Amazon Linux 환경설정 생성기

자동완성

일반 PHP 사이트

일반적인 PHP 사이트 (그누보드 등)

/etc/nginx/conf.d/samplesite.com.confserver {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;
 
    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
 
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log warn;
  
    location / {
        index  index.php index.html;
    }
  
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
  
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
  
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }
  
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }
  
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
  
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
  
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }
  
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
  
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
 
        include fastcgi_params;
    }
}

/etc/nginx/conf.d/samplesite.com.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64	`server {` `listen 80;` `server_name samplesite.com www.samplesite.com anothersite.net;` `root` `/home/myuser1/www;` `#set same size as post_max_size(php.ini or php_admin_value).` `client_max_body_size 10M;` `access_log` `/var/log/nginx/samplesite.com.access.log main;` `error_log` `/var/log/nginx/samplesite.com.error.log warn;` `location / {` `index index.php index.html;` `}` `# Allow Lets Encrypt Domain Validation Program` `location ^~ /.well-known/acme-challenge/` `{` `allow all;` `}` `# Block dot file (.htaccess .htpasswd .svn .git .env and so on.)` `location ~ /\. {` `deny all;` `}` `# Block (log file, binary, certificate, shell script, sql dump file) access.` `location ~* \.(log\|binary\|pem\|enc\|crt\|conf\|cnf\|sql\|sh\|key)$ {` `deny all;` `}` `# Block access` `location ~* (composer\.json\|composer\.lock\|composer\.phar\|contributing\.md\|license\.txt\|readme\.rst\|readme\.md\|readme\.txt\|copyright\|artisan\|gulpfile\.js\|package\.json\|phpunit\.xml)$ {` `deny all;` `}` `location =` `/favicon.ico {` `log_not_found off;` `access_log off;` `}` `location =` `/robots.txt {` `log_not_found off;` `access_log off;` `}` `# Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).` `location ~* /(?:uploads\|default/files\|data)/.\.php$ {` `deny all;` `}` `# Add PHP handler` `location ~ [^/]\.php(/\|$) {` `fastcgi_split_path_info ^(.+?\.php)(/.)$;` `if` `(!-f $document_root$fastcgi_script_name) {` `return` `404;` `}` `fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;` `fastcgi_index index.php;` `fastcgi_buffers 64 4k;` `# default 8 4k` `include fastcgi_params;` `}` `}`

짧은 주소 사이트

짧은 주소 사이트(워드프레스, 드루팔, CI, Laravel)에서는 try_files 구문을 통해 응답을 index.php 파일로 보내도록 설정합니다.

/etc/nginx/conf.d/samplesite.com.confserver {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;
 
    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
 
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log warn;
  
    location / {
        index  index.php index.html;
        try_files $uri $uri/ /index.php?$args;
    }
  
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
  
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
  
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }
  
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }
  
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
  
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
  
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }
  
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
  
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
 
        include fastcgi_params;
    }
}

/etc/nginx/conf.d/samplesite.com.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65	`server {` `listen 80;` `server_name samplesite.com www.samplesite.com anothersite.net;` `root` `/home/myuser1/www;` `#set same size as post_max_size(php.ini or php_admin_value).` `client_max_body_size 10M;` `access_log` `/var/log/nginx/samplesite.com.access.log main;` `error_log` `/var/log/nginx/samplesite.com.error.log warn;` `location / {` `index index.php index.html;` `try_files $uri $uri/` `/index.php?$args;` `}` `# Allow Lets Encrypt Domain Validation Program` `location ^~ /.well-known/acme-challenge/` `{` `allow all;` `}` `# Block dot file (.htaccess .htpasswd .svn .git .env and so on.)` `location ~ /\. {` `deny all;` `}` `# Block (log file, binary, certificate, shell script, sql dump file) access.` `location ~* \.(log\|binary\|pem\|enc\|crt\|conf\|cnf\|sql\|sh\|key)$ {` `deny all;` `}` `# Block access` `location ~* (composer\.json\|composer\.lock\|composer\.phar\|contributing\.md\|license\.txt\|readme\.rst\|readme\.md\|readme\.txt\|copyright\|artisan\|gulpfile\.js\|package\.json\|phpunit\.xml)$ {` `deny all;` `}` `location =` `/favicon.ico {` `log_not_found off;` `access_log off;` `}` `location =` `/robots.txt {` `log_not_found off;` `access_log off;` `}` `# Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).` `location ~* /(?:uploads\|default/files\|data)/.\.php$ {` `deny all;` `}` `# Add PHP handler` `location ~ [^/]\.php(/\|$) {` `fastcgi_split_path_info ^(.+?\.php)(/.)$;` `if` `(!-f $document_root$fastcgi_script_name) {` `return` `404;` `}` `fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;` `fastcgi_index index.php;` `fastcgi_buffers 64 4k;` `# default 8 4k` `include fastcgi_params;` `}` `}`

HTTPS 짧은주소

https 관련 구문을 설정합니다.

