{% set domain_name = item.nginx_domain_name %} {% set domain_aliases = item.nginx_domain_aliases | default("") %} {% set use_https = item.use_https | default("no") %} {% if use_https == "yes" %} # http -> https vhost server { listen 80; server_name {{ domain_name }} {{ domain_aliases }}; # redirect http -> https location / { # ? in rewrite makes sure nginx doesn't append query string again # see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite rewrite ^ https://{{ domain_name }}$request_uri? permanent; } } {% endif %} server { listen {% if use_https == "yes" %} 443 ssl spdy{% else %} 80{% endif %}; root {{ nginx_root_prefix }}/{{ domain_name }}; {# assumes you only want the main domain name listening for https #} server_name {{ domain_name }} {% if use_https == "no" %} {{ domain_aliases }}{% endif %}; index index.php index.html; access_log /var/log/nginx/{{ domain_name }}-access.log; error_log /var/log/nginx/{{ domain_name }}-error.log; {% if use_https == "yes" %} {% include 'https.j2' %} {% endif %} location / { try_files $uri $uri/ =404; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } location ~ \.php$ { # Zero-day exploit defense. # http://forum.nginx.org/read.php?2,88845,page=3 # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi. # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked. try_files $uri =404; #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock; fastcgi_index index.php; # set script path relative to document root in server block fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } }