robinwl/vhost.conf

## vhost.conf
server {

  ##
  # Basic config
  ##

  listen      80;
  listen      443 ssl spdy;
  server_name _;

  root        /var/www/public/;
  index       index.php index.html index.htm;

  ##
  # TLS
  ##

  ssl_certificate           /etc/nginx/ssl/server.crt;
  ssl_certificate_key       /etc/nginx/ssl/server.key;
  ssl_dhparam               /etc/nginx/ssl/dhparam.pem;
  ssl_prefer_server_ciphers on;
  ssl_ciphers               'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
  ssl_protocols             TLSv1.2 TLSv1.1 TLSv1;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       10m;
  ssl_stapling              on;
  ssl_stapling_verify       on;
  ssl_buffer_size           1400;

  spdy_headers_comp         0;
  keepalive_timeout         70;
  resolver                  8.8.8.8 8.8.4.4 valid=86400;
  resolver_timeout          10;

  ##
  # Security stuff
  ##
  server_tokens off;

  add_header    Strict-Transport-Security max-age=31536000;
  add_header    X-XSS-Protection "1; mode=block";
  add_header    X-Content-Type-Options nosniff;
  add_header    X-Frame-Options SAMEORIGIN;

  ##
  # Routes
  ##

  location / {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_pass       http://127.0.0.1:8080;
  }

  ##
  # Gzip
  ##

  gzip            on;
  gzip_disable    "msie6";
  gzip_vary       on;
  gzip_types      text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_buffers    16 8k;
  gzip_comp_level 6;
  gzip_proxied    any;

  ##
  # Open file cache
  ##

  open_file_cache          max=10000 inactive=5m;
  open_file_cache_valid    2h;
  open_file_cache_min_uses 1;
  open_file_cache_errors   on;

  ##
  # Serve static content from disk
  ##

  location /files {
    alias      /var/www/public/files/;
    expires    max;
    access_log /var/log/nginx/static.log;
  }


  ##
  # Deny some requests
  ##

  location ~ /\.ht {
    deny all;
  }

}
	server {

	##
	# Basic config
	##

	listen 80;
	listen 443 ssl spdy;
	server_name _;

	root /var/www/public/;
	index index.php index.html index.htm;

	##
	# TLS
	##

	ssl_certificate /etc/nginx/ssl/server.crt;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_buffer_size 1400;

	spdy_headers_comp 0;
	keepalive_timeout 70;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	##
	# Security stuff
	##
	server_tokens off;

	add_header Strict-Transport-Security max-age=31536000;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options nosniff;
	add_header X-Frame-Options SAMEORIGIN;

	##
	# Routes
	##

	location / {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header Host $host;
	proxy_pass http://127.0.0.1:8080;
	}

	##
	# Gzip
	##

	gzip on;
	gzip_disable "msie6";
	gzip_vary on;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
	gzip_buffers 16 8k;
	gzip_comp_level 6;
	gzip_proxied any;

	##
	# Open file cache
	##

	open_file_cache max=10000 inactive=5m;
	open_file_cache_valid 2h;
	open_file_cache_min_uses 1;
	open_file_cache_errors on;

	##
	# Serve static content from disk
	##

	location /files {
	alias /var/www/public/files/;
	expires max;
	access_log /var/log/nginx/static.log;
	}


	##
	# Deny some requests
	##

	location ~ /\.ht {
	deny all;
	}

	}