symposion_app/deploy/nginx.conf

# Upstream pool for the Django application, reached over a local
# Unix domain socket exposed by uWSGI.
upstream {{ site_name }}_django_wsgi {
    server unix:/run/{{ site_name }}/django_uwsgi.sock;

    # Keep at most 2 idle upstream connections cached per worker process.
    keepalive 2;
}
# server {
# listen 80;
# server_name {{ env.domain }};
# return 301 https://{{ env.domain }}$request_uri;
# }
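server {
    # NOTE(review): this server listens on plain HTTP only. The TLS listener
    # ("443 ssl http2") is commented out and the HTTP->HTTPS redirect block
    # above is disabled. Unless TLS is terminated in front of this nginx
    # (not visible in this file), traffic is unencrypted, the ssl_certificate
    # directives below are not used by this listener, and browsers ignore the
    # Strict-Transport-Security header because it is only honoured when it
    # arrives over HTTPS. Confirm the intended deployment before relying on
    # any of the TLS-related settings here.
    listen 80; # 443 ssl http2;
    server_name {{ env.domain }};

    # Upper bound on the request body (e.g. uploads) accepted by this server.
    client_max_body_size 50M;

    ssl_certificate /etc/letsencrypt/live/{{ env.domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ env.domain }}/privkey.pem;

    # The add_header directives below are inherited by the location blocks
    # only as long as those blocks declare no add_header of their own.
    # "always" makes nginx attach the header to error responses (4xx/5xx) as
    # well; without it, error pages would go out without these headers.

    # Ask browsers to use HTTPS for 180 days (15552000 s). includeSubDomains
    # extends the policy to every subdomain of the served domain.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    # Tell browsers not to MIME-sniff responses, which reduces the chance of
    # content being interpreted as script.
    add_header X-Content-Type-Options nosniff always;

    # Restrict script sources to this origin.
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' still permit inline
    # scripts and eval(), so this policy gives little protection against
    # injected script. Only script-src is set; other resource types are not
    # restricted by this header. Tightening it (nonces or hashes) requires
    # matching changes in the application templates.
    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'" always;

    location / {
        # Django web application including static files (via WhiteNoise).
        uwsgi_pass {{ site_name }}_django_wsgi;
        include uwsgi_params;

        # Disable gzip compression for application responses that may travel
        # over TLS, to avoid a compression side-channel attack (BREACH) that
        # may compromise Django's CSRF protection. See:
        # https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
        gzip off;
    }

    location /media/ {
        # User-uploaded files and generated reports, served by nginx straight
        # from disk with a one-year cache lifetime.
        # NOTE(review): requests here never reach Django, so no application
        # access check applies in this config, and uploaded content is served
        # from the site's own origin. Confirm that upload types are validated
        # by the application and that nothing under media/ is meant to be
        # private.
        alias {{ project_dir }}/media/;
        expires 1y;
    }

    location /.well-known/ {
        # Used for the ACME "acme-challenge" (certificate issuance/renewal).
        alias {{ project_dir }}/htdocs/.well-known/;
    }
}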