webserver-config/site-config.conf
Joby Elliott 2a5b05b320 Refactor error page handling and configuration
Simplify the error page handling and configuration by refactoring the code. Removed the unnecessary error message "IP banned for bad behavior" and replaced it with a generic 403 error response. Also, added new error pages for 404, 503, and 50x errors. The error pages are now stored in the /var/www/error-pages directory. Updated the nginx configuration to use the new error pages and added PHP handling for the error pages.
2024-10-23 19:37:16 -06:00


# HTTP redirect
server {
    # Leading dot: answers for the bare domain and for every subdomain.
    # NOTE(review): $DOMAIN is not set anywhere in this file; it looks like a
    # placeholder filled in by a templating step before nginx loads it -- confirm.
    server_name .$DOMAIN;

    # Plain HTTP on IPv4 and IPv6.
    listen 80;
    listen [::]:80;

    # Permanent redirect to the same host and URI over HTTPS.
    # $host is taken from the request, so the redirect target is only as
    # trustworthy as the host matching above. If this block ever becomes the
    # default server for port 80, requests with unmatched Host values are
    # redirected to whatever host they named.
    return 301 https://$host$request_uri;
}
# HTTPS server
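server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Leading dot: answers for the bare domain and for every subdomain.
    # NOTE(review): $DOMAIN is not set anywhere in this file; it looks like a
    # placeholder filled in by a templating step before nginx loads it -- confirm.
    server_name .$DOMAIN;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
    include snippets/ssl.conf;

    # Check for banned IPs
    # $is_banned is defined outside this file (presumably a map/geo block in
    # the http context -- confirm). Banned clients get a bare 403.
    if ($is_banned) {
        return 403;
    }

    # Apply general rate limit (the "general" zone is declared elsewhere).
    limit_req zone=general burst=100 nodelay;

    # Content Security Policy (needs to be per-domain)
    # NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval', so this
    # policy does little to contain injected script, and *.$DOMAIN lets every
    # subdomain load script from every other subdomain. Tighten per site
    # (nonces or hashes) wherever the applications allow it.
    # nginx inherits add_header from this level only into locations that define
    # no add_header of their own; the static-file location below therefore
    # repeats this header.
    add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always;

    # Subdomain handling
    # The document root is derived from the request's host name: the bare
    # domain maps to _main, a single-label subdomain maps to its own directory.
    # [^.]+ keeps the captured label free of dots.
    # NOTE(review): if $DOMAIN is substituted verbatim, the dots inside it are
    # unescaped in this regex and match any character. server_name normally
    # keeps such hosts out of this block, but not if it is the default server
    # for the port -- consider escaping the dots in the template.
    set $subdomain '';
    set $full_root "/var/www/$DOMAIN/_main/www";
    if ($host ~* ^([^.]+)\.$DOMAIN$) {
        set $subdomain $1;
        set $full_root "/var/www/$DOMAIN/subdomains/$subdomain/www";
    }
    root $full_root;

    # Basic settings
    index index.html index.htm index.php;
    client_max_body_size 20M;

    # Block .ht* files
    # NOTE(review): only .ht* is denied. Other dotfiles under a document root
    # (.git, .env and similar) are still served by the static-file location
    # below; consider denying all dotfiles except /.well-known/.
    location ~ /\.ht {
        deny all;
    }

    # Main location block
    # Serve an existing file or directory, otherwise hand off to the router.
    location / {
        try_files $uri $uri/ @router;
    }

    # Router handling
    # Front controller: every unmatched request goes to router.php in the
    # current document root, or 404 when the site has no router.
    location @router {
        if (!-f $document_root/router.php) {
            return 404;
        }
        limit_req zone=php burst=20 nodelay;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        include fastcgi_params;
        # Set after the include so this fixed path is the one sent to PHP-FPM.
        fastcgi_param SCRIPT_FILENAME $document_root/router.php;
    }

    # Basic PHP configuration
    location ~ \.php$ {
        limit_req zone=php burst=20 nodelay;
        # Only pass requests for files that exist on disk to PHP-FPM; anything
        # else is answered with 404 here.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Static file handling
    # Matches any URI that contains a dot with no "php" anywhere after it, which
    # includes .html documents as well as assets.
    location ~* ^.+\.((?!php).)*$ {
        expires 30d;
        add_header Cache-Control "public, no-transform";
        # Because this location defines its own add_header, the server-level
        # Content-Security-Policy would not be inherited and responses served
        # here (HTML included) would go out without it. Repeat it explicitly.
        # NOTE(review): any add_header lines inside snippets/ssl.conf (HSTS, for
        # example) are dropped here for the same reason -- check that snippet,
        # and consider moving the shared headers into one include file.
        add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always;
        try_files $uri $uri/ =404;
    }

    # Logging
    # Requests are logged twice: to the server-wide nginx logs and to a
    # per-domain log directory that sits beside the www roots, not inside them.
    access_log /var/log/nginx/access.log domain_combined;
    error_log /var/log/nginx/error.log;
    access_log "/var/www/$DOMAIN/logs/access.log" domain_combined;
    error_log "/var/www/$DOMAIN/logs/error.log";
}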