siberex/https.conf

## https.conf
# You can also try SSL Configuration Generator from Mozilla:
# https://mozilla.github.io/server-side-tls/ssl-config-generator/

# ! For HTTP2 with proper ALPN support, please use OpenSSL 1.0.2 or newer

# limit_conn_zone $binary_remote_addr zone=perip:20m;

# HTTP redirect
server {
    listen              80;
    server_name         example.com;
    # limit_conn        perip   20;
    return              301     https://example.com$request_uri;
}

# HTTPS
server {
    listen              443 ssl http2;

    server_name         example.com;
    root                /path/to/your/http/public;

    ssl                 on;
    ssl_certificate_key /.key;
    # Don’t forget to add intermediates to certificate file
    ssl_certificate     /.crt;

    # CA+intermediate bundle (Godaddy: gd_bundle-g2-g1.crt)
    ssl_trusted_certificate /.ca.im.bundle.crt;

    # openssl dhparam -out dhparam.pem 4096
    ssl_dhparam         /.dhparam.pem;

    # https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
    ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache   shared:SSL:10m;

    # https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
    # https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver            8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout    10s;

    ssl_prefer_server_ciphers on;

    ssl_session_timeout 24h;

    # http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
    keepalive_timeout   30;

    # HSTS
    # Only if ALL subdomains are served over https all the time:
    # add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    # 31536000 = year = 365 * 24 * 60 * 60
    add_header Strict-Transport-Security "max-age=31536000; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
    ssl_buffer_size     4k;


    # Couple of useful options
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    aio             threads;
    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;
    sendfile_max_chunk 512k;


    # site root is redirected to the app boot script
    location = / {
        try_files @site @site;
    }

    # all other locations try other files first and go to our front controller if none of them exists
    location / {
        try_files $uri $uri/ @site;
    }

    location @site {
        include         fastcgi_params;
        fastcgi_param   APP_ENV         production;

        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root/index.php;

        fastcgi_param   PATH_INFO       $document_uri;
        fastcgi_param   SCRIPT_NAME     index.php;

        fastcgi_pass    unix:/var/run/php5-fpm.sock;

        fastcgi_param	HTTPS			$https if_not_empty;

        internal;
    }
}
	# You can also try SSL Configuration Generator from Mozilla:
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/

	# ! For HTTP2 with proper ALPN support, please use OpenSSL 1.0.2 or newer

	# limit_conn_zone $binary_remote_addr zone=perip:20m;

	# HTTP redirect
	server {
	listen 80;
	server_name example.com;
	# limit_conn perip 20;
	return 301 https://example.com$request_uri;
	}

	# HTTPS
	server {
	listen 443 ssl http2;

	server_name example.com;
	root /path/to/your/http/public;

	ssl on;
	ssl_certificate_key /.key;
	# Don’t forget to add intermediates to certificate file
	ssl_certificate /.crt;

	# CA+intermediate bundle (Godaddy: gd_bundle-g2-g1.crt)
	ssl_trusted_certificate /.ca.im.bundle.crt;

	# openssl dhparam -out dhparam.pem 4096
	ssl_dhparam /.dhparam.pem;

	# https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_session_cache shared:SSL:10m;

	# https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
	# https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 10s;

	ssl_prefer_server_ciphers on;

	ssl_session_timeout 24h;

	# http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
	keepalive_timeout 30;

	# HSTS
	# Only if ALL subdomains are served over https all the time:
	# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
	# 31536000 = year = 365 * 24 * 60 * 60
	add_header Strict-Transport-Security "max-age=31536000; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
	ssl_buffer_size 4k;



	# Couple of useful options
	gzip on;
	gzip_disable "msie6";
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 8;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	aio threads;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	sendfile_max_chunk 512k;


	# site root is redirected to the app boot script
	location = / {
	try_files @site @site;
	}

	# all other locations try other files first and go to our front controller if none of them exists
	location / {
	try_files $uri $uri/ @site;
	}

	location @site {
	include fastcgi_params;
	fastcgi_param APP_ENV production;

	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root/index.php;

	fastcgi_param PATH_INFO $document_uri;
	fastcgi_param SCRIPT_NAME index.php;

	fastcgi_pass unix:/var/run/php5-fpm.sock;

	fastcgi_param HTTPS $https if_not_empty;

	internal;
	}
	}