socketz · August 8, 2018 02:57
diff --git a/0_nginx_example_config.md b/0_nginx_example_config.md
diff --git a/1_acme-challenge.conf b/1_acme-challenge.conf
 location ~ /.well-known {
    allow all;
 }

 location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root         /data/nginx/www/.well-known/acme-challenge/;
 }

 location = /.well-known/acme-challenge/ {
    return 404;
 }
diff --git a/2_restrictions.conf b/2_restrictions.conf
 # Global restrictions configuration file.
 # Designed to be included in any server {} block.
 location = /favicon.ico {
        try_files $uri =404;
        log_not_found off;
        access_log off;
 }

 location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
 }

 # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~ /\. {
        deny all;
 }

 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
 }
diff --git a/3_expires.conf b/3_expires.conf
 # Expire rules for static content

 # No default expire rule. This config mirrors that of apache as outlined in the
 # html5-boilerplate .htaccess file. However, nginx applies rules by location,
 # the apache rules are defined by type. A consequence of this difference is that
 # if you use no file extension in the url and serve html, with apache you get an
 # expire time of 0s, with nginx you'd get an expire header of one month in the
 # future (if the default expire rule is 1 month). Therefore, do not use a
 # default expire rule with nginx unless your site is completely static

 # cache.appcache, your document html and data
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
  add_header Cache-Control "max-age=0";
 }

 # Feed
 location ~* \.(?:rss|atom)$ {
  add_header Cache-Control "max-age=3600";
 }

 # Media: images, icons, video, audio, HTC
 location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
  access_log off;
  add_header Cache-Control "max-age=2592000";
  fastcgi_ignore_headers Set-Cookie;
 }

 # Media: svgz files are already compressed.
 location ~* \.svgz$ {
  access_log off;
  gzip off;
  add_header Cache-Control "max-age=2592000";
 }

 # CSS and Javascript
 location ~* \.(?:css|js)$ {
  add_header Cache-Control "max-age=31536000";
  access_log off;
  fastcgi_ignore_headers Set-Cookie;
 }

 # WebFonts
 # If you are NOT using cross-domain-fonts.conf, uncomment the following directive
 location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
 add_header Cache-Control "max-age=2592000";
 access_log off;
 }
diff --git a/4_ssl-params.conf b/4_ssl-params.conf
 # SSLv3 is insecure, but it is required by some payment networks
 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;

 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

 ssl_ecdh_curve secp384r1;
 ssl_session_cache shared:SSL:10m;

 ssl_certificate /data/ssl/example.com/fullchain.pem; # MODIFY
 ssl_certificate_key /data/ssl/example.com/privkey.pem; # MODIFY

 ssl_session_timeout 1440m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org/; # MODIFY
 ssl_trusted_certificate /data/ssl/example.com/chain.pem; # MODIFY
 resolver 8.8.8.8 8.8.4.4 valid=300s; # MODIFY IF YOU WANT
 resolver_timeout 5s;

 # Disable preloading HSTS for now.  You can use the commented out header line that includes
 # the "preload" directive if you understand the implications.
 #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header Referrer-Policy "strict-origin" always;
 add_header X-XSS-Protection "1; mode=block";

 # This CSP is fully working with Pretashop scripts
 add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'self' https:; script-src 'unsafe-inline' 'unsafe-eval' 'self' https:; style-src 'unsafe-inline' 'self' https:";

 ssl_dhparam /data/ssl/certs/dhparam.pem; # MODIFY
diff --git a/5_example.com.conf b/5_example.com.conf
 server {
  listen [::]:80;
  listen 80;

  server_name example.com www.example.com;

  return 301 https://www.example.com$request_uri;
 }

 server {
  listen [::]:443 ssl;
  listen 443 ssl;

  server_name example.com;

  include snippets/ssl-params.conf;

  return 301 https://www.example.com$request_uri;
 }

 server {
    listen [::]:443 ssl deferred;
    listen 443 ssl deferred;


    server_name www.example.com;

