2023-04-06 10:35:08 +00:00
|
|
|
upstream {{ site_name }}_django_wsgi {
|
|
|
|
keepalive 2; # Cache 2 connections.
|
2023-04-20 10:27:50 +00:00
|
|
|
server unix:/tmp/{{ site_name }}_uwsgi.sock;
|
2023-04-06 10:35:08 +00:00
|
|
|
}
|
|
|
|
|
2023-04-18 01:22:20 +00:00
|
|
|
server {
|
|
|
|
listen 80;
|
|
|
|
server_name {{ env.domain }};
|
|
|
|
return 301 https://{{ env.domain }}$request_uri;
|
|
|
|
}
|
2023-04-06 10:35:08 +00:00
|
|
|
|
|
|
|
server {
|
2023-04-18 01:22:20 +00:00
|
|
|
listen 443 ssl http2;
|
2023-04-06 10:35:08 +00:00
|
|
|
server_name {{ env.domain }};
|
|
|
|
client_max_body_size 50M;
|
|
|
|
|
2023-04-18 01:22:20 +00:00
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ env.domain }}/fullchain.pem;
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ env.domain }}/privkey.pem;
|
2023-04-06 10:35:08 +00:00
|
|
|
|
|
|
|
# Ask for HTTPS for 180 days.
|
|
|
|
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
|
|
|
|
|
|
|
|
# Advise browsers not to use content type sniffing to reduce chance of XSS attacks.
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
|
|
|
|
# Advise browser to only load external content from these sites.
|
2023-04-15 04:55:29 +00:00
|
|
|
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://code.jquery.com/jquery-3.5.1.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js https://js.stripe.com/v3/ https://r.stripe.com/0";
|
2023-04-06 10:35:08 +00:00
|
|
|
|
2023-04-24 03:14:39 +00:00
|
|
|
location / {
|
2023-04-06 10:35:08 +00:00
|
|
|
# Django web application including static files (via WhiteNoise).
|
2023-04-19 14:00:56 +00:00
|
|
|
uwsgi_pass symposion_django_wsgi;
|
2023-04-06 10:35:08 +00:00
|
|
|
include uwsgi_params;
|
|
|
|
|
|
|
|
# Disable gzip compression when where traffic might be over SSL
|
|
|
|
# to avoid an attack that may compromise Django's CSRF
|
|
|
|
# protection. See:
|
|
|
|
# https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
|
|
|
|
gzip off;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /media/ {
|
|
|
|
# User-uploaded files and generated reports.
|
|
|
|
alias {{ project_dir }}/media/;
|
|
|
|
expires 1y;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /.well-known/ {
|
|
|
|
# Used for "acmi-challenge".
|
|
|
|
alias {{ project_dir }}/htdocs/.well-known/;
|
|
|
|
}
|
|
|
|
}
|