davidhellmann/gist:d45255bfe414dc4112096e1ef17fbe7a

## gistfile1.txt
# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/bestwebsite.gallery/before/*;

# Bots to ban via user agent
map $http_user_agent $limit_bots {
     default 0;
     ~*(AhrefsBot|Baiduspider|PaperLiBot) 1;
 }

server {
    # Listen for both IPv4 & IPv6 requests on port 443 with http2 enabled
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # General virtual host settings
    server_name bestwebsite.gallery;
    root /home/forge/bestwebsite.gallery/current/web;
    index index.html index.htm index.php;
    charset utf-8;

    # Enable server-side includes as per: http://nginx.org/en/docs/http/ngx_http_ssi_module.html
    ssi on;

    # Disable limits on the maximum allowed size of the client request body
    client_max_body_size 0;

    # Ban certain bots from crawling the site
    if ($limit_bots = 1) {
        return 403;
    }

    # 404 error handler
    error_page 404 /index.php?$query_string;

    # 301 Redirect URLs with trailing /'s as per https://webmasters.googleblog.com/2010/04/to-slash-or-not-to-slash.html
    #rewrite ^/(.*)/$ /$1 permanent;

    # Change // -> / for all URLs, so it works for our php location block, too
    merge_slashes off;
    rewrite (.*)//+(.*) $1/$2 permanent;

    # Handle Do Not Track as per https://www.eff.org/dnt-policy
    location /.well-known/dnt-policy.txt {
        try_files /dnt-policy.txt /index.php?p=/dnt-policy.txt;
    }

    # For WordPress bots/users
    location ~ ^/(wp-login|wp-admin|wp-config|wp-content|wp-includes|(.*)\.exe) {
        return 301 https://wordpress.com/wp-login.php;
    }

    # Access and error logging
    access_log off;
    error_log  /var/log/nginx/bestwebsite.gallery-error.log error;
    # If you want error logging to go to SYSLOG (for services like Papertrailapp.com), uncomment the following:
    #error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=error;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/bestwebsite.gallery/XXX/server.crt;
    ssl_certificate_key /etc/nginx/ssl/bestwebsite.gallery/XXX/server.key;

    # SSL/TLS configuration, with TLSv1.0 disabled because it is insecure; note that IE 8, 9 & 10 support
    # TLSv1.1, but it's not enabled by default clients using those browsers will not be able to connect
    ssl_protocols TLSv1.2 TLSv1.1;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
    ssl_buffer_size 4k;
    ssl_session_timeout 4h;
    ssl_session_cache shared:SSL:40m;
    # ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/bestwebsite.gallery/server/*;

    # Load configuration files from nginx-partials
    include /etc/nginx/nginx-partials/*.conf;

    # Root directory location handler
    location / {
        try_files $uri/index.html $uri $uri/ /index.php?$query_string;
    }

    # Localized sites, hat tip to Johannes -- https://gist.github.com/johanneslamers/f6d2bc0d7435dca130fc

    # If you are creating a localized site as per: https://craftcms.com/docs/localization-guide
    # the directives here will help you handle the locale redirection so that requests will
    # be routed through the appropriate index.php wherein you set the `CRAFT_LOCALE`

    # Enable this by un-commenting it, and changing the language codes as appropriate
    # Add a new location @XXrewrites and location /XX/ block for each language that
    # you need to support

    #location @enrewrites {
    #    rewrite ^/en/(.*)$ /en/index.php?p=$1? last;
    #}
    #
    #location /en/ {
    #    try_files $uri $uri/ @enrewrites;
    #}

    # Craft-specific location handlers to ensure AdminCP requests route through index.php
    # If you change your `cpTrigger`, change it here as well
    location ^~ /admin {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ^~ /cpresources {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # php-fpm configuration
    location ~ [^/]\.php(/|$) {
        try_files $uri $uri/ /index.php?$query_string;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # Change this to whatever version of php you are using
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTP_PROXY "";
        fastcgi_param HTTP_HOST bestwebsite.gallery;

        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|otf|ttf|eot|woff|svg|webp|webm|woff|woff2)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/bestwebsite.gallery/after/*;
	# FORGE CONFIG (DOT NOT REMOVE!)
	include forge-conf/bestwebsite.gallery/before/*;

	# Bots to ban via user agent
	map $http_user_agent $limit_bots {
	default 0;
	~*(AhrefsBot\|Baiduspider\|PaperLiBot) 1;
	}

	server {
	# Listen for both IPv4 & IPv6 requests on port 443 with http2 enabled
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	# General virtual host settings
	server_name bestwebsite.gallery;
	root /home/forge/bestwebsite.gallery/current/web;
	index index.html index.htm index.php;
	charset utf-8;

