* Config updated. Fidelix helped with report.

README.md

@@ -63,8 +63,6 @@
    [ssl-cert](http://packages.debian.org/sid/ssl-cert "ssl-cert debian
    pkg") package.
 
-
-
    If you're on Debian or any of its derivatives like Ubuntu you need
    either the
    [thttpd-util](http://packages.debian.org/search?keywords=thttpd-util)

fastcgi_params

@@ -1,4 +1,4 @@
-# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+# -*- mode: conf; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
 ### fastcgi parameters.
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
@@ -19,6 +19,14 @@ fastcgi_param  REMOTE_PORT        $remote_port;
 fastcgi_param  SERVER_ADDR        $server_addr;
 fastcgi_param  SERVER_PORT        $server_port;
 fastcgi_param  SERVER_NAME        $server_name;
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
+## HTTPS 'on' parameter.  This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11.  See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param  HTTPS              $https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param  HTTPS            $https  

map_https_fcgi.conf

@@ -0,0 +1,7 @@
+# -*- mode: conf; mode: flyspell-prog;  ispell-local-dictionary: "american" -*-
+### Implement the $https_if_not_empty variable for Nginx versions below 1.1.11.
+
+map $scheme $https {
+    default '';
+    https on;
+}

nginx.conf

@@ -8,7 +8,7 @@ pid        /var/run/nginx.pid;
 worker_rlimit_nofile 8192;
 
 events {
-    worker_connections  4096;
+    worker_connections 4096;
     ## epoll is preferred on 2.6 Linux
     ## kernels. Cf. http://www.kegel.com/c10k.html#nb.epoll
     use epoll;
@@ -18,44 +18,49 @@ events {
 
 http {
     ## MIME types.
-    include     /etc/nginx/mime.types;
-    default_type  application/octet-stream;
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
 
     ## FastCGI.
-    include     /etc/nginx/fastcgi.conf;
+    include /etc/nginx/fastcgi.conf;
 
     ## Default log and error files.
-    access_log  /var/log/nginx/access.log;
-    error_log   /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
 
     ## Use sendfile() syscall to speed up I/O operations and speed up
     ## static file serving.
-    sendfile        on;
+    sendfile on;
     ## Handling of IPs in proxied and load balancing situations.
-    set_real_ip_from        0.0.0.0/32; # all addresses get a real IP.
-    real_ip_header     X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
+    set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
+    real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
 
     ## Define a zone for limiting the number of simultaneous
-    ## connections nginx accepts. 1m means 3200 simultaneous
+    ## connections nginx accepts. 1m means 32000 simultaneous
     ## sessions. We need to define for each server the limit_conn
     ## value refering to this or other zones.
-    limit_zone arbeit $binary_remote_addr 1m;
+    ## ** This syntax requires nginx version >=
+    ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
+    ## ** version then use the limit_zone directive below
+    ## ** instead. Comment out this
+    ## ** one if not using nginx version >= 1.1.8.
+    limit_conn_zone $binary_remote_addr zone=arbeit:10m;
 
     ## Timeouts.
-    client_body_timeout             60;   
+    client_body_timeout             60;
     client_header_timeout           60;
     keepalive_timeout            10 10;
     send_timeout                    60;
 
     ## Reset lingering timed out connections. Deflect DDoS.
     reset_timedout_connection on;
-    
+
     ## Body size.
     client_max_body_size 10m;
 
     ## TCP options.
-    tcp_nodelay        on;
-    tcp_nopush         on;
+    tcp_nodelay on;
+    tcp_nopush on;
 
     ## Compression.
     gzip              on;
@@ -83,7 +88,7 @@ http {
     ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
     ssl_session_cache shared:SSL:10m;
     ssl_session_timeout 10m;
-    
+
     ## For the filefield_nginx_progress module to work. From the
     ## README. Reserve 1MB under the name 'uploads' to track uploads.
     upload_progress uploads 1m;
@@ -96,11 +101,19 @@ http {
     ## Include the upstream servers for PHP FastCGI handling config.
     include upstream_phpcgi.conf;
 
