# https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/

server {
  listen 80;
  server_name DOMAIN.LTD;
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name DOMAIN.LTD;

  root /var/www/DOMAIN.LTD/app/web;
  index index.html index.php;

  charset utf-8;

  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }

  location = /favicon.ico { access_log off; log_not_found off; }
  location = /robots.txt  { access_log off; log_not_found off; }

  access_log on;
  error_log /var/www/DOMAIN.LTD/log/error.log;

  sendfile off;

  client_max_body_size 100m;

  #SSL Certificates
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
  ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
  ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
  # ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 10m;
  ssl_ciphers HIGH:!aNULL:!MD5;
  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers  on;

  add_header Strict-Transport-Security "max-age=31536000;
  #includeSubDomains" always;

  location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 127.0.0.1;
    fastcgi_index index.php;
    include fastcgi.conf;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors off;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 4 16k;
  }

  location ~ /\.ht {
    deny all;
  }

  # website should not be displayed inside a <frame>, an <iframe> or an <object>
  add_header X-Frame-Options SAMEORIGIN;

}