server {
    listen      443 ssl;
    server_name REPLACEME.TLD;
    root        /srv/http/REPLACEME.TLD/public;

    ssl_certificate     /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;

    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       5m;
    ssl_ciphers               HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    index   index.php index.html;
    charset utf-8;

    location / { try_files $uri $uri/ /index.php?$query_string; }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass            unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index           index.php;
        include                 fastcgi.conf;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    location ~ /\.ht { deny all; }
}