인증서 발급업체에서 인증서 파일을 발급받아 준비해야 합니다. 또는 https://blog.lael.be/post/5107 글을 통해 직접 인증서 파일을 발급할 수 있습니다.
다음 명령어로 dhparam.pem 파일을 먼저 생성해야 합니다. (서버 내에 1회만 실행하면 됨. 중복실행해도 문제없음)

root 사용자 권한으로 아래 명령어 실행 (서버내 1회)openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

root 사용자 권한으로 아래 명령어 실행 (서버내 1회)
1	`openssl dhparam -out` `/etc/ssl/certs/dhparam.pem 2048`

/etc/nginx/conf.d/samplesite.com.confserver {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
  
    return       301 https://$server_name$request_uri;
}
  
  
server {
    listen       443 ssl http2;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;
     
    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
  
    ssl_certificate /home/myuser1/ssl/mergedssl.crt;
    ssl_certificate_key /home/myuser1/ssl/ssl.dec.key;
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";
      
    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000";
      
    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
      
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log warn;
  
    location / {
        index  index.php index.html;
        try_files $uri $uri/ /index.php?$args;
    }
  
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
  
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
  
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }
  
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }
  
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
  
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
  
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }
  
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
  
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
 
        include fastcgi_params;
    }
}

/etc/nginx/conf.d/samplesite.com.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87	`server {` `listen 80;` `server_name samplesite.com www.samplesite.com anothersite.net;` `return` `301 https://$server_name$request_uri;` `}` `server {` `listen 443 ssl http2;` `server_name samplesite.com www.samplesite.com anothersite.net;` `root` `/home/myuser1/www;` `#set same size as post_max_size(php.ini or php_admin_value).` `client_max_body_size 10M;` `ssl_certificate` `/home/myuser1/ssl/mergedssl.crt;` `ssl_certificate_key` `/home/myuser1/ssl/ssl.dec.key;` `ssl_dhparam` `"/etc/ssl/certs/dhparam.pem";` `# Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.` `add_header Strict-Transport-Security` `"max-age=31536000";` `# Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.` `ssl_session_cache shared:SSL:20m;` `ssl_session_timeout 10m;` `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` `ssl_prefer_server_ciphers on;` `ssl_ciphers` `'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';` `access_log` `/var/log/nginx/samplesite.com.access.log main;` `error_log` `/var/log/nginx/samplesite.com.error.log warn;` `location / {` `index index.php index.html;` `try_files $uri $uri/` `/index.php?$args;` `}` `# Allow Lets Encrypt Domain Validation Program` `location ^~ /.well-known/acme-challenge/` `{` `allow all;` `}` `# Block dot file (.htaccess .htpasswd .svn .git .env and so on.)` `location ~ /\. {` `deny all;` `}` `# Block (log file, binary, certificate, shell script, sql dump file) access.` `location ~* \.(log\|binary\|pem\|enc\|crt\|conf\|cnf\|sql\|sh\|key)$ {` `deny all;` `}` `# Block access` `location ~* (composer\.json\|composer\.lock\|composer\.phar\|contributing\.md\|license\.txt\|readme\.rst\|readme\.md\|readme\.txt\|copyright\|artisan\|gulpfile\.js\|package\.json\|phpunit\.xml)$ {` `deny all;` `}` `location =` `/favicon.ico {` `log_not_found off;` `access_log off;` `}` `location =` `/robots.txt {` `log_not_found off;` `access_log off;` `}` `# Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).` `location ~* /(?:uploads\|default/files\|data)/.\.php$ {` `deny all;` `}` `# Add PHP handler` `location ~ [^/]\.php(/\|$) {` `fastcgi_split_path_info ^(.+?\.php)(/.)$;` `if` `(!-f $document_root$fastcgi_script_name) {` `return` `404;` `}` `fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;` `fastcgi_index index.php;` `fastcgi_buffers 64 4k;` `# default 8 4k` `include fastcgi_params;` `}` `}`

HTTPS 일반

https 관련 구문을 설정합니다.

root 사용자 권한으로 아래 명령어 실행 (서버내 1회)openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

root 사용자 권한으로 아래 명령어 실행 (서버내 1회)
1	`openssl dhparam -out` `/etc/ssl/certs/dhparam.pem 2048`

