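# Plain-HTTP listener: answers nothing itself, only redirects to the canonical HTTPS host.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://www.domain.com$request_uri;
    }
}

# HTTPS site (WordPress behind PHP-FPM) plus the assets host used for origin pull.
server {
    listen 443 ssl http2;
    server_name www.domain.com assets.domain.com; # assets.domain.com added for origin pull.

    access_log /var/log/nginx/domain.com-access.log;
    error_log /var/log/nginx/domain.com-error.log;

    root /usr/share/nginx/www/www.domain.com;
    autoindex off;

    # Baseline response headers.
    # NOTE: nginx does not inherit add_header into a location that sets its own
    # add_header, so the locations below that add caching headers repeat the
    # baseline headers they still need.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always; # legacy header; current browsers ignore it
    add_header X-Content-Type-Options "nosniff" always;
    # 'always' added so the policy is also sent on error responses, like the other headers.
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
    add_header "Cache-Control" "no-transform";
    # $yourcustomheader must be defined (for example with a map block in the http
    # context) or this line removed; nginx rejects a config that uses an unknown variable.
    add_header X-Your-Custom-Header $yourcustomheader;

    # TLS. 'ssl on;' was dropped: it is deprecated and 'listen 443 ssl' above already enables TLS.
    ssl_certificate /etc/nginx/ssl/www.domain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.domain.com.key;
    ssl_session_tickets on;
    ssl_session_cache shared:SSL:15m;
    ssl_session_timeout 4h;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem; # Run: cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096
    # TLSv1.1 removed (deprecated by RFC 8996). Add TLSv1.3 here once the
    # nginx/OpenSSL build in use supports it; older builds reject the value.
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;

    # OCSP stapling. For ssl_stapling_verify to succeed, ssl_trusted_certificate
    # must contain the issuing CA chain (intermediate and root certificates);
    # a file holding only the leaf certificate cannot validate the OCSP response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/www.domain.com.crt;
    resolver 1.1.1.1 2.2.2.2 valid=5m; # Add your local resolvers here.
    resolver_timeout 10s;

    # The SPDY directives (spdy_keepalive_timeout, spdy_headers_comp) and the
    # Alternate-Protocol header were removed: nginx builds that provide http2
    # no longer have the SPDY module, so those directives fail the config check.
    keepalive_timeout 5m;

    # Admin area restricted by source IP.
    # '^~' makes this prefix location win over the regex locations below. Without
    # it, 'location ~ \.php$' handled /wp-admin/*.php and the allow/deny list
    # never applied to the actual admin pages. Static files under /wp-admin are
    # now served from here (without the long-lived cache headers of the asset location).
    location ^~ /wp-admin {
        allow 1.1.1.1; # Your public ip here
        allow 2.2.2.2; # Second public ip
        deny all;
        index index.php index.html;
        try_files $uri $uri/ /index.php?$args;

        # Same backup/config-file deny rule as at server level; regex locations
        # outside this block are not consulted once '^~' matches.
        location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
            deny all;
        }

        # PHP under /wp-admin is handled here so it stays behind the allow list
        # (the access rules above are inherited by this nested location).
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php/php7.0-fpm-domain.com.sock; # Switch to your current socket
        }
    }

    location / {
        index index.php index.html;
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404; # only pass URIs that map to a real file to PHP-FPM
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php/php7.0-fpm-domain.com.sock; # Switch to your current socket
        #fastcgi_pass 127.0.0.1:9000; # Uncomment if you want to switch to TCP and comment above.
    }

    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location ~* \.(?:manifest|appcache|html?|xml|json)$ {
        expires -1; # terminating ';' was missing; nginx rejected the file at load time
    }

    location ~* \.(?:rss|atom)$ {
        expires 1h;
        add_header Cache-Control "public";
        # Re-assert baseline headers dropped by add_header inheritance.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
    }

    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|css|js|ttf|ttc|otf|eot|woff|woff2)$ {
        access_log off;
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # Re-assert baseline headers dropped by add_header inheritance.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
    }

    # Never serve backups, editor swap files, configs or dumps that may sit in the web root.
    location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }
}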