server {
	listen				80;		# ipv4 http
	listen				[::]:80;	# ipv6 http

	listen				443 ssl;	# ipv4 https
	listen				[::]:443 ssl;	# ipv6 https

	server_name			hamburg.freifunk.net www.hamburg.freifunk.net freifunk.ffhh;

        access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.

	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
	# So stellen wir sicher, dass keine IPs geloggt werden.
	error_log /dev/null crit;

	client_max_body_size		16M;

	root				/var/www/wordpress;
	index				index.php index.html index.htm;


        ssl_certificate                 /etc/ssl/certs/hamburg.freifunk.net.crt;
        ssl_certificate_key             /etc/ssl/private/hamburg.freifunk.net.key;

	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	# Only strong ciphers in PFS mode
	ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


	# Don't allow to get framed by sites that aren't on the same domain
	add_header X-Frame-Options SAMEORIGIN;

	# Tell clients never to use http or self-signed (!) certificates
	# There's no way to bypass this option after it has been cached!
	#add_header Strict-Transport-Security max-age=31536000;

	# This order might seem weird - this is attempted to match last if rules below fail.
	# http://wiki.nginx.org/HttpCoreModule
	location / {
		index index.php;
		try_files $uri $uri/ /index.php?$args;
	}

	# Directives to send expires headers and turn off 404 error logging.
	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
		expires 24h;
		log_not_found off;
	}

	location ~ \.php$ {
		fastcgi_pass unix:/var/run/php5-fpm.sock;
        	fastcgi_index index.php;
        	fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name;
#        	fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
        	include /etc/nginx/fastcgi_params;
	}
}