Nginx Conf

1. // nginx.conf
2.  
3. # For more information on configuration, see:
4. #   * Official English Documentation: http://nginx.org/en/docs/
5. #   * Official Russian Documentation: http://nginx.org/ru/docs/
6.  
7. user  webhost wwweb;
8. worker_processes  1;
9.  
10. error_log  /var/log/nginx/error.log;
11. #error_log  /var/log/nginx/error.log  notice;
12. #error_log  /var/log/nginx/error.log  info;
13.  
14. pid        /run/nginx.pid;
15.  
16. events {
17.     worker_connections  1024;
18. }
19.  
20. http {
21.     include       /etc/nginx/mime.types;
22.     default_type  application/octet-stream;
23.  
24.     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
25.                       '$status $body_bytes_sent "$http_referer" '
26.                       '"$http_user_agent" "$http_x_forwarded_for"';
27.  
28.     access_log  /var/log/nginx/access.log  main;
29.  
30.     sendfile        on;
31.     #tcp_nopush     on;
32.  
33.     keepalive_timeout  65;
34.  
35.     gzip on;
36.     gzip_disable "msie6";
37.  
38.     gzip_vary on;
39.     gzip_proxied any;
40.     gzip_comp_level 6;
41.     gzip_buffers 16 8k;
42.     gzip_http_version 1.1;
43.     gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
44.  
45.     index   index.html index.htm;
46.  
47.     # Load modular configuration files from the /etc/nginx/conf.d directory.
48.     # See http://nginx.org/en/docs/ngx_core_module.html#include
49.     # for more information.
50.     include /etc/nginx/conf.d/*.conf;
51.  
52. }
53.  
54. // Actual website conf
55. server {
56.     server_name  _;
57.     rewrite ^ $scheme://www.mydomain.tld$request_uri redirect;
58. }
59.  
60. server {
61.     listen       80;
62.     listen       443 ssl spdy;
63.     server_name  www.mydomain.tld mydomain.tld;
64.  
65.     # Buffer size of 1400 bytes fits in one MTU.
66.     # nginx 1.5.9+ ONLY
67.     ssl_buffer_size 1400;
68.  
69.     add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
70.  
71.     ssl_session_cache   shared:SSL:10m;
72.     ssl_session_timeout 10m;
73.  
74.     keepalive_timeout 75 75;
75.  
76.     ssl_certificate /var/www/mydomain.tld/private/ssl/mydomain.tld.crt;
77.     ssl_certificate_key /var/www/mydomain.tld/private/ssl/mydomain.tld.key;
78.  
79.     #enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
80.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
81.  
82.     #Disables all weak ciphers
83.     ssl_ciphers "kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED";
84.  
85.     ssl_prefer_server_ciphers on;
86.  
87.     ssl_dhparam /var/www/mydomain.tld/private/ssl/dhparam2048.pem;
88.  
89.     ssl_stapling on;
90.     ssl_stapling_verify on;
91.     resolver 8.8.8.8 8.8.4.4 valid=86400;
92.     resolver_timeout 10;
93.     ssl_trusted_certificate /var/www/mydomain.tld/private/ssl/mydomain.tld.crt;
94.  
95.     # set client body size to 5M #
96.     client_max_body_size 5M;
97.  
98.     access_log  /var/www/mydomain.tld/private/logs/access.log  main;
99.  
100.     root   /var/www/mydomain.tld/public/www;
101.     index  index.php;
102.  
103.     error_page   500 502 503 504  /50x.html;
104.     location = /50x.html {
105.         root   /usr/share/nginx/html;
106.     }
107.  
108.     # Global restrictions configuration file.
109.     # Designed to be included in any server {} block.</p>
110.     location = /favicon.ico {
111.         log_not_found off;
112.         access_log off;
113.     }
114.  
115.     location = /robots.txt {
116.         allow all;
117.         log_not_found off;
118.         access_log off;
119.     }
120.  
121.     # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
122.     # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
123.     location ~ /\. {
124.         deny all;
125.     }
126.  
127.     # Deny access to any files with a .php extension in the uploads directory
128.     # Works in sub-directory installs and also in multisite network
129.     # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
130.     location ~* /(?:uploads|files)/.*\.php$ {
131.         deny all;
132.     }
133.  
134.     # This order might seem weird - this is attempted to match last if rules below fail.
135.     # http://wiki.nginx.org/HttpCoreModule
136.     location / {
137.         try_files $uri $uri/ /index.php?$args;
138.     }
139.  
140.     # Add trailing slash to */wp-admin requests.
141.     rewrite /wp-admin$ $scheme://$host$uri/ permanent;
142.  
143.     # Directives to send expires headers and turn off 404 error logging.
144.     location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$     {
145.        access_log off; log_not_found off; expires max;
146.     }
147.  
148.     # Directives to send expires headers.
149.     location ~* ^.+\.(css|js)$ {
150.        expires 14d;
151.     }
152.  
153.     # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
154.     #
155.     location ~ \.php$ {
156.         fastcgi_pass   127.0.0.1:9000;
157.         fastcgi_index  index.php;
158.         fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
159.         include        fastcgi_params;
160.     }
161.  
162.     location @rewrites {
163.         rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
164.         rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
165.     }
166.  
167. }