@xeoncross
Last active December 6, 2020 18:34
default nginx + php-fastcgi vhost (win/linux)
# Default catch-all vhost: every ".loc" host name that resolves to this machine
# is served from a directory of the same name, so a new site only needs an
# /etc/hosts entry and a matching $host folder under /home/user/www.
server {
listen 80 default;
server_name _;
# NOTE(review): $host comes straight from the client's Host header, so any name
# a client sends selects a sibling directory here. nginx validates the Host
# header (slashes and ".." are rejected as far as I recall -- confirm for your
# version), but keep only directories you intend to serve under /home/user/www.
root /home/user/www/$host;
index index.html index.php;
# Optional: cache static assets for a day and stop logging missing ones
# (commented out; enable if wanted).
#location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
# expires 24h;
# log_not_found off;
#}
# Serve the file or directory if it exists, otherwise hand the request to the
# front controller with the original query string attached.
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# Hand URIs ending in ".php" to the FastCGI backend on port 9000.
location ~ \.php$ {
# Defense against the PHP "search for file" / PATH_INFO issue:
# http://forum.nginx.org/read.php?2,88845,page=3
# Only forward a .php URI whose file actually exists on this server; anything
# else is answered with 404 before PHP ever sees it. This cannot work when the
# PHP files live on another machine (php-fpm/php-fcgi over the network),
# because try_files checks the local filesystem; in that case remove the
# try_files line and rely on cgi.fix_pathinfo=0 (or php-fpm's
# security.limit_extensions) on the PHP side instead.
try_files $uri =404;
# NOTE(review): whether the stock fastcgi_params file sets SCRIPT_FILENAME
# depends on the nginx version/distribution; the other vhosts on this page
# set it explicitly.
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
}
}
# PHP "search for file" (PATH_INFO) exploit, for reference:
# The PHP regex location is chosen instead of the "location /" try_files block,
# so "try_files $uri =404;" has to be repeated inside it. Otherwise a request
# such as "/uploads/virusimage.jpg/hello.php" reaches PHP, which (with
# cgi.fix_pathinfo=1) falls back to virusimage.jpg and executes the PHP code
# hidden inside the image, because hello.php does not exist.
# The same issue is closed on the PHP side by "cgi.fix_pathinfo = 0" in php.ini.
# Older variant of the same idea using "if" + rewrite instead of try_files.
# Any URI that does not exist as a file or directory is rewritten to
# /index.php/<original uri>; "last" restarts location matching with the new URI.
# (try_files, as in the vhosts above, is the recommended replacement for this
# kind of "if" block.)
if (!-e $request_filename) {
rewrite ^/(.*)$ /index.php/$1 last;
}
# Hand PHP requests to the FastCGI backend on port 9000.
# No trailing "$" in the regex on purpose: it must also match the rewritten
# /index.php/<path> URIs. The trade-off is that *any* URI containing ".php"
# is forwarded, and there is no "try_files $uri =404" guard here, so a request
# like /uploads/virusimage.jpg/hello.php is handed to PHP; with
# cgi.fix_pathinfo=1 PHP would then run virusimage.jpg. This variant therefore
# relies on cgi.fix_pathinfo=0 (or php-fpm's security.limit_extensions) on the
# PHP side, or on the stricter "forward only /index.php" layouts further down.
location ~ \.php {
include fastcgi_params;
# For /index.php/<path>, $fastcgi_script_name still carries the trailing
# <path> (there is no fastcgi_split_path_info), so SCRIPT_FILENAME becomes
# <root>/index.php/<path>; presumably PHP's cgi.fix_pathinfo=1 is what splits
# that back into the script and PATH_INFO -- the same setting that enables the
# problem above. Verify, and consider fastcgi_split_path_info instead.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
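# Variant that lets PHP see only the front controller: any URI that does not
# exist on disk is rewritten to /index.php/<original uri> ("last" restarts
# location matching with the new URI). try_files, as used in the vhosts above,
# is the recommended replacement for this kind of "if" block.
if (!-e $request_filename) {
rewrite ^/(.*)$ /index.php/$1 last;
}
# Hide every other PHP script: a direct request for /foo.php is folded into
# the front controller as /index.php/foo.php instead of being executed.
# No trailing "$" so that "/x.php/path" style URIs are caught as well.
location ~ \.php {
rewrite ^/(.*)$ /index.php/$1 last;
}
# Forward index.php (and /index.php/<path>) requests to php-fastcgi on port 9000.
# "^~" is a prefix match that takes precedence over the regex locations above.
# The original "location ~ ^/index.php" was itself a regex; regex locations are
# tried in file order, so /index.php matched "\.php" first, was rewritten to
# /index.php/index.php, matched again, and so on until nginx aborted the
# request with a 500 after its internal-redirect limit. The "^~" form is the
# same one the MicroMVC vhost further down uses.
location ^~ /index.php {
include fastcgi_params;
# $fastcgi_script_name still includes any trailing <path> (no
# fastcgi_split_path_info here), so SCRIPT_FILENAME becomes
# <root>/index.php/<path>; presumably PHP (cgi.fix_pathinfo=1) resolves that
# back to index.php with PATH_INFO=/<path> -- confirm, or add
# fastcgi_split_path_info so the split happens in nginx.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}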
# Wildcard vhost for framework sandboxes: <project>.frameworks.loc is served
# from the matching project's public/ directory, so a new project only needs an
# /etc/hosts entry and the folder. "[USERNAME]" is a placeholder to fill in.
server {
listen 80;
# The named capture "project" is reused in the root directive below.
server_name ~^(?<project>.+)\.frameworks\.loc$;
# NOTE(review): $project is taken from the client's Host header. nginx validates
# the Host header (slashes and ".." are rejected as far as I recall -- confirm
# for your version), so this cannot leave .../frameworks/, but every directory
# there becomes reachable under some host name.
root /home/[USERNAME]/www/frameworks/$project/public;
index index.html index.php;
error_log /home/[USERNAME]/www/log/frameworks.error.log warn;
# Optional: cache static assets for a day and stop logging missing ones
# (commented out; enable if wanted).
#location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
# expires 24h;
# log_not_found off;
#}
# Serve the file or directory if it exists, otherwise hand the request to the
# front controller with the original query string attached.
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# Hand URIs ending in ".php" to the FastCGI backend on port 9000.
location ~ \.php$ {
# Defense against the PHP "search for file" / PATH_INFO issue:
# http://forum.nginx.org/read.php?2,88845,page=3
# Only forward a .php URI whose file actually exists on this server; anything
# else is answered with 404 before PHP ever sees it. This cannot work when the
# PHP files live on another machine (php-fpm/php-fcgi over the network),
# because try_files checks the local filesystem; in that case remove the
# try_files line and rely on cgi.fix_pathinfo=0 (or php-fpm's
# security.limit_extensions) on the PHP side instead.
try_files $uri =404;
# NOTE(review): whether the stock fastcgi_params file sets SCRIPT_FILENAME
# depends on the nginx version/distribution; the vhosts below set it
# explicitly.
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
# Alternative: talk to php-fpm over its unix socket instead of TCP.
# fastcgi_pass unix:/var/run/php5-fpm.sock;
}
}
# PHP "search for file" (PATH_INFO) exploit, for reference:
# The PHP regex location is chosen instead of the "location /" try_files block,
# so "try_files $uri =404;" has to be repeated inside it. Otherwise a request
# such as "/uploads/virusimage.jpg/hello.php" reaches PHP, which (with
# cgi.fix_pathinfo=1) falls back to virusimage.jpg and executes the PHP code
# hidden inside the image, because hello.php does not exist.
# The same issue is closed on the PHP side by "cgi.fix_pathinfo = 0" in php.ini.
# Localhost vhost: plain http://localhost/ served from a fixed directory, with
# the location rules pulled in from a shared include file.
server
{
# web root directory
root /home/user/www/localhost;
# NOTE(review): "default" makes this the default server for port 80; only one
# server per listen address may carry it, so this conflicts with the catch-all
# vhost above if both are loaded into the same nginx instance.
listen 80 default;
server_name localhost;
index index.html index.htm index.php;
# Shared rules; a relative path is resolved against the nginx configuration
# directory. "defaults.conf" is kept as an alternative. The fragment that
# follows this server block looks like the contents of defaults.mvc.conf --
# confirm.
#include defaults.conf;
include defaults.mvc.conf;
}
# Location rules for a single-front-controller (MVC) site, meant to be
# included inside a server block.
index index.html index.php;
# Serve existing files directly; everything else goes to the @missing location.
try_files $uri @missing;
location @missing {
# Rebuild the request as /index.php/<original uri>. $request_uri already
# contains the query string, and nginx appends the original arguments to a
# replacement that contains "?", so the query string is presumably sent twice
# (e.g. "?a=1&a=1"); ending the replacement with "?" would stop that -- verify
# against a real request before changing it.
rewrite ^ /index.php$request_uri last;
}
# Any other URI containing ".php" is folded into the front controller rather
# than executed. This regex loses to the "^~" prefix location below, so
# /index.php itself never reaches it (anything but /index.php).
location ~ \.php {
rewrite ^ /index.php$request_uri last;
}
# Only index.php is ever handed to PHP, so an uploaded file with PHP inside
# cannot be executed through a ".php" PATH_INFO suffix here.
location ^~ /index.php {
include fastcgi_params;
# Only consulted for URIs ending in "/"; harmless here.
fastcgi_index index.php;
# $fastcgi_script_name carries any trailing <path> (no fastcgi_split_path_info),
# so SCRIPT_FILENAME is <root>/index.php/<path>; presumably PHP's
# cgi.fix_pathinfo=1 splits that into the script and PATH_INFO -- confirm.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
# MicroMVC Framework vhost: one front controller, nothing else reaches PHP.
server {
listen 80;
server_name micromvc.loc;
index index.html index.php;
# web root directory
root /var/www/micromvc;
# Serve existing files directly; everything else goes to the @missing location.
try_files $uri @missing;
location @missing {
# Rebuild the request as /index.php/<original uri>. $request_uri already
# contains the query string, and nginx appends the original arguments to a
# replacement that contains "?", so the query string is presumably sent twice
# (e.g. "?a=1&a=1"); ending the replacement with "?" would stop that -- verify
# against a real request before changing it.
rewrite ^ /index.php$request_uri last;
}
# Any other URI containing ".php" is folded into the front controller rather
# than executed. This regex loses to the "^~" prefix location below, so it
# runs for anything other than /index.php.
location ~ \.php {
rewrite ^ /index.php$request_uri last;
}
# Only index.php is ever handed to PHP-fastcgi, so an uploaded file with PHP
# inside cannot be executed through a ".php" PATH_INFO suffix here.
location ^~ /index.php {
include fastcgi_params;
# $fastcgi_script_name carries any trailing <path> (no fastcgi_split_path_info),
# so SCRIPT_FILENAME is <root>/index.php/<path>; presumably PHP's
# cgi.fix_pathinfo=1 splits that into the script and PATH_INFO -- confirm.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}
# Request-rate limiting sketch (not a complete configuration on its own).
http
{
# NOTE(review): both zones ("one" and "delay") must first be declared with a
# "limit_req_zone <key> zone=<name>:<size> rate=<rate>;" directive in the http
# context; none is shown here. A limit_req at http level is the default for
# every server and location that does not set its own.
limit_req zone=one burst=5 nodelay;
# NOTE(review): no listen/server_name, and "location" has no URI argument
# (nginx requires one, e.g. "location / {" for everything), so this will not
# load as written.
server
{
location
{
# A limit_req at this level replaces the inherited one rather than adding to
# it, so this location is governed by the "delay" zone only.
limit_req zone=delay burst=5 nodelay;
}
}
}
@xeoncross

Forward development server file requests to production: rewrite ^/uploads/(.*)$ http://www.example.com/uploads/$1 last;

This keeps each development server from needing to have a copy of the files in uploads.
