andybeak · March 17, 2016 12:33
diff --git a/nginx_laravel.conf b/nginx_laravel.conf
 # Read  
 #       http://wiki.nginx.org/Pitfalls
 #       http://wiki.nginx.org/QuickStart#       
 #       http://tautt.com/best-nginx-configuration-for-security/
 #
 #       Generate your key with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
 #       Generate certificate: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
 
 server_tokens off;
 
 server {
 
    listen [::]:80 default_server;
    listen 80;

    root /usr/share/nginx/html/;
    index index.php;

    # http://www.gnuterrypratchett.com/#nginx
    add_header X-Clacks-Overhead "GNU Terry Pratchett"; 
    
    # mitigate clickjacking
    add_header X-Frame-Options SAMEORIGIN;
    
    location / {        
        # include /etc/nginx/naxsi.rules;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
     
    # Do not log favicon.ico requests
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    # Do not log robots.txt requests
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
 
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|txt|woff)$ {
        expires max;
        log_not_found off;
    }
     
    # Redirect 403 errors to 404 error to fool attackers
    error_page 403 = 404;
 
    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
        deny all;
    }
 
     location ~ \.php$ {

        try_files $uri =404;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        include         fastcgi_params;
        fastcgi_keep_conn on;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param   SERVER_NAME $host;
        fastcgi_pass    unix:/var/run/php5-fpm.sock;
 	      fastcgi_read_timeout 600;
        fastcgi_param   PHP_VALUE "memory_limit = 4096M";
 #	      fastcgi_pass   127.0.0.1:9001;      #for hiphop
    }

 }
	# Read
	# http://wiki.nginx.org/Pitfalls
	# http://wiki.nginx.org/QuickStart#
	# http://tautt.com/best-nginx-configuration-for-security/
	#
	# Generate your key with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
	# Generate certificate: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

	server_tokens off;

	server {

	listen [::]:80 default_server;
	listen 80;

	root /usr/share/nginx/html/;
	index index.php;

	# http://www.gnuterrypratchett.com/#nginx
	add_header X-Clacks-Overhead "GNU Terry Pratchett";

	# mitigate clickjacking
	add_header X-Frame-Options SAMEORIGIN;

	location / {
	# include /etc/nginx/naxsi.rules;
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	# Do not log favicon.ico requests
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	# Do not log robots.txt requests
	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|txt\|woff)$ {
	expires max;
	log_not_found off;
	}

	# Redirect 403 errors to 404 error to fool attackers
	error_page 403 = 404;

	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~ /\. {
	deny all;
	}

	location ~ \.php$ {

	try_files $uri =404;

	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	if (!-f $document_root$fastcgi_script_name) {
	return 404;
	}

	include fastcgi_params;
	fastcgi_keep_conn on;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param SERVER_NAME $host;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_read_timeout 600;
	fastcgi_param PHP_VALUE "memory_limit = 4096M";
	# fastcgi_pass 127.0.0.1:9001; #for hiphop
	}

	}