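# Virtual host for overcomers.group: DokuWiki under /doku, plain files at /.
#
# NOTE(review): this one server block answers both plain HTTP (port 80) and
# HTTPS (port 443), so everything below is also reachable unencrypted, and the
# Strict-Transport-Security header is only honoured by browsers on the HTTPS
# responses. A separate port-80 block that serves only the ACME challenge and
# redirects the rest to https:// is the usual shape — left as-is here.
server {
    listen 80;
    listen 443 ssl;
    server_name overcomers.group;

    access_log /var/log/nginx/overcomers_access.log main;
    error_log  /var/log/nginx/overcomers_error.log info;

    # TLS settings. TLSv1.1 was removed from the allowed protocols: it is
    # deprecated (RFC 8996) and none of the ciphers listed below are usable
    # with it anyway. Add TLSv1.3 once the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # max-age is ~6 months; no includeSubDomains/preload, so only this host is pinned.
    add_header Strict-Transport-Security max-age=15768000;
    ssl_certificate     /somepath/certificates/overcomers.group.crt;
    ssl_certificate_key /somepath/certificates/overcomers.group.key;

    # ACME HTTP-01 challenge files, served from a dedicated webroot.
    # ^~ makes this prefix win over the regex locations further down.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/tmp;
        allow all;
    }
    # The challenge directory itself is never listed or indexed.
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    root /var/www/overcomers;

    # DokuWiki internals must never be served directly. The pattern is
    # unanchored on purpose so it also covers /doku/data/, /doku/conf/, ...
    location ~ /(data|conf|bin|inc|vendor)/ {
        deny all;
    }

    location /doku {
        index index.php;
        try_files $uri $uri/ @doku;

        # PHP is only executed under /doku. There is no PHP handler for the
        # site root below: a .php file placed under /var/www/overcomers outside
        # /doku would be served as a plain file (source disclosure), so keep
        # PHP out of the root or add a handler there deliberately.
        location ~ \.php$ {
            # Workaround for PHP vulnerability:
            # http://forum.nginx.org/read.php?2,88845,page=3
            # Only scripts that exist on disk are handed to PHP-FPM.
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            keepalive_timeout 0;
            fastcgi_param HTTPS $https if_not_empty;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
    }

    # Rewrites for DokuWiki's short URLs onto its real PHP entry points.
    location @doku {
        rewrite ^/doku/_media/(.*) /doku/lib/exe/fetch.php?media=$1 last;
        rewrite ^/doku/_detail/(.*) /doku/lib/exe/detail.php?media=$1 last;
        rewrite ^/doku/_export/([^/]+)/(.*) /doku/doku.php?do=export_$1&id=$2 last;
        rewrite ^/doku/(.*) /doku/doku.php?id=$1 last;
    }

    location / {
        index index.php index.html index.htm;
    }

    # Static assets: skip access logging. The dot before the extension was
    # previously unescaped (matching any character); it is now a literal dot.
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
        access_log off;
    }

    # Never expose Apache-style .htaccess/.htpasswd files.
    location ~ /\.ht {
        deny all;
    }
}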