samsulmaarif · February 27, 2019 15:29 · samsulmaarif · Feb 27, 2019
diff --git a/nginx-situsku.conf b/nginx-situsku.conf
 server {
   listen 80;
   server_name www.websiteku.id websiteku.id;
   rewrite ^ https://websiteku.id/$1 permanent;
   #root /home/situs/websiteku;
   location / {
           try_files $uri $uri/ =404;
   }
 }

 server {
    listen 443 ssl http2;

    root /home/situs/websiteku;

    index index.php index.html index.htm index.nginx-debian.html;

    server_name www.websiteku.id websiteku.id;
    error_page 401 403 404 /404.html;
    access_log /var/log/nginx/websiteku.id-access.log;
    error_log /var/log/nginx/websiteku.id-error.log;
    ssl on;

    #### Certificate ####
    ssl_certificate /home/situs/ssl/fullchain.cer;
    ssl_certificate_key /home/situs/ssl/websiteku.id.key;
    ssl_trusted_certificate /home/situs/ssl/ca.cer;
    ssl_dhparam /home/situs/ssl/dhparam/dhparam.pem;
    #### Certificate ####

    ssl_protocols TLSv1.2; ### disable SSLv3, TLSv1.1, and TLSv1
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            include fastcgi.conf;
            include proxy_params;
            fastcgi_intercept_errors on;
            fastcgi_pass 127.0.0.1:9001;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param  QUERY_STRING     $query_string;
            fastcgi_param  REQUEST_METHOD   $request_method;
            fastcgi_param  CONTENT_TYPE     $content_type;
            fastcgi_param  CONTENT_LENGTH   $content_length;
            #fastcgi_intercept_errors        on;
            fastcgi_ignore_client_abort     off;
            fastcgi_connect_timeout 600;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 900;
            fastcgi_buffer_size 512000k;
            fastcgi_buffers 4 256000k;
            fastcgi_busy_buffers_size 512000k;
            fastcgi_temp_file_write_size  1024000k;
            #client_max_body_size 50M;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
    #        log_not_found off;
    }


    location ~ /\.ht {
            deny all;
    }

    if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 444;
    }
    if ($blockedagent = 1) {
            return 403;
    }
 }
diff --git a/nginx.conf b/nginx.conf
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;

 events {
 	worker_connections 768;
 	# multi_accept on;
 }

 http {

 	##
 	# Basic Settings
 	##

 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
 	server_tokens off;

 	# server_names_hash_bucket_size 64;
 	# server_name_in_redirect off;

 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;

 	##
 	# SSL Settings
 	##

 	ssl_protocols TLSv1.2; # Dropping SSLv3, TLSv1, TLS1.1, ref: POODLE
 	ssl_prefer_server_ciphers on;

 	##
 	# Logging Settings
 	##

 	log_format netdata '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '$request_length $request_time $upstream_response_time '
                      '"$http_referer" "$http_user_agent"';

 	access_log /var/log/nginx/access.log netdata;
 	error_log /var/log/nginx/error.log;

 	##
 	# Gzip Settings
 	##

 	gzip on;
 	gzip_disable "msie6";

 	gzip_vary on;
 	gzip_proxied any;
 	gzip_comp_level 6;
 	gzip_buffers 16 8k;
 	gzip_http_version 1.1;
 	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

 	##
 	# Virtual Host Configs
 	##

 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 }
	server {
	listen 80;
	server_name www.websiteku.id websiteku.id;
	rewrite ^ https://websiteku.id/$1 permanent;
	#root /home/situs/websiteku;
	location / {
	try_files $uri $uri/ =404;
	}
	}

	server {
	listen 443 ssl http2;

	root /home/situs/websiteku;

	index index.php index.html index.htm index.nginx-debian.html;

	server_name www.websiteku.id websiteku.id;
	error_page 401 403 404 /404.html;
	access_log /var/log/nginx/websiteku.id-access.log;
	error_log /var/log/nginx/websiteku.id-error.log;
	ssl on;

	#### Certificate ####
	ssl_certificate /home/situs/ssl/fullchain.cer;
	ssl_certificate_key /home/situs/ssl/websiteku.id.key;
	ssl_trusted_certificate /home/situs/ssl/ca.cer;
	ssl_dhparam /home/situs/ssl/dhparam/dhparam.pem;
	#### Certificate ####

	ssl_protocols TLSv1.2; ### disable SSLv3, TLSv1.1, and TLSv1
	ssl_prefer_server_ciphers on;

	ssl_session_cache shared:SSL:10m;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	location / {
	try_files $uri $uri/ /index.php?$args;
	}

	location ~ \.php$ {
	include snippets/fastcgi-php.conf;
	include fastcgi.conf;
	include proxy_params;
	fastcgi_intercept_errors on;
	fastcgi_pass 127.0.0.1:9001;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param QUERY_STRING $query_string;
	fastcgi_param REQUEST_METHOD $request_method;
	fastcgi_param CONTENT_TYPE $content_type;
	fastcgi_param CONTENT_LENGTH $content_length;
	#fastcgi_intercept_errors on;
	fastcgi_ignore_client_abort off;
	fastcgi_connect_timeout 600;
	fastcgi_send_timeout 300;
	fastcgi_read_timeout 900;
	fastcgi_buffer_size 512000k;
	fastcgi_buffers 4 256000k;
	fastcgi_busy_buffers_size 512000k;
	fastcgi_temp_file_write_size 1024000k;
	#client_max_body_size 50M;
	}

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico)$ {
	expires max;
	# log_not_found off;
	}


	location ~ /\.ht {
	deny all;
	}

	if ($request_method !~ ^(GET\|HEAD\|POST)$) {
	return 444;
	}
	if ($blockedagent = 1) {
	return 403;
	}
	}
	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;

	events {
	worker_connections 768;
	# multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1.2; # Dropping SSLv3, TLSv1, TLS1.1, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	log_format netdata '$remote_addr - $remote_user [$time_local] '
	'"$request" $status $body_bytes_sent '
	'$request_length $request_time $upstream_response_time '
	'"$http_referer" "$http_user_agent"';

	access_log /var/log/nginx/access.log netdata;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}