ziwon · January 4, 2017 08:18
diff --git a/phabricator.conf b/phabricator.conf
 upstream php-phabricator-handler {
 	server unix:/run/php/php7.0-fpm.sock;
 }

 server {
 	listen 80;
 	server_name proj.felixlab.io;
 	return 301 https://$host$request_uri;
 }

 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2 default_server ipv6only=on;

 	server_name proj.felixlab.io;

 	root /var/www/phabricator/phabricator/webroot;

 	client_max_body_size 2G;

 	ssl on;

 	ssl_certificate /etc/letsencrypt/live/proj.felixlab.io/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/proj.felixlab.io/privkey.pem;
 	ssl_trusted_certificate /etc/letsencrypt/live/proj.felixlab.io/fullchain.pem;

 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 	ssl_prefer_server_ciphers on;
 	ssl_dhparam /etc/ssl/certs/dhparam.pem;
 	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 	ssl_session_timeout 1d;
 	ssl_session_cache shared:SSL:50m;
 	ssl_stapling on;
 	ssl_stapling_verify on;
 	add_header Strict-Transport-Security max-age=15768000;

 	location / {
 		index index.php;
 		rewrite ^/(.*)$ /index.php?__path__=/$1 last;
 	}

 	location ~ /.well-known {
 		allow all;
    root /usr/share/nginx/html;
 	}

 	location = /favicon.ico {
 		try_files $uri =204;
 	}

 	location /index.php {
 		fastcgi_pass   php-phabricator-handler;
 		fastcgi_index  index.php;

 		fastcgi_param  REDIRECT_STATUS    200;

 		fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 		fastcgi_param  QUERY_STRING       $query_string;
 		fastcgi_param  REQUEST_METHOD     $request_method;
 		fastcgi_param  CONTENT_TYPE       $content_type;
 		fastcgi_param  CONTENT_LENGTH     $content_length;

 		fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;

 		fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
 		fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

 		fastcgi_param  REMOTE_ADDR        $remote_addr;
 	}
 }
	upstream php-phabricator-handler {
	server unix:/run/php/php7.0-fpm.sock;
	}

	server {
	listen 80;
	server_name proj.felixlab.io;
	return 301 https://$host$request_uri;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2 default_server ipv6only=on;

	server_name proj.felixlab.io;

	root /var/www/phabricator/phabricator/webroot;

	client_max_body_size 2G;

	ssl on;

	ssl_certificate /etc/letsencrypt/live/proj.felixlab.io/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/proj.felixlab.io/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/proj.felixlab.io/fullchain.pem;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_stapling on;
	ssl_stapling_verify on;
	add_header Strict-Transport-Security max-age=15768000;

	location / {
	index index.php;
	rewrite ^/(.*)$ /index.php?__path__=/$1 last;
	}

	location ~ /.well-known {
	allow all;
	root /usr/share/nginx/html;
	}

	location = /favicon.ico {
	try_files $uri =204;
	}

	location /index.php {
	fastcgi_pass php-phabricator-handler;
	fastcgi_index index.php;

	fastcgi_param REDIRECT_STATUS 200;

	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param QUERY_STRING $query_string;
	fastcgi_param REQUEST_METHOD $request_method;
	fastcgi_param CONTENT_TYPE $content_type;
	fastcgi_param CONTENT_LENGTH $content_length;

	fastcgi_param SCRIPT_NAME $fastcgi_script_name;

	fastcgi_param GATEWAY_INTERFACE CGI/1.1;
	fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

	fastcgi_param REMOTE_ADDR $remote_addr;
	}
	}