
Untitled

a guest Aug 24th, 2016 2 Never
# PHP-FPM backend, reached over a local Unix socket rather than TCP.
# The server block refers to it by name in `fastcgi_pass php-handler;`.
upstream php-handler {
  server unix:/var/run/php/php7.0-fpm.sock;
}
# Derives an HSTS policy value from the request scheme: https requests get
# max-age=15768000 (about six months). No default is given, so for any other
# scheme $hsts_header is empty, and add_header does not emit a header whose
# value is empty.
map $scheme $hsts_header {
  https max-age=15768000;
}
  9. server {
  10.   listen 8081 ssl;
  11.   server_name baucum.me:8081;
  12.  
  13.   ssl_certificate /someplace/fullchain.pem;
  14.   ssl_certificate_key /anotherplace/privkey.pem;
  15.  
  16.   add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
  17.   add_header Strict-Transport-Security $hsts_header;
  18.   add_header X-Content-Type-Options nosniff;
  19.   add_header X-Frame-Options "SAMEORIGIN";
  20.   add_header X-XSS-Protection "1; mode=block";
  21.   add_header X-Robots-Tag none;
  22.   add_header X-Download-Options noopen;
  23.   add_header X-Permitted-Cross-Domain-Policies none;
  24.  
  25.   root /usr/share/nginx/owncloud/;
  26.   location = /robots.txt {
  27.     allow all;
  28.     log_not_found off;
  29.     access_log off;
  30.   }
  31.  
  32.   location = /.well-known/carddav {
  33.     return 301 $scheme://$host/remote.php/dav;
  34.   }
  35.   location = /.well-known/caldav {
  36.     return 301 $scheme://$host/remote.php/dav;
  37.   }
  38.  
  39.   location /.well-known/acme-challenge { }
  40.  
  41.   client_max_body_size 10G; # set max upload size
  42.   fastcgi_buffers 64 4K;
  43.  
  44.   gzip off;
  45.  
  46.   error_page 403 = /core/templates/403.php;
  47.   error_page 404 = /core/templates/404.php;
  48.  
  49.   location / {
  50.     rewrite ^ /index.php$uri;
  51.   }
  52.  
  53.   location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
  54.     return 404;
  55.   }
  56.   location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
  57.     return 404;
  58.   }
  59.   location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
  60.     fastcgi_split_path_info ^(.+\.php)(/.*)$;
  61.     include fastcgi_params;
  62.     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  63.     fastcgi_param PATH_INFO $fastcgi_path_info;
  64.     fastcgi_param HTTPS on;
  65.     fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
  66.     fastcgi_param front_controller_active true;
  67.     fastcgi_pass php-handler;
  68.     fastcgi_intercept_errors on;
  69.     fastcgi_request_buffering off;
  70.   }
  71.  
  72.   location ~ ^/(?:updater|ocs-provider)(?:$|/) {      try_files $uri/ =404;
  73.       index index.php;
  74.   }
  75.  
  76.   location ~* \.(?:css|js)$ {
  77.     try_files $uri /index.php$uri$is_args$args;
  78.     add_header Cache-Control "public, max-age=7200";
  79.     # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
  80.     # Before enabling Strict-Transport-Security headers please read into this topic first.
  81.     # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  82.     add_header X-Content-Type-Options nosniff;
  83.     add_header X-Frame-Options "SAMEORIGIN";
  84.     add_header X-XSS-Protection "1; mode=block";
  85.     add_header X-Robots-Tag none;
  86.     add_header X-Download-Options noopen;
  87.     add_header X-Permitted-Cross-Domain-Policies none;
  88.     # Optional: Don't log access to assets
  89.     access_log off;
  90.   }
  91.  
  92. ######
  93.  
  94.   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  95.   ssl_prefer_server_ciphers on;
  96.   ssl_dhparam /moreplaces/dhparam.pem;
  97.   ssl_ciphers 'something';
  98.   ssl_session_timeout 1d;
  99.   ssl_session_cache shared:SSL:50m;
  100.   ssl_stapling on;
  101.   ssl_stapling_verify on;
  102.   #add_header Strict-Transport-Security max-age=15768000;
  103.  
  104.   location ~* ^/calibre.+.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
  105.     proxy_pass http://127.0.0.1:8082;
  106.   }
  107.  
  108.  
  109.   location /calibre/ {
  110.     proxy_pass http://127.0.0.1:8082;
  111.   }
  112. }