server { listen 8443 ssl http2; listen [::]:8443 ssl http2; server_name zabbix; server_name_in_redirect off; index index.php; access_log /dev/fd/1 main; error_log /dev/fd/2 error; set $webroot '/usr/share/zabbix'; root $webroot; large_client_header_buffers 8 8k; client_max_body_size 10M; ssl_certificate /etc/ssl/nginx/ssl.crt; ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } location = /favicon.ico { log_not_found off; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). location ~ /\. { deny all; access_log off; log_not_found off; } # caching of files location ~* \.ico$ { expires 1y; } location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ { expires 14d; } location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/|vendor\/) { deny all; return 404; } location ~ ^/(status|ping)$ { access_log off; fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_param SCRIPT_FILENAME $webroot$fastcgi_script_name; fastcgi_index index.php; include fastcgi_params; } location / { try_files $uri $uri/ /index.php?$args; } location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $webroot$fastcgi_script_name; include fastcgi_params; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_intercept_errors on; fastcgi_ignore_client_abort off; fastcgi_connect_timeout 60; fastcgi_send_timeout 180; fastcgi_read_timeout {FCGI_READ_TIMEOUT}; fastcgi_buffer_size 128k; fastcgi_buffers 4 256k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; } }