Update

bajpangosh · bajpangosh · commit eaa80b8cf2a1 · 2019-03-13T11:12:36.000+05:30
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,51 @@
+# Generated by nginxconfig.io
+# https://nginxconfig.io/?0.domain=example.com&0.non_www=false&0.cert_type=custom&0.ssl_certificate=%2Fetc%2Fnginx%2Fssl%2Fnginx.crt&0.ssl_certificate_key=%2Fetc%2Fnginx%2Fssl%2Fnginx.key
+
+user www-data;
+pid /run/nginx.pid;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+events {
+	multi_accept on;
+	worker_connections 65535;
+}
+
+http {
+	charset utf-8;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	server_tokens off;
+	log_not_found off;
+	types_hash_max_size 2048;
+	client_max_body_size 16M;
+
+	# MIME
+	include mime.types;
+	default_type application/octet-stream;
+
+	# logging
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log warn;
+
+	# SSL
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+
+	# modern configuration
+	ssl_protocols TLSv1.2;
+	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+	ssl_prefer_server_ciphers on;
+
+	# OCSP Stapling
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+	resolver_timeout 2s;
+
+	# load configs
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
diff --git a/nginxconfig.io/general.conf b/nginxconfig.io/general.conf
@@ -0,0 +1,32 @@
+# security headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# . files
+location ~ /\.(?!well-known) {
+	deny all;
+}
+
+# assets, media
+location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+	expires 7d;
+	access_log off;
+}
+
+# svg, fonts
+location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+	add_header Access-Control-Allow-Origin "*";
+	expires 7d;
+	access_log off;
+}
+
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
diff --git a/nginxconfig.io/php_fastcgi.conf b/nginxconfig.io/php_fastcgi.conf
@@ -0,0 +1,16 @@
+# 404
+try_files $fastcgi_script_name =404;
+
+# default fastcgi_params
+include fastcgi_params;
+
+# fastcgi settings
+fastcgi_pass			unix:/var/run/php/php7.2-fpm.sock;
+fastcgi_index			index.php;
+fastcgi_buffers			8 16k;
+fastcgi_buffer_size		32k;
+
+# fastcgi params
+fastcgi_param DOCUMENT_ROOT		$realpath_root;
+fastcgi_param SCRIPT_FILENAME	$realpath_root$fastcgi_script_name;
+fastcgi_param PHP_ADMIN_VALUE	"open_basedir=$base/:/usr/lib/php/:/tmp/";
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
@@ -0,0 +1,51 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name www.example.com;
+	set $base /var/www/example.com;
+	root $base/public;
+
+	# SSL
+	ssl_certificate /etc/nginx/ssl/nginx.crt;
+	ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+	# index.php
+	index index.php;
+
+	# index.php fallback
+	location / {
+		try_files $uri $uri/ /index.php?$query_string;
+	}
+
+	# handle .php
+	location ~ \.php$ {
+		include nginxconfig.io/php_fastcgi.conf;
+	}
+
+	include nginxconfig.io/general.conf;
+}
+
+# non-www, subdomains redirect
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name .example.com;
+
+	# SSL
+	ssl_certificate /etc/nginx/ssl/nginx.crt;
+	ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+	return 301 https://www.example.com$request_uri;
+}
+
+# HTTP redirect
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name .example.com;
+
+	return 301 https://www.example.com$request_uri;
+}
diff --git a/sites-enabled/example.com.conf b/sites-enabled/example.com.conf
@@ -0,0 +1 @@
+../sites-available/example.com.conf
