upstream c3lf-sys3 { server unix:/var/www/c3lf-sys3/web.sock; } map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { server_name {{ web_domain }}; client_max_body_size 1024M; location / { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT'; add_header 'Content-Security-Policy' "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: wss:;"; root /var/www/c3lf-sys3/repo/web/dist; index index.html index.htm index.nginx-debian.html; try_files $uri $uri/ /index.html; } location /ws { proxy_http_version 1.1; #auth_basic off; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass http://c3lf-sys3; } location ~ ^/(api|media)/ { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_redirect off; proxy_buffering off; proxy_pass http://c3lf-sys3; location ~ ^/api/1 { auth_basic C3LF; auth_basic_user_file conf.d/lf-prod.htpasswd; } } location /djangoadmin { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_redirect off; proxy_buffering off; proxy_pass http://c3lf-sys3; } location /redirect_media/ { internal; alias /var/www/c3lf-sys3/userfiles/; } location /redirect_thumbnail/ { internal; alias /var/www/c3lf-sys3/userfiles/thumbnails/; } location /static/ { alias /var/www/c3lf-sys3/staticfiles/; } location /metrics { allow 95.156.226.90; allow 127.0.0.1; allow ::1; deny all; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_redirect off; proxy_buffering off; proxy_pass http://c3lf-sys3; } listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/{{ web_domain }}/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/{{ web_domain }}/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = {{ web_domain }}) { return 301 https://$host$request_uri; } # managed by Certbot server_name {{ web_domain }}; listen 80; return 404; # managed by Certbot }