lcdss · May 23, 2016 02:01
diff --git a/php-nginx-server-config-example b/php-nginx-server-config-example
 ###############################
 # /etc/nginx/nginx.conf
 ###############################

 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;

 events {
 	worker_connections 768;
 	# multi_accept on;
 }

 http {

 	##
 	# Basic Settings
 	##

 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
 	server_tokens off;

 	# server_names_hash_bucket_size 64;
 	# server_name_in_redirect off;

 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;

 	##
 	# SSL Settings
 	##

 	ssl_buffer_size 4k;
 	ssl_protocols TLSv1.2;
 	ssl_prefer_server_ciphers on;
 	ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
 	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 	ssl_session_cache shared:SSL:50m;
 	ssl_session_timeout 5m;
 	ssl_session_tickets on;
 	ssl_session_ticket_key /etc/ssl/session_ticket.key;
 	ssl_dhparam /etc/ssl/dhparam.pem;
 	ssl_stapling on;
 	# ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 	ssl_stapling_verify on;
 	resolver 8.8.8.8 8.8.4.4 valid=300s;
 	resolver_timeout 5s;

 	##
 	# Headers
 	##

 	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
 	add_header X-Frame-Options "DENY" always;
 	add_header X-Content-Type-Options "nosniff" always;
 	add_header X-XSS-Protection "1; mode=block" always;
 	add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://code.jquery.com; img-src 'self' https://ghost.org; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; form-action 'self'";

 	##
 	# Logging Settings
 	##

 	access_log /var/log/nginx/access.log;
 	error_log /var/log/nginx/error.log;

 	##
 	# Gzip Settings
 	##

 	gzip on;
 	gzip_disable "msie6";

 	# gzip_vary on;
 	# gzip_proxied any;
 	# gzip_comp_level 6;
 	# gzip_buffers 16 8k;
 	# gzip_http_version 1.1;
 	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

 	##
 	# Virtual Host Configs
 	##

 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 }

 #mail {
 #	# See sample authentication script at:
 #	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
 #
 #	# auth_http localhost/auth.php;
 #	# pop3_capabilities "TOP" "USER";
 #	# imap_capabilities "IMAP4rev1" "UIDPLUS";
 #
 #	server {
 #		listen     localhost:110;
 #		protocol   pop3;
 #		proxy      on;
 #	}
 #
 #	server {
 #		listen     localhost:143;
 #		protocol   imap;
 #		proxy      on;
 #	}
 #}

 ########################################
 # /etc/nginx/sites-available/default
 ########################################

 server {
 	listen 80;
 	server_name domain.com;
 	return 301 https://www.$server_name$request_uri;
 }

 server {
 	listen 443 ssl http2;
 	server_name domain.com;
 	return 301 $scheme://www.$server_name$request_uri;
 }

 server {
 	listen 443 ssl http2;
 	server_name www.domain.com;
 	root /var/www/domain.com/public;
 	index index.php;

 	location / {
 		try_files $uri $uri/ /index.php?$query_string;
 	}

 	location = /favicon.ico { access_log off; log_not_found off; }
 	location = /robots.txt  { access_log off; log_not_found off; }

 	location ~ \.php$ {
 		include snippets/fastcgi-php.conf;
 	}

 	location ~ /\.ht {
 		deny all;
 	}
 }

 server {
 	listen 80;
  server_name status.domain.com;
  return 301 https://$server_name$request_uri;
 }

 server {
 	listen 443 ssl http2;
  server_name status.domain.com;
 	root /var/www/cachet/public;
 	index index.php;

 	location / {
    try_files $uri $uri/ /index.php?$query_string;
 	}

 	location = /favicon.ico { access_log off; log_not_found off; }
 	location = /robots.txt  { access_log off; log_not_found off; }

 	location ~ \.php$ {
  	include snippets/fastcgi-php.conf;
 	}

 	location ~ /\.ht {
    deny all;
 	}
 }

 server {
  listen 80;
  server_name pma.domain.com;
  return 301 https://$server_name$request_uri;
 }

 server {
  listen 443 ssl http2;
  server_name pma.domain.com;
  root /var/www/phpmyadmin;
  index index.php;

  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }

  location = /favicon.ico { access_log off; log_not_found off; }
  location = /robots.txt  { access_log off; log_not_found off; }

  location ~ \.php$ {
  	include snippets/fastcgi-php.conf;
 	}

 	location ~ /\.ht {
 		deny all;
 	}
 }

 server {
 	listen 80;
 	server_name bootstrap.domain.com;
 	root /var/www/bootstrap/docs/_site;
 	index index.html;

 	rewrite ^(.+)/+$ $1;
 	rewrite ^(.+)/index.html$ $1;

 	location / {
 		try_files $uri/index.html $uri $uri.html =404;
 	}
 }

 ##############################
 # /etc/nginx/snippets/fastcgi-php.conf
 ##############################

