server { listen 80; listen [::]:80; ## listen for ipv4; this line is default and implied root /dev/null; server_name weblate.taler.net; include conf.d/acme-challenge.conf; location / { rewrite ^ https://$host$request_uri? permanent; } } server { listen 443 ssl; listen [::]:443 ssl; ## listen for ipv4; this line is default and implied # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 root /home/weblate/; # Make site accessible from http://localhost/ server_name weblate.taler.net; ssl_certificate /etc/letsencrypt/live/weblate.taler.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/weblate.taler.net/privkey.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header Content-Security-Policy "default-src 'self' https://weblate.taler.net/;"; add_header Referrer-Policy "same-origin"; include conf.d/acme-challenge.conf; location ~ ^/favicon.ico$ { # DATA_DIR/static/favicon.ico alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/favicon.ico; expires 30d; } location /static/ { # DATA_DIR/static/ alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/; expires 30d; } location /media/ { # DATA_DIR/media/ alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/media/; expires 30d; } location / { include conf.d/uwsgi_params; # Needed for long running operations in admin interface uwsgi_read_timeout 3600; # Adjust based to uwsgi configuration: uwsgi_pass unix:///home/weblate/uwsgi.sock; # uwsgi_pass 127.0.0.1:8080; } include conf.d/favicon_robots.conf; }