Last active
February 15, 2018 08:16
-
-
Save sensonicm/fcffa91bfb1790156a5a3423e7990dd8 to your computer and use it in GitHub Desktop.
nginx http2 + ssl config for Drupal
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80 ; | |
| #listen [::]:80 ; | |
| server_name domain.ru www.domain.ru; | |
| return 301 https://$server_name$request_uri; | |
| } | |
| server { | |
| listen 443 ssl http2; | |
| server_name www.domain.ru; | |
| return 301 $scheme://domain.ru$request_uri; | |
| } | |
| server { | |
| listen 443 ssl http2 default_server; | |
| #listen [::]:443 ssl http2 ; | |
| server_name domain.ru; | |
| include snippets/domain-signed.conf; | |
| include snippets/ssl-params.conf; | |
| root /var/www/domain.ru; | |
| location = /favicon.ico { | |
| log_not_found off; | |
| access_log off; | |
| } | |
| location = /robots.txt { | |
| allow all; | |
| log_not_found off; | |
| access_log off; | |
| } | |
| location ~ ^/sites/default/settings.php { | |
| return 403; | |
| } | |
| location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { | |
| deny all; | |
| } | |
| location ~* \.(txt|log)$ { | |
| allow 192.168.0.0/16; | |
| deny all; | |
| } | |
| location ~ \..*/.*\.php$ { | |
| return 403; | |
| } | |
| location ~ ^/sites/.*/private/ { | |
| return 403; | |
| } | |
| location ~* ^/.well-known/ { | |
| allow all; | |
| } | |
| location ~ (^|/)\. { | |
| return 403; | |
| } | |
| location / { | |
| try_files $uri /index.php?$query_string; | |
| } | |
| location @rewrite { | |
| rewrite ^/(.*)$ /index.php?q=$1; | |
| } | |
| location ~ /vendor/.*\.php$ { | |
| deny all; | |
| return 404; | |
| } | |
| location ~ \.php(/|$) { | |
| include snippets/fastcgi-php.conf; | |
| fastcgi_param HTTP_PROXY ""; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_param PATH_INFO $fastcgi_path_info; | |
| fastcgi_param QUERY_STRING $query_string; | |
| fastcgi_intercept_errors on; | |
| fastcgi_pass unix:/run/php/php7.0-fpm.sock; | |
| } | |
| location ~ ^/sites/.*/files/styles/ { | |
| try_files $uri @rewrite; | |
| } | |
| location ~ ^(/[a-z\-]+)?/system/files/ { | |
| try_files $uri /index.php?$query_string; | |
| } | |
| location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { | |
| try_files $uri @rewrite; | |
| expires max; | |
| log_not_found off; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_tickets off; | |
| ssl_session_timeout 12h; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.4.4 valid=60s ipv6=on; | |
| resolver_timeout 10s; | |
| #ssl_trusted_certificate /etc/ssl/certs/domain_ru.ca-bundle.pem; # when domain.crt dont contain chain-certs | |
| add_header Strict-Transport-Security "max-age=31536000"; | |
| add_header X-Frame-Options DENY; | |
| add_header X-Content-Type-Options nosniff; | |
| ssl_dhparam /etc/ssl/certs/dh2048.pem; | |
| add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment