Untitled

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
    server_name data.cungcaphangsi.com www.data.cungcaphangsi.com;
    return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  server_name data.cungcaphangsi.com www.data.cungcaphangsi.com;

  ##  redirect https www to https non-www
      if ($host = 'www.data.cungcaphangsi.com' ) {
         return 302 https://data.cungcaphangsi.com$request_uri;
      }

  ssl_dhparam /usr/local/nginx/conf/ssl/data.cungcaphangsi.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/data.cungcaphangsi.com/data.cungcaphangsi.com.crt;
  #ssl_certificate      /usr/local/nginx/conf/ssl/data.cungcaphangsi.com/nginx_bundle_5caa09071cdd.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/data.cungcaphangsi.com/data.cungcaphangsi.com.key;

  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/data.cungcaphangsi.com/nginx_bundle_5caa09071cdd.crt;


# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  ssi  on;

  access_log /home/nginx/domains/data.cungcaphangsi.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/data.cungcaphangsi.com/log/error.log;

  root /home/nginx/domains/data.cungcaphangsi.com/public;

  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  }


 location / {
  try_files $uri $uri/ /index.php?$uri&$args;
  index index.php index.html;
  }

  location /install/data/ {
    internal;
  }
  location /install/templates/ {
    internal;
  }
  location /internal_data/ {
    internal;
  }
  location /library/ {
    internal;
  }

  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass    127.0.0.1:9000;
    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include         fastcgi_params;
  }


  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}