Xeckt/default-site.nginx

## default-site.nginx
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name something.com
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name something.com
	root /var/www/;

	index index.php index.html index.htm;

	# SSL config #
	ssl on;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_certificate ssl/www.something.crt;
	ssl_certificate_key ssl/www.something.key;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
	# SSL Config#

	# Security configuration #
	server_tokens off;
	add_header X-Frame-Options "SAMEORIGIN";
    	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    	add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options nosniff;
	# Security configuration #

	location / {
		try_files $uri $uri/ /index.php?$query_string;
        	gzip_static on;
	}

	location ~ \.php$ {
		try_files $uri =404;
		include fastcgi_params;
		fastcgi_index index.php;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass fpm-server:9000;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
	}

	location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        	expires 365d;
  	}

	location ~* \.(?:eot|woff|woff2|ttf|svg|otf) {
		expires 365d;

   		access_log        off;
    		log_not_found     off;

    		add_header        Cache-Control "public";
    		add_header        Access-Control-Allow-Origin *;

    		types     {font/opentype otf;}
    		types     {application/vnd.ms-fontobject eot;}
    		types     {font/truetype ttf;}
    		types     {application/font-woff woff;}
    		types     {font/x-woff woff2;}
  	}

	location ~ /\.ht {
		deny all;
	}
}
	server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name something.com
	return 301 https://$host$request_uri;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name something.com
	root /var/www/;

	index index.php index.html index.htm;

	# SSL config #
	ssl on;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_certificate ssl/www.something.crt;
	ssl_certificate_key ssl/www.something.key;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
	# SSL Config#

	# Security configuration #
	server_tokens off;
	add_header X-Frame-Options "SAMEORIGIN";
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
	add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options nosniff;
	# Security configuration #

	location / {
	try_files $uri $uri/ /index.php?$query_string;
	gzip_static on;
	}

	location ~ \.php$ {
	try_files $uri =404;
	include fastcgi_params;
	fastcgi_index index.php;
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_pass fpm-server:9000;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;
	}

	location ~* \.(jpg\|jpeg\|png\|gif\|ico\|css\|js)$ {
	expires 365d;
	}

	location ~* \.(?:eot\|woff\|woff2\|ttf\|svg\|otf) {
	expires 365d;

	access_log off;
	log_not_found off;

	add_header Cache-Control "public";
	add_header Access-Control-Allow-Origin *;

	types {font/opentype otf;}
	types {application/vnd.ms-fontobject eot;}
	types {font/truetype ttf;}
	types {application/font-woff woff;}
	types {font/x-woff woff2;}
	}

	location ~ /\.ht {
	deny all;
	}
	}