map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen %ip%:%nginx_port% ssl %http2%; server_name %domain_idn% %alias_idn%; access_log /usr/local/apache/domlogs/%domain%.bytes bytes; access_log /usr/local/apache/domlogs/%domain%.log combined; error_log /usr/local/apache/domlogs/%domain%.error.log error; ssl_certificate %ssl_cert_path%/%domain%.bundle; ssl_certificate_key %ssl_key_path%/%domain%.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 60m; location / { location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh|webp)$ { root %docroot%; expires max; try_files $uri $uri/ @backend; } error_page 405 = @backend; error_page 500 = @custom; add_header X-Cache "HIT from Backend"; add_header Strict-Transport-Security "max-age=31536000"; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_pass %proxy_protocol%://%proxy_ip%:%proxy_port%; include proxy.inc; } location @backend { internal; proxy_pass %proxy_protocol%://%proxy_ip%:%proxy_port%; include proxy.inc; } location @custom { internal; proxy_pass %proxy_protocol%://%proxy_ip%:%proxy_port%; include proxy.inc; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; } location ~ .*\.(php|jsp|cgi|pl|py)?$ { proxy_pass %proxy_protocol%://%proxy_ip%:%proxy_port%; include proxy.inc; } location ~ /\.ht {deny all;} location ~ /\.svn/ {deny all;} location ~ /\.git/ {deny all;} location ~ /\.hg/ {deny all;} location ~ /\.bzr/ {deny all;} disable_symlinks if_not_owner from=%docroot%; location /.well-known/acme-challenge { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } location /.well-known/pki-validation { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } } server { listen %ip%:%nginx_port% ssl %http2%; server_name webmail.%domain_idn%; access_log /usr/local/apache/domlogs/%domain%.bytes bytes; access_log /usr/local/apache/domlogs/%domain%.log combined; error_log /usr/local/apache/domlogs/%domain%.error.log error; ssl_certificate %ssl_cert_path%/%domain%.bundle; ssl_certificate_key %ssl_key_path%/%domain%.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 60m; location / { proxy_pass http://127.0.0.1:2095; include proxy.inc; } location ~ /\.ht {deny all;} location ~ /\.svn/ {deny all;} location ~ /\.git/ {deny all;} location ~ /\.hg/ {deny all;} location ~ /\.bzr/ {deny all;} disable_symlinks if_not_owner from=%docroot%; location /.well-known/acme-challenge { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } location /.well-known/pki-validation { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } } server { listen %ip%:%nginx_port% ssl %http2%; server_name mail.%domain_idn%; access_log /usr/local/apache/domlogs/%domain%.bytes bytes; access_log /usr/local/apache/domlogs/%domain%.log combined; error_log /usr/local/apache/domlogs/%domain%.error.log error; ssl_certificate %ssl_cert_path%/%domain%.bundle; ssl_certificate_key %ssl_key_path%/%domain%.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 60m; location / { proxy_pass http://127.0.0.1:2095; include proxy.inc; } location ~ /\.ht {deny all;} location ~ /\.svn/ {deny all;} location ~ /\.git/ {deny all;} location ~ /\.hg/ {deny all;} location ~ /\.bzr/ {deny all;} disable_symlinks if_not_owner from=%docroot%; location /.well-known/acme-challenge { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } location /.well-known/pki-validation { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } } server { listen %ip%:%nginx_port% ssl %http2%; server_name cpanel.%domain_idn%; access_log /usr/local/apache/domlogs/%domain%.bytes bytes; access_log /usr/local/apache/domlogs/%domain%.log combined; error_log /usr/local/apache/domlogs/%domain%.error.log error; ssl_certificate %ssl_cert_path%/%domain%.bundle; ssl_certificate_key %ssl_key_path%/%domain%.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 60m; location / { proxy_pass https://127.0.0.1:2083; include proxy.inc; } location /pma { proxy_pass https://127.0.0.1:2031; include proxy.inc; } location /roundcube { proxy_pass https://127.0.0.1:2031; include proxy.inc; } location ~ /\.ht {deny all;} location ~ /\.svn/ {deny all;} location ~ /\.git/ {deny all;} location ~ /\.hg/ {deny all;} location ~ /\.bzr/ {deny all;} disable_symlinks if_not_owner from=%docroot%; location /.well-known/acme-challenge { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } location /.well-known/pki-validation { default_type "text/plain"; alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge; } }