+    ## If using Nginx version >= 1.1.11 then there's a $https variable
+    ## that has the value 'on' if the used scheme is https and '' if not.
+    ## See: http://trac.nginx.org/nginx/changeset/4380/nginx
+    ## http://trac.nginx.org/nginx/changeset/4333/nginx and
+    ## http://trac.nginx.org/nginx/changeset/4334/nginx. If using a
+    ## previous version then uncomment out the line below.
+    #include map_https_fcgi.conf;
+
     ## Include the upstream servers for Apache handling the PHP
     ## processes. In this case Nginx functions as a reverse proxy.
     #include reverse_proxy.conf;
     #include upstream_phpapache.conf;
-    
-    ## Include all vhosts. 
+
+    ## Include all vhosts.
     include /etc/nginx/sites-enabled/*;
 }

sites-available/chive.example.com.conf

@@ -55,16 +55,16 @@ server {
 
         ## Protect these locations. Replicating the .htaccess
         ## rules throughout the chive distro.
-        location /priv/chive/protected {
+        location /protected {
             internal;
         }
 
-        location /priv/chive/yii {
+        location /yii {
             internal;
         }
 
         ## Static file handling.
-        location ~* /priv/.+\.(?:css|gif|htc|js|jpe?g|png|swf)$ {
+        location ~* .+\.(?:css|gif|htc|js|jpe?g|png|swf)$ {
             expires max;
             ## No need to bleed constant updates. Send the all shebang in one
             ## fell swoop.
@@ -77,13 +77,15 @@ server {
         }
     }
 
-    # # The 404 is signaled through a static page.
-    # error_page  404  /404.html;
+    ## We need to capture the case where the index.php is missing,
+    ## hence we drop out of the path info thingie.
+    location ~* /([^\.])$ {
+        return 302 /index.php/$1;
+    }
 
-    # ## All server error pages go to 50x.html at the document root.
-    # error_page 500 502 503 504  /50x.html;
-    # location = /50x.html {
-    #       root   /var/www/nginx-default;
-    # }
+    ## Close up git repo access.
+    location ^~ /.git {
+        return 404;
+    }
 
 } # server

sites-available/secure.chive.example.com.conf

@@ -35,8 +35,8 @@ server {
     keepalive_timeout 75 75;
 
     ## Parameterization using hostname of access and log filenames.
-    access_log  /var/log/nginx/chive.example.com_access.log;
-    error_log   /var/log/nginx/chive.example.com_error.log;
+    access_log /var/log/nginx/chive.example.com_access.log;
+    error_log /var/log/nginx/chive.example.com_error.log;
 
     ## Server certificate and key.
     ssl_certificate /etc/ssl/certs/chive.example.com-cert.pem;
@@ -82,15 +82,15 @@ server {
 
         ## Protect these locations. Replicating the .htaccess
         ## rules throughout the chive distro.
-        location /priv/chive/protected {
+        location /protected {
             internal;
         }
-        location /priv/chive/yii {
+        location /yii {
             internal;
         }
 
         ## Static file handling.
-        location ~* /priv/.+\.(?:css|gif|htc|js|jpe?g|png)$ {
+        location ~* .+\.(?:css|gif|htc|js|jpe?g|png)$ {
             expires max;
             ## No need to bleed constant updates. Send the all shebang in one
             ## fell swoop.
@@ -103,13 +103,15 @@ server {
         }
     }
 
-    # # The 404 is signaled through a static page.
-    # error_page  404  /404.html;
+    ## We need to capture the case where the index.php is missing,
+    ## hence we drop out of the path info thingie.
+    location ~* /([^\.])$ {
+        return 302 /index.php/$1;
+    }
 
-    # ## All server error pages go to 50x.html at the document root.
-    # error_page 500 502 503 504  /50x.html;
-    # location = /50x.html {
-    #   root   /var/www/nginx-default;
-    # }
+    ## Close up git repo access.
+    location ^~ /.git {
+        return 404;
+    }
 
 } # server