server {
     listen 80;
     server_name *.domain.com;
     return 301 https://$host$request_uri;
     }
 server {
    listen 443 ssl http2;
    ssl on;
    server_name ~^(?<subdomain>[^.]+).domain.com;
 
    keepalive_timeout 300;
 
    # Letsencrypt
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    # Cipher
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
 
    # OSCP
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
   
    # Header
    add_header Strict-Transport-Security max-age=63072000; # HSTS
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
 
    # Document-Root
    root /var/www/domain.com/$subdomain/public;
   
    index index.php index.html index.htm;
 
    location / {
        try_files $uri $uri/ =404;
    }
 
    # FastCGI
    fastcgi_param HTTPS on;
    location ~ \.php$ {
        try_files  $uri  =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
 
}
Zuletzt bearbeitet: September 26, 2019

Autor

Kommentare

Schreibe eine Antwort oder einen Kommentar

Deine EMail-Adresse wird nicht veröffentlicht.