# Default nginx configuration user root; worker_processes auto; daemon off; error_log /data/logs/nginx/nginx.log warn; pid /run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type "text/html"; access_log /data/logs/nginx/access.default.log; sendfile on; keepalive_timeout 65; gzip on; map $http_upgrade $connection_upgrade { default upgrade; '' close; } disable_symlinks off; root REPLACE_SERVER_WWW_DIR; server { listen REPLACE_SERVER_PORT; server_name REPLACE_SERVER_NAME; root REPLACE_SERVER_WWW_DIR; index index.php index.cgi index.pl index.aspx index.txt index.json index.html index.unknown.php index.default.php; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *; frame-src 'self' *; object-src 'self'" always; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_certificate /etc/ssl/localhost.crt; ssl_certificate_key /etc/ssl/localhost.key; proxy_intercept_errors off; location ^~ /.well-known { default_type "text/plain"; root REPLACE_SERVER_WWW_DIR/.well-known; } location ^~ = /favicon.ico { log_not_found off; access_log off; } location ^~ = /robots.txt { allow all; log_not_found off; access_log off; } location ^~ /health { default_type text/html; allow all; access_log off; return 200 'OK'; } location ^~ /health/json { default_type application/json; allow all; access_log off; return 200 '{"status":"OK"}'; } location ^~ /health/status { stub_status; } location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; if (!-f $document_root$fastcgi_script_name) { return 404; } fastcgi_param HTTP_PROXY ""; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; # PHP only, required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200; } # location /cgi-bin { # root /usr/local/share/wwwroot/cgi-bin; # gzip off; # fastcgi_pass unix:/var/run/fcgiwrap.socket; # fastcgi_param HTTP_PROXY ""; # fastcgi_param GATEWAY_INTERFACE CGI/1.1; # fastcgi_param SERVER_SOFTWARE nginx; # fastcgi_param QUERY_STRING $query_string; # fastcgi_param REQUEST_METHOD $request_method; # fastcgi_param CONTENT_TYPE $content_type; # fastcgi_param CONTENT_LENGTH $content_length; # fastcgi_param SCRIPT_NAME $fastcgi_script_name; # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # fastcgi_param REQUEST_URI $request_uri; # fastcgi_param DOCUMENT_URI $document_uri; # fastcgi_param DOCUMENT_ROOT $document_root; # fastcgi_param SERVER_PROTOCOL $server_protocol; # fastcgi_param REMOTE_ADDR $remote_addr; # fastcgi_param REMOTE_PORT $remote_port; # fastcgi_param SERVER_ADDR $server_addr; # fastcgi_param SERVER_PORT $server_port; # fastcgi_param SERVER_NAME $server_name; # } } include /etc/nginx/vhosts.d/*.conf; }