hewerthomn/nginx_php7_ssl

## nginx_php7_ssl
server {
	server_name	DOMAIN;
	listen		80;
	listen		[::]:80;

	return		301	https://$server_name$request_uri;
}

server {
	server_name	DOMAIN;
	listen		  443 ssl http2;
	listen		  [::]:443 ssl http2;

	root		/var/www/PUBLIC_PATH/;
	index		index.php;

	location / {
		try_files $uri $uri/ /index.php$is_args$args;
	}

	# Prevent serving files beginning with a “$”
	# Do not log attempt
	location ~ ~$ {
		access_log off;
		log_not_found off;
		deny all;
	}

	# Prevent logging whenever favicon & robots.txt files are accessed
	location = /robots.txt {
		log_not_found off;
	}

	location = /favicon.ico {
		access_log off;
		log_not_found off;
	}

	location ~ \.php$ {
		try_files $uri /index.php =404;

    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param HTTP_PROXY "";
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    include /etc/nginx/fastcgi_params;
	}

	add_header Strict-Transport-Security "max-age=31536000" always;
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;

	ssl_certificate /PATH_TO/fullchain.pem;
	ssl_certificate_key /PATH/TO/privkey.pem;

	# ssl_dhparam /etc/nginx/cert/dhparam.pem;

	ssl_session_cache shared:le_nginx_SSL:20m;
	ssl_session_timeout 1d;

	ssl_session_tickets off;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot
	# ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
}
	server {
	server_name DOMAIN;
	listen 80;
	listen [::]:80;

	return 301 https://$server_name$request_uri;
	}

	server {
	server_name DOMAIN;
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	root /var/www/PUBLIC_PATH/;
	index index.php;

	location / {
	try_files $uri $uri/ /index.php$is_args$args;
	}

	# Prevent serving files beginning with a “$”
	# Do not log attempt
	location ~ ~$ {
	access_log off;
	log_not_found off;
	deny all;
	}

	# Prevent logging whenever favicon & robots.txt files are accessed
	location = /robots.txt {
	log_not_found off;
	}

	location = /favicon.ico {
	access_log off;
	log_not_found off;
	}

	location ~ \.php$ {
	try_files $uri /index.php =404;

	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param HTTP_PROXY "";
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

	include /etc/nginx/fastcgi_params;
	}

	add_header Strict-Transport-Security "max-age=31536000" always;
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;

	ssl_certificate /PATH_TO/fullchain.pem;
	ssl_certificate_key /PATH/TO/privkey.pem;

	# ssl_dhparam /etc/nginx/cert/dhparam.pem;

	ssl_session_cache shared:le_nginx_SSL:20m;
	ssl_session_timeout 1d;

	ssl_session_tickets off;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot
	# ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
	}