HEX
Server: nginx/1.18.0
System: Linux mail.dakarash.co.id 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User: www-data (33)
PHP: 8.1.2-1ubuntu2.23
Disabled: NONE
$ pwd: /etc/nginx/sites-available/
Upload Files
File: //etc/nginx/sites-available/dakarash_ssl.conf
# ===================== dakarash SSL vhost (rapih) =====================

# --- Apex: dakarash.co.id (HTTPS) ---
server {
    listen 443 ssl http2;
    server_name dakarash.co.id;

    ssl_certificate     /etc/letsencrypt/live/dakarash.co.id-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dakarash.co.id-0001/privkey.pem;

    # (opsional, biasanya Certbot sudah include ini)
    # include /etc/letsencrypt/options-ssl-nginx.conf;

    # Root & index sesuai x-docroot kamu
    root /home/dakarash.co.id/public_html;
    index index.php index.html;

    # Security headers (sudah kamu pakai – dipertahankan)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # Serve file langsung, kalau tidak ada lempar ke index.php (WordPress flow)
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP handler – PASTIKAN blok ini ADA DI DALAM server{}
    location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;

	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;

	fastcgi_index index.php;
	fastcgi_pass unix:/run/php/php8.1-fpm.sock;


    }

    # Static caching ringan (optional, aman)
    location ~* \.(?:css|js|jpg|jpeg|gif|png|svg|webp|ico|ttf|otf|woff|woff2)$ {
        expires 7d;
        access_log off;
    }

    # (opsional) batas upload
    # client_max_body_size 256m;
}

# --- WWW: redirect 301 ke apex (HTTPS) ---
server {
    listen 443 ssl http2;
    server_name www.dakarash.co.id;

    ssl_certificate     /etc/letsencrypt/live/dakarash.co.id-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dakarash.co.id-0001/privkey.pem;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    return 301 https://dakarash.co.id$request_uri;
}

# (HTTP :80 biasanya di file lain, tidak di SSL conf ini. Biarkan apa adanya.)
# =====================================================================
@ Telegram