# suitably anonymised
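# Virtual host for a WordPress site: static files are served from the document
# root, everything else is handed to PHP-FPM over FastCGI.
server {
    listen       1.2.3.4:80;
    listen       1.2.3.4:443 ssl;
    # The terminating ';' was missing. Without it nginx reads the following
    # "root ..." line as additional server names and no document root is set.
    server_name  mydomain.com;

    root /var/websites/mydomain/wordpress;
    index index.php index.html index.htm;

    access_log   /var/websites/mydomain/log/access-nginx.log;

    #rewrite_log  on;
    # NOTE(review): "debug" needs an nginx binary built with --with-debug and is
    # very verbose; it records request header lines (cookies included). Use it
    # only while troubleshooting, then lower the level and restrict who can read
    # the log.
    # NOTE(review): this path uses "mydomain.com" where access_log uses
    # "mydomain" -- possibly an anonymisation artefact; confirm the directory.
    error_log    /var/websites/mydomain.com/log/errors-nginx.log debug;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;

    # Protocol/cipher policy lives in this include, which is not shown here;
    # review it together with this file.
    include /etc/nginx/strong_ssl_options;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Redirect every plain-HTTP request to HTTPS. This used to sit inside
    # "location /", so URIs matched by the PHP location below (wp-login.php,
    # wp-admin/*.php, ...) were still answered over HTTP. At server level it
    # runs before a location is chosen and therefore covers all URIs.
    # $host may be taken from the client's Host header; if this server can also
    # answer for other names, redirect to a fixed host name instead.
    if ( $scheme != "https" ) {
        return 301    https://$host$request_uri;
    }

    # HSTS, declared once at server level so that PHP responses carry it too.
    # Inside "location /" it was only attached to responses served by that
    # location, and requests rewritten to /index.php never got it. Browsers
    # ignore this header on plain-HTTP responses, so the 301 above is unaffected.
    # Appending the "always" parameter (nginx >= 1.7.5) would add it to error
    # responses as well.
    # "includeSubDomains; preload" commits every subdomain to HTTPS for the
    # whole max-age; make sure that is intended before submitting for preload.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # Derive a per-user token from the WordPress login cookie. It is not used
    # in this block; presumably something outside this file (e.g. a cache key)
    # reads it -- confirm. The value is copied from a client-supplied cookie
    # without verification, so it must never be treated as proof of login.
    set $wordpress_auth "";
    if ($http_cookie ~* "wordpress_logged_in_[^=]*=([^%]+)%7C") {
        set $wordpress_auth wordpress_logged_in_$1;
    }

    location / {
        # Serve an existing file or directory, otherwise fall through to the
        # WordPress front controller with the query string preserved.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ [^/]\.php(/|$) {
        # Split "/script.php/extra" so that $fastcgi_script_name is the script
        # only, and refuse requests whose script does not exist on disk.
        # Without this check any URI that merely contains ".php" is forwarded
        # to PHP-FPM, and which file PHP then runs depends on PHP settings not
        # shown here (cgi.fix_pathinfo, security.limit_extensions). Rejecting at
        # nginx removes that dependency.
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if ( !-f $document_root$fastcgi_script_name ) {
            return 404;
        }

        # The named capture fills $my_path_info from the original request URI;
        # the block is empty because only the capture side effect is wanted.
        if ( $request_uri ~ ^([^?]+?\.php)?(?<my_path_info>\/[^?]*?)?(\?.*)?$ ) {
            # deliberately empty block
        }

        # Default to "/" when the URI carried no extra path.
        if ( $my_path_info = "" ) {
            set $my_path_info "/";
        }

        fastcgi_param PATH_INFO $my_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$my_path_info;

        include fastcgi_params; # these are in /etc/nginx

        fastcgi_index index.php;

        # php-fpm is configured in /etc/nginx/conf.d/00_upstream_backends.conf
        fastcgi_pass php-fpm;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        #fastcgi_intercept_errors on;

        # Mitigate https://httpoxy.org/ vulnerabilities
        # An empty HTTP_PROXY stops a client "Proxy:" request header from being
        # picked up as an outbound proxy setting by code running under PHP.
        fastcgi_param HTTP_PROXY "";
    }

}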
