cclloyd/gist:e7f1183f3a018dbc32cd7c55e15375cf Secret

## gistfile1.txt
## UserFrosting sample nginx configuration file.
## See https://learn.userfrosting.com/going-live/vps-production-environment/application-setup#configure-the-webserver-nginx-

## Redirect HTTP to HTTPS
## Enable this block once you've set up SSL.  This will redirect all HTTP requests to HTTPS.
server {
    listen 80;
    server_name opensrd.cclloyd.com;
    return 301 https://$host$request_uri;
}

## Main server configuration
server {
    ## Non-SSL configuration.  Not recommended for production!
    #listen 80;
    ## Defines the script/file to look for when a request is made to the index of your server name.
    index index.php index.html index.htm;

    ## Begin - Server Info
    ## Document root directory for your project.  Should be set to the directory that contains your index.php.
    root /var/www/websrd/public;
    server_name opensrd.cclloyd.com;
    ## End - Server Info

    ## SSL configuration
    ## It is STRONGLY RECOMMENDED that you use SSL for all traffic to your UF site.
    ## Otherwise, you are potentially leaking your users' sensitive info, including passwords!
    ## See https://letsencrypt.org/ to find out how to get a free, trusted SSL cert for your site.
    #
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ## Certificate paths (example for letsencrypt)
    ssl_certificate /etc/letsencrypt/live/opensrd.cclloyd.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/opensrd.cclloyd.com/privkey.pem;
    ## Disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ## Enable session resumption to enable low latency for repeat visitors.
    #ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ## Enables server-side protection from BEAST attacks
    ssl_prefer_server_ciphers on;
    ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem; # google will tell you how to make this
    ## Ciphers chosen for forward secrecy and compatibility
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ## Enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    resolver 8.8.8.8;
    ssl_stapling on;
    ssl_trusted_certificate /etc/letsencrypt/live/<cert name>/fullchain.pem; # same as your ssl_certificate path
    ## Config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    ## End - SSL configuration

    access_log /var/log/nginx/access.log;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    ## This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    add_header X-XSS-Protection "1; mode=block"; #optional

    ## Begin - Pagespeed
    ## See https://learn.userfrosting.com/going-live/vps-production-environment/additional-recommendations
    ## for information on compiling nginx with the Pagespeed module.
    #pagespeed on;
    #pagespeed FileCachePath /var/ngx_pagespeed_cache;
    #pagespeed Disallow "*.svg*";
    ## Add additional filters here
    #pagespeed EnableFilters prioritize_critical_css;
    ## Ensure requests for pagespeed optimized resources go to the pagespeed
    ## handler and no extraneous headers get set.
    #location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; }
    #location ~ "^/ngx_pagespeed_static/" { }
    #location ~ "^/ngx_pagespeed_beacon" { }
    ## End - Pagespeed

    ## Begin - Let's Encrypt
    ## Allow URLs for certbot acme challenge
    location ~ /.well-known {
        allow all;
    }
    ## End - Let's Encrypt

    ## Begin - Handle PHP requests
    location ~ \.(php)$ {
        # Throw away any requests to execute PHP scripts in other directories
        # See http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html for why this is needed
        location ~ \..*/.*\.php$ {
            return 404;
        }
        # regex to split $uri to $fastcgi_script_name and $fastcgi_path
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_keep_conn on;
        # For FPM (PHP 7)
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        # For FPM (PHP 5.x)
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        # For traditional PHP FastCGI (php5-cgi or php7.0-cgi)
        #fastcgi_pass 127.0.0.1:9000;
        # For HHVM
        #fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
    ## End - Handle PHP requests

    ## Begin - Caching static files
    location ~* \.(png|gif|jpg|jpeg|svg|ico|css|js|woff|ttf|otf|woff2|eot)$ {
        include /etc/nginx/mime.types;
        expires max;

        index index.php;
        try_files $uri $uri/ /index.php?$query_string;
    }
    ## End - Caching static files

    ## Begin - Index
    ## for subfolders, simply adjust:
    ## `location /subfolder {`
    ## and the rewrite to use `/subfolder/index.php`
    location / {
        include /etc/nginx/mime.types;
        index index.php;
        try_files $uri $uri/ /index.php?$query_string;
    }
    ## End - Index
}
	## UserFrosting sample nginx configuration file.
	## See https://learn.userfrosting.com/going-live/vps-production-environment/application-setup#configure-the-webserver-nginx-

