extras/ansible/roles/frontend/templates/nginx-site.conf.j2
upstream myblog {
{% for host in (groups.get('all', []) + groups.get('middleware', [])) %}
server {{ hostvars[host]['uwsgi_bind_addr'] }}:{{ uwsgi_bind_port }};
{% endfor %}
}
server {
listen 80;
server_name {{ server_url }};
add_header Strict-Transport-Security max-age=15768000;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name {{ server_url }};
# Log
access_log /var/log/nginx/myblog.log;
error_log /var/log/nginx/myblog.err.log warn;
# Misc
client_max_body_size 10M;
# SSL
ssl on;
ssl_certificate {{ ssl_cert_addr }};
ssl_certificate_key {{ ssl_key_addr }};
ssl_dhparam {{ dhparam_pem_addr }};
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Headers
add_header X-Frame-Options "SAMEORIGIN";
location / {
root /var/www/;
uwsgi_pass myblog;
include uwsgi_params;
}
location = /robots.txt {
root /var/www/;
access_log off;
log_not_found off;
}
location ~ ^/static/ {
root /var/www/;
autoindex on;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ~ ^/media/ {
proxy_pass https://media.{{ server_url }};
proxy_redirect off;
proxy_set_header X-Forwarded-For $remote_addr;
}
location ~ /\. { access_log off; log_not_found off; deny all; }
location ~ ~$ { access_log off; log_not_found off; deny all; }
}