# nginx virtual-host template (two server blocks: the site itself, then a
# redirect/alias vhost). Only the inline {tmpl_if ...}{/tmpl_if} markers on the
# listen lines are still visible; many directive values are empty
# (`listen :;`, `root ;`, `ssl_certificate ;`, `if ($http_host "")`), which
# suggests the template's variable placeholders and surrounding conditionals
# were lost when this page was extracted. As shown it is not loadable by nginx.
# Repeated directives and repeated `location` blocks below are presumably
# mutually exclusive alternatives selected by those missing conditionals.
server {
    # Plain-HTTP listeners (address and port values are missing).
    listen :;
    listen []:;
    listen [::]:;

    # TLS listener; http2 / spdy are appended only when the matching template
    # flag equals 'y'.
    listen : ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Restrict this
    # to TLSv1.2, plus TLSv1.3 where the installed nginx/OpenSSL supports it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # NOTE(review): both cipher directives are commented out, so the cipher
    # list comes from the http level or nginx's built-in default. The disabled
    # list still contains 3DES (DES-CBC3-SHA) and CBC/SHA-1 suites; trim those
    # before re-enabling it.
    # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    # ssl_prefer_server_ciphers on;
    listen []: ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
    listen [::]: ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
    ssl_certificate ;
    ssl_certificate_key ;

    server_name ;

    root ;

    # Force HTTPS with a permanent redirect.
    # NOTE(review): $http_host is the raw Host header sent by the client, so
    # the redirect target is request-controlled whenever this vhost answers
    # for names it does not own (e.g. as default server). Consider redirecting
    # to a configured name instead.
    if ($scheme != "https") {
        rewrite ^ https://$http_host$request_uri? permanent;
    }
    # Host-based canonicalisation redirects; the comparison operator and the
    # host names are missing from the conditions and targets here.
    if ($http_host "") {
        rewrite ^ $scheme://$request_uri? permanent;
    }
    if ($http_host "") {
        rewrite ^ $scheme://$request_uri? permanent;
    }
    # Per-site rewrite rules; the replacement refers to $2 although only one
    # capture group is visible, so part of the pattern, the target prefix and
    # the flag were presumably template values.
    if ($http_host "") {
        rewrite ^(.*)$ $2 ;
    }
    if ($http_host != "") {
        rewrite ^(.*)$ $2 ;
    }
    # Reverse-proxy variant of the site root (upstream URL missing).
    location / {
        proxy_pass ;
        rewrite ^/(.*) /$1;
    }

    index index.html index.htm index.php index.cgi index.pl index.xhtml;

    # Server-side includes are processed for .shtml files only.
    location ~ \.shtml$ {
        ssi on;
    }

    # Custom error documents. The matching `location = ... { internal; }`
    # blocks make them reachable through internal redirects only, not by
    # requesting /error/NNN.html directly.
    error_page 400 /error/400.html;
    error_page 401 /error/401.html;
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 405 /error/405.html;
    error_page 500 /error/500.html;
    error_page 502 /error/502.html;
    error_page 503 /error/503.html;
    recursive_error_pages on;
    location = /error/400.html {
        internal;
    }
    location = /error/401.html {
        internal;
    }
    location = /error/403.html {
        internal;
    }
    location = /error/404.html {
        internal;
    }
    location = /error/405.html {
        internal;
    }
    location = /error/500.html {
        internal;
    }
    location = /error/502.html {
        internal;
    }
    location = /error/503.html {
        internal;
    }

    # Two logging variants: the standard `combined` format and an `anonymized`
    # format (presumably a log_format defined elsewhere - confirm). The site
    # directory name between `httpd/` and the file name is missing.
    error_log /var/log/ispconfig/httpd//error.log;
    access_log /var/log/ispconfig/httpd//access.log combined;
    error_log /var/log/ispconfig/httpd//error.log;
    access_log /var/log/ispconfig/httpd//access.log anonymized;

    ## Disable .htaccess and other hidden files
    location ~ /\. {
        deny all;
    }

    ## Allow access for .well-known/acme-challenge
    # The `^~` prefix match stops nginx from evaluating regex locations, so
    # this path is exempt from the dotfile deny rule above. It is served from
    # a fixed directory outside the site root, with basic auth and directory
    # listing switched off.
    location ^~ /.well-known/acme-challenge/ {
        access_log off;
        log_not_found off;
        auth_basic off;
        root /usr/local/ispconfig/interface/acme/;
        autoindex off;
        index index.html;
        try_files $uri $uri/ =404;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
        expires max;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Statistics area behind HTTP basic auth (password file path missing).
    # NOTE(review): basic-auth credentials are only protected in transit when
    # the request arrives over TLS; confirm the HTTPS redirect is active for
    # sites that expose /stats/.
    location /stats/ {
        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file ;
    }

    location ^~ /awstats-icon {
        alias /usr/share/awstats/icon;
    }

    # Hand *.php requests and /php-fpm-status to the named @php location.
    # NOTE(review): try_files needs at least one file argument before the
    # fallback; a first argument appears to be missing here.
    location ~ (\.php|^/php-fpm-status)$ {
        try_files @php;
    }

