spamguy/dipl.io.conf

## dipl.io.conf
server {
	listen 80 default_server;
	listen [::]:80 default_server ipv6only=on;
	server_name www.dipl.io dipl.io;
	return 301 https://dipl.io$request_uri;
}

server {
    listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name dipl.io;
	root /var/www/html/diplio/client;
	index index.php index.html index.htm;
	error_log /var/log/nginx/error.log debug;
	access_log /var/log/nginx/access.log;

	location / {
            add_header          Pragma "no-cache";
            add_header          Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
            expires             -1;

            proxy_set_header    Upgrade $http_upgrade;
            proxy_set_header    Connection "upgrade";
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    Host $host;

            try_files $uri $uri/ /index.html;
	}

	location ~ /\. { deny all; }

	add_header Strict-Transport-Security "max-age=63072000";
	add_header X-Frame-Options DENY;

	ssl on;

	ssl_certificate /etc/letsencrypt/live/dipl.io/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/dipl.io/privkey.pem;

	ssl_session_cache shared:SSL:100m;
	ssl_session_timeout 24h;
	ssl_session_tickets on;
	ssl_session_ticket_key /etc/nginx/ssl/ticket.key;

	# Slightly weaker with a smaller generation,
	# but faster and fixes some IE, especially on mobiles.
	# ssl_ecdh_curve secp384r1;
	ssl_ecdh_curve secp521r1;

	ssl_dhparam /etc/nginx/ssl/dhparam4.pem;

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/dipl.io/fullchain.pem;
	# Google DNS, Open DNS, Dyn DNS
	resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
	resolver_timeout 3s;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	# Nginx for Intermediate Browsers
	# Grade A-
	# 90 % Security
	# High Compatibility
	# - No Java 6 (No DH parameters > 1024 bits)
	# - No IE 6
	# Some Forward Secrecy
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
	server {
	listen 80 default_server;
	listen [::]:80 default_server ipv6only=on;
	server_name www.dipl.io dipl.io;
	return 301 https://dipl.io$request_uri;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name dipl.io;
	root /var/www/html/diplio/client;
	index index.php index.html index.htm;
	error_log /var/log/nginx/error.log debug;
	access_log /var/log/nginx/access.log;

	location / {
	add_header Pragma "no-cache";
	add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
	expires -1;

	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $host;

	try_files $uri $uri/ /index.html;
	}

	location ~ /\. { deny all; }

	add_header Strict-Transport-Security "max-age=63072000";
	add_header X-Frame-Options DENY;

	ssl on;

	ssl_certificate /etc/letsencrypt/live/dipl.io/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/dipl.io/privkey.pem;

	ssl_session_cache shared:SSL:100m;
	ssl_session_timeout 24h;
	ssl_session_tickets on;
	ssl_session_ticket_key /etc/nginx/ssl/ticket.key;

	# Slightly weaker with a smaller generation,
	# but faster and fixes some IE, especially on mobiles.
	# ssl_ecdh_curve secp384r1;
	ssl_ecdh_curve secp521r1;

	ssl_dhparam /etc/nginx/ssl/dhparam4.pem;

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/dipl.io/fullchain.pem;
	# Google DNS, Open DNS, Dyn DNS
	resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
	resolver_timeout 3s;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	# Nginx for Intermediate Browsers
	# Grade A-
	# 90 % Security
	# High Compatibility
	# - No Java 6 (No DH parameters > 1024 bits)
	# - No IE 6
	# Some Forward Secrecy
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	}