
@brunoamaral
Created February 18, 2019 13:11
example nginx.conf for hugo websites
server {
    listen 80;
    server_name .DOMAIN-NAME;

    # Plain-HTTP entry point: every request is answered with a permanent
    # (301) redirect to the same host and path over HTTPS.
    return 301 https://$host$request_uri;
}
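server {
    listen 443 ssl http2;
    # Same host pattern as the HTTP block, so this vhost is selected by name
    # rather than only by being the first server declared on port 443.
    server_name .DOMAIN-NAME;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types application/javascript application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;

    # Browser hardening headers.
    # NOTE: nginx does not merge add_header across levels -- a location that
    # declares any add_header of its own replaces this whole set, so the
    # static-asset locations further down repeat these lines.
    add_header X-Frame-Options SAMEORIGIN;
    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google-analytics.com https://ssl.google-analytics.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://www.facebook.com https://s-static.ak.facebook.com; object-src 'none'";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months).
    # "always" also attaches it to error responses (404, 50x), which the
    # default status filter of add_header would otherwise skip.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/DOMAIN-NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN-NAME/privkey.pem;
    # Chain used to verify stapled OCSP responses. certbot also ships a
    # chain.pem (intermediates only) next to fullchain.pem, which is the
    # usual choice for this directive -- confirm which one verifies cleanly.
    ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN-NAME/fullchain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # TLS 1.1 is deprecated (RFC 8996) and has been dropped. Add TLSv1.3 here
    # once nginx >= 1.13 is running against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;
    ssl_ciphers '<YOUR CYPHER GOES HERE>';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them.
    # nginx needs a resolver to look up the OCSP responder host; without one
    # stapling quietly stays off (the error log reports it). Uncomment and
    # fill in a resolver reachable from this host:
    # resolver <DNS-RESOLVER-IP>;
    ssl_stapling on;
    ssl_stapling_verify on;

    root /var/web/DOMAIN-NAME;
    index index.php index.html index.htm;
    # try_files $uri $uri/ =404;

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # ACME http-01 challenge files. Basic auth (included at the bottom of this
    # server block) is switched off here so the CA can fetch them.
    location ^~ /.well-known {
        alias /var/web/DOMAIN-NAME/.well-known;
        allow all;
        auth_basic off;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP-FPM; keeps a request for a
        # non-existent "*.php" path from being resolved by PHP's own
        # cgi.fix_pathinfo logic against some other file.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        # Stock fastcgi_params does not define SCRIPT_FILENAME (fastcgi.conf
        # does); without it PHP-FPM receives no script to execute. Setting it
        # after the include is harmless if the distro's copy already has it.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
        # The add_header above discards the server-level header set, so the
        # hardening headers are repeated here.
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=15768000" always;
    }

    location /feed {
        return 302 https://DOMAIN-NAME/index.xml;
    }

    # CSS and Javascript
    location ~* \.(?:css|js)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
        # Same inheritance caveat as the media location: repeat the set.
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=15768000" always;
    }

    location = /analytics.js {
        # Proxy to google-analytics.com
        # NOTE: nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify is off). If the integrity of this script matters,
        # turn it on together with a proxy_ssl_trusted_certificate bundle.
        proxy_pass https://www.google-analytics.com;
        # Custom expires time
        expires 1y;
    }

    # This file holds the passwords
    include /etc/nginx/incl/basicauth.conf;
}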