danalloway/ssl.nginxconf

## ssl.nginxconf


    # capture HTTP requests to example.com and www.example.com
    # and permanently redirect them to the HTTPS version of the site
    #
server {
    listen 80;      # IPv4
    listen [::]:80; # IPv6

    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}


    # capture HTTPS requests without the WWW and permanently redirect them
    #
server {
    listen 443;      # IPv4
    listen [::]:443; # IPv6

    server_name example.com;
    return 301 https://www.example.com$request_uri;
}


    #
    # the default server
    #
server {
    listen 443 default_server; # IPv4
    listen [::]:443;           # IPv6


        # SSL Configuration
        #
    ssl on;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_certificate /etc/nginx/ssl/example.crt;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;


        # this file needs to be generated using the following command
        # `openssl dhparam -out /etc/nginx/ssl/dh_param.pem 4096`
        #
    ssl_dhparam /etc/nginx/ssl/dh_param.pem;


    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;


        # Basic Server Configuration
        #
    server_name www.example.com;


    root /var/www/example/public;
    index index.php;


        # Logging
        #
    access_log /var/log/nginx/example_access.log;
    error_log /var/log/nginx/example_error.log;


    location / {

        # static files will be served directly
        location ~* ^.+\.(?:css|cur|js|jpg|jpeg|gif|htc|ico|png|html|xml)$ {
            access_log off;
            expires 30d;
        }

        # prevent hidden files from being served
        location ~ /\. {
            access_log off;
            log_not_found off;
            deny all;
        }

        # first try to serve the file directly
        # then try passing it to PHP for processing
        try_files $uri @php;

    }

        #
        # All PHP requests are forced through index.php behind the scenes.
        #
        # This is acomplished using a number of fastcgi parameters,
        # the benefit in doing it this way is not having to use any rewrites.
        #
        # A request for => /foo/bar?baz=1
        # would result in => /index.php?_url=/foo/bar&baz=1
        #
        # Just keep in mind that this makes index.php the only directly
        # accesible PHP file in your application installation.
        #
        # Also, make sure you have your PHP-FPM configured to listen via unix
        # socket at /var/run/php5-fpm.sock
        #
        # (this is typically done via the /etc/php5/fpm/pool.d/www.conf file).
        #
    location @php {

        include fastcgi_params;

        fastcgi_param QUERY_STRING _url=$uri&$args;
        fastcgi_param SCRIPT_NAME /index.php;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;

        fastcgi_intercept_errors on;
        fastcgi_read_timeout 14400;
        fastcgi_index index.php;

        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

        # 404 requests to any other PHP files
    location ~* ^.+\.php$ {
        return 404;
    }

}


	# capture HTTP requests to example.com and www.example.com
	# and permanently redirect them to the HTTPS version of the site
	#
	server {
	listen 80; # IPv4
	listen [::]:80; # IPv6

	server_name example.com www.example.com;
	return 301 https://www.example.com$request_uri;
	}


	# capture HTTPS requests without the WWW and permanently redirect them
	#
	server {
	listen 443; # IPv4
	listen [::]:443; # IPv6

	server_name example.com;
	return 301 https://www.example.com$request_uri;
	}


	#
	# the default server
	#
	server {
	listen 443 default_server; # IPv4
	listen [::]:443; # IPv6


	# SSL Configuration
	#
	ssl on;
	ssl_certificate_key /etc/nginx/ssl/example.key;
	ssl_certificate /etc/nginx/ssl/example.crt;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

	ssl_stapling on;
	ssl_stapling_verify on;

	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;


	# this file needs to be generated using the following command
	# `openssl dhparam -out /etc/nginx/ssl/dh_param.pem 4096`
	#
	ssl_dhparam /etc/nginx/ssl/dh_param.pem;


	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header X-Frame-Options "DENY";
	add_header X-Content-Type-Options nosniff;


	# Basic Server Configuration
	#
	server_name www.example.com;


	root /var/www/example/public;
	index index.php;


	# Logging
	#
	access_log /var/log/nginx/example_access.log;
	error_log /var/log/nginx/example_error.log;


	location / {

	# static files will be served directly
	location ~* ^.+\.(?:css\|cur\|js\|jpg\|jpeg\|gif\|htc\|ico\|png\|html\|xml)$ {
	access_log off;
	expires 30d;
	}

	# prevent hidden files from being served
	location ~ /\. {
	access_log off;
	log_not_found off;
	deny all;
	}

	# first try to serve the file directly
	# then try passing it to PHP for processing
	try_files $uri @php;

	}

	#
	# All PHP requests are forced through index.php behind the scenes.
	#
	# This is acomplished using a number of fastcgi parameters,
	# the benefit in doing it this way is not having to use any rewrites.
	#
	# A request for => /foo/bar?baz=1
	# would result in => /index.php?_url=/foo/bar&baz=1
	#
	# Just keep in mind that this makes index.php the only directly
	# accesible PHP file in your application installation.
	#
	# Also, make sure you have your PHP-FPM configured to listen via unix
	# socket at /var/run/php5-fpm.sock
	#
	# (this is typically done via the /etc/php5/fpm/pool.d/www.conf file).
	#
	location @php {

	include fastcgi_params;

	fastcgi_param QUERY_STRING _url=$uri&$args;
	fastcgi_param SCRIPT_NAME /index.php;
	fastcgi_param SCRIPT_FILENAME $document_root/index.php;

	fastcgi_intercept_errors on;
	fastcgi_read_timeout 14400;
	fastcgi_index index.php;

	fastcgi_pass unix:/var/run/php5-fpm.sock;
	}

	# 404 requests to any other PHP files
	location ~* ^.+\.php$ {
	return 404;
	}

	}