	# Enable server-side includes as per: http://nginx.org/en/docs/http/ngx_http_ssi_module.html
	ssi on;

	# Disable limits on the maximum allowed size of the client request body
	client_max_body_size 0;

	# Ban certain bots from crawling the site
	if ($limit_bots = 1) {
	return 403;
	}

	# 404 error handler
	error_page 404 /index.php?$query_string;

	# 301 Redirect URLs with trailing /'s as per https://webmasters.googleblog.com/2010/04/to-slash-or-not-to-slash.html
	#rewrite ^/(.*)/$ /$1 permanent;

	# Change // -> / for all URLs, so it works for our php location block, too
	merge_slashes off;
	rewrite (.)//+(.) $1/$2 permanent;

	# Handle Do Not Track as per https://www.eff.org/dnt-policy
	location /.well-known/dnt-policy.txt {
	try_files /dnt-policy.txt /index.php?p=/dnt-policy.txt;
	}

	# For WordPress bots/users
	location ~ ^/(wp-login\|wp-admin\|wp-config\|wp-content\|wp-includes\|(.*)\.exe) {
	return 301 https://wordpress.com/wp-login.php;
	}

	# Access and error logging
	access_log off;
	error_log /var/log/nginx/bestwebsite.gallery-error.log error;
	# If you want error logging to go to SYSLOG (for services like Papertrailapp.com), uncomment the following:
	#error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=error;

	# FORGE SSL (DO NOT REMOVE!)
	ssl_certificate /etc/nginx/ssl/bestwebsite.gallery/XXX/server.crt;
	ssl_certificate_key /etc/nginx/ssl/bestwebsite.gallery/XXX/server.key;

	# SSL/TLS configuration, with TLSv1.0 disabled because it is insecure; note that IE 8, 9 & 10 support
	# TLSv1.1, but it's not enabled by default clients using those browsers will not be able to connect
	ssl_protocols TLSv1.2 TLSv1.1;
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
	ssl_buffer_size 4k;
	ssl_session_timeout 4h;
	ssl_session_cache shared:SSL:40m;
	# ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;

	# FORGE CONFIG (DOT NOT REMOVE!)
	include forge-conf/bestwebsite.gallery/server/*;

	# Load configuration files from nginx-partials
	include /etc/nginx/nginx-partials/*.conf;

	# Root directory location handler
	location / {
	try_files $uri/index.html $uri $uri/ /index.php?$query_string;
	}

	# Localized sites, hat tip to Johannes -- https://gist.github.com/johanneslamers/f6d2bc0d7435dca130fc

	# If you are creating a localized site as per: https://craftcms.com/docs/localization-guide
	# the directives here will help you handle the locale redirection so that requests will
	# be routed through the appropriate index.php wherein you set the `CRAFT_LOCALE`

	# Enable this by un-commenting it, and changing the language codes as appropriate
	# Add a new location @XXrewrites and location /XX/ block for each language that
	# you need to support

	#location @enrewrites {
	# rewrite ^/en/(.*)$ /en/index.php?p=$1? last;
	#}
	#
	#location /en/ {
	# try_files $uri $uri/ @enrewrites;
	#}

	# Craft-specific location handlers to ensure AdminCP requests route through index.php
	# If you change your `cpTrigger`, change it here as well
	location ^~ /admin {
	try_files $uri $uri/ /index.php?$query_string;
	}
	location ^~ /cpresources {
	try_files $uri $uri/ /index.php?$query_string;
	}

	# php-fpm configuration
	location ~ [^/]\.php(/\|$) {
	try_files $uri $uri/ /index.php?$query_string;
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	# Change this to whatever version of php you are using
	fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
	fastcgi_index index.php;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;
	fastcgi_param HTTP_PROXY "";
	fastcgi_param HTTP_HOST bestwebsite.gallery;

	fastcgi_intercept_errors off;
	fastcgi_buffer_size 16k;
	fastcgi_buffers 4 16k;
	fastcgi_connect_timeout 300;
	fastcgi_send_timeout 300;
	fastcgi_read_timeout 300;
	}

	location ~ /\.ht {
	deny all;
	}

	location ~* ^.+\.(?:css\|cur\|js\|jpe?g\|gif\|htc\|ico\|png\|html\|otf\|ttf\|eot\|woff\|svg\|webp\|webm\|woff\|woff2)$ {
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}
	}

	# FORGE CONFIG (DOT NOT REMOVE!)
	include forge-conf/bestwebsite.gallery/after/*;