Der perfekte Rootserver (Support Thread)
Discussion on Der perfekte Rootserver (Support Thread) within the Unix/Linux forum part of the Technical Support category.
07/17/2016, 14:44
|
#301
|
elite*gold: 0
Join Date: Jan 2015
Posts: 118
Received Thanks: 17
|
You can simply disable the mail server. Then you just have to leave the config at the hoster as it is. That should work.
Sent from my C6903 using Tapatalk
|
|
|
07/17/2016, 19:53
|
#302
|
elite*gold: 0
Join Date: Feb 2011
Posts: 18
Received Thanks: 0
|
Quote:
Originally Posted by REtender
Take a look in the userconfig:
Afterwards, this can only be changed via Nginx -> vhost configuration (/etc/nginx/sites-available), I would think
If you google "redirect www to https nginx", you will find example configs and approaches... unfortunately I'm on my way out right now, but maybe it helps anyway.
|
Google was only moderately successful. I'll set the whole thing up again from scratch.
A nice additional feature would be the integration of Froxlor or Ajenti V.
Otherwise, great work!!
With the current installation it unfortunately no longer works. I simply can't get a valid certificate created anymore.
Dies ist keine sichere Verbindung
Unbefugte Dritte könnten versuchen, Ihre Informationen von  zu stehlen, z. B. Passwörter, Nachrichten oder Kreditkartendaten. NET::ERR_CERT_AUTHORITY_INVALID
|
|
|
07/20/2016, 18:01
|
#303
|
elite*gold: 0
Join Date: Jan 2015
Posts: 118
Received Thanks: 17
|
If I do this:
Code:
cd ~/sources/letsencrypt
Code:
./letsencrypt-auto --agree-tos --renew-by-default --email [email] [/email] --rsa-key-size 4096 -d deinedomain.tld -d www.deinedomain.tld -d mail.deinedomain.tld -d autodiscover.deinedomain.tld -d autoconfig.deinedomain.tld -d dav.deinedomain.tld certonly
Then it asks "How would you like to authenticate with the ACME CA?"
1 Place files in webroot directory (webroot)
2 Automatically use a temporary webserver (standalone)
Wouldn't it be the second option?
Because the result of option 2 is
I also don't necessarily want to do anything wrong here.
Do I now have to
1. choose the first option, or
2. stop nginx beforehand?
|
|
|
07/23/2016, 23:29
|
#304
|
elite*gold: 0
Join Date: Oct 2011
Posts: 160
Received Thanks: 7
|
Hi there,
I currently unfortunately have a problem installing Joomla 3.6 on the Nginx web server.
What do I have to change so that the server completes EVERYTHING successfully?
|
|
|
07/28/2016, 03:26
|
#305
|
elite*gold: 0
Join Date: Jun 2010
Posts: 74
Received Thanks: 6
|
Sooo, after a long night Ajenti now also has an automatically generated secure password
Preparations for an OpenVPN installation are already under way, but whether I'll manage that anytime soon

In case anyone wants to test it
|
|
|
08/03/2016, 00:11
|
#306
|
elite*gold: 0
Join Date: Oct 2011
Posts: 160
Received Thanks: 7
|
Quote:
Originally Posted by REtender
Sooo, after a long night Ajenti now also has an automatically generated secure password
Preparations for an OpenVPN installation are already under way, but whether I'll manage that anytime soon

In case anyone wants to test it
|
Roughly how long will it take until OpenVPN is ready for use?!
|
|
|
08/03/2016, 21:04
|
#307
|
elite*gold: 0
Join Date: Jun 2010
Posts: 74
Received Thanks: 6
|
Quote:
Originally Posted by Axiades
Roughly how long will it take until OpenVPN is ready for use?!
|
Don't count on it anytime soon
At the moment I'm very busy in RL, and I have to look closely at a secure implementation myself so that the result isn't a complete mess
|
|
|
08/04/2016, 15:15
|
#308
|
elite*gold: 100
Join Date: Jan 2016
Posts: 577
Received Thanks: 50
|
.
|
|
|
08/04/2016, 18:02
|
#309
|
elite*gold: 0
Join Date: Jan 2015
Posts: 118
Received Thanks: 17
|
When did you do that? It takes up to 48 hours. Or it can take up to 48 hours.
Sent from my C6903 using Tapatalk
|
|
|
08/04/2016, 18:46
|
#310
|
elite*gold: 100
Join Date: Jan 2016
Posts: 577
Received Thanks: 50
|
That has already been sorted out.
I have a question about Roundcube: where are the user and password listed? (I'm being blind once again)
|
|
|
08/04/2016, 18:51
|
#311
|
elite*gold: 0
Join Date: Jan 2015
Posts: 118
Received Thanks: 17
|
In the same file as all the other passwords, in the root directory
Sent from my C6903 using Tapatalk
|
|
|
08/04/2016, 19:06
|
#312
|
elite*gold: 100
Join Date: Jan 2016
Posts: 577
Received Thanks: 50
|
There is something about its database in there, but nothing about it itself like for mailcow,
I've already tried around with usernames and passwords
|
|
|
08/04/2016, 22:55
|
#313
|
elite*gold: 0
Join Date: Oct 2011
Posts: 160
Received Thanks: 7
|
Quote:
Originally Posted by REtender
Don't count on it anytime soon
At the moment I'm very busy in RL, and I have to look closely at a secure implementation myself so that the result isn't a complete mess
|
All right ^^
Then at least I know ^^
Is there a way to configure OpenVPN afterwards via the update script once it is in the script?
Quote:
Originally Posted by Themanwhoisit
There is something about its database in there, but nothing about it itself like for mailcow,
I've already tried around with usernames and passwords
|
You have to create an e-mail address in MailCow in order to log in to Roundcube..
|
|
|
08/08/2016, 08:57
|
#314
|
elite*gold: 0
Join Date: Jan 2015
Posts: 118
Received Thanks: 17
|
Does anyone have a short how-to for updating nginx on this system?
|
|
|
08/08/2016, 22:08
|
#315
|
elite*gold: 0
Join Date: Jun 2010
Posts: 74
Received Thanks: 6
|
Quote:
Originally Posted by TakeThisBitch
Does anyone have a short how-to for updating nginx on this system?
|
One could surely rewrite mxiiii's update script
Edit:
I have roughly "decluttered" update_server.sh.
It DEFINITELY does NOT work like this! It is only a starting point in case someone wants to tinker.
Code:
source ~/updateconfig.cfg
IPADR=$(ifconfig eth0 | awk -F ' *|:' '/inet /{print $4}')
# Some nice colors
red() { echo "$(tput setaf 1)$*$(tput setaf 9)"; }
green() { echo "$(tput setaf 2)$*$(tput setaf 9)"; }
yellow() { echo "$(tput setaf 3)$*$(tput setaf 9)"; }
magenta() { echo "$(tput setaf 5)$*$(tput setaf 9)"; }
cyan() { echo "$(tput setaf 6)$*$(tput setaf 9)"; }
textb() { echo $(tput bold)${1}$(tput sgr0); }
greenb() { echo $(tput bold)$(tput setaf 2)${1}$(tput sgr0); }
redb() { echo $(tput bold)$(tput setaf 1)${1}$(tput sgr0); }
yellowb() { echo $(tput bold)$(tput setaf 3)${1}$(tput sgr0); }
pinkb() { echo $(tput bold)$(tput setaf 5)${1}$(tput sgr0); }
# Some nice variables
info="$(textb [INFO] -)"
warn="$(yellowb [WARN] -)"
error="$(redb [ERROR] -)"
fyi="$(pinkb [INFO] -)"
ok="$(greenb [OKAY] -)"
echo
echo "$(yellowb +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+)"
echo " $(textb Perfect) $(textb Rootserver) $(textb Update) $(textb by)" "$(cyan MXIIII)"
echo "$(yellowb +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+)"
echo
if [ "$CONFIG_COMPLETED" != '1' ]; then
echo "${error} Please check the userconfig and set a valid value for the variable \"$(textb CONFIG_COMPLETED)\" to continue." | awk '{ print strftime("[%H:%M:%S] |"), $0 }'
exit 1
fi
echo "${info} Backup..."
# Recreate the backup directory; -p is needed because /root/backup was just removed
rm /root/backup/ -r >/dev/null 2>&1
mkdir -p /root/backup/nginx >/dev/null 2>&1
cp -R /etc/nginx/* /root/backup/nginx
echo "${info} Install..."
echo
echo "$(yellowb +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+)"
echo " $(textb Perfect) $(textb Rootserver) $(textb Update) $(textb by)" "$(cyan MXIIII)"
echo "$(yellowb +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+)"
echo
echo "${info} Backup..."
echo "${info} Install..."
echo "${info} NGINX Update..."
echo "${warn} Some of the tasks could take a long time, please be patient!"
service nginx stop
cd ~/sources
echo "${info} Downloading Nginx..."
wget -nc http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz >/dev/null 2>&1
tar -xzf nginx-${NGINX_VERSION}.tar.gz
cd nginx-${NGINX_VERSION}
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--user=www-data \
--group=www-data \
--without-http_autoindex_module \
--without-http_browser_module \
--without-http_empty_gif_module \
--without-http_userid_module \
--without-http_split_clients_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_geoip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-ipv6 \
--with-debug \
--with-pcre \
--with-cc-opt='-O2 -g -pipe -Wall -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' \
--with-openssl=$HOME/sources/openssl-${OPENSSL_VERSION} \
--add-module=$HOME/sources/ngx_pagespeed-release-${NPS_VERSION}-beta >/dev/null 2>&1
echo "${info} NGINX Install..."
make >/dev/null 2>&1
checkinstall --install=no -y >/dev/null 2>&1
dpkg -i nginx_${NGINX_VERSION}-1_amd64.deb >/dev/null 2>&1
mv nginx_${NGINX_VERSION}-1_amd64.deb ../
cp -R /root/backup/nginx/* /etc/nginx/
cat > /etc/nginx/sites-available/autodiscover.${MYDOMAIN}.conf <<END
server {
listen 80;
server_name autodiscover.${MYDOMAIN} autoconfig.${MYDOMAIN};
return 301 https://autodiscover.${MYDOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
server_name autodiscover.${MYDOMAIN} autoconfig.${MYDOMAIN};
root /var/www/zpush;
index index.php;
charset utf-8;
error_page 404 /index.php;
ssl_certificate ssl/${MYDOMAIN}.pem;
ssl_certificate_key ssl/${MYDOMAIN}.key;
#ssl_trusted_certificate ssl/${MYDOMAIN}.pem;
ssl_dhparam ssl/dh.pem;
#ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_buffer_size 1400;
#ssl_stapling on;
#ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
#resolver_timeout 2s;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Public-Key-Pins 'pin-sha256="${HPKP1}"; pin-sha256="${HPKP2}"; max-age=5184000; includeSubDomains';
add_header Cache-Control "public";
add_header X-Frame-Options SAMEORIGIN;
add_header Alternate-Protocol 443:npn-http/2;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Permitted-Cross-Domain-Policies "master-only";
add_header "X-UA-Compatible" "IE=Edge";
add_header "Access-Control-Allow-Origin" "*";
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src 'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'";
auth_basic_user_file htpasswd/.htpasswd;
location ~ ^(.+\.php)(.*)\$ {
fastcgi_split_path_info ^(.+\.php)(/.+)\$;
try_files \$fastcgi_script_name =404;
set \$path_info \$fastcgi_path_info;
fastcgi_param PATH_INFO \$path_info;
fastcgi_param APP_ENV production;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_buffers 256 16k;
fastcgi_buffer_size 128k;
fastcgi_connect_timeout 3s;
fastcgi_send_timeout 120s;
fastcgi_read_timeout 120s;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
rewrite (?i)^/autodiscover/autodiscover\.xml\$ /autodiscover/autodiscover.php;
location / {
try_files \$uri \$uri/ /index.php;
}
location /Microsoft-Server-ActiveSync {
rewrite ^(.*)\$ /index.php last;
}
location ~ /(\.ht|Core|Specific) {
deny all;
return 404;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
location ~* ^.+\.(css|js)\$ {
rewrite ^(.+)\.(\d+)\.(css|js)\$ \$1.\$3 last;
expires 30d;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=2592000, public";
}
location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)\$ {
expires 30d;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=2592000, public";
}
if (\$http_user_agent ~* "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|Scrapy") {
return 403;
}
}
END
cat > /etc/nginx/sites-available/dav.${MYDOMAIN}.conf <<END
server {
listen 80;
server_name dav.${MYDOMAIN};
return 301 https://dav.${MYDOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
server_name dav.${MYDOMAIN};
root /var/www/dav;
index server.php;
charset utf-8;
error_page 404 /index.php;
ssl_certificate ssl/${MYDOMAIN}.pem;
ssl_certificate_key ssl/${MYDOMAIN}.key;
#ssl_trusted_certificate ssl/${MYDOMAIN}.pem;
ssl_dhparam ssl/dh.pem;
#ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_buffer_size 1400;
#ssl_stapling on;
#ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
#resolver_timeout 2s;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Public-Key-Pins 'pin-sha256="${HPKP1}"; pin-sha256="${HPKP2}"; max-age=5184000; includeSubDomains';
add_header Cache-Control "public";
add_header X-Frame-Options SAMEORIGIN;
add_header Alternate-Protocol 443:npn-http/2;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Permitted-Cross-Domain-Policies "master-only";
add_header "X-UA-Compatible" "IE=Edge";
add_header "Access-Control-Allow-Origin" "*";
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src 'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'";
auth_basic_user_file htpasswd/.htpasswd;
location ~ ^(.+\.php)(.*)\$ {
fastcgi_split_path_info ^(.+\.php)(/.+)\$;
try_files \$fastcgi_script_name =404;
set \$path_info \$fastcgi_path_info;
fastcgi_param PATH_INFO \$path_info;
fastcgi_param APP_ENV production;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_buffers 256 16k;
fastcgi_buffer_size 128k;
fastcgi_connect_timeout 3s;
fastcgi_send_timeout 120s;
fastcgi_read_timeout 120s;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
rewrite ^/.well-known/caldav /server.php redirect;
rewrite ^/.well-known/carddav /server.php redirect;
location / {
try_files \$uri \$uri/ /server.php?\$args;
}
location ~ /(\.ht|Core|Specific) {
deny all;
return 404;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
location ~* ^.+\.(css|js)\$ {
rewrite ^(.+)\.(\d+)\.(css|js)\$ \$1.\$3 last;
expires 30d;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=2592000, public";
}
location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)\$ {
expires 30d;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=2592000, public";
}
if (\$http_user_agent ~* "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|Scrapy") {
return 403;
}
}
END
cat > /etc/nginx/sites-available/${MYDOMAIN}.conf <<END
server {
listen 80 default_server;
server_name ${IPADR} ${MYDOMAIN};
return 301 https://${MYDOMAIN}\$request_uri;
}
server {
listen 443;
server_name ${IPADR} www.${MYDOMAIN} mail.${MYDOMAIN};
return 301 https://${MYDOMAIN}\$request_uri;
}
server {
listen 443 ssl http2 default deferred;
server_name ${MYDOMAIN};
root /etc/nginx/html;
index index.php index.html index.htm;
charset utf-8;
error_page 404 /index.php;
ssl_certificate ssl/${MYDOMAIN}.pem;
ssl_certificate_key ssl/${MYDOMAIN}.key;
#ssl_trusted_certificate ssl/${MYDOMAIN}.pem;
ssl_dhparam ssl/dh.pem;
#ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_buffer_size 1400;
#ssl_stapling on;
#ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
#resolver_timeout 2s;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Public-Key-Pins 'pin-sha256="${HPKP1}"; pin-sha256="${HPKP2}"; max-age=5184000; includeSubDomains';
add_header Cache-Control "public";
add_header X-Frame-Options SAMEORIGIN;
add_header Alternate-Protocol 443:npn-http/2;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Permitted-Cross-Domain-Policies "master-only";
add_header "X-UA-Compatible" "IE=Edge";
add_header "Access-Control-Allow-Origin" "*";
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src 'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'";
pagespeed on;
pagespeed EnableFilters collapse_whitespace;
pagespeed EnableFilters canonicalize_javascript_libraries;
pagespeed EnableFilters combine_css;
pagespeed EnableFilters combine_javascript;
pagespeed EnableFilters elide_attributes;
pagespeed EnableFilters extend_cache;
pagespeed EnableFilters flatten_css_imports;
pagespeed EnableFilters lazyload_images;
pagespeed EnableFilters rewrite_javascript;
pagespeed EnableFilters rewrite_images;
pagespeed EnableFilters insert_dns_prefetch;
pagespeed EnableFilters prioritize_critical_css;
pagespeed FetchHttps enable,allow_self_signed;
pagespeed FileCachePath /var/lib/nginx/nps_cache;
pagespeed RewriteLevel CoreFilters;
pagespeed CssFlattenMaxBytes 5120;
pagespeed LogDir /var/log/pagespeed;
pagespeed EnableCachePurge on;
pagespeed PurgeMethod PURGE;
pagespeed DownstreamCachePurgeMethod PURGE;
pagespeed DownstreamCachePurgeLocationPrefix http://127.0.0.1:80/;
pagespeed DownstreamCacheRewrittenPercentageThreshold 95;
pagespeed LazyloadImagesAfterOnload on;
pagespeed LazyloadImagesBlankUrl "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7";
pagespeed MemcachedThreads 1;
pagespeed MemcachedServers "localhost:11211";
pagespeed MemcachedTimeoutUs 100000;
pagespeed RespectVary on;
pagespeed Disallow "*/pma/*";
# This will correctly rewrite your subresources with https:// URLs and thus avoid mixed content warnings.
# Note, that you should only enable this option if you are behind a load-balancer that will set this header,
# otherwise your users will be able to set the protocol PageSpeed uses to interpret the request.
#
#pagespeed RespectXForwardedProto on;
auth_basic_user_file htpasswd/.htpasswd;
location ~ \.php\$ {
fastcgi_split_path_info ^(.+\.php)(/.+)\$;
try_files \$fastcgi_script_name =404;
fastcgi_param PATH_INFO \$fastcgi_path_info;
fastcgi_param PATH_TRANSLATED \$document_root\$fastcgi_path_info;
fastcgi_param APP_ENV production;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_intercept_errors off;
fastcgi_ignore_client_abort off;
fastcgi_buffers 256 16k;
fastcgi_buffer_size 128k;
fastcgi_connect_timeout 3s;
fastcgi_send_timeout 120s;
fastcgi_read_timeout 120s;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
include /etc/nginx/sites-custom/*.conf;
location / {
include /etc/nginx/naxsi.rules;
# Uncomment, if you need to remove index.php from the
# URL. Usefull if you use Codeigniter, Zendframework, etc.
# or just need to remove the index.php
#
#try_files \$uri \$uri/ /index.php?\$args;
}
location ~* /\.(?!well-known\/) {
deny all;
access_log off;
log_not_found off;
}
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
deny all;
access_log off;
log_not_found off;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
location ~* ^.+\.(css|js)\$ {
rewrite ^(.+)\.(\d+)\.(css|js)\$ \$1.\$3 last;
expires 30d;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=2592000, public";
}
location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)\$ {
expires 30d;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=2592000, public";
}
if (\$http_user_agent ~* "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|Scrapy") {
return 403;
}
}
END
service nginx start
|
|
|
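An added audit sketch, not part of the posted script or the original project: the vhosts written by the heredocs above enable TLSv1 and TLSv1.1, leave HSTS commented out, send a wildcard Access-Control-Allow-Origin, allow 'unsafe-inline' and 'unsafe-eval' in the CSP, and set auth_basic_user_file without any auth_basic directive (nginx defaults to auth_basic off, so the user file alone enforces nothing). The function names, finding codes and the example.org sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak settings in a generated nginx vhost.
# audit_vhost reads a config on stdin and prints one finding code per line.
audit_vhost() (
    # Drop comment lines so commented-out directives do not count as active.
    active=$(grep -Ev '^[[:space:]]*#' || true)
    has() { printf '%s\n' "$active" | grep -Eq -- "$1"; }

    # TLS 1.0 / 1.1 still enabled in ssl_protocols.
    if has 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo LEGACY_TLS
    fi
    # TLS listener present, but no active HSTS header.
    if has 'listen[^;]*[[:space:]]ssl' &&
       ! has 'add_header[[:space:]]+"?Strict-Transport-Security'; then
        echo NO_HSTS
    fi
    # Any origin may read responses cross-site.
    if has 'add_header[[:space:]]+"?Access-Control-Allow-Origin"?[[:space:]]+"?\*'; then
        echo CORS_WILDCARD
    fi
    # CSP that still permits inline script or eval.
    if has "Content-Security-Policy.*'unsafe-(inline|eval)'"; then
        echo CSP_UNSAFE
    fi
    # Password file configured, but basic auth never switched on in this file.
    if has 'auth_basic_user_file' &&
       ! has '(^|[[:space:]])auth_basic[[:space:]]'; then
        echo AUTH_FILE_UNUSED
    fi
)

# Constructed sample: the relevant directives as the update script writes them.
sample_weak() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name dav.example.org;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header "Access-Control-Allow-Origin" "*";
    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'";
    auth_basic_user_file htpasswd/.htpasswd;
}
EOF
}

# Constructed sample: the same vhost with each finding addressed
# (assumes basic auth was actually intended for this host).
sample_hardened() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name dav.example.org;
    ssl_protocols TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Content-Security-Policy "script-src 'self'; object-src 'self'";
    auth_basic "Restricted";
    auth_basic_user_file htpasswd/.htpasswd;
}
EOF
}

printf 'weak vhost:\n';     sample_weak | audit_vhost
printf 'hardened vhost:\n'; sample_hardened | audit_vhost
```

To check a real file, run `audit_vhost < /etc/nginx/sites-available/<name>.conf`; directives pulled in through `include` are not followed.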
 |
All times are GMT +1. The time now is 01:49.
|
|