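# nginx site template (Jinja2). {{ site_name }}, {{ env.domain }} and
# {{ project_dir }} are substituted at deploy time.

# Backend: uWSGI reached over a Unix socket. The upstream name is derived from
# site_name, so the uwsgi_pass target below must use the same template expression.
upstream {{ site_name }}_django_wsgi {
    keepalive 2;  # Cache 2 idle connections to the backend.
    server unix:/tmp/{{ site_name }}_uwsgi.sock;
}

# Plain HTTP: permanently redirect everything to HTTPS, preserving the request URI.
server {
    listen 80;
    server_name {{ env.domain }};
    return 301 https://{{ env.domain }}$request_uri;
}

# HTTPS: serves the Django application, uploaded media and ACME challenge files.
server {
    listen 443 ssl http2;
    server_name {{ env.domain }};
    client_max_body_size 50M;

    ssl_certificate /etc/letsencrypt/live/{{ env.domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ env.domain }}/privkey.pem;

    # Ask browsers to use HTTPS for 180 days (15552000 s), including subdomains.
    # NOTE(review): add_header is only applied to 2xx/3xx responses unless
    # `always` is appended, so error responses go out without these headers.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    # Advise browsers not to use content type sniffing to reduce chance of XSS attacks.
    add_header X-Content-Type-Options nosniff;
    # Advise browsers to only load scripts from these sites.
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' largely neutralise the
    # script-src restriction, and only script-src is set (other resource types
    # are unrestricted). Tightening this needs application-side changes
    # (nonces or hashes for inline scripts), so it is left as-is here.
    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://code.jquery.com/jquery-3.5.1.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js https://js.stripe.com/v3/ https://r.stripe.com/0";

    location / {
        # Django web application including static files (via WhiteNoise).
        # Pass to the templated upstream defined above; the previous hard-coded
        # name only resolved when site_name happened to be "symposion".
        uwsgi_pass {{ site_name }}_django_wsgi;
        include uwsgi_params;
        # Disable gzip compression where traffic might be over SSL to avoid an
        # attack (BREACH) that may compromise Django's CSRF protection. See:
        # https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
        gzip off;
    }

    location /media/ {
        # User-uploaded files and generated reports, served directly from disk.
        # These are same-origin with the application; the nosniff header above
        # is inherited here because this location adds no headers of its own.
        alias {{ project_dir }}/media/;
        expires 1y;
    }

    location /.well-known/ {
        # Used for "acme-challenge" files (Let's Encrypt domain validation).
        alias {{ project_dir }}/htdocs/.well-known/;
    }
}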