Modification for production

nginx.conf

@@ -1,12 +1,26 @@
 server {
-    listen 80;
-    listen [::]:80;
-    server_name fic fic.p0m.fr fic.nemunai.re;
+    listen 443 ssl;
+    listen [::]:443 ipv6only=on;
 
     access_log /var/log/nginx/fic.access_log;
-    error_log /var/log/nginx/fic.error_log debug;
+    error_log /var/log/nginx/fic.error_log;
 
-    root /var/www/fic2014-server/htdocs;
+    root /srv/fic2014-server/htdocs;
+    index index.php;
+
+    ssl_certificate /srv/fic2014-server/misc/server.crt;
+    ssl_certificate_key /srv/fic2014-server/misc/server.key;
+    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers		 ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS;
+    ssl_client_certificate /srv/fic2014-server/misc/pki/cacert.crt;
+    ssl_verify_client on;
+    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
+
+    if ($ssl_client_s_dn !~ "/C=FR/ST=France/O=Epita/OU=SRS/")
+    {
+	return 401;	
+    }
 
     location / {
       if (-f $request_filename) {
@@ -39,7 +53,7 @@ server {
     {
 	if (!-e $document_root$document_uri) { return 404; }
         include /etc/nginx/fastcgi.conf;
-        fastcgi_pass  127.0.0.1:9000;
+        fastcgi_pass  unix:/var/run/php5-fpm.sock;
         fastcgi_index index.php;
 	break;
     }