haiyon/host.conf

## host.conf
server {
    listen 80;
    server_name  domain.com www.domain.com;
    access_log        /dev/null;

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    location ^~ /.well-known/acme-challenge/ {
      alias /data/www/common/;
      try_files $uri =404;
    }
    location / {
      rewrite ^/(.*)$ https://domain.com/$1 redirect; # 302
      # rewrite ^/(.*)$ https://domain.com/$1 permanent; #301
    }

}

server {
    listen  443 ssl http2;
    server_name  domain.com www.domain.com;
    root   /data/www/domain;
    index index.html index.htm;

    # include conf.d/blacklist.conf;

    # dehydrated
    ssl_certificate      /etc/letsencrypt/live/domain/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain/privkey.pem;
    include conf.d/ssl.conf;

    access_log  /data/log/nginx/domain.access.log  main;

    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
      return 444;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

## nginx.conf
#user  nobody;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    charset utf-8;
    server_tokens off;
    # tengine
    server_info off;
    server_tag off;

    gzip on;
    gzip_vary on;

    gzip_comp_level   6;
    gzip_buffers      16 8k;

    gzip_min_length   1k;
    gzip_proxied      any;
    gzip_http_version 1.0;
    gzip_disable      "msie6";

    gzip_types        text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    keepalive_timeout  60;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    server {
        listen       80;
        server_name  _ server_ip;
        rewrite ^(.*) https://domain.com$request_uri permanent;
    }

    include /etc/nginx/vhost/*.conf;
}

## php.conf
location ~ \.php$ {
  # fastcgi_pass   127.0.0.1:9000;
  fastcgi_pass   unix:/tmp/php-fpm.sock;
  fastcgi_index index.php;
  fastcgi_intercept_errors on;
  fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
  include        fastcgi_params;
}

## ssl.conf
ssl_session_cache shared:SSL:10m;
ssl_session_timeout   60m;
ssl_buffer_size 1400;
ssl_session_tickets   on;

ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

ssl_stapling    on;
ssl_stapling_verify   on;
resolver    8.8.4.4 8.8.8.8  valid=300s;
resolver_timeout    10s;

ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers   on;

# spdy_keepalive_timeout 300;
# spdy_headers_comp 9;

add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /data/certs/dhparams.pem; # openssl dhparam -out dhparam.pem 4096
	server {
	listen 80;
	server_name domain.com www.domain.com;
	access_log /dev/null;

	if ($request_method !~ ^(GET\|HEAD\|POST)$ ) {
	return 444;
	}

	location ^~ /.well-known/acme-challenge/ {
	alias /data/www/common/;
	try_files $uri =404;
	}
	location / {
	rewrite ^/(.*)$ https://domain.com/$1 redirect; # 302
	# rewrite ^/(.*)$ https://domain.com/$1 permanent; #301
	}

	}

	server {
	listen 443 ssl http2;
	server_name domain.com www.domain.com;
	root /data/www/domain;
	index index.html index.htm;

	# include conf.d/blacklist.conf;

	# dehydrated
	ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
	include conf.d/ssl.conf;

	access_log /data/log/nginx/domain.access.log main;

	if ($request_method !~ ^(GET\|HEAD\|POST\|OPTIONS)$ ) {
	return 444;
	}

	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/share/nginx/html;
	}
	}
	#user nobody;
	worker_processes 1;

	error_log /var/log/nginx/error.log warn;
	pid /var/run/nginx.pid;

	worker_rlimit_nofile 51200;

	events {
	use epoll;
	worker_connections 51200;
	}


	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	charset utf-8;
	server_tokens off;
	# tengine
	server_info off;
	server_tag off;

	gzip on;
	gzip_vary on;

	gzip_comp_level 6;
	gzip_buffers 16 8k;

	gzip_min_length 1k;
	gzip_proxied any;
	gzip_http_version 1.0;
	gzip_disable "msie6";

	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

	server_names_hash_bucket_size 128;
	client_header_buffer_size 32k;
	large_client_header_buffers 4 32k;
	client_max_body_size 50m;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	keepalive_timeout 60;

	fastcgi_connect_timeout 300;
	fastcgi_send_timeout 300;
	fastcgi_read_timeout 300;
	fastcgi_buffer_size 64k;
	fastcgi_buffers 4 64k;
	fastcgi_busy_buffers_size 128k;
	fastcgi_temp_file_write_size 256k;

	server {
	listen 80;
	server_name _ server_ip;
	rewrite ^(.*) https://domain.com$request_uri permanent;
	}

	include /etc/nginx/vhost/*.conf;
	}
	location ~ \.php$ {
	# fastcgi_pass 127.0.0.1:9000;
	fastcgi_pass unix:/tmp/php-fpm.sock;
	fastcgi_index index.php;
	fastcgi_intercept_errors on;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
	}
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 60m;
	ssl_buffer_size 1400;
	ssl_session_tickets on;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;

	ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
	ssl_prefer_server_ciphers on;

	# spdy_keepalive_timeout 300;
	# spdy_headers_comp 9;

	add_header Strict-Transport-Security max-age=63072000;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	ssl_dhparam /data/certs/dhparams.pem; # openssl dhparam -out dhparam.pem 4096