# HTTP redirect server { listen 80; listen [::]:80; server_name .$DOMAIN; return 301 https://$host$request_uri; } # HTTPS server server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name .$DOMAIN; # SSL configuration ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; include snippets/ssl.conf; # Check for banned IPs if ($is_banned) { rewrite ^ @banned last; } # Banned location handler location @banned { internal; add_header Content-Type text/plain; return 403 "403 Forbidden (IP temporarily banned)\n"; } # Apply general rate limit limit_req zone=general burst=100 nodelay; # Content Security Policy and other security headers set $content_security_policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN"; add_header Content-Security-Policy $content_security_policy always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Subdomain handling set $subdomain ''; set $site_root "/var/www/$DOMAIN/_main"; if ($host ~* ^([^.]+)\.$DOMAIN$) { set $subdomain $1; set $site_root "/var/www/$DOMAIN/subdomains/$subdomain"; } root "$site_root/www"; # Default error page config include snippets/error-pages.conf; # Basic settings index index.html index.htm index.php; client_max_body_size 20M; # Include site-specific configurations include /var/www/$DOMAIN/nginx/*.conf; # Block .ht* files location ~ /\.ht { deny all; } # Main location block location / { try_files $uri $uri/ @router; } # Router handling location @router { if (!-f $document_root/router.php) { return 404; } limit_req zone=php burst=20 nodelay; fastcgi_pass unix:/var/run/php/php-fpm.sock; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root/router.php; } # Basic PHP configuration location ~ \.php$ { limit_req zone=php burst=20 nodelay; try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php-fpm.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } # Static file handling (matches any file extension except .php) location ~* ^.+\.((?!php).)*$ { # Caching and security headers expires 30d; add_header Cache-Control "public, no-transform"; add_header Content-Security-Policy $content_security_policy always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Try to serve the file directly try_files $uri $uri/ =404; } # Logging access_log /var/log/nginx/access.log domain_combined; error_log /var/log/nginx/error.log; access_log "/var/www/$DOMAIN/logs/access.log" domain_combined; error_log "/var/www/$DOMAIN/logs/error.log"; }