# Plain-HTTP listener: serves no content, only upgrades every request to HTTPS.
server {
    listen 80;
    server_name site.ua www.site.ua;

    # $host is taken from the request (request line or Host header). If this
    # block is also the default server for port 80, a request carrying an
    # unrelated Host value is redirected to that name -- confirm that a
    # separate catch-all default server exists.
    return 301 https://$host$request_uri;
}
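# HTTPS virtual host for a Bitrix site served through php-fpm.
#
# nginx tests regex locations in the order they appear and stops at the first
# match, so the order of the "location ~" blocks below is part of the access
# policy: every deny rule has to stand above the PHP handlers, otherwise a
# URI ending in .php reaches php-fpm before the deny rule is considered.
server {
    listen *:443 ssl http2;
    server_name site.ua www.site.ua;

    # Canonical host: www -> bare domain.
    if ($host = 'www.site.ua') {
        return 301 https://site.ua$request_uri;
    }

    # Close the connection without a response when no User-Agent is sent.
    if ($http_user_agent = "") {
        return 444;
    }

    keepalive_timeout 75 75;

    # ---- TLS ----
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_certificate /etc/letsencrypt/live/site.ua/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.ua/privkey.pem;
    # Still needed: the DHE-RSA suites below use these parameters.
    ssl_dhparam /etc/ssl/dhparam.pem;

    # TLSv1 and TLSv1.1 removed: both are deprecated (RFC 8996). Append
    # TLSv1.3 where the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;

    # Reduced to the forward-secret AEAD suites of the previous list. The
    # CBC, static-RSA and 3DES (DES-CBC3-SHA) entries are dropped; clients
    # limited to those suites will no longer be able to connect.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    # "always" also sends the header on error responses. add_header is
    # inherited only by locations that declare no add_header of their own,
    # so the two locations below that add headers repeat this line.
    add_header Strict-Transport-Security 'max-age=31536000' always;

    ssl_stapling on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    ssl_stapling_verify on;

    # ---- General ----
    charset off;
    gzip on;
    gzip_comp_level 3;
    gzip_types application/x-javascript application/javascript text/css;
    index index.php;
    access_log /var/log/nginx/site.ua_ssl-access.log;
    error_log /var/log/nginx/site.ua_ssl-error.log;

    # NOTE(review): SSI is enabled for the whole vhost, which includes the
    # upload tree; confirm it is required and scope it to the locations
    # that need it.
    ssi on;

    set $root_path /var/www/html;
    root $root_path;
    set $php_sock unix:/var/run/php-fpm/php-fpm.sock;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

    # NOTE(review): a 1 GiB request body is accepted on every URI; consider
    # raising the limit only on the upload endpoints that need it.
    client_max_body_size 1024M;
    client_body_buffer_size 4M;

    # Hide a trailing index.php: /dir/index.php -> /dir/
    if ($request_uri ~* "^(.*\/)index\.php$") {
        return 301 $1;
    }

    location / {
        try_files $uri $uri/ @bitrix;
        rewrite ^([^.\?]*[^/])$ $1/ permanent;
    }

    #
    # Block these locations for any installation.
    # They are placed ahead of the PHP handlers on purpose: in their former
    # position below "location ~ \.php$" a request such as
    # /bitrix/html_pages/.config.php matched the PHP handler first and the
    # deny rule never applied. php-fpm does not read .htaccess files, so
    # these rules are the only HTTP-level protection for those paths.
    #
    # ht(passwd|access)
    location ~* /\.ht { deny all; }
    # repositories
    location ~* /\.(svn|hg|git) { deny all; }
    # bitrix internal locations
    location ~* ^/bitrix/(modules|local_cache|stack_cache|managed_cache|php_interface) {
        deny all;
    }
    # upload files
    location ~* ^/upload/1c_[^/]+/ { deny all; }
    # use the file system to access files outside the site (cache)
    location ~* /\.\./ { deny all; }
    location ~* ^/bitrix/html_pages/\.config\.php { deny all; }
    location ~* ^/bitrix/html_pages/\.enabled { deny all; }

    # Accept access for merged css and js
    location ~* ^/bitrix/cache/(css/.+\.css|js/.+\.js)$ {
        expires 30d;
        error_page 404 /404.html;
    }
    # Disable access for other assets in cache location
    location ~* ^/bitrix/cache { deny all; }

    # Script-like files under /upload/ are returned as text/plain and never
    # handed to php-fpm. This block must stay above "location ~ \.php$".
    location ~* /upload/.*\.(php|php3|php4|php5|php6|phtml|pl|asp|aspx|cgi|dll|exe|shtm|shtml|fcg|fcgi|fpl|asmx|pht|py|psp|rb|var)$ {
        types {
            # The duplicated "text/plain" token, which nginx read as a file
            # extension, has been removed.
            text/plain php php3 php4 php5 php6 phtml pl asp aspx cgi dll exe ico shtm shtml fcg fcgi fpl asmx pht py psp rb var;
        }
    }

    # Admin scripts: a missing file falls back to the admin 404 page. In its
    # former position below the generic PHP handler this block was never
    # selected, because every URI it matches also matches "\.php$".
    location ~* /bitrix/admin.+\.php$ {
        try_files $uri @bitrixadm;
        fastcgi_pass $php_sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # The address after -f reads "[email protected]" on this page because
        # the hosting site masked it; substitute the real envelope sender.
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
        # Same timeout these requests had while the generic handler served them.
        fastcgi_read_timeout 300;
        include fastcgi_params;
    }

    # Generic PHP handler. try_files makes sure the script exists on disk
    # before the request is passed to php-fpm.
    location ~ \.php$ {
        try_files $uri @bitrix;
        fastcgi_pass $php_sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
        fastcgi_read_timeout 300;
        include fastcgi_params;
    }

    # Fallback for URIs with no matching file: the Bitrix URL rewriter.
    location @bitrix {
        fastcgi_pass $php_sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/bitrix/urlrewrite.php;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
    }

    # Fallback for missing admin scripts.
    location @bitrixadm {
        fastcgi_pass $php_sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/bitrix/admin/404.php;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Dot escaped and pattern anchored: the former "/.well-known" matched
    # any character in place of the dot, anywhere in the URI.
    location ~ ^/\.well-known/ {
        allow all;
    }

    # Internal locations
    location ^~ /upload/support/not_image { internal; }

    # Cache location: composite and general site
    location ~* @.*\.html$ {
        internal;
        # disable browser cache, php manage file
        expires -1y;
        add_header X-Bitrix-Composite "Nginx (file)";
        # Repeated here: this location's own add_header stops inheritance.
        add_header Strict-Transport-Security 'max-age=31536000' always;
    }

    # Player options, disable no-sniff
    location ~* ^/bitrix/components/bitrix/player/mediaplayer/player$ {
        add_header Access-Control-Allow-Origin *;
        # Repeated here: this location's own add_header stops inheritance.
        add_header Strict-Transport-Security 'max-age=31536000' always;
    }

    # Use nginx to return static content from s3 cloud storage
    # /upload/bx_cloud_upload/<schema>.<bucket_name>.<s3_point>.amazonaws.com/<path/to/file>
    location ^~ /upload/bx_cloud_upload/ {
        # "internal" keeps this proxy unreachable from client requests; only
        # internal redirects can select it. The upstream host is limited by
        # the regex to the listed amazonaws.com endpoints.
        location ~ ^/upload/bx_cloud_upload/(http[s]?)\.([^/:]+)\.(s3|s3-us-west-1|s3-eu-west-1|s3-ap-southeast-1|s3-ap-northeast-1)\.amazonaws\.com/(.+)$ {
            internal;
            resolver 8.8.8.8;
            proxy_method GET;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Server $host;
            #proxy_max_temp_file_size 0;
            proxy_pass $1://$2.$3.amazonaws.com/$4;
        }
        # Anything else under this prefix is refused.
        location ~* .*$ { deny all; }
    }

    # Static content
    location ~* ^/(upload|bitrix/images|bitrix/tmp) {
        expires 30d;
    }

    location ~* \.(css|js|gif|png|jpg|jpeg|ico|ogg|ttf|woff|eot|otf)$ {
        error_page 404 /404.html;
        expires 30d;
    }

    location = /404.html {
        access_log off;
    }
}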