/etc/nginx/conf.d/samplesite.com.confserver {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
  
    return       301 https://$server_name$request_uri;
}
  
  
server {
    listen       443 ssl http2;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;
     
    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
  
    ssl_certificate /home/myuser1/ssl/mergedssl.crt;
    ssl_certificate_key /home/myuser1/ssl/ssl.dec.key;
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";
      
    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000";
      
    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
      
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log warn;
  
    location / {
        index  index.php index.html;
    }
  
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
  
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
  
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }
  
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }
  
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
  
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
  
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }
  
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
  
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
 
        include fastcgi_params;
    }
}

/etc/nginx/conf.d/samplesite.com.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86	`server {` `listen 80;` `server_name samplesite.com www.samplesite.com anothersite.net;` `return` `301 https://$server_name$request_uri;` `}` `server {` `listen 443 ssl http2;` `server_name samplesite.com www.samplesite.com anothersite.net;` `root` `/home/myuser1/www;` `#set same size as post_max_size(php.ini or php_admin_value).` `client_max_body_size 10M;` `ssl_certificate` `/home/myuser1/ssl/mergedssl.crt;` `ssl_certificate_key` `/home/myuser1/ssl/ssl.dec.key;` `ssl_dhparam` `"/etc/ssl/certs/dhparam.pem";` `# Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.` `add_header Strict-Transport-Security` `"max-age=31536000";` `# Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.` `ssl_session_cache shared:SSL:20m;` `ssl_session_timeout 10m;` `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` `ssl_prefer_server_ciphers on;` `ssl_ciphers` `'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';` `access_log` `/var/log/nginx/samplesite.com.access.log main;` `error_log` `/var/log/nginx/samplesite.com.error.log warn;` `location / {` `index index.php index.html;` `}` `# Allow Lets Encrypt Domain Validation Program` `location ^~ /.well-known/acme-challenge/` `{` `allow all;` `}` `# Block dot file (.htaccess .htpasswd .svn .git .env and so on.)` `location ~ /\. {` `deny all;` `}` `# Block (log file, binary, certificate, shell script, sql dump file) access.` `location ~* \.(log\|binary\|pem\|enc\|crt\|conf\|cnf\|sql\|sh\|key)$ {` `deny all;` `}` `# Block access` `location ~* (composer\.json\|composer\.lock\|composer\.phar\|contributing\.md\|license\.txt\|readme\.rst\|readme\.md\|readme\.txt\|copyright\|artisan\|gulpfile\.js\|package\.json\|phpunit\.xml)$ {` `deny all;` `}` `location =` `/favicon.ico {` `log_not_found off;` `access_log off;` `}` `location =` `/robots.txt {` `log_not_found off;` `access_log off;` `}` `# Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).` `location ~* /(?:uploads\|default/files\|data)/.\.php$ {` `deny all;` `}` `# Add PHP handler` `location ~ [^/]\.php(/\|$) {` `fastcgi_split_path_info ^(.+?\.php)(/.)$;` `if` `(!-f $document_root$fastcgi_script_name) {` `return` `404;` `}` `fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;` `fastcgi_index index.php;` `fastcgi_buffers 64 4k;` `# default 8 4k` `include fastcgi_params;` `}` `}`

HTTP, HTTPS-일반

http와 https 모두 사용합니다. 어쩔 수 없는 상황이 아니라면, https 하나만 사용하는 것이 좋습니다.

root 사용자 권한으로 아래 명령어 실행 (서버내 1회)openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

root 사용자 권한으로 아래 명령어 실행 (서버내 1회)
1	`openssl dhparam -out` `/etc/ssl/certs/dhparam.pem 2048`

/etc/nginx/conf.d/samplesite.com.confserver {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;
 
    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
 
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log warn;
  
    location / {
        index  index.php index.html;
    }
  
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
  
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
  
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }
  
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }
  
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
  
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
  
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }
  
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
  
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
 
        include fastcgi_params;
    }
}
  
  
server {
    listen       443 ssl http2;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;
     
    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
  
    ssl_certificate /home/myuser1/ssl/mergedssl.crt;
    ssl_certificate_key /home/myuser1/ssl/ssl.dec.key;
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";
      
    # Disable HSTS.
    add_header Strict-Transport-Security "max-age=0";
      
    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
      
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log warn;
  
    location / {
        index  index.php index.html;
    }
  
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
  
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
  
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }
  
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }
  
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
  
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
  
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }
  
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
  
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
 
        include fastcgi_params;
    }
}