Solved.
Here's the configuration that works for me:
server {
listen 80;
server_name example.org;
return 301 https://$server_name$request_uri;
}
server {
listen 80;
server_name www.example.org;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
ssl on;
server_name example.org;
root /var/www/soon;
server_tokens off;
ssl_certificate /etc/ssl/certs/example.org.certchain.crt;
ssl_certificate_key /etc/ssl/private/example.org.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security max-age=15768000;
location /support/webmail/ {
alias /var/www/webmail/;
autoindex off;
index index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
}