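# PHP-FPM backend, reached over a local UNIX socket.
upstream php-fpm {
    server unix:/var/run/php-fpm/php-fpm.sock;
}

# Plain-HTTP virtual host: it exists only to send clients to HTTPS.
server {
    listen 80;
    server_name survey.nlhcbi.com;

    # Redirect to HTTPS, keeping the requested path and query string so that
    # deep links are not all sent to the front page.
    return 301 https://survey.nlhcbi.com$request_uri;
}

# HTTPS virtual host serving LimeSurvey from /var/www/limesurvey.
server {
    # NOTE: the "spdy" listen parameter was removed in nginx 1.9.5 in favour of
    # "http2"; keep it only while the installed nginx still supports it.
    listen 443 ssl spdy;
    server_name survey.nlhcbi.com;
    charset utf-8;

    access_log /var/log/nginx/survey.nlhcbi.com-access_log;
    error_log /var/log/nginx/survey.nlhcbi.com-error_log;

    # Security headers. Two caveats:
    #  - without the "always" parameter (nginx 1.7.5+), add_header is skipped
    #    on most error responses;
    #  - a location that declares its own add_header stops inheriting these.

    # Prevent clickjacking.
    add_header X-Frame-Options SAMEORIGIN;

    # Stop browsers from MIME-sniffing responses into another content type.
    add_header X-Content-Type-Options nosniff;

    # Defend against XSS attacks. Disabled until /csp_report has a working
    # reporting endpoint. Every directive must end with ';': without the
    # separator after script-src, the style-src tokens (including
    # 'unsafe-inline') would be parsed as script-src sources.
    # add_header Content-Security-Policy "default-src https: 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; media-src 'self'; font-src 'self' data:; upgrade-insecure-requests; report-uri /csp_report;";

    location / {
        root /var/www/limesurvey;
        index index.php;

        # Only the last try_files argument is a fallback; earlier ones are
        # tested as files or directories on disk. The front controller must
        # therefore come last, otherwise pretty URLs end in 404.
        try_files $uri $uri/ /index.php?$args;
    }

    # Internal directories must never be served. Regex locations are tried in
    # order of appearance, so this block has to stay above the PHP location
    # for .php files inside these directories to be refused as well.
    location ~ /(data|conf|bin|inc)/ {
        deny all;
    }

    # Redirect server error pages to the static page /50x.html.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Pass PHP scripts to the FastCGI socket.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        root /var/www/limesurvey;

        # Hand a request to PHP-FPM only if the script exists on disk, so a
        # crafted path ending in .php cannot make PHP run some other file.
        try_files $uri =404;

        # fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_pass php-fpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Deny access to .htaccess/.htpasswd files left over from an Apache setup
    # sharing this document root.
    location ~ /\.ht {
        deny all;
    }

    # Settings for SSL. Protocol and cipher policy come from the included
    # file, which is not shown here; verify there that legacy protocols are
    # disabled and whether HSTS is set.
    include /etc/nginx/conf.d/ssl.conf;
    ssl_certificate /etc/pki/tls/certs/nlhcbi.com.chained.cer;
    ssl_certificate_key /etc/pki/tls/private/nlhcbi.com.key;
}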