Created
February 4, 2018 22:29
-
-
Save cclloyd/e7f1183f3a018dbc32cd7c55e15375cf to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## UserFrosting sample nginx configuration file. | |
## See https://learn.userfrosting.com/going-live/vps-production-environment/application-setup#configure-the-webserver-nginx- | |
## Redirect HTTP to HTTPS | |
## Enable this block once you've set up SSL. This will redirect all HTTP requests to HTTPS. | |
server { | |
listen 80; | |
server_name opensrd.cclloyd.com; | |
return 301 https://$host$request_uri; | |
} | |
## Main server configuration | |
server { | |
## Non-SSL configuration. Not recommended for production! | |
#listen 80; | |
## Defines the script/file to look for when a request is made to the index of your server name. | |
index index.php index.html index.htm; | |
## Begin - Server Info | |
## Document root directory for your project. Should be set to the directory that contains your index.php. | |
root /var/www/websrd/public; | |
server_name opensrd.cclloyd.com; | |
## End - Server Info | |
## SSL configuration | |
## It is STRONGLY RECOMMENDED that you use SSL for all traffic to your UF site. | |
## Otherwise, you are potentially leaking your users' sensitive info, including passwords! | |
## See https://letsencrypt.org/ to find out how to get a free, trusted SSL cert for your site. | |
# | |
listen 443 ssl http2; | |
listen [::]:443 ssl http2; | |
## Certificate paths (example for letsencrypt) | |
ssl_certificate /etc/letsencrypt/live/opensrd.cclloyd.com/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/opensrd.cclloyd.com/privkey.pem; | |
## Disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
## Enable session resumption to enable low latency for repeat visitors. | |
#ssl_session_cache shared:SSL:50m; | |
ssl_session_timeout 5m; | |
## Enables server-side protection from BEAST attacks | |
ssl_prefer_server_ciphers on; | |
## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
ssl_dhparam /etc/nginx/dhparam.pem; # google will tell you how to make this | |
## Ciphers chosen for forward secrecy and compatibility | |
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |
## Enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner) | |
resolver 8.8.8.8; | |
ssl_stapling on; | |
ssl_trusted_certificate /etc/letsencrypt/live/<cert name>/fullchain.pem; # same as your ssl_certificate path | |
## Config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security | |
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
## End - SSL configuration | |
access_log /var/log/nginx/access.log; | |
add_header X-Frame-Options SAMEORIGIN; | |
add_header X-Content-Type-Options nosniff; | |
## This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. | |
add_header X-XSS-Protection "1; mode=block"; #optional | |
## Begin - Pagespeed | |
## See https://learn.userfrosting.com/going-live/vps-production-environment/additional-recommendations | |
## for information on compiling nginx with the Pagespeed module. | |
#pagespeed on; | |
#pagespeed FileCachePath /var/ngx_pagespeed_cache; | |
#pagespeed Disallow "*.svg*"; | |
## Add additional filters here | |
#pagespeed EnableFilters prioritize_critical_css; | |
## Ensure requests for pagespeed optimized resources go to the pagespeed | |
## handler and no extraneous headers get set. | |
#location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; } | |
#location ~ "^/ngx_pagespeed_static/" { } | |
#location ~ "^/ngx_pagespeed_beacon" { } | |
## End - Pagespeed | |
## Begin - Let's Encrypt | |
## Allow URLs for certbot acme challenge | |
location ~ /.well-known { | |
allow all; | |
} | |
## End - Let's Encrypt | |
## Begin - Handle PHP requests | |
location ~ \.(php)$ { | |
# Throw away any requests to execute PHP scripts in other directories | |
# See http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html for why this is needed | |
location ~ \..*/.*\.php$ { | |
return 404; | |
} | |
# regex to split $uri to $fastcgi_script_name and $fastcgi_path | |
fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
fastcgi_keep_conn on; | |
# For FPM (PHP 7) | |
fastcgi_pass unix:/run/php/php7.0-fpm.sock; | |
# For FPM (PHP 5.x) | |
#fastcgi_pass unix:/var/run/php5-fpm.sock; | |
# For traditional PHP FastCGI (php5-cgi or php7.0-cgi) | |
#fastcgi_pass 127.0.0.1:9000; | |
# For HHVM | |
#fastcgi_pass unix:/var/run/hhvm/hhvm.sock; | |
fastcgi_index index.php; | |
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
include fastcgi_params; | |
} | |
## End - Handle PHP requests | |
## Begin - Caching static files | |
location ~* \.(png|gif|jpg|jpeg|svg|ico|css|js|woff|ttf|otf|woff2|eot)$ { | |
include /etc/nginx/mime.types; | |
expires max; | |
index index.php; | |
try_files $uri $uri/ /index.php?$query_string; | |
} | |
## End - Caching static files | |
## Begin - Index | |
## for subfolders, simply adjust: | |
## `location /subfolder {` | |
## and the rewrite to use `/subfolder/index.php` | |
location / { | |
include /etc/nginx/mime.types; | |
index index.php; | |
try_files $uri $uri/ /index.php?$query_string; | |
} | |
## End - Index | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment