# - <FQHN-wp-site>

server {

   listen 80;
   listen [::]:80;

   server_name <FQHN-wp-site>;

   return 301 https://$host$request_uri;
}

server {

   listen [::]:443 ssl;
   listen 443 ssl;

   server_name <FQHN-wp-site>;

   root /var/www/<DOMAIN.TLD-wp-site>/htdocs;

   # Add index.php to the list if you are using PHP
   #
   index index.php index.html index.htm;

   # Include location directive for Let's Encrypt ACME Challenge
   #
   # Needed for (automated) updating certificate
   #
   include snippets/letsencrypt-acme-challenge.conf;

   ssl on;

   ssl_certificate /var/lib/dehydrated/certs/<FQHN-wp-site>/fullchain.pem;
   ssl_certificate_key /var/lib/dehydrated/certs/<FQHN-wp-site>/privkey.pem;

   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
   #
   # To generate a dhparam.pem file, run in a terminal
   #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
   #
   ssl_dhparam /etc/nginx/ssl/dhparam.pem;

   # Eable session resumption to improve https performance
   ssl_session_cache shared:SSL:50m;
   ssl_session_timeout 10m;
   ssl_session_tickets off;

   #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
   # omit SSLv3 because of POODLE
   # omit  TLSv1 TLSv1.1
   ssl_protocols TLSv1.2 TLSv1.3;

   # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
   # Everything better than SHA1 (deprecated)
   #
   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   ssl_prefer_server_ciphers on;

   # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
   #
   add_header Strict-Transport-Security max-age=15768000;

   # OCSP Stapling ---
   # fetch OCSP records from URL in ssl_certificate and cache them
   ssl_stapling on;
   ssl_stapling_verify on;

   location = /favicon.ico {
      log_not_found off;
      access_log off;
   }

   location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
   }

   location / {
      # This is cool because no php is touched for static content.
      # include the "?$args" part so non-default permalinks doesn't break when using query string
      try_files $uri $uri/ /index.php?$args;
   }

   location ~ \.php$ {

      #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
      fastcgi_intercept_errors on;

      # regex to split $uri to $fastcgi_script_name and $fastcgi_path
      fastcgi_split_path_info ^(.+?\.php)(/.*)$;

      # Bypass the fact that try_files resets $fastcgi_path_info
      # see: http://trac.nginx.org/nginx/ticket/321
      set $path_info $fastcgi_path_info;
      fastcgi_param PATH_INFO $path_info;

      fastcgi_index   index.php;

      # Use PHP-FPM socket directly
      #
      #fastcgi_pass   unix:/tmp/php-7.4-fpm.www.sock;

      # Use upstream
      #
      fastcgi_pass php-7.4-fpm;

      include fastcgi_params;
      #The following parameter can be also included in fastcgi_params file
      fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
      fastcgi_param  SCRIPT_NAME       $fastcgi_script_name;
   }

   location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
      expires max;
      log_not_found off;
   }
}