    include snippets/ssl-params.conf;

    root /data/nginx/www/prestashop;
    access_log /data/nginx/log/example.com.access.log;
    error_log /data/nginx/log/example.com.error.log;

    index index.php index.html; # Letting nginx know which files to try when requesting a folder
    
    include global/acme-challenge.conf # let's encrypt acme-challenge
    include global/restrictions.conf;
    include global/expires.conf;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";                                             # Do people still use Internet Explorer 6? In that case, disable gzip and hope for the best!
    gzip_vary on;                                                     # Also compress content with other MIME types than "text/html"
    gzip_types application/json text/css application/javascript;      # We only want to compress json, css and js. Compressing images and such isn't worth it
    gzip_proxied any;
    gzip_comp_level 6;                                                # Set desired compression ratio, higher is better compression, but slower
    gzip_buffers 16 8k;                                               # Gzip buffer size
    gzip_http_version 1.0;                                            # Compress every type of HTTP request

    rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$                 /img/p/$1/$1$2$3.jpg last;
    rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$          /img/p/$1/$2/$1$2$3$4.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$   /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$            /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$     /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$          /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$   /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$    /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
    rewrite ^/c/([0-9]+)(-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*.jpg$   /img/c/$1$2.jpg last;
    rewrite ^/c/([a-zA-Z-]+)/[a-zA-Z0-9-]+.jpg$                 /img/c/$1.jpg last;
    rewrite ^/([0-9]+)(-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*.jpg$     /img/c/$1$2.jpg last;
    rewrite ^/images_ie/?([^/]+)\.(jpe?g|png|gif)$              /js/jquery/plugins/fancybox/images/$1.$2 last;
    
    # Spanish Friendly URL's - Replace by yours
    rewrite '^/alertas-email$' /index.php?controller=module-mailalerts-account last;
    rewrite '^/pagina-no-encontrada$' /index.php?controller=pagenotfound last;
    rewrite '^/mas-vendidos$' /index.php?controller=best-sales last;
    rewrite '^/contactenos$' /index.php?controller=contact last;
    rewrite '^/marcas$' /index.php?controller=manufacturer last;
    rewrite '^/nuevos-productos$' /index.php?controller=new-products last;
    rewrite '^/contrasena-olvidado$' /index.php?controller=password last;
    rewrite '^/promocion$' /index.php?controller=prices-drop last;
    rewrite '^/mapa-del-sitio$' /index.php?controller=sitemap last;
    rewrite '^/proveedores$' /index.php?controller=supplier last;
    rewrite '^/direccion$' /index.php?controller=address last;
    rewrite '^/direcciones$' /index.php?controller=addresses last;
    rewrite '^/autenticacion$' /index.php?controller=authentication last;
    rewrite '^/carro-de-la-compra$' /index.php?controller=cart last;
    rewrite '^/descuento$' /index.php?controller=discount last;
    rewrite '^/historial-de-pedidos$' /index.php?controller=history last;
    rewrite '^/identidad$' /index.php?controller=identity last;
    rewrite '^/mi-cuenta$' /index.php?controller=my-account last;
    rewrite '^/devolucion-de-productos$' /index.php?controller=order-follow last;
    rewrite '^/vales$' /index.php?controller=order-slip last;
    rewrite '^/carrito$' /index.php?controller=order last;
    rewrite '^/buscar$' /index.php?controller=search last;
    rewrite '^/tiendas$' /index.php?controller=stores last;
    rewrite '^/pedido-rapido$' /index.php?controller=order-opc last;
    rewrite '^/estado-pedido$' /index.php?controller=guest-tracking last;
    rewrite '^/confirmacion-pedido$' /index.php?controller=order-confirmation last;
    rewrite '^/comparar-productos$' /index.php?controller=products-comparison last;

