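server {
    # HTTP (plaintext) configuration. This block exists only to move clients
    # to HTTPS; it serves no content itself.
    listen 80;
    # Mirror the dual-stack TLS listeners below so IPv6 clients arriving over
    # plaintext are redirected too, rather than landing on another server block.
    listen [::]:80;
    server_name {{ fqdn }};

    # Redirect plaintext connections to HTTPS.
    # NOTE(review): $host comes from the client's request. If this block ever
    # acts as the default server for port 80, the redirect target follows
    # whatever Host the client sent; pin the target to the site name if that
    # matters for this deployment.
    return 301 https://$host$request_uri;
}

server {
    # Base settings.
    root {{ home }}/htdocs/;
    server_name {{ fqdn }};

    # HTTPS (TLS) configuration.
    # No ssl_protocols / ssl_ciphers are set here, so the effective TLS policy
    # is whatever the enclosing http context or the nginx build defaults
    # provide - confirm that matches the intended baseline.
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;

    # Set-up HSTS header for preventing downgrades for users that visited the
    # site via HTTPS at least once.
    # "always" makes nginx attach the header to error responses (4xx/5xx) as
    # well; without it only a fixed set of success/redirect codes carry it.
    # add_header is inherited by a location only if that location defines no
    # add_header of its own, so any location that adds headers must repeat
    # this one.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # The template values rendered below (extra config, rewrites, locations,
    # proxy headers) are written into the configuration verbatim. They must
    # come from trusted deployment variables, never from user-controlled data.
    {% for config in additional_nginx_config -%}
    # {{ config.comment }}
    {{ config.value }}
    {% endfor -%}

    {% if rewrites -%}
    # Site rewrites.
    {% for rewrite in rewrites -%}
    rewrite {{ rewrite }};
    {% endfor -%}
    {% endif %}

    {% if static_locations -%}
    # Static locations. Served straight from the document root; anything not
    # found on disk is a 404 and is never passed to the WSGI server.
    {% for location in static_locations -%}
    location {{ location }} {
        try_files $uri $uri/ =404;
    }
    {% endfor -%}
    {% endif %}

    # Pass remaining requests to the WSGI server.
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        # $proxy_add_x_forwarded_for appends the peer address to any
        # X-Forwarded-For the client already sent. Only the last entry is
        # written by this proxy; the application must not trust earlier ones.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $http_host is the raw Host header as supplied by the client. The
        # application should validate it against its own list of allowed
        # host names before using it to build URLs.
        proxy_set_header Host $http_host;
        proxy_redirect off;

        {% for header, value in proxy_headers | dictsort -%}
        proxy_set_header {{ header }} {{ value }};
        {% endfor -%}

        proxy_pass http://unix:/run/wsgi/{{ fqdn }}.sock;
    }

    {% if environment_indicator -%}
    # Show environment indicator on HTML pages.
    # NOTE(review): the match string below is empty in this copy and the
    # replacement holds only the indicator text; the HTML markup that belongs
    # in both strings appears to have been lost. Restore it from the canonical
    # template before deploying.
    # The indicator text is placed inside a double-quoted nginx string and then
    # into served HTML: keep it to plain text without quotes, dollar signs or
    # markup.
    sub_filter_types text/html;
    sub_filter_once on;
    sub_filter "" "
{{ environment_indicator.text }}
";
    {% endif -%}

    access_log /var/log/nginx/{{ fqdn }}-access.log;
    error_log /var/log/nginx/{{ fqdn }}-error.log;
}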