server { listen 80; server_name dominio.ufrj.br; return 302 https://dominio.ufrj.br$request_uri; } server { listen 443 ssl; server_name dominio.ufrj.br; ## Keep alive timeout set to a greater value for SSL/TLS. keepalive_timeout 75 75; ## Access and error logs. access_log /var/log/nginx/dominio.access.log; error_log /var/log/nginx/dominio.error.log; ## See the keepalive_timeout directive in nginx.conf. ssl_certificate /etc/ssl/localcerts/dominio.ufrj.br.crt; ssl_certificate_key /etc/ssl/private/dominio.ufrj.br.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!SSLv3:!SSLv2; ssl_prefer_server_ciphers on; ## Strict Transport Security header for enhanced security. See ## http://www.chromium.org/sts. add_header Strict-Transport-Security "max-age=15768000"; root /usr/share/redmine/public; index index.html; ## See the blacklist.conf file at the parent dir: /etc/nginx. ## All static files will be served directly. location ~* ^.+\.(?:css|js|jpe?g|gif|htc|ico|png|html)$ { access_log off; expires 30d; ## No need to bleed constant updates. Send the all shebang in one ## fell swoop. tcp_nodelay off; ## Set the OS file cache. open_file_cache max=3000 inactive=120s; open_file_cache_valid 45s; open_file_cache_min_uses 2; open_file_cache_errors off; } ## Support for favicon. Return an 1x1 transparent GIF if it doesn't ## exist. location = /favicon.ico { expires 30d; try_files /favicon.ico @empty; } ## Return an in memory 1x1 transparent GIF. location @empty { expires 30d; empty_gif; } ## Protect .git files. location ^~ /.git { return 404; } }
server { server_name dominio.ufrj.br; root /srv/www/dominio.ufrj.br/site; access_log /var/log/nginx/access.dominio.ufrj.br.log; error_log /var/log/nginx/error.dominio.ufrj.br.log; location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Very rarely should these ever be accessed outside of your lan location ~* \.(txt|log)$ { #allow 192.168.0.0/16; deny all; } location ~ \..*/.*\.php$ { return 403; } location ~ ^/sites/.*/private/ { return 403; } # Block access to "hidden" files and directories whose names begin with a # period. This includes directories used by version control systems such # as Subversion or Git to store control files. location ~ (^|/)\. { return 403; } location / { # try_files $uri @rewrite; # For Drupal <= 6 try_files $uri /index.php?$query_string; # For Drupal >= 7 } location @rewrite { rewrite ^/(.*)$ /index.php?q=$1; } location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini include fastcgi_params; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_intercept_errors on; fastcgi_pass unix:/srv/www/dominio.ufrj.br/php-fpm.sock; } # Fighting with Styles? This little gem is amazing. # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6 location ~ ^/sites/.*/files/styles/ { # For Drpal >= 7 try_files $uri @rewrite; } location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires max; log_not_found off; } }