antichaos/drupal-nginx-virtualhost.conf Secret

## drupal-nginx-virtualhost.conf
server {
            server_name xxxxxxxxxxxxxx.net;
            root /data/web/xxxxxxxx/htdocs;

            gzip_static on;

            listen 443 ssl;
            ssl on;
            ssl_certificate      /etc/ssl/certs/xxxxx.crt;
            ssl_certificate_key  /etc/ssl/certs/xxxxxx.key;
            ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

            ssl_dhparam /etc/ssl/dh4096.pem;
            ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';


            ssl_prefer_server_ciphers on;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

            error_log /var/log/nginx/xxx-error.log info;
            access_log /var/log/nginx/xxx-access.log ;

            location = /favicon.ico {
                log_not_found off;
                access_log off;
            }

            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }

            location ~ \..*/.*\.php$ {
                return 403;
            }

            location ~ ^/files/.*/private {
                return 403;
            }

            # Block access to "hidden" files and directories whose names begin with a
            # period. This includes directories used by version control systems such
            # as Subversion or Git to store control files.
            location ~ (^|/)\. {
                return 403;
            }

            location / {
                # try_files $uri @rewrite; # For Drupal <= 6
                try_files $uri /index.php?$query_string; # For Drupal >= 7
            }

            location @rewrite {
                rewrite ^/(.*)$ /index.php?q=$1;
            }

            # Don't allow direct access to PHP files in the vendor directory.
            location ~ /vendor/.*\.php$ {
                deny all;
                return 404;
            }


            location ~ '\.php$|^/update.php' {
                fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
                #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_intercept_errors on;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
            }

            # private files (mainly images which should be served by imagecache) are located in /files/private

            location ~ ^/system/files/styles/ {
                        try_files $uri @rewrite;
                }

            location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
                expires max;
                log_not_found off;
            }
}
	server {
	server_name xxxxxxxxxxxxxx.net;
	root /data/web/xxxxxxxx/htdocs;

	gzip_static on;

	listen 443 ssl;
	ssl on;
	ssl_certificate /etc/ssl/certs/xxxxx.crt;
	ssl_certificate_key /etc/ssl/certs/xxxxxx.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	ssl_dhparam /etc/ssl/dh4096.pem;
	ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';


	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

	error_log /var/log/nginx/xxx-error.log info;
	access_log /var/log/nginx/xxx-access.log ;

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	location ~ \../.\.php$ {
	return 403;
	}

	location ~ ^/files/.*/private {
	return 403;
	}

	# Block access to "hidden" files and directories whose names begin with a
	# period. This includes directories used by version control systems such
	# as Subversion or Git to store control files.
	location ~ (^\|/)\. {
	return 403;
	}

	location / {
	# try_files $uri @rewrite; # For Drupal <= 6
	try_files $uri /index.php?$query_string; # For Drupal >= 7
	}

	location @rewrite {
	rewrite ^/(.*)$ /index.php?q=$1;
	}

	# Don't allow direct access to PHP files in the vendor directory.
	location ~ /vendor/.*\.php$ {
	deny all;
	return 404;
	}


	location ~ '\.php$\|^/update.php' {
	fastcgi_split_path_info ^(.+?\.php)(\|/.*)$;
	#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $request_filename;
	fastcgi_intercept_errors on;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	}

	# private files (mainly images which should be served by imagecache) are located in /files/private

	location ~ ^/system/files/styles/ {
	try_files $uri @rewrite;
	}

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico)$ {
	expires max;
	log_not_found off;
	}
	}