SSL Origin CloudFlare
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name kangtain.com www.kangtain.com;
root /var/www/kangtain.com;
index index.php;
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
ssl_certificate /etc/ssl/certs/cloudflare_kangtain.com.pem;
ssl_certificate_key /etc/ssl/private/cloudflare_key_kangtain.com.pem;
ssl_client_certificate /etc/ssl/certs/origin-pull-ca.pem;
ssl_verify_client on;
error_log /var/log/nginx/kangtain.com.error;
access_log /var/log/nginx/kangtain.com.access;
location / {
try_files $uri $uri/ /index.php;
}
location ~ /.well-known {
allow all;
}
location ~ /\.ht {
deny all;
}
location /rest.php {
try_files $uri $uri/ /rest.php?$args;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include snippets/fastcgi-php.conf;
}
}
SSL Lets Encrypt
server {
server_name kangtain.com;
root /var/www/kangtain.com;
index index.php;
error_log /var/log/nginx/kangtain.com.error;
access_log /var/log/nginx/kangtain.com.access;
location / {
try_files $uri $uri/ /index.php;
}
location ~ /.well-known {
allow all;
}
location ~ /\.ht {
deny all;
}
location /rest.php {
try_files $uri $uri/ /rest.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include snippets/fastcgi-php.conf;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/kangtain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/kangtain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/kangtain.com/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = kangtain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name kangtain.com;
root /var/www/kangtain.com;
index index.php;
error_log /var/log/nginx/kangtain.com.error;
access_log /var/log/nginx/kangtain.com.access;
location / {
try_files $uri $uri/ /index.php;
}
location ~ /.well-known {
allow all;
}
location ~ /\.ht {
deny all;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include snippets/fastcgi-php.conf;
}
}