nginx http2 + ssl config for Drupal
# Plain-HTTP listener. Its only job is to send every request to the
# canonical HTTPS origin.
server {
    listen 80;
    #listen [::]:80;

    server_name domain.ru www.domain.ru;

    # Redirect to the canonical host name, not to whatever the client put in
    # the Host header, so a crafted Host cannot turn this into an open
    # redirect. (The original used $server_name, which resolves to the first
    # name above, i.e. domain.ru.)
    return 301 https://domain.ru$request_uri;
}
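# HTTPS listener for the www alias; folds it onto the bare domain so the
# site has a single canonical origin.
server {
    listen 443 ssl http2;
    server_name www.domain.ru;

    # This block terminates TLS for www.domain.ru, so it needs a certificate
    # of its own. Nothing in the config shown provides one for this host;
    # unless ssl_certificate is set at the http{} level, nginx will not accept
    # an "ssl" listener without it. The certificate must cover the www name
    # (SAN or wildcard) — confirm that snippets/domain-signed.conf does.
    include snippets/domain-signed.conf;
    # Same protocol/cipher hardening and security headers as the main host,
    # so the redirect is served over a properly configured TLS session and
    # the www name receives HSTS as well.
    include snippets/ssl-params.conf;

    # $scheme is always "https" here: this is an ssl-only listener.
    return 301 $scheme://domain.ru$request_uri;
}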
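# Main Drupal vhost (canonical host, HTTPS only).
#
# Regex locations are matched in the order written; the first match wins,
# so the deny/return rules below must stay above the PHP handler.
server {
    listen 443 ssl http2 default_server;
    #listen [::]:443 ssl http2;
    server_name domain.ru;

    include snippets/domain-signed.conf;
    include snippets/ssl-params.conf;

    root /var/www/domain.ru;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Never serve the site configuration (contains database credentials).
    location ~ ^/sites/default/settings.php {
        return 403;
    }

    # Source, build and VCS artefacts that must not be downloadable:
    # Drupal code files, SQL dumps, shell scripts, templates, CVS metadata,
    # and anything ending in ".php_" (backup copies of PHP files).
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
        deny all;
    }

    # Text and log files (CHANGELOG.txt and friends leak the exact Drupal
    # version) are visible only from the internal network.
    location ~* \.(txt|log)$ {
        allow 192.168.0.0/16;
        deny all;
    }

    # A ".php" component after a path segment that contains a dot
    # (e.g. /files/image.jpg/x.php) is never a legitimate Drupal script.
    location ~ \..*/.*\.php$ {
        return 403;
    }

    # Private file storage is only ever served through Drupal itself.
    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Defence in depth for the public upload directory: even if a .php file
    # ends up under sites/*/files (misconfigured upload whitelist, a
    # compromised account), it must not be executed. Must precede the
    # \.php(/|$) handler below because regex locations match in order.
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }

    # ACME challenges etc. live under /.well-known; this rule is listed
    # before the hidden-file rule so it wins for that prefix.
    location ~* ^/.well-known/ {
        allow all;
    }

    # Hidden files and directories (.git, .htaccess, .env, ...).
    location ~ (^|/)\. {
        return 403;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    # Fallback used by the image-style and static-asset locations below.
    # NOTE(review): this rewrites to "?q=", the Drupal 7 form; the other
    # locations pass $query_string. Verify which one the installed Drupal
    # version expects.
    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # Composer-managed code is never a web entry point. "return" runs in the
    # rewrite phase, before "deny" is evaluated in the access phase, so the
    # client sees a 404; "deny all" is kept as a belt-and-braces rule.
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }

    # PHP handler. The distribution snippet is expected to split PATH_INFO
    # and to 404 on a non-existent script before anything reaches PHP-FPM;
    # confirm snippets/fastcgi-php.conf does so (try_files ... =404), since
    # that check is what stops path-info tricks against PHP-FPM.
    location ~ \.php(/|$) {
        include snippets/fastcgi-php.conf;
        # Block the "httpoxy" class of attacks: a client-supplied Proxy
        # header must never reach PHP as HTTP_PROXY.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        # Let nginx render PHP error statuses with its own error pages.
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # Image styles are generated on first request by Drupal.
    location ~ ^/sites/.*/files/styles/ {
        try_files $uri @rewrite;
    }

    # Drupal-served private files, with an optional language prefix.
    location ~ ^(/[a-z\-]+)?/system/files/ {
        try_files $uri /index.php?$query_string;
    }

    # Static assets: long cache lifetime, missing files handed to Drupal.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }
}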
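# TLS parameters and security headers, included from every ssl server block.

# Pin the protocol set explicitly. Without this directive nginx uses its
# build-time default, which on older releases still enables TLS 1.0 and 1.1.
# Add TLSv1.3 once the nginx/OpenSSL on the host support it — an unknown
# protocol name is a configuration error on older builds.
ssl_protocols TLSv1.2;
# Default is off; with it on, the server's preference order (AEAD suites
# first) is used rather than the client's.
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# Single curve; newer OpenSSL builds also accept a list (e.g. with X25519).
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/ssl/certs/dh2048.pem;

# Session resumption through the server-side cache only. Tickets are
# disabled because nginx's ticket key is long-lived and would let a later
# key compromise decrypt recorded sessions.
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 12h;

# OCSP stapling. Verification needs the issuer chain: either inside the
# certificate file or via ssl_trusted_certificate (commented out below).
# The resolver is queried over plain DNS; keep the validity window short.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 valid=60s ipv6=on;
resolver_timeout 10s;
#ssl_trusted_certificate /etc/ssl/certs/domain_ru.ca-bundle.pem; # when domain.crt dont contain chain-certs

# Security headers. "always" makes nginx send them on error responses too
# (by default add_header applies only to 2xx/3xx), so 403/404 pages keep
# HSTS and framing protection. Note that add_header is not inherited into a
# location that sets its own add_header; the Drupal vhost above has none,
# so these apply site-wide.
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# Report-only: violations are posted to /csp-report, nothing is blocked.
# The 'unsafe-inline'/'unsafe-eval' allowances mean this policy, even if
# enforced, would not stop script injection; treat it as telemetry only.
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report" always;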