naagaraa/nginx.vhost.template.php8.2.conf

## nginx.vhost.template.php8.2.conf
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# Server block for each website or application
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name SITE_DOMAIN;
    root /var/www/html/PROJECT_DIR/public/;
    client_max_body_size 1024M;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # Implement Referrer Policy
    # Control how much referrer information is sent with requests.
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # Prevent Clickjacking
    # use the X-Frame-Options header to prevent your site from being included in an iframe on another site.
    add_header X-Frame-Options "DENY";

    # Implement Content Security Policy (CSP)
    # CSP helps prevent XSS attacks by defining content sources that the browser is allowed to load. Add a CSP header to your server blocks.
    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";

    # Enable Strict Transport Security (HSTS):
    # HSTS ensures that web browsers interact with your site only over HTTPS, improving security.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Enable Public Key Pinning (HPKP):
    # HPKP associates a specific cryptographic public key with a particular web server to prevent man-in-the-middle attacks with fraudulent certificates.
    add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains; preload';

    # ssl_protocols TLSv1.2;
    # public certificate
    ssl_certificate /etc/ssl/SITE_DOMAIN/selfsigned.crt;

    # CA bundle
    # enable and modify when required
    # ssl_trusted_certificate /etc/ssl/SITE_DOMAIN/ca_bundle.crt;

    # private key
    ssl_certificate_key /etc/ssl/SITE_DOMAIN/selfsigned.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # ssl
    ssl_dhparam /etc/ssl/dhparams-2048.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Enable OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    index index.html index.htm index.php;

    charset utf-8;

    # web access log
    access_log /var/log/nginx/SITE_DOMAIN.access.log;
    error_log /var/log/nginx/SITE_DOMAIN.error.log;

    # root
    location / {
        # rate limiting
        limit_req zone=one burst=5 nodelay;
        try_files $uri $uri/ /index.php?$query_string;
    }

    # octane
    #location @octane {
    #    set $suffix "";
    #
    #    if ($uri = /index.php) {
    #        set $suffix ?$query_string;
    #    }
    #
    #    proxy_http_version 1.1;
    #    proxy_set_header Host $http_host;
    #    proxy_set_header Scheme $scheme;
    #    proxy_set_header SERVER_PORT $server_port;
    #    proxy_set_header REMOTE_ADDR $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_set_header Upgrade $http_upgrade;
    #    proxy_set_header Connection $connection_upgrade;
    #
    #    proxy_pass http://127.0.0.1:8000$suffix;
    #}

    # restrict http methods
    if ($request_method !~ ^(GET|POST|PUT|DELETE|HEAD|OPTIONS)$) {
        return 405;
    }

    error_page 404 /index.php;

    # php
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;

        try_files $uri =404;
        include fastcgi_params;

        # fastcgi caching
        fastcgi_index index.php;
        # fastcgi_buffers     8 16k;
        # fastcgi_buffer_size 32k;

        # FastCGI caching configuration
        # fastcgi_cache my_cache;
        fastcgi_cache_valid 200 301 302 5m;
        fastcgi_cache_methods GET HEAD;
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;
        fastcgi_cache_key $scheme$request_method$host$request_uri;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 3600;
    }

    # well know
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # favicon
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    # robots
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 1d;
        access_log off;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 7d;
        access_log off;
    }

    # fix livewire
    location = /livewire/livewire.js {
        expires off;
        try_files $uri $uri/ /index.php?$query_string;
    }
}
	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	# Server block for each website or application
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name SITE_DOMAIN;
	root /var/www/html/PROJECT_DIR/public/;
	client_max_body_size 1024M;

	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options "nosniff";

	# Implement Referrer Policy
	# Control how much referrer information is sent with requests.
	add_header Referrer-Policy "strict-origin-when-cross-origin";

	# Prevent Clickjacking
	# use the X-Frame-Options header to prevent your site from being included in an iframe on another site.
	add_header X-Frame-Options "DENY";