    # PHP via FastCGI. `try_files $uri =404` rejects requests for scripts that
    # do not exist on disk before anything is passed to the backend.
    # The TCP / unix-socket fastcgi_pass lines and the two SCRIPT_FILENAME
    # forms are presumably alternatives chosen by the generator - confirm.
    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:;
        fastcgi_pass unix:;
        fastcgi_index index.php;
        fastcgi_param DOCUMENT_ROOT ;
        fastcgi_param HOME ;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    # HHVM variant of @php: 500/501/502/503 responses from the HHVM socket are
    # retried through @phpfallback.
    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/hhvm/hhvm..sock;
        fastcgi_index index.php;
        fastcgi_param DOCUMENT_ROOT ;
        fastcgi_param HOME ;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_intercept_errors on;
        error_page 500 501 502 503 = @phpfallback;
    }

    # Fallback FastCGI backend used by the HHVM variant above.
    location @phpfallback {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:;
        fastcgi_pass unix:;
        fastcgi_index index.php;
        fastcgi_param DOCUMENT_ROOT ;
        fastcgi_param HOME ;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    # Variant that refuses every request routed to @php (presumably emitted
    # for sites with PHP switched off - confirm).
    location @php {
        deny all;
    }

    # CGI scripts are executed through the fcgiwrap socket; the existence
    # check comes first and gzip is off for these responses.
    location /cgi-bin/ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        root ;
        gzip off;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_param DOCUMENT_ROOT ;
        fastcgi_param HOME ;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    # ngx_pagespeed settings.
    pagespeed on;
    pagespeed FileCachePath /var/ngx_pagespeed_cache;
    # NOTE(review): allow_self_signed lets PageSpeed fetch HTTPS resources
    # from servers whose certificate does not chain to a trusted CA. Confirm
    # that fetches are limited to this server's own origin before keeping it.
    pagespeed FetchHttps enable,allow_self_signed;

    # let's speed up PageSpeed by storing it in the super duper fast memcached
    # NOTE(review): the cache path and the memcached instance are fixed values
    # and not per-site; confirm memcached listens on loopback only.
    pagespeed MemcachedThreads 1;
    pagespeed MemcachedServers "localhost:11211";

    # Filter settings
    pagespeed RewriteLevel CoreFilters;
    pagespeed EnableFilters collapse_whitespace,remove_comments;

    # Ensure requests for pagespeed optimized resources go to the pagespeed
    # handler and no extraneous headers get set.
    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
        add_header "" "";
        access_log off;
    }
    location ~ "^/ngx_pagespeed_static/" {
        access_log off;
    }
    location ~ "^/ngx_pagespeed_beacon$" {
        access_log off;
    }
    # PageSpeed statistics, message and console endpoints are limited to the
    # IPv4 loopback address; every other client is denied.
    location /ngx_pagespeed_statistics {
        allow 127.0.0.1;
        deny all;
        access_log off;
    }
    location /ngx_pagespeed_global_statistics {
        allow 127.0.0.1;
        deny all;
        access_log off;
    }
    location /ngx_pagespeed_message {
        allow 127.0.0.1;
        deny all;
        access_log off;
    }
    location /pagespeed_console {
        allow 127.0.0.1;
        deny all;
        access_log off;
    }

    # Password-protected folder (the location path and the directory part of
    # the password file are missing). `##merge##` is presumably a marker read
    # by the config generator, so it is kept verbatim.
    # NOTE(review): the password file appears to sit inside the protected
    # folder; confirm that the dotfile deny rule keeps `.htpasswd` from being
    # served.
    location {
        ##merge##
        auth_basic "Members Only";
        auth_basic_user_file .htpasswd;

        location ~ \.php$ {
            try_files @php;
        }
    }
}

# Second vhost: answers for additional names (values missing) on ports 80 and
# 443 and redirects or proxies them.
# NOTE(review): no ssl_protocols or ssl_ciphers directive appears in this
# block, so its TLS settings come from the http level or nginx defaults;
# confirm they are at least as strict as those of the main vhost.
server {
    listen :80;
    listen []:80;
    listen :443 ssl;
    listen []:443 ssl;
    ssl_certificate ;
    ssl_certificate_key ;

    server_name ;

    if ($http_host "") {
        rewrite ^ $scheme://$request_uri? permanent;
    }

    ## no redirect for acme
    location ^~ /.well-known/acme-challenge/ {
        access_log off;
        log_not_found off;
        root /usr/local/ispconfig/interface/acme/;
        autoindex off;
        index index.html;
        try_files $uri $uri/ =404;
    }

    # Redirect variant: everything else is rewritten to the target (target
    # prefix and flag missing).
    location / {
        rewrite ^ $request_uri? ;
    }
    # Proxy variant of the same location (upstream URL missing).
    location / {
        proxy_pass ;
        rewrite ^/(.*) /$1;
    }
}