server { listen 80 ; server_name localhost; gzip on; access_log /var/log/nginx/mediacms.io.access.log; error_log /var/log/nginx/mediacms.io.error.log warn; # # redirect to https if logged in # if ($http_cookie ~* "sessionid") { # rewrite ^/(.*)$ https://localhost/$1 permanent; # } # # redirect basic forms to https # location ~ (login|login_form|register|mail_password_form)$ { # rewrite ^/(.*)$ https://localhost/$1 permanent; # } # HSTS header add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # CSP header add_header Content-Security-Policy " default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: blob:; media-src 'self' blob:; frame-src 'self'; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests; " always; location /static { alias /home/mediacms.io/mediacms/static ; } location /media/original { alias /home/mediacms.io/mediacms/media_files/original; } location /media { alias /home/mediacms.io/mediacms/media_files ; } location / { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; include /etc/nginx/sites-enabled/uwsgi_params; uwsgi_pass 127.0.0.1:9000; } } server { listen 443 ssl; server_name localhost; ssl_certificate_key /etc/letsencrypt/live/localhost/privkey.pem; ssl_certificate /etc/letsencrypt/live/localhost/fullchain.pem; ssl_dhparam /etc/nginx/dhparams/dhparams.pem; ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; gzip on; access_log /var/log/nginx/mediacms.io.access.log; error_log /var/log/nginx/mediacms.io.error.log warn; location /static { alias /home/mediacms.io/mediacms/static ; } location /media/original { alias /home/mediacms.io/mediacms/media_files/original; #auth_basic "auth protected area"; #auth_basic_user_file /home/mediacms.io/mediacms/deploy/local_install/.htpasswd; } location /media { alias /home/mediacms.io/mediacms/media_files ; } location / { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; include /etc/nginx/sites-enabled/uwsgi_params; uwsgi_pass 127.0.0.1:9000; } }