	# Implement Content Security Policy (CSP)
	# CSP helps prevent XSS attacks by defining content sources that the browser is allowed to load. Add a CSP header to your server blocks.
	# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";

	# Enable Strict Transport Security (HSTS):
	# HSTS ensures that web browsers interact with your site only over HTTPS, improving security.
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

	# Enable Public Key Pinning (HPKP):
	# HPKP associates a specific cryptographic public key with a particular web server to prevent man-in-the-middle attacks with fraudulent certificates.
	add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains; preload';

	# ssl_protocols TLSv1.2;
	# public certificate
	ssl_certificate /etc/ssl/SITE_DOMAIN/selfsigned.crt;

	# CA bundle
	# enable and modify when required
	# ssl_trusted_certificate /etc/ssl/SITE_DOMAIN/ca_bundle.crt;

	# private key
	ssl_certificate_key /etc/ssl/SITE_DOMAIN/selfsigned.key;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers off;

	# ssl
	ssl_dhparam /etc/ssl/dhparams-2048.pem;

	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 1d;
	ssl_session_tickets off;

	# Enable OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	index index.html index.htm index.php;

	charset utf-8;

	# web access log
	access_log /var/log/nginx/SITE_DOMAIN.access.log;
	error_log /var/log/nginx/SITE_DOMAIN.error.log;

	# root
	location / {
	# rate limiting
	limit_req zone=one burst=5 nodelay;
	try_files $uri $uri/ /index.php?$query_string;
	}

	# octane
	#location @octane {
	# set $suffix "";
	#
	# if ($uri = /index.php) {
	# set $suffix ?$query_string;
	# }
	#
	# proxy_http_version 1.1;
	# proxy_set_header Host $http_host;
	# proxy_set_header Scheme $scheme;
	# proxy_set_header SERVER_PORT $server_port;
	# proxy_set_header REMOTE_ADDR $remote_addr;
	# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	# proxy_set_header Upgrade $http_upgrade;
	# proxy_set_header Connection $connection_upgrade;
	#
	# proxy_pass http://127.0.0.1:8000$suffix;
	#}

	# restrict http methods
	if ($request_method !~ ^(GET\|POST\|PUT\|DELETE\|HEAD\|OPTIONS)$) {
	return 405;
	}

	error_page 404 /index.php;

	# php
	location ~ \.php$ {
	fastcgi_pass unix:/run/php/php8.2-fpm.sock;

	try_files $uri =404;
	include fastcgi_params;

	# fastcgi caching
	fastcgi_index index.php;
	# fastcgi_buffers 8 16k;
	# fastcgi_buffer_size 32k;

	# FastCGI caching configuration
	# fastcgi_cache my_cache;
	fastcgi_cache_valid 200 301 302 5m;
	fastcgi_cache_methods GET HEAD;
	fastcgi_cache_bypass $no_cache;
	fastcgi_no_cache $no_cache;
	fastcgi_cache_key $scheme$request_method$host$request_uri;

	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_read_timeout 3600;
	}

	# well know
	location ~ /\.(?!well-known).* {
	deny all;
	}

	# favicon
	location = /favicon.ico {
	access_log off;
	log_not_found off;
	}

	# robots
	location = /robots.txt {
	access_log off;
	log_not_found off;
	}

	# assets, media
	location ~* \.(?:css(\.map)?\|js(\.map)?\|jpe?g\|png\|gif\|ico\|cur\|heic\|webp\|tiff?\|mp3\|m4a\|aac\|ogg\|midi?\|wav\|mp4\|mov\|webm\|mpe?g\|avi\|ogv\|flv\|wmv)$ {
	expires 1d;
	access_log off;
	}

	# svg, fonts
	location ~* \.(?:svgz?\|ttf\|ttc\|otf\|eot\|woff2?)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 7d;
	access_log off;
	}

	# fix livewire
	location = /livewire/livewire.js {
	expires off;
	try_files $uri $uri/ /index.php?$query_string;
	}
	}