server { listen 80; server_name staging.{{company-name}}.talent.careers; root /srv/http/staging.{{company-name}}.talent.careers/web; location / { rewrite ^(.*)$ https://staging.{{company-name}}.talent.careers$1 permanent; } #return 301 https://$server_name$request_uri; # ACME challenge location ^~ /.well-known { allow all; #alias /var/lib/letsencrypt/.well-known/; default_type "text/plain"; try_files $uri =404; } } server { #listen 443; listen [::]:443 ssl; listen 443 ssl; server_name staging.{{company-name}}.talent.careers; if ($scheme != "https"){ return 301 https://$host$request_uri; } # managed by Certbot if ($host != $server_name) { #return 404 "this is an invalid request"; return 444; } # managed by Certbot ssl_certificate /etc/letsencrypt/live/{{company-name}}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{company-name}}/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/{{company-name}}/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:le_nginx_SSL:1m; ssl_session_tickets off; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; ssl_stapling on; ssl_stapling_verify on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; root /srv/http/staging.{{company-name}}.talent.careers/web/; auth_basic "Restricted"; auth_basic_user_file /etc/nginx/htpasswd; add_header Cache-Control "no-cache, no-store, must-revalidate, proxy-revalidate"; #add_header X-Frame-Options SAMEORIGIN; # allow from startberlin etc add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "same-origin"; add_header Expect-CT "max-age=0, report-uri=https://sompani.report-uri.com/r/d/ct/reportOnly"; # add_header Content-Security-Policy "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src https:; object-src 'none'"; add_header X-Who-Is-Awesome "You are ❤"; location / { # try to serve file directly, fallback to app.php try_files $uri /app.php$is_args$args; } location ~ ^/app\.php(/|$) { fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; # When you are using symlinks to link the document root to the # current version of your application, you should pass the real # application path instead of the path to the symlink to PHP # FPM. # Otherwise, PHP's OPcache may not properly detect changes to # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126 # for more information). fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; # Prevents URIs that include the front controller. This will 404: # http://domain.tld/app.php/some-path # Remove the internal directive to allow URIs like this internal; expires -1; } # return 404 for all other php files not matching the front controller # this prevents access to other php files you don't want to be accessible. location ~ \.php$ { return 404; } location ^~ /og-image { root /srv/img/staging.sompani.com/; } # ACME challenge #location ^~ /.well-known { # allow all; # alias /var/lib/letsencrypt/.well-known/; # default_type "text/plain"; # try_files $uri =404; #} error_log /var/log/nginx/staging.{{company-name}}.talent.careers.error.log; access_log /var/log/nginx/staging.{{company-name}}.talent.careers.access.log; }