lifehome/https-fpm.incl

## https-fpm.incl
location ~ \.php$ {
  include /etc/nginx/fastcgi_params;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
  fastcgi_param HTTPS true;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

## nginx.conf
##
# Process settings
##

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

##
# Extra nginix dynamic modules injection
##

#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;

##
# nginx Core Configurations
##

events {
  worker_connections 1024;
  multi_accept on;
}

http {

  ##
  # Basic Settings
  ##

  sendfile              on;
  tcp_nopush            on;
  tcp_nodelay           on;
  types_hash_max_size   16384;
  server_tokens         off;

  server_names_hash_bucket_size   128;
  server_name_in_redirect         off;

  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  client_max_body_size  100m;

  ##
  # Cloudflare visitor IP restoration
  ##

  set_real_ip_from  103.21.244.0/22;
  set_real_ip_from  103.22.200.0/22;
  set_real_ip_from  103.31.4.0/22;
  set_real_ip_from  104.16.0.0/12;
  set_real_ip_from  108.162.192.0/18;
  set_real_ip_from  131.0.72.0/22;
  set_real_ip_from  141.101.64.0/18;
  set_real_ip_from  162.158.0.0/15;
  set_real_ip_from  172.64.0.0/13;
  set_real_ip_from  173.245.48.0/20;
  set_real_ip_from  188.114.96.0/20;
  set_real_ip_from  190.93.240.0/20;
  set_real_ip_from  197.234.240.0/22;
  set_real_ip_from  198.41.128.0/17;
  set_real_ip_from  2400:cb00::/32;
  set_real_ip_from  2606:4700::/32;
  set_real_ip_from  2803:f800::/32;
  set_real_ip_from  2405:b500::/32;
  set_real_ip_from  2405:8100::/32;
  set_real_ip_from  2c0f:f248::/32;
  set_real_ip_from  2a06:98c0::/29;

  real_ip_header    CF-Connecting-IP;

  ##
  # SSL Settings
  ##

  ssl_protocols                 TLSv1.3;
  ssl_session_tickets           off;
  ssl_dhparam                   /etc/nginx/dhparam.pem;

  # SSL Cipher suite configuration
  ssl_ciphers                   EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve                secp384r1;
  ssl_prefer_server_ciphers     on;

  # OSCP Experimential configuration
  ssl_stapling                  on;
  ssl_stapling_verify           on;
  resolver                      1.1.1.1 1.0.0.1 valid=300s;
  resolver_timeout              5;

  # Cloudflare Authenticated Origin Pull
  ssl_trusted_certificate       /etc/nginx/origin_ca_ecc_root.pem;
  ssl_client_certificate        /etc/nginx/origin-pull-ca.pem;
  ssl_verify_client             on;

  # SSL session Experimential configuration
  ssl_session_cache             shared:SSL:10m;
  ssl_session_timeout           10m;
  keepalive_timeout             70;

  # Extra HTTP headers for security considerations
  add_header                    Content-Security-Policy             "default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline'; frame-src https: data:; style-src https: 'unsafe-inline'; img-src https: data: blob:; media-src https: data: blob:; font-src https: data:; connect-src https: wss:; child-src https: blob:; object-src 'none'";
  add_header                    Permissions-Policy                  "interest-cohort=()";
  add_header                    Referrer-Policy                     "no-referrer";
  add_header                    Strict-Transport-Security           "max-age=63072000; includeSubDomains; preload";
  add_header                    X-Content-Type-Options              "nosniff";
  add_header                    X-Frame-Options                     "SAMEORIGIN";
  add_header                    X-XSS-Protection                    "1; mode=block";

  ##
  # nginx-specific ModSecurity Connector
  ##

  modsecurity                   on;
  modsecurity_rules_file        /etc/nginx/modsec/main.conf;

  ##
  # Logging Settings
  ##

  access_log                    /var/log/nginx/access.log;
  error_log                     /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  gzip on;

  ##
  # Default catch-all host
  ##

  server{
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    # SSL Certificate configuration
    ssl_certificate      /path/to/certificate.pem;
    ssl_certificate_key  /path/to/certificate.key;

    return 501;
  }

  ##
  # Example PHP website configuration
  ##

  # Default server rule for plain HTTP transport
  # This is to ensure HTTPS-only traffic
  server{
    listen 80;                  # Listen to IPv4 on all interface
    listen [::]:80;             # Listen to IPv6 on all interface
    server_name example.org;

    return 301 https://example.org$request_uri;
  }

  # Main configuration for HTTPS site
  server{
    listen 443 ssl http2;       # Listen to IPv4 with http2 extension on all interface
    listen [::]:443 ssl http2;  # Listen to IPv6 with http2 extension on all interface
    server_name example.org;    # FQDN for the site