    if (!-e $request_filename){
        rewrite ^(.*)$ /index.php?q=$1 last;
    }

    location /api {
        rewrite ^/api/(.*)$ /webservice/dispatcher.php?url=$1 break;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        try_files $uri =404;
        fastcgi_keep_conn on;
        fastcgi_index index.php;
        fastcgi_pass php:9000;
        include fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
    }
 }
	location ~ /.well-known {
	allow all;
	}

	location ^~ /.well-known/acme-challenge/ {
	default_type "text/plain";
	root /data/nginx/www/.well-known/acme-challenge/;
	}

	location = /.well-known/acme-challenge/ {
	return 404;
	}
	# Global restrictions configuration file.
	# Designed to be included in any server {} block.
	location = /favicon.ico {
	try_files $uri =404;
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~ /\. {
	deny all;
	}

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}
	# Expire rules for static content

	# No default expire rule. This config mirrors that of apache as outlined in the
	# html5-boilerplate .htaccess file. However, nginx applies rules by location,
	# the apache rules are defined by type. A consequence of this difference is that
	# if you use no file extension in the url and serve html, with apache you get an
	# expire time of 0s, with nginx you'd get an expire header of one month in the
	# future (if the default expire rule is 1 month). Therefore, do not use a
	# default expire rule with nginx unless your site is completely static

	# cache.appcache, your document html and data
	location ~* \.(?:manifest\|appcache\|html?\|xml\|json)$ {
	add_header Cache-Control "max-age=0";
	}

	# Feed
	location ~* \.(?:rss\|atom)$ {
	add_header Cache-Control "max-age=3600";
	}

	# Media: images, icons, video, audio, HTC
	location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|mp4\|ogg\|ogv\|webm\|htc)$ {
	access_log off;
	add_header Cache-Control "max-age=2592000";
	fastcgi_ignore_headers Set-Cookie;
	}

	# Media: svgz files are already compressed.
	location ~* \.svgz$ {
	access_log off;
	gzip off;
	add_header Cache-Control "max-age=2592000";
	}

	# CSS and Javascript
	location ~* \.(?:css\|js)$ {
	add_header Cache-Control "max-age=31536000";
	access_log off;
	fastcgi_ignore_headers Set-Cookie;
	}

	# WebFonts
	# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
	location ~* \.(?:ttf\|ttc\|otf\|eot\|woff\|woff2)$ {
	add_header Cache-Control "max-age=2592000";
	access_log off;
	}
	# SSLv3 is insecure, but it is required by some payment networks
	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;

	ssl_certificate /data/ssl/example.com/fullchain.pem; # MODIFY
	ssl_certificate_key /data/ssl/example.com/privkey.pem; # MODIFY

	ssl_session_timeout 1440m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org/; # MODIFY
	ssl_trusted_certificate /data/ssl/example.com/chain.pem; # MODIFY
	resolver 8.8.8.8 8.8.4.4 valid=300s; # MODIFY IF YOU WANT
	resolver_timeout 5s;

	# Disable preloading HSTS for now. You can use the commented out header line that includes
	# the "preload" directive if you understand the implications.
	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header Referrer-Policy "strict-origin" always;
	add_header X-XSS-Protection "1; mode=block";

	# This CSP is fully working with Pretashop scripts
	add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'self' https:; script-src 'unsafe-inline' 'unsafe-eval' 'self' https:; style-src 'unsafe-inline' 'self' https:";

	ssl_dhparam /data/ssl/certs/dhparam.pem; # MODIFY
	server {
	listen [::]:80;
	listen 80;

	server_name example.com www.example.com;

	return 301 https://www.example.com$request_uri;
	}

	server {
	listen [::]:443 ssl;
	listen 443 ssl;

	server_name example.com;

	include snippets/ssl-params.conf;

	return 301 https://www.example.com$request_uri;
	}

	server {
	listen [::]:443 ssl deferred;
	listen 443 ssl deferred;


	server_name www.example.com;

	include snippets/ssl-params.conf;

	root /data/nginx/www/prestashop;
	access_log /data/nginx/log/example.com.access.log;
	error_log /data/nginx/log/example.com.error.log;

