ansible/roles/nginx/templates/nginx-ssl.conf from repman-io/repman

ansible/roles/nginx/templates/nginx-ssl.conf
Summary

Maintainability

Test Coverage

Issues
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
}

http {
    server_tokens off;
    fastcgi_read_timeout {{ nginx_read_timeout }};
    client_max_body_size {{ nginx_client_max_body_size }};
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '$upstream_response_time';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    # HTTP Host Header poisoning mitigation
    server {
        listen 443;
        server_name _;

        ssl_certificate {{ nginx_vhost_ssl_crt_path }};
        ssl_certificate_key {{ nginx_vhost_ssl_key_path }};

        ssl_session_tickets off;

        return 444;
    }

    server {
        listen       80;
        listen       [::]:80;
        listen       {{ nginx_port }} default_server ssl http2;
        listen       [::]:{{ nginx_port }} ssl http2;
        server_name  {{ nginx_servername }};
        root {{ app_current_dir }}/public;

        ssl_certificate {{ nginx_vhost_ssl_crt_path }};
        ssl_certificate_key {{ nginx_vhost_ssl_key_path }};

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_prefer_server_ciphers on;
        ssl_session_tickets off;
        ssl_dhparam {{ dhparam_file }};

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        location / {
            # try to serve file directly, fallback to index.php
            try_files $uri /index.php$is_args$args;
        }

        location ~ ^/index\.php(/|$) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            fastcgi_pass unix:{{ php_fastcgi_listen }};
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
            include fastcgi_params;
            internal;
        }

        error_log "{{ nginx_app_error_log }}";
        access_log "{{ nginx_app_access_log }}"  main;
    }
}