	## Redirect HTTP to HTTPS
	## Enable this block once you've set up SSL. This will redirect all HTTP requests to HTTPS.
	server {
	listen 80;
	server_name opensrd.cclloyd.com;
	return 301 https://$host$request_uri;
	}

	## Main server configuration
	server {
	## Non-SSL configuration. Not recommended for production!
	#listen 80;
	## Defines the script/file to look for when a request is made to the index of your server name.
	index index.php index.html index.htm;

	## Begin - Server Info
	## Document root directory for your project. Should be set to the directory that contains your index.php.
	root /var/www/websrd/public;
	server_name opensrd.cclloyd.com;
	## End - Server Info

	## SSL configuration
	## It is STRONGLY RECOMMENDED that you use SSL for all traffic to your UF site.
	## Otherwise, you are potentially leaking your users' sensitive info, including passwords!
	## See https://letsencrypt.org/ to find out how to get a free, trusted SSL cert for your site.
	#
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	## Certificate paths (example for letsencrypt)
	ssl_certificate /etc/letsencrypt/live/opensrd.cclloyd.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/opensrd.cclloyd.com/privkey.pem;
	## Disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	## Enable session resumption to enable low latency for repeat visitors.
	#ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;
	## Enables server-side protection from BEAST attacks
	ssl_prefer_server_ciphers on;
	## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/nginx/dhparam.pem; # google will tell you how to make this
	## Ciphers chosen for forward secrecy and compatibility
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	## Enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
	resolver 8.8.8.8;
	ssl_stapling on;
	ssl_trusted_certificate /etc/letsencrypt/live/<cert name>/fullchain.pem; # same as your ssl_certificate path
	## Config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
	## End - SSL configuration

	access_log /var/log/nginx/access.log;

	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	## This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	add_header X-XSS-Protection "1; mode=block"; #optional

	## Begin - Pagespeed
	## See https://learn.userfrosting.com/going-live/vps-production-environment/additional-recommendations
	## for information on compiling nginx with the Pagespeed module.
	#pagespeed on;
	#pagespeed FileCachePath /var/ngx_pagespeed_cache;
	#pagespeed Disallow ".svg";
	## Add additional filters here
	#pagespeed EnableFilters prioritize_critical_css;
	## Ensure requests for pagespeed optimized resources go to the pagespeed
	## handler and no extraneous headers get set.
	#location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; }
	#location ~ "^/ngx_pagespeed_static/" { }
	#location ~ "^/ngx_pagespeed_beacon" { }
	## End - Pagespeed

	## Begin - Let's Encrypt
	## Allow URLs for certbot acme challenge
	location ~ /.well-known {
	allow all;
	}
	## End - Let's Encrypt

	## Begin - Handle PHP requests
	location ~ \.(php)$ {
	# Throw away any requests to execute PHP scripts in other directories
	# See http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html for why this is needed
	location ~ \../.\.php$ {
	return 404;
	}
	# regex to split $uri to $fastcgi_script_name and $fastcgi_path
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_keep_conn on;
	# For FPM (PHP 7)
	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	# For FPM (PHP 5.x)
	#fastcgi_pass unix:/var/run/php5-fpm.sock;
	# For traditional PHP FastCGI (php5-cgi or php7.0-cgi)
	#fastcgi_pass 127.0.0.1:9000;
	# For HHVM
	#fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
	}
	## End - Handle PHP requests

	## Begin - Caching static files
	location ~* \.(png\|gif\|jpg\|jpeg\|svg\|ico\|css\|js\|woff\|ttf\|otf\|woff2\|eot)$ {
	include /etc/nginx/mime.types;
	expires max;

	index index.php;
	try_files $uri $uri/ /index.php?$query_string;
	}
	## End - Caching static files

	## Begin - Index
	## for subfolders, simply adjust:
	## `location /subfolder {`
	## and the rewrite to use `/subfolder/index.php`
	location / {
	include /etc/nginx/mime.types;
	index index.php;
	try_files $uri $uri/ /index.php?$query_string;
	}
	## End - Index
	}