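# Virtual host template for {{domain}} (the placeholder is filled in by whatever
# renders this file). Only the plain-HTTP listener is active as written; the TLS
# listener, certificate paths and response headers are left commented out.
server {
    listen 80;
    # listen 443 ssl http2;
    server_name {{domain}};

    # ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem; # managed by Certbot
    # ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem; # managed by Certbot

    # NOTE(review): before enabling the HSTS line, confirm that every subdomain
    # is served over HTTPS. includeSubDomains + preload is slow to reverse once
    # browsers have cached it or a preload list has picked it up.
    # Without the `always` parameter, add_header is not applied to most error
    # responses; add it if the headers should appear there too.
    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";

    root /var/www/root;
    index index.html index.php;

    # The `main` log format has to be defined in the http context.
    access_log /var/log/nginx/access.log main;

    # Close the connection without a response (444) for a list of crawler
    # User-Agents. The header is client-controlled and the match is
    # case-sensitive, so this only reduces log noise and load; it is not an
    # access control.
    if ($http_user_agent ~ (Ahrefs|MJ12bot|LinkpadBot|MauiBot|BLEXBot|SMTBot|SemrushBot|Nimbostratus-Bot)) {
        return 444;
    }

    # https redirect
    # NOTE(review): a server-level `return` is evaluated before any location is
    # selected, so plain-HTTP requests never reach the locations below,
    # including /.well-known/acme-challenge. While the `listen 443` line above
    # stays commented out, this block also does not serve the https:// URL it
    # redirects to. Confirm the intended enable order for TLS and this redirect.
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        # access_log off;
    }

    # Empty prefix location: ^~ stops the regex locations below from taking
    # over ACME HTTP-01 challenge files, which are served from `root`.
    location ^~ /.well-known/acme-challenge {
    }

    # The dot is escaped so that only URIs ending in a literal ".php" match;
    # the previous pattern `.*.php$` accepted any character in that position.
    location ~ \.php$ {
        # Hand the request to PHP only when the script exists under `root`.
        # This keeps URIs such as /uploads/pic.jpg/x.php from reaching the
        # interpreter, where path-info fallback could execute a non-PHP file.
        # Assumes PHP-FPM sees the same filesystem as nginx - confirm if it
        # runs chrooted or in a separate container.
        try_files $uri =404;

        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php/php-other.sock;
        fastcgi_index index.php;
    }

    # Far-future caching for static assets; missing files are not logged.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}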