# Common definitions for static content (HTTPS) # TLS/SSL common ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites (2048 bits) ssl_dhparam /etc/ssl/certs/dhparam.pem; # Protocols & Ciphers ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; # Initialize important variables set $CACHE_BYPASS_FOR_DYNAMIC 0; set $CACHE_BYPASS_FOR_STATIC 0; set $PROXY_DOMAIN_OR_IP $host; set $PROXY_TO_PORT 8443; set $SITE_URI "$host$request_uri"; # Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content if ($query_string ~* "nocache") { set $CACHE_BYPASS_FOR_DYNAMIC 1; set $CACHE_BYPASS_FOR_STATIC 1; } # Proxy requests to "localhost" if ($host ~* "localhost") { set $PROXY_DOMAIN_OR_IP "127.0.0.1"; } # Proxy cPanel specific subdomains if ($host ~* "^webmail\.") { set $PROXY_DOMAIN_OR_IP "127.0.0.1"; set $PROXY_TO_PORT 2096; } if ($host ~* "^cpanel\.") { set $PROXY_DOMAIN_OR_IP "127.0.0.1"; set $PROXY_TO_PORT 2083; } if ($host ~* "^whm\.") { set $PROXY_DOMAIN_OR_IP "127.0.0.1"; set $PROXY_TO_PORT 2087; } if ($host ~* "^webdisk\.") { set $PROXY_DOMAIN_OR_IP "127.0.0.1"; set $PROXY_TO_PORT 2078; } if ($host ~* "^(cpcalendars|cpcontacts)\.") { set $PROXY_DOMAIN_OR_IP "127.0.0.1"; set $PROXY_TO_PORT 2080; } # Set custom rules like domain/IP exclusions or redirects here include custom_rules; location / { try_files $uri $uri/ @backend; } location @backend { include proxy_params_common; # === MICRO CACHING === # Comment the following line to disable 1 second micro-caching for dynamic HTML content include proxy_params_dynamic; } # Enable browser cache for static content files (TTL is 1 hour) location ~* \.(?:json|xml|rss|atom)$ { include proxy_params_common; include proxy_params_static; expires 1h; } # Enable browser cache for CSS / JS (TTL is 30 days) location ~* \.(?:css|js)$ { include proxy_params_common; include proxy_params_static; expires 30d; } # Enable browser cache for images (TTL is 60 days) location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ { include proxy_params_common; include proxy_params_static; expires 60d; } # Enable browser cache for archives, documents & media files (TTL is 60 days) location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ { set $CACHE_BYPASS_FOR_STATIC 1; include proxy_params_common; include proxy_params_static; expires 60d; } # Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days) location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ { include proxy_params_common; include proxy_params_static; expires 60d; add_header Access-Control-Allow-Origin *; } # Prevent logging of favicon and robot request errors location = /favicon.ico { include proxy_params_common; include proxy_params_static; expires 60d; log_not_found off; } location = /robots.txt { include proxy_params_common; include proxy_params_static; expires 1d; log_not_found off; } # Deny access to files like .htaccess or .htpasswd location ~ /\.ht { deny all; }