    # SSL Certificate configuration
    ssl_certificate      /path/to/fullchain.pem;
    ssl_certificate_key  /path/to/privkey.pem;

    root /path/to/script;                         # Path to script directory
    index index.php index.html index.htm;         # Index filename

    include /etc/nginx/https-fpm.incl;            # HTTPS php-fpm include
  }

  ##
  # Virtual sites and additional configurations
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}
	location ~ \.php$ {
	include /etc/nginx/fastcgi_params;
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
	fastcgi_param HTTPS true;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	}
	##
	# Process settings
	##

	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;
	include /etc/nginx/modules-enabled/*.conf;

	##
	# Extra nginix dynamic modules injection
	##

	#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;

	##
	# nginx Core Configurations
	##

	events {
	worker_connections 1024;
	multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	types_hash_max_size 16384;
	server_tokens off;

	server_names_hash_bucket_size 128;
	server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	client_max_body_size 100m;

	##
	# Cloudflare visitor IP restoration
	##

	set_real_ip_from 103.21.244.0/22;
	set_real_ip_from 103.22.200.0/22;
	set_real_ip_from 103.31.4.0/22;
	set_real_ip_from 104.16.0.0/12;
	set_real_ip_from 108.162.192.0/18;
	set_real_ip_from 131.0.72.0/22;
	set_real_ip_from 141.101.64.0/18;
	set_real_ip_from 162.158.0.0/15;
	set_real_ip_from 172.64.0.0/13;
	set_real_ip_from 173.245.48.0/20;
	set_real_ip_from 188.114.96.0/20;
	set_real_ip_from 190.93.240.0/20;
	set_real_ip_from 197.234.240.0/22;
	set_real_ip_from 198.41.128.0/17;
	set_real_ip_from 2400:cb00::/32;
	set_real_ip_from 2606:4700::/32;
	set_real_ip_from 2803:f800::/32;
	set_real_ip_from 2405:b500::/32;
	set_real_ip_from 2405:8100::/32;
	set_real_ip_from 2c0f:f248::/32;
	set_real_ip_from 2a06:98c0::/29;

	real_ip_header CF-Connecting-IP;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1.3;
	ssl_session_tickets off;
	ssl_dhparam /etc/nginx/dhparam.pem;

	# SSL Cipher suite configuration
	ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
	ssl_ecdh_curve secp384r1;
	ssl_prefer_server_ciphers on;

	# OSCP Experimential configuration
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 valid=300s;
	resolver_timeout 5;

	# Cloudflare Authenticated Origin Pull
	ssl_trusted_certificate /etc/nginx/origin_ca_ecc_root.pem;
	ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
	ssl_verify_client on;

	# SSL session Experimential configuration
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout 70;

	# Extra HTTP headers for security considerations
	add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline'; frame-src https: data:; style-src https: 'unsafe-inline'; img-src https: data: blob:; media-src https: data: blob:; font-src https: data:; connect-src https: wss:; child-src https: blob:; object-src 'none'";
	add_header Permissions-Policy "interest-cohort=()";
	add_header Referrer-Policy "no-referrer";
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Content-Type-Options "nosniff";
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";

	##
	# nginx-specific ModSecurity Connector
	##

	modsecurity on;
	modsecurity_rules_file /etc/nginx/modsec/main.conf;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	##
	# Default catch-all host
	##

	server{
	listen 80;
	listen [::]:80;
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name _;

	# SSL Certificate configuration
	ssl_certificate /path/to/certificate.pem;
	ssl_certificate_key /path/to/certificate.key;

	return 501;
	}

	##
	# Example PHP website configuration
	##

	# Default server rule for plain HTTP transport
	# This is to ensure HTTPS-only traffic
	server{
	listen 80; # Listen to IPv4 on all interface
	listen [::]:80; # Listen to IPv6 on all interface
	server_name example.org;

	return 301 https://example.org$request_uri;
	}

	# Main configuration for HTTPS site
	server{
	listen 443 ssl http2; # Listen to IPv4 with http2 extension on all interface
	listen [::]:443 ssl http2; # Listen to IPv6 with http2 extension on all interface
	server_name example.org; # FQDN for the site

	# SSL Certificate configuration
	ssl_certificate /path/to/fullchain.pem;
	ssl_certificate_key /path/to/privkey.pem;

	root /path/to/script; # Path to script directory
	index index.php index.html index.htm; # Index filename

	include /etc/nginx/https-fpm.incl; # HTTPS php-fpm include
	}

	##
	# Virtual sites and additional configurations
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}