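# Reverse-proxy vhost template (Jinja2-rendered nginx config).
# Terminates TLS for {{ app_domain }} and forwards everything to the
# application instance listening on loopback.
#
# Each directive and each comment must stay on its own line: nginx treats
# everything after a '#' up to the end of the line as a comment.

# Upstreams
upstream backend{{ app_instance_id }} {
    server 127.0.0.1:{{ app_port }};
}

# $log_ua is 0 for Monit health checks and 1 otherwise; it gates access_log
# below so monitoring probes do not flood the access log.
# NOTE(review): this matches on a client-controlled User-Agent, so any client
# sending "Monit" in its UA is also left out of the access log.
map $http_user_agent $log_ua {
    ~Monit 0;
    default 1;
}

server {
    listen 80;
    server_name {{ app_domain | mandatory }};

    # enforce https
    # $server_name (the configured name) is used rather than the
    # client-supplied Host header, so the redirect target is fixed.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name {{ app_domain | mandatory }};

    ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem;
    # NOTE(review): ssl_protocols / ssl_ciphers are not set in this file;
    # presumably inherited from the http-level config -- confirm.

    # Add headers to serve security related headers
    # Before extending the Strict-Transport-Security header please read into
    # this topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #
    # "always" makes nginx emit the header on every response code; without
    # it the headers are missing from 4xx/5xx responses.
    # These server-level add_header lines are inherited by a location only
    # while that location declares no add_header of its own.
    add_header X-Content-Type-Options nosniff always;
    # Legacy header: current browsers no longer ship an XSS auditor, so this
    # is no substitute for a Content-Security-Policy (none is set here).
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Strict-Transport-Security "max-age=15768000" always;

    # Path to the root of your installation
    root {{ app_instance_root }}/;

    access_log {{ www_log | mandatory }}/{{ app_instance_id }}/access.log combined if=$log_ua;
    error_log {{ www_log | mandatory }}/{{ app_instance_id }}/error.log;

    # set max upload size
    client_max_body_size 512M;

    location / {
        proxy_pass http://backend{{ app_instance_id }}/;
        proxy_http_version 1.1;

        # WebSocket upgrade support.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # NOTE(review): $http_host is the raw client-supplied Host header.
        # If the backend builds absolute URLs from it (password-reset links,
        # redirects), consider $host or a fixed name instead.
        proxy_set_header Host $http_host;

        # $remote_addr is the address nginx saw on the connection.
        # X-Forwarded-For only appends it to whatever the client sent, so
        # the backend must trust the last entry alone.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # This block terminates TLS, so report the real scheme. A hard-coded
        # "http" makes the backend treat every request as plaintext (wrong
        # redirect URLs, cookies issued without Secure).
        proxy_set_header X-Forwarded-Proto $scheme;

        # Non-standard spellings kept in case the backend reads them;
        # remove once confirmed unused.
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto $scheme;

        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}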