Untitled

### /etc/nginx/nginx.conf
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15;
    keepalive_requests 65536;
    client_body_timeout 12;
    client_header_timeout 15;
    send_timeout 15;
    types_hash_max_size 2048;
    server_tokens off;

    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 1024;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    include fastcgi_params;

    index index.php index.html index.htm;

    client_body_temp_path /tmp/client_body;
        proxy_temp_path /tmp/proxy;
        fastcgi_temp_path /tmp/fastcgi;
        uwsgi_temp_path /tmp/uwsgi;
        scgi_temp_path /tmp/scgi;
        fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=phpcache:100m inactive=60m;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
    default_type application/octet-stream;

    client_body_buffer_size 16K;
    client_header_buffer_size 1K;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";
    gzip_min_length 1000;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 2;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json image/svg+xml image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xml+rss text/javascript font/ttf font/otf font/eot x-font/woff application/x-font-ttf application/x-font-truetype application/x-font-opentype application/font-woff application/font-woff2 application/vnd.ms-fontobject audio/mpeg3 audio/x-mpeg-3 audio/ogg audio/flac audio/mpeg application/mpeg application/mpeg3 application/ogg;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/blacklist.conf;
    include /etc/nginx/sites-enabled/*;

    upstream php {
        server unix:/var/run/php/php7.0-fpm.sock;
    }

    server {
        listen 80; # IPv4
        listen [::]:80; # IPv6
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;

            }

    server {
        server_name example.com www.example.com;
        listen 443 default http2 ssl; # SSL
        listen [::]:443 default http2 ssl; # IPv6
        ssl on;
        ssl_certificate /etc/nginx/ssl/tls.crt;
        ssl_certificate_key /etc/nginx/ssl/ssl.key;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 24h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256+EECDH:AES256+EDH:!aNULL;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;

        add_header Public-Key-Pins 'pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; max-age=2592000';
                add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
                add_header X-Content-Type-Options "nosniff";
                add_header X-Frame-Options SAMEORIGIN;
                add_header X-XSS-Protection "1; mode=block";
        add_header X-Dns-Prefetch-Control 'content=on';

        # autoindex on; # File listing
        # auth_basic "Personal File Server";
        # auth_basic_user_file $PATH/htpasswd.conf;
        root /home/user/selfhost/html;
        include /etc/nginx/includes/*.conf; # Extra config

        client_max_body_size 10M;

        location / {
            set $memcached_key "$uri?$args";
            memcached_pass  127.0.0.1:11211;
            error_page 404 502 504 = @fallback;
        }

        location @fallback {
            try_files $uri $uri/ /index.php$args;
            if ($http_origin ~* (https?://[^/]*\.example\.com(:[0-9]+)?)) {
                        add_header 'Access-Control-Allow-Origin' "$http_origin";
                        }
            if (-f $document_root/maintenance.html) {
                return 503;
            }
        }

        location ~ [^/]\.php(/|$) {
            # set cgi.fix_pathinfo = 0; in php.ini
            include fastcgi.conf;
            #fastcgi_intercept_errors on;
            fastcgi_intercept_errors off;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_cache phpcache;
            fastcgi_cache_valid 200 60m;
            #add_header X-Fastcgi-Cache $upstream_cache_status;
        }

        location /happenings-and-events {
            proxy_pass https://example.com/posts/category/happenings-and-events;
        }
        location /gallery {
            proxy_pass https://example.com/posts/category/gallery;
        }
        location ~ /nginx.conf {
            deny all;
        }

        include /etc/nginx/conf.d/nginx.conf;

        error_page 503 @maintenance;
        location @maintenance {
            rewrite ^(.*)$ /.maintenance.html break;
        }

                }
    }
}
# /etc/nginx/fastcgi_params
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
fastcgi_max_temp_file_size 0;
# Wordpress iThemes security config
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
    # Ban Hosts - Security > Settings > Banned Users
    deny xxx.xxx.xxx.xxx;

    # Protect System Files - Security > Settings > System Tweaks > System Files
    location ~ /\.ht { deny all; }
    location ~ wp-config.php { deny all; }
    location ~ readme.html { deny all; }
    location ~ readme.txt { deny all; }
    location ~ /install.php { deny all; }
    location ^wp-includes/(.*).php { deny all; }
    location ^/wp-admin/includes(.*)$ { deny all; }

    # Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads
    location ^wp\-content/uploads/(.*).php(.?) { deny all; }

    # Filter Request Methods - Security > Settings > System Tweaks > Request Methods
    if ($request_method ~* "^(TRACE|DELETE|TRACK)") { return 403; }

    # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
    set $susquery 0;
    if ($args ~* "\.\./") { set $susquery 1; }
    if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
    if ($args ~* "etc/passwd") { set $susquery 1; }
    if ($args ~* "boot.ini") { set $susquery 1; }
    if ($args ~* "ftp:") { set $susquery 1; }
    if ($args ~* "http:") { set $susquery 1; }
    if ($args ~* "https:") { set $susquery 1; }
    if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
    if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
    if ($args ~* "base64_encode") { set $susquery 1; }
    if ($args ~* "(%24&x)") { set $susquery 1; }
    if ($args ~* "(127.0)") { set $susquery 1; }
    if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
    if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
    if ($args !~ "^loggedout=true") { set $susquery 0; }
    if ($args !~ "^action=jetpack-sso") { set $susquery 0; }
    if ($args !~ "^action=rp") { set $susquery 0; }
    if ($http_cookie !~ "^.*wordpress_logged_in_.*$") { set $susquery 0; }
    if ($http_referer !~ "^http://maps.googleapis.com(.*)$") { set $susquery 0; }
    if ($susquery = 1) { return 403; }

    # Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters
    if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { return 403; }
# END iThemes Security - Do not modify or remove this line