	index index.php index.html; # Letting nginx know which files to try when requesting a folder

	include global/acme-challenge.conf # let's encrypt acme-challenge
	include global/restrictions.conf;
	include global/expires.conf;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6"; # Do people still use Internet Explorer 6? In that case, disable gzip and hope for the best!
	gzip_vary on; # Also compress content with other MIME types than "text/html"
	gzip_types application/json text/css application/javascript; # We only want to compress json, css and js. Compressing images and such isn't worth it
	gzip_proxied any;
	gzip_comp_level 6; # Set desired compression ratio, higher is better compression, but slower
	gzip_buffers 16 8k; # Gzip buffer size
	gzip_http_version 1.0; # Compress every type of HTTP request

	rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$1$2$3.jpg last;
	rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$1$2$3$4.jpg last;
	rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
	rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
	rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
	rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
	rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
	rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
	rewrite ^/c/([0-9]+)(-[_a-zA-Z0-9-])/[_a-zA-Z0-9-].jpg$ /img/c/$1$2.jpg last;
	rewrite ^/c/([a-zA-Z-]+)/[a-zA-Z0-9-]+.jpg$ /img/c/$1.jpg last;
	rewrite ^/([0-9]+)(-[_a-zA-Z0-9-])/[_a-zA-Z0-9-].jpg$ /img/c/$1$2.jpg last;
	rewrite ^/images_ie/?([^/]+)\.(jpe?g\|png\|gif)$ /js/jquery/plugins/fancybox/images/$1.$2 last;

	# Spanish Friendly URL's - Replace by yours
	rewrite '^/alertas-email$' /index.php?controller=module-mailalerts-account last;
	rewrite '^/pagina-no-encontrada$' /index.php?controller=pagenotfound last;
	rewrite '^/mas-vendidos$' /index.php?controller=best-sales last;
	rewrite '^/contactenos$' /index.php?controller=contact last;
	rewrite '^/marcas$' /index.php?controller=manufacturer last;
	rewrite '^/nuevos-productos$' /index.php?controller=new-products last;
	rewrite '^/contrasena-olvidado$' /index.php?controller=password last;
	rewrite '^/promocion$' /index.php?controller=prices-drop last;
	rewrite '^/mapa-del-sitio$' /index.php?controller=sitemap last;
	rewrite '^/proveedores$' /index.php?controller=supplier last;
	rewrite '^/direccion$' /index.php?controller=address last;
	rewrite '^/direcciones$' /index.php?controller=addresses last;
	rewrite '^/autenticacion$' /index.php?controller=authentication last;
	rewrite '^/carro-de-la-compra$' /index.php?controller=cart last;
	rewrite '^/descuento$' /index.php?controller=discount last;
	rewrite '^/historial-de-pedidos$' /index.php?controller=history last;
	rewrite '^/identidad$' /index.php?controller=identity last;
	rewrite '^/mi-cuenta$' /index.php?controller=my-account last;
	rewrite '^/devolucion-de-productos$' /index.php?controller=order-follow last;
	rewrite '^/vales$' /index.php?controller=order-slip last;
	rewrite '^/carrito$' /index.php?controller=order last;
	rewrite '^/buscar$' /index.php?controller=search last;
	rewrite '^/tiendas$' /index.php?controller=stores last;
	rewrite '^/pedido-rapido$' /index.php?controller=order-opc last;
	rewrite '^/estado-pedido$' /index.php?controller=guest-tracking last;
	rewrite '^/confirmacion-pedido$' /index.php?controller=order-confirmation last;
	rewrite '^/comparar-productos$' /index.php?controller=products-comparison last;

	if (!-e $request_filename){
	rewrite ^(.*)$ /index.php?q=$1 last;
	}

	location /api {
	rewrite ^/api/(.*)$ /webservice/dispatcher.php?url=$1 break;
	}

	location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	try_files $uri =404;
	fastcgi_keep_conn on;
	fastcgi_index index.php;
	fastcgi_pass php:9000;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	}
	}