default-nginx-vhost.conf

# Default nginx vhost configuration
#
server {
	listen 80;
	listen [::]:80;

	# Change server_name to real (sub-)domain name of web site.
	server_name vhost.domain.org;

	# Rule for legitimate ACME Challenge requests
	location ^~ /.well-known/acme-challenge/ {
		default_type "text/plain";
		# this can be any directory, but this name keeps it clear
		root /var/www/letsencrypt;
	}

	# Hide /acme-challenge subdirectory and return 404 on all requests.
	# It is somewhat more secure than letting Nginx return 403.
	# Ending slash is important!
	location = /.well-known/acme-challenge/ {
		return 404;
	}

	# Redirect all other requests to https.
	location / {
		return 301 https://$server_name$request_uri;
	}
}

server {
	# SSL configuration

	listen 443 ssl;
	listen [::]:443 ssl;

	# Change server_name to real (sub-)domain name of web site.
	server_name vhost.domain.org;

	# Change server_name to real (sub-)domain name of web site.
	ssl_certificate /etc/letsencrypt/live/vhost.domain.org/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/vhost.domain.org/privkey.pem;

	root /var/www/vhost.domain.org/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;

		# With php-fpm (or other unix sockets):
		fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
	}

	location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|ttc|otf|eot|woff|woff2)$ {
		expires modified 30d;
		add_header Pragma public;
		add_header Cache-Control "public";
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	location ~ /\.ht {
		deny all;
	}
}