gjuric/piwik-nginx.conf

## piwik-nginx.conf
server {
    listen               80 default;

    server_name          stats.example.com;

    return 301           https://stats.example.com$request_uri;
}

upstream php-fpm {
    server               unix:/var/run/php5-fpm.sock;
}

server {
    listen               443 ssl spdy default;
    server_name          stats.example.com;

    # SSL
    ssl_certificate      /etc/ssl/private/stats.example.com.crt;
    ssl_certificate_key  /etc/ssl/private/stats.example.com.key;
    ssl_session_cache    shared:SSL:15m;
    ssl_session_timeout  15m;
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    # HSTS Header
    add_header Strict-Transport-Security max-age=15768000;

    ## OCSP Stapling
    resolver             8.8.8.8;
    ssl_stapling         on;
    ssl_stapling_verify  on;

    root                 /srv/www/stats.example.com;

    access_log           /var/log/nginx/access.log  main;

    location / {
        auth_basic       "Restricted";
        auth_basic_user_file htpasswd;

        index            index.php;
        try_files $uri   /index.php?$query_string;
    }


    location ~ ^/(piwik|js/index)\.php(/|$) {
        fastcgi_pass     php-fpm;
        fastcgi_index    index.php;
        fastcgi_param    SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param    HTTPS on;
        include          fastcgi_params;
    }

    location ~ ^/(index)\.php(/|$) {

        satisfy any;
        allow 95.85.33.84/32;
        deny  all;
        auth_basic "Restricted";
        auth_basic_user_file htpasswd;

        fastcgi_pass   php-fpm;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS on;
        include        fastcgi_params;
    }

    location = /js/ {
        index index.php;
    }

    location = /main.js {
        expires max;
        rewrite .* /piwik.js last;
    }

    location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf|txt|svg)$ {
        expires        max;
        tcp_nodelay    off;
    }

    ## Disallow access to several helper files.
    location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|tpl|xml)$ {
        return         404;
    }

    location /config   { deny all; }
    location /core     { deny all; }
    location /lang     { deny all; }
    location /misc     { deny all; }
    location /tmp      { deny all; }
    location /plugins  { deny all; }
}
	server {
	listen 80 default;

	server_name stats.example.com;

	return 301 https://stats.example.com$request_uri;
	}

	upstream php-fpm {
	server unix:/var/run/php5-fpm.sock;
	}

	server {
	listen 443 ssl spdy default;
	server_name stats.example.com;

	# SSL
	ssl_certificate /etc/ssl/private/stats.example.com.crt;
	ssl_certificate_key /etc/ssl/private/stats.example.com.key;
	ssl_session_cache shared:SSL:15m;
	ssl_session_timeout 15m;
	ssl_ciphers HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers on;

	# HSTS Header
	add_header Strict-Transport-Security max-age=15768000;

	## OCSP Stapling
	resolver 8.8.8.8;
	ssl_stapling on;
	ssl_stapling_verify on;

	root /srv/www/stats.example.com;

	access_log /var/log/nginx/access.log main;

	location / {
	auth_basic "Restricted";
	auth_basic_user_file htpasswd;

	index index.php;
	try_files $uri /index.php?$query_string;
	}


	location ~ ^/(piwik\|js/index)\.php(/\|$) {
	fastcgi_pass php-fpm;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param HTTPS on;
	include fastcgi_params;
	}

	location ~ ^/(index)\.php(/\|$) {

	satisfy any;
	allow 95.85.33.84/32;
	deny all;
	auth_basic "Restricted";
	auth_basic_user_file htpasswd;

	fastcgi_pass php-fpm;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param HTTPS on;
	include fastcgi_params;
	}

	location = /js/ {
	index index.php;
	}

	location = /main.js {
	expires max;
	rewrite .* /piwik.js last;
	}

	location ~* ^.+\.(?:css\|gif\|jpe?g\|js\|png\|swf\|txt\|svg)$ {
	expires max;
	tcp_nodelay off;
	}

	## Disallow access to several helper files.
	location ~* \.(?:bat\|html?\|git\|ini\|sh\|svn[^.]*\|tpl\|xml)$ {
	return 404;
	}

	location /config { deny all; }
	location /core { deny all; }
	location /lang { deny all; }
	location /misc { deny all; }
	location /tmp { deny all; }
	location /plugins { deny all; }
	}