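# Catch-all for plain-HTTP requests whose Host header matches no vhost below.
# Without an explicit default, the *.domain.com server is the implicit default
# and its redirect would echo an arbitrary Host value into the Location header.
# 444 closes the connection without sending a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Plain HTTP for the wildcard domain: permanent redirect to HTTPS.
# $host is safe to echo here because server_name has already constrained it.
server {
    listen 80;
    server_name *.domain.com;
    return 301 https://$host$request_uri;
}

# HTTPS vhost serving one document root per subdomain.
server {
    listen 443 ssl http2;
    # Dots in the regex are escaped and the end is anchored so that the
    # capture only matches real labels of domain.com. The character class is
    # restricted to hostname-label characters because $subdomain is spliced
    # into a filesystem path below (note: underscores are therefore rejected).
    # Requests with a non-matching Host still land here if this is the only
    # server on :443 — $subdomain is then empty; consider a default_server
    # with return 444 if that is a concern.
    server_name ~^(?<subdomain>[a-z0-9-]+)\.domain\.com$;
    keepalive_timeout 300;

    # Let's Encrypt certificate
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    # Ciphers and protocols. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and
    # removed from the original list; add TLSv1.3 once nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling; the resolver is used to reach the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

    # Security headers. These are inherited by the locations below because
    # none of them declares its own add_header.
    add_header Strict-Transport-Security max-age=63072000; # HSTS, 2 years
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # Document root, selected by the captured subdomain label
    root /var/www/domain.com/$subdomain/public;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    # FastCGI. The server-level `fastcgi_param HTTPS on;` of the original was
    # never inherited (a location that sets any fastcgi_param drops all
    # server-level ones), so it is set in the location only.
    location ~ \.php$ {
        # Refuse to pass non-existent scripts to PHP (mitigates cgi.fix_pathinfo
        # style issues where an upload could be executed as PHP).
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
}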