Putting it all together
Here's the complete server block with everything included:
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name mysite.com;

        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/mysite.com/chain.pem;

        root /var/www/mysite.com/public_html;
        access_log /var/log/nginx/mysite.access.log;
        error_log /var/log/nginx/mysite.error.log;
        client_max_body_size 8M;

        # --- Bludit directory protection ---
        include bludit_security.conf;

        # --- Sitemap plugin alias ---
        location = /sitemap.xml {
            alias /var/www/mysite.com/public_html/bl-content/workspaces/sitemap/sitemap.xml;
        }

        # --- Bludit front controller ---
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        # --- Housekeeping ---
        include drop.conf;

        # --- Static caching ---
        include static_caching.conf;

        # --- PHP processing ---
        include php.conf;
    }
Step 8: Redirect www to non-www (or vice versa)
In a separate server block:
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.mysite.com;

        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

        return 301 https://mysite.com$request_uri;
    }

    # Also redirect plain HTTP to HTTPS
    server {
        listen 80;
        listen [::]:80;
        server_name mysite.com www.mysite.com;

        return 301 https://mysite.com$request_uri;
    }
Step 9: Run the Bludit installer
Visit https://mysite.com and Bludit's installer will walk you through setting up an admin user. No database credentials needed — it's all flat files from here.
Optional: Behind Cloudflare
If you use Cloudflare, install the ngx_http_realip_module and add this to your nginx.conf to restore real visitor IPs in your access logs and Bludit's analytics:
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    # ... (full Cloudflare IP list at https://www.cloudflare.com/ips/)
    real_ip_header CF-Connecting-IP;
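Then conditionally skip logging for your own IP. The map block is only valid in the http context, so put it in nginx.conf next to the lines above. The access_log line goes in your server block, replacing the existing access_log line there (if both are kept, every request is still logged by the unconditional one):

    # http context (nginx.conf)
    map $remote_addr $log_ip {
        default 1;
        127.0.0.1 0;
        ::1 0;
        # Add your home/office IPs here with "0" to skip them
    }

    # server block
    access_log /var/log/nginx/mysite.access.log combined if=$log_ip;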
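The trust decision behind these directives, as an added example (not part of the original guide and not nginx code): a simplified Python model of how the realip module picks `$remote_addr` and how the logging map then applies to it. It shows why `set_real_ip_from` should list only Cloudflare ranges: a `CF-Connecting-IP` header from any other peer is ignored. The sample addresses come from documentation ranges, and `198.51.100.7` is a hypothetical office IP.

```python
import ipaddress

# The three ranges shown in the guide; the full list is at cloudflare.com/ips/.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22")]

# Mirrors the guide's map: addresses mapped to "0" are not logged.
# 198.51.100.7 is a constructed stand-in for a home/office IP.
SKIP_LOGGING = {"127.0.0.1", "::1", "198.51.100.7"}


def effective_remote_addr(peer, cf_connecting_ip=None):
    """Simplified realip model: honour the header only from trusted peers."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in net for net in TRUSTED_PROXIES):
        return str(peer_ip)      # untrusted peer: header is ignored
    try:
        return str(ipaddress.ip_address(cf_connecting_ip or ""))
    except ValueError:
        return str(peer_ip)      # missing or malformed header: keep the peer


def is_logged(peer, cf_connecting_ip=None):
    """Apply the map/if= decision to the address realip leaves in place."""
    return effective_remote_addr(peer, cf_connecting_ip) not in SKIP_LOGGING


if __name__ == "__main__":
    # Constructed requests: (TCP peer, CF-Connecting-IP header or None)
    samples = [
        ("173.245.48.10", "203.0.113.5"),   # visitor via Cloudflare
        ("173.245.48.10", "198.51.100.7"),  # office IP via Cloudflare
        ("192.0.2.50", "127.0.0.1"),        # direct to origin, header not trusted
        ("173.245.48.10", "not-an-ip"),     # malformed header
        ("127.0.0.1", None),                # local health check
    ]
    for peer, header in samples:
        addr = effective_remote_addr(peer, header)
        print(f"{peer:15} {str(header):14} -> {addr:15} logged={is_logged(peer, header)}")
```

If the origin is reachable directly, the third sample still lands in the access log under its real peer address, which is the behaviour you want to keep when extending the trusted list.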
That's it. Bludit is now running behind Nginx with sensible security defaults, clean URLs, and aggressive static caching — all with flat files and no database.
This guide is maintained as part of a modular, SSL-first framework. Each configuration is audited for production stability and modern security standards.
Compatibility: Tested against current stable releases. While optimized for the stack above, core logic remains relevant for Nginx 1.26+ and PHP 8.2+ environments.