 # regex to split $uri to $fastcgi_script_name and $fastcgi_path
 fastcgi_split_path_info ^(.+\.php)(/.+)$;

 # Check that the PHP script exists before passing it
 try_files $uri /index.php =404;

 # Bypass the fact that try_files resets $fastcgi_path_info
 # see: http://trac.nginx.org/nginx/ticket/321
 set $path_info $fastcgi_path_info;
 fastcgi_param PATH_INFO $path_info;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

 fastcgi_pass unix:/run/php/php7.0-fpm.sock;

 fastcgi_index index.php;
	###############################
	# /etc/nginx/nginx.conf
	###############################

	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;

	events {
	worker_connections 768;
	# multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_buffer_size 4k;
	ssl_protocols TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;
	ssl_session_tickets on;
	ssl_session_ticket_key /etc/ssl/session_ticket.key;
	ssl_dhparam /etc/ssl/dhparam.pem;
	ssl_stapling on;
	# ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	##
	# Headers
	##

	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
	add_header X-Frame-Options "DENY" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://code.jquery.com; img-src 'self' https://ghost.org; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; form-action 'self'";

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}

	#mail {
	# # See sample authentication script at:
	# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
	#
	# # auth_http localhost/auth.php;
	# # pop3_capabilities "TOP" "USER";
	# # imap_capabilities "IMAP4rev1" "UIDPLUS";
	#
	# server {
	# listen localhost:110;
	# protocol pop3;
	# proxy on;
	# }
	#
	# server {
	# listen localhost:143;
	# protocol imap;
	# proxy on;
	# }
	#}

	########################################
	# /etc/nginx/sites-available/default
	########################################

	server {
	listen 80;
	server_name domain.com;
	return 301 https://www.$server_name$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name domain.com;
	return 301 $scheme://www.$server_name$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name www.domain.com;
	root /var/www/domain.com/public;
	index index.php;

	location / {
	try_files $uri $uri/ /index.php?$query_string;
	}

	location = /favicon.ico { access_log off; log_not_found off; }
	location = /robots.txt { access_log off; log_not_found off; }

	location ~ \.php$ {
	include snippets/fastcgi-php.conf;
	}

	location ~ /\.ht {
	deny all;
	}
	}

	server {
	listen 80;
	server_name status.domain.com;
	return 301 https://$server_name$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name status.domain.com;
	root /var/www/cachet/public;
	index index.php;

	location / {
	try_files $uri $uri/ /index.php?$query_string;
	}

	location = /favicon.ico { access_log off; log_not_found off; }
	location = /robots.txt { access_log off; log_not_found off; }

	location ~ \.php$ {
	include snippets/fastcgi-php.conf;
	}

	location ~ /\.ht {
	deny all;
	}
	}

	server {
	listen 80;
	server_name pma.domain.com;
	return 301 https://$server_name$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name pma.domain.com;
	root /var/www/phpmyadmin;
	index index.php;

	location / {
	try_files $uri $uri/ /index.php?$query_string;
	}

	location = /favicon.ico { access_log off; log_not_found off; }
	location = /robots.txt { access_log off; log_not_found off; }

	location ~ \.php$ {
	include snippets/fastcgi-php.conf;
	}

	location ~ /\.ht {
	deny all;
	}
	}

	server {
	listen 80;
	server_name bootstrap.domain.com;
	root /var/www/bootstrap/docs/_site;
	index index.html;

	rewrite ^(.+)/+$ $1;
	rewrite ^(.+)/index.html$ $1;

	location / {
	try_files $uri/index.html $uri $uri.html =404;
	}
	}

	##############################
	# /etc/nginx/snippets/fastcgi-php.conf
	##############################

	# regex to split $uri to $fastcgi_script_name and $fastcgi_path
	fastcgi_split_path_info ^(.+\.php)(/.+)$;

	# Check that the PHP script exists before passing it
	try_files $uri /index.php =404;

	# Bypass the fact that try_files resets $fastcgi_path_info
	# see: http://trac.nginx.org/nginx/ticket/321
	set $path_info $fastcgi_path_info;
	fastcgi_param PATH_INFO $path_info;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

	fastcgi_pass unix:/run/php/php7.0-fpm.sock;

	fastcgi_index index.php;