lifehome/https-fpm.incl

Last active Aug 17, 2019
Default NGINX Configurations
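# https-fpm.incl: PHP-FPM handler for HTTPS virtual hosts.
# Pulled into a server block with `include /etc/nginx/https-fpm.incl;` and
# relies on that server block's `root` to resolve script paths.
location ~ \.php$ {
    include /etc/nginx/fastcgi_params;

    # Split "/script.php/extra" into $fastcgi_script_name and $fastcgi_path_info.
    fastcgi_split_path_info ^(.+\.php)(/.+)$;

    # Refuse to forward anything that does not resolve to an existing script
    # under root. Without this check every URI that merely ends in ".php" is
    # handed to PHP-FPM, and depending on PHP's cgi.fix_pathinfo setting the
    # interpreter may then run a different file (for example an upload) as PHP.
    # NOTE(review): assumes nginx and PHP-FPM see the same filesystem, which
    # the local unix socket below suggests; confirm for chroot/container setups.
    try_files $fastcgi_script_name =404;

    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;

    # This include is only meant for TLS server blocks, so PHP is always told
    # the request arrived over HTTPS.
    fastcgi_param HTTPS true;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}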
# nginx.conf: main context.
# Fixed pool of four worker processes.
worker_processes 4;

# Global error log; no level is given, so nginx's default level applies.
error_log /var/log/nginx/error.log;

events {
    # Upper bound on simultaneous connections per worker process.
    worker_connections 1024;
}
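http {
    # Cloudflare real-IP restoration.
    # Only peers inside the ranges below may set the client address through
    # the CF-Connecting-IP header; any other peer keeps its socket address.
    # The list is a hard-coded snapshot: compare it with the ranges Cloudflare
    # currently publishes before reuse. A range that no longer belongs to
    # Cloudflare would let its new holder choose the client IP that ends up in
    # logs, ACLs and rate limits; a missing range records the proxy address
    # instead of the visitor's.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
    real_ip_header CF-Connecting-IP;

    # nginx core configuration
    server_tokens off;                      # do not advertise the nginx version
    server_names_hash_bucket_size 128;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;

    # TLS protocol settings (inherited by every server block below)
    #ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_session_tickets off;

    # TLS cipher suite configuration.
    # 3DES (DES-CBC3-SHA) was dropped from the original list and is excluded
    # explicitly: it is a 64-bit block cipher and is not needed when only
    # TLSv1.2 is offered.
    # The kEDH (DHE) entries are only negotiated when ssl_dhparam is set; with
    # that directive commented out above they stay unused on nginx 1.11.0+.
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED !3DES';
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;

    # TLS session resumption: one shared 10 MB cache, 10 minute lifetime.
    # (The original declared the same ssl_session_cache line twice.)
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling (experimental).
    # ssl_stapling_verify checks the responder's answer against the chain given
    # in ssl_trusted_certificate, which is commented out here.
    # NOTE(review): confirm stapling actually works with the deployed certificate.
    #ssl_trusted_certificate /etc/nginx/certs/cloudflare_origin_ecc.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Resolver used for OCSP responder lookups. valid= overrides the record TTL
    # and caches answers for 24 hours. These are public resolvers reached over
    # an untrusted network; a resolver inside a trusted network is the safer
    # choice where one is available.
    resolver 1.1.1.1 8.8.8.8 valid=86400;
    resolver_timeout 10;

    keepalive_timeout 70;
    client_max_body_size 100m;

    # Catch-all server.
    # No listen line carries default_server, so this block, being the first one
    # defined, handles every request whose Host/SNI matches no other server_name
    # on ports 80 and 443. It serves no content and redirects elsewhere, which
    # keeps unknown hostnames away from the real sites.
    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name _;

        # SSL Certificate configuration
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;

        return 301 https://www.google.com;
    }

    #####################################
    #                                   #
    # Example PHP website configuration #
    #                                   #
    #####################################

    # Default server rule for plain HTTP transport
    # This is to ensure HTTPS-only traffic
    server {
        listen 80;      # Listen to IPv4 on all interface
        listen [::]:80; # Listen to IPv6 on all interface
        server_name example.org;

        # The redirect target uses the fixed hostname rather than the
        # client-supplied Host header.
        return 301 https://example.org$request_uri;
    }

    # Main configuration for HTTPS site
    server {
        listen 443 ssl http2;      # Listen to IPv4 with http2 extension on all interface
        listen [::]:443 ssl http2; # Listen to IPv6 with http2 extension on all interface
        server_name example.org;   # FQDN for the site

        # SSL Certificate configuration
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;

        root /path/to/script;                 # Path to script directory
        index index.php index.html index.htm; # Index filename

        include /etc/nginx/https-fpm.incl;    # HTTPS php-fpm include
    }
}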