cache_valid 301 302 10m;
-fastcgi_cache_valid 404 1m;
+#fastcgi_cache_valid 404 10m;
 fastcgi_cache_valid any 60m;
 fastcgi_cache_min_uses 1;
 fastcgi_cache_lock on;

etc/nginx/includes/rules_fastcgi_cache.conf

@@ -73,26 +73,31 @@ if ($cookie_woocommerce_items_in_cart = "1") {
 
 # Purge URI.
 # Usage: curl -X GET $scheme://$host/$1/purge
-location ~ ^/(.*)/purge {
+location ~ /purge(/.*) {
     allow 127.0.0.1;
-    #allow SERVER_IP;
+    #allow SERVER_IPV4;
+    allow ::1;
+    #allow SERVER_IPV6;
     deny all;
-    #access_log off;
+    access_log off;
     log_not_found off;
-    fastcgi_cache_purge LEMPERCACHE "$scheme$request_method$host/$1";
+    cache_purge_response_type json;
+    fastcgi_cache_purge LEMPERCACHE "$scheme$request_method$host$1";
     #return 301 $scheme://$host/$1;
 }
 
 # Purge all URIs.
-location ~ ^/purgeall {
+location ~* ^/purge-all {
     allow 127.0.0.1;
-    #allow SERVER_IP;
+    #allow SERVER_IPV4;
+    allow ::1;
+    #allow SERVER_IPV6;
     deny all;
-    #access_log off;
+    access_log off;
     log_not_found off;
+    cache_purge_response_type json;
     fastcgi_cache LEMPERCACHE;
-    fastcgi_cache_purge PURGE purge_all from 127.0.0.1;
-    #return 301 $scheme://$host;
+    #fastcgi_cache_purge PURGE purge_all from 127.0.0.1 ::1 allow_SERVER_IP;
 }
 
 ## You may add your own FastCGI cache rules here...

scripts/install_nginx.sh

@@ -1822,8 +1822,18 @@ EOL
                 /etc/nginx/nginx.conf
         fi
 
-        # Allow server IP to fastCGI cache purge rule.
-        run sed -i "s/#allow\ SERVER_IP/allow\ ${SERVER_IP}/g" /etc/nginx/includes/rules_fastcgi_cache.conf
+        # Allow server IP to fastCGI cache purge remotely.
+        ALLOWED_SERVER_IP=$(get_ip_private)
+        run sed -i "s|#allow\ SERVER_IPV4|allow\ ${ALLOWED_SERVER_IP}|g" /etc/nginx/includes/rules_fastcgi_cache.conf
+
+        ALLOWED_SERVER_IPV6=$(get_ipv6_private)
+        if [[ "${ALLOWED_SERVER_IPV6}x" != "x" ]]; then
+            run sed -i "s|#allow\ SERVER_IPV6|allow\ ${ALLOWED_SERVER_IPV6}|g" /etc/nginx/includes/rules_fastcgi_cache.conf
+            ALLOWED_SERVER_IP="${ALLOWED_SERVER_IP} ${ALLOWED_SERVER_IPV6}"
+        fi
+
+        run sed -i "s|allow_SERVER_IP|${ALLOWED_SERVER_IP}|g" /etc/nginx/includes/rules_fastcgi_cache.conf
+        run sed -i "s|#fastcgi_cache_purge\ PURGE|fastcgi_cache_purge\ PURGE|g" /etc/nginx/includes/rules_fastcgi_cache.conf
 
         # Generate Diffie-Hellman parameters.
         local DH_LENGTH=${KEY_HASH_LENGTH:-2048}

scripts/utils.sh

@@ -523,6 +523,29 @@ function get_ip_public() {
     fi
 }
 
+# Get server private IPv6 Address.
+function get_ipv6_private() {
+    local SERVER_IPV6_PRIVATE && \
+    SERVER_IPV6_PRIVATE=$(ip addr | grep 'inet6' | \
+        grep -oE '(::)?[0-9a-fA-F]{1,4}(::?[0-9a-fA-F]{1,4}){1,7}(::)?' | head -1)
+
+    echo "${SERVER_IPV6_PRIVATE}"
+}
+
+# Get server public IPv6 Address.
+function get_ipv6_public() {
+    local SERVER_IPV6_PRIVATE && SERVER_IPV6_PRIVATE=$(get_ipv6_private)
+    local SERVER_IPV6_PUBLIC && \
+    SERVER_IPV6_PUBLIC=$(curl -sk --ipv6 --connect-timeout 10 --retry 3 --retry-delay 0 https://ipecho.net/plain)
+
+    # Ugly hack to detect aws-lightsail public IP address.
+    if [[ "${SERVER_IPV6_PRIVATE}" == "${SERVER_IPV6_PUBLIC}" ]]; then
+        echo "${SERVER_IPV6_PRIVATE}"
+    else
+        echo "${SERVER_IPV6_PUBLIC}"
+    fi
+}
+
 # Make sure only supported distribution can run LEMPer script.
 function preflight_system_check() {
     # Set system distro version.