vmari · February 12, 2019 15:35
diff --git a/nginx ssl proxy letsencrypt conf symfony b/nginx ssl proxy letsencrypt conf symfony
 server {
        listen 80;
        server_name site.com;
        return 301 https://$server_name$request_uri;
 }

 server {
        listen 443 ssl http2;

        root /var/www/html;
 	      rewrite_log on;
        server_name site.com;
 	      client_max_body_size 55M;
 	      index index.php index.html;

        ssl_certificate     /etc/letsencrypt/live/site.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

 # Improve HTTPS performance with session resumption
  	ssl_session_cache shared:SSL:10m;
  	ssl_session_timeout 5m;

 	# Enable server-side protection against BEAST attacks
  	ssl_prefer_server_ciphers on;
 	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
  		
  	# Disable SSLv3
  	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    	# Diffie-Hellman parameter for DHE ciphersuites
        # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    	ssl_dhparam /etc/ssl/certs/dhparam.pem;

 	# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
 	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";  

  	# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
  	ssl_stapling on;
  	ssl_stapling_verify on;
  	ssl_trusted_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
  	resolver 8.8.8.8 8.8.4.4 valid=300s;
  	resolver_timeout 5s;

 # Required for LE certificate enrollment using certbot
   location '/.well-known/acme-challenge' {
 	default_type "text/plain";
 	root /var/www/html;
   }

 	# webhook
 	location = /qweqweqweqwe {
 		proxy_pass http://localhost:6666/qweqweqweqwe;
 	}

 	set $maintenance off;

 	if ($maintenance = on) {
 		return 503;
 	}

 	error_page 503 @maintenance;

 	location @maintenance {
 		rewrite ^(.*)$ /maintenance.html break;
 	}

        location / {
 		try_files $uri $uri/ /index.html;
        }

 	location /api/ {
 		proxy_set_header X-Real-IP  $remote_addr;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header Host $host;
 		proxy_pass http://localhost:8000;
        }


 	location /admin/ {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_pass http://localhost:8000;
        }


 	location ~ \.php(/|$) {
 		fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 	}

 	location ~ /\.ht { 
 		deny all;
 	}
 }


 server {
    listen 8000;
    root /var/www/html/api;

    location / {

        # Temporary solution for preflight request error
        if ($request_method = OPTIONS ) {
            add_header Access-Control-Allow-Origin $http_origin;
            add_header Access-Control-Allow-Methods "GET, OPTIONS, POST, PUT, DELETE";
            add_header Access-Control-Allow-Headers "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Pragma,access-token,Content-Type,";
            add_header Access-Control-Allow-Credentials "true";
            add_header Content-Length 0;
            return 200;
        }

        try_files $uri @rewriteapp;
    }

    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }

    location ~ ^/(app|app_dev|config)\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    error_log /var/log/nginx/symfony_error.log;
    access_log /var/log/nginx/symfony_access.log;
 }
	server {
	listen 80;
	server_name site.com;
	return 301 https://$server_name$request_uri;
	}

	server {
	listen 443 ssl http2;

	root /var/www/html;
	rewrite_log on;
	server_name site.com;
	client_max_body_size 55M;
	index index.php index.html;

	ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

	# Improve HTTPS performance with session resumption
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;

	# Enable server-side protection against BEAST attacks
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

	# Disable SSLv3
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Diffie-Hellman parameter for DHE ciphersuites
	# $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
	ssl_dhparam /etc/ssl/certs/dhparam.pem;

	# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

	# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	# Required for LE certificate enrollment using certbot
	location '/.well-known/acme-challenge' {
	default_type "text/plain";
	root /var/www/html;
	}

	# webhook
	location = /qweqweqweqwe {
	proxy_pass http://localhost:6666/qweqweqweqwe;
	}

	set $maintenance off;

	if ($maintenance = on) {
	return 503;
	}

	error_page 503 @maintenance;

	location @maintenance {
	rewrite ^(.*)$ /maintenance.html break;
	}

	location / {
	try_files $uri $uri/ /index.html;
	}

	location /api/ {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header Host $host;
	proxy_pass http://localhost:8000;
	}


	location /admin/ {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header Host $host;
	proxy_pass http://localhost:8000;
	}


	location ~ \.php(/\|$) {
	fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	}

	location ~ /\.ht {
	deny all;
	}
	}


	server {
	listen 8000;
	root /var/www/html/api;

	location / {

	# Temporary solution for preflight request error
	if ($request_method = OPTIONS ) {
	add_header Access-Control-Allow-Origin $http_origin;
	add_header Access-Control-Allow-Methods "GET, OPTIONS, POST, PUT, DELETE";
	add_header Access-Control-Allow-Headers "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Pragma,access-token,Content-Type,";
	add_header Access-Control-Allow-Credentials "true";
	add_header Content-Length 0;
	return 200;
	}

	try_files $uri @rewriteapp;
	}

	location @rewriteapp {
	rewrite ^(.*)$ /app.php/$1 last;
	}

	location ~ ^/(app\|app_dev\|config)\.php(/\|$) {
	fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	}

	error_log /var/log/nginx/symfony_error.log;
	access_log /var/log/nginx/symfony_access.log;
	}