# Nginx Configuration for BTM Koperasi
# Copy this to aaPanel → Website → Config → Nginx, then run `nginx -t` before reloading

# HTTP → HTTPS redirect (the plain-text listener only forwards; it serves nothing itself)
server {
    listen 80;
    server_name your-domain.com www.your-domain.com;

    # Permanent redirect of every plain-text request to the canonical HTTPS
    # origin. The target host is spelled out literally instead of being taken
    # from $host, which is client-controlled; the result is the same as
    # $server_name (the first name listed above).
    return 301 https://your-domain.com$request_uri;
}

# Main HTTPS server
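server {
    # nginx >= 1.25.1 prefers a separate "http2 on;" directive, but the listen
    # parameter still works on aaPanel's bundled builds.
    listen 443 ssl http2;
    server_name your-domain.com www.your-domain.com;

    # Do not advertise the nginx version in Server: headers and error pages.
    server_tokens off;

    # --- TLS -------------------------------------------------------------------
    # Certificate paths follow aaPanel's vhost layout.
    ssl_certificate /www/server/panel/vhost/certs/your-domain.com/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/certs/your-domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE + AEAD suites only for TLS 1.2 (TLS 1.3 suites are fixed and are not listed here).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Session tickets are encrypted with a key nginx only rotates on restart;
    # disabling them keeps forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # --- Application -----------------------------------------------------------
    # Laravel layout: only public/ is web-reachable; .env, vendor/, storage/ live above it.
    root /www/wwwroot/btm-koperasi/public;
    index index.php index.html;

    # Max upload size (PHP's upload_max_filesize/post_max_size must allow it too).
    client_max_body_size 50M;

    # --- Security headers ------------------------------------------------------
    # NOTE: nginx does NOT inherit add_header into a location that declares an
    # add_header of its own — such a location sends NONE of these unless it
    # repeats the whole list. The locations below are written with that in mind.
    #
    # HSTS: this vhost is HTTPS-only (port 80 redirects). Start with a short
    # max-age (e.g. 300) while validating, then raise it; add includeSubDomains
    # only once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # "0" disables the legacy XSS auditor; current guidance (OWASP) recommends
    # this because the auditor itself has been abused for cross-site leaks.
    add_header X-XSS-Protection "0" always;
    # Full referrer same-origin, origin only cross-origin, nothing on downgrade —
    # avoids leaking URL paths/query strings to third parties.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # TODO(security): this CSP allows any http:/https:/data:/blob: source plus
    # inline and eval'd script, so it blocks essentially nothing; it is kept as
    # a non-breaking starting point. frame-ancestors is the CSP counterpart of
    # X-Frame-Options. Tighten default-src/script-src to the application's real
    # asset origins once they are known.
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';" always;

    # Hide PHP version
    fastcgi_hide_header X-Powered-By;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_min_length 256;

    # --- Access control --------------------------------------------------------
    # Regex locations are tried in file order and the first match wins, so all
    # deny rules sit ahead of the PHP handler.

    # Deny every dotfile/dotdir (.env, .git, .htaccess, .DS_Store, ...) except
    # /.well-known/ (ACME challenges, security.txt). Being first also means a
    # request like /.hidden.php can never reach PHP-FPM.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    # Deny access to composer and package files
    location ~* /(composer\.json|composer\.lock|package\.json|package-lock\.json|phpunit\.xml|\.gitignore|\.env\.example)$ {
        deny all;
    }

    # Never hand user-writable directories to PHP-FPM, even if a .php file
    # lands there. A sibling regex ahead of the handler is the reliable form:
    # a location nested inside "~ \.php$" is only consulted after that handler
    # has already been selected.
    location ~* ^/(uploads|storage)/.*\.php$ {
        return 404;
    }

    # Main location
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP-FPM configuration
    location ~ \.php$ {
        # Only pass scripts that actually exist on disk. Without this check a
        # request such as /uploads/avatar.jpg/x.php still reaches PHP-FPM, and
        # with cgi.fix_pathinfo=1 PHP walks back and executes avatar.jpg.
        try_files $uri =404;

        fastcgi_pass unix:/tmp/php-cgi-83.sock;  # Adjust socket based on PHP version
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # PATH_INFO is deliberately not set: this location only matches URIs
        # that end in .php, so there is never a trailing path component.
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
    }

    # Cache static assets.
    # "expires" emits both Expires and Cache-Control: max-age, so no add_header
    # is needed here and the server-level security headers are inherited.
    # "immutable" is intentionally NOT used for unversioned filenames: a
    # changed app.css would otherwise never be refetched by a warm browser.
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|txt|woff|woff2|ttf|eot|svg)$ {
        expires 30d;
        access_log off;

        # Versioned assets (content hash in the name) may be cached for a year
        # and marked immutable. This nested location declares add_header, so it
        # inherits nothing from the server block and must repeat the security
        # headers itself.
        location ~* \.[0-9a-f]{8,}\.(css|js|jpg|jpeg|png|gif|ico|woff|woff2)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            add_header Strict-Transport-Security "max-age=31536000" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "0" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';" always;
        }
    }

    # Health check endpoint. Exact match so /health/anything and /healthz stay
    # ordinary application routes. default_type sets Content-Type without an
    # add_header, so the security headers above are still inherited (the
    # original add_header Content-Type produced a second Content-Type header).
    location = /health {
        access_log off;
        default_type text/plain;
        return 200 "OK\n";
    }

    # Laravel storage (if serving directly).
    # "^~" stops nginx from consulting regex locations for anything under
    # /storage/. Without it /storage/x.php is claimed by the "~ \.php$" handler
    # above and the nested deny below never runs. Keep the trailing slash on
    # both the location and the alias: "location /storage" + "alias .../" is
    # the classic alias-traversal misconfiguration (/storage../ escapes).
    location ^~ /storage/ {
        alias /www/wwwroot/btm-koperasi/storage/app/public/;
        # expires already emits Cache-Control: max-age; no add_header here, so
        # the server-level security headers (incl. nosniff) apply to these files.
        expires 7d;

        # Belt and braces: nothing under storage is ever executed.
        location ~ \.php$ {
            deny all;
        }
    }

    # Logs
    access_log /www/wwwlogs/btm-koperasi-access.log;
    error_log /www/wwwlogs/btm-koperasi-error.log;
}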

# Optional: www → apex redirect. Only usable after removing www.your-domain.com
# from the main server's server_name above — nginx keeps the first server{} that
# claims a name and ignores this one with "conflicting server name".
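server {
    listen 443 ssl http2;
    server_name www.your-domain.com;

    # This block is only reached if www.your-domain.com is removed from the
    # main server's server_name above; otherwise nginx logs "conflicting server
    # name ... ignored" and this block is dead. The certificate must also list
    # www.your-domain.com as a SAN — verify that in aaPanel before switching.
    ssl_certificate /www/server/panel/vhost/certs/your-domain.com/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/certs/your-domain.com/privkey.pem;
    # Same TLS floor and suites as the main server. Without these the vhost
    # falls back to nginx's compiled-in defaults, which on older builds still
    # negotiate TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # The redirect itself is served over HTTPS, so HSTS can be asserted here too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    return 301 https://your-domain.com$request_uri;
}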
