julrich/Tandoor nginx.conf

## Tandoor nginx.conf
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}

##
# Connection header for WebSocket reverse proxy
##
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name redacted.com;

    # Path to the root of the domain
    root /usr/share/webapps;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    add_header Strict-Transport-Security "max-age=31536000" always;

    # Add .mjs as a file extension for javascript
    # Either include it in the default mime.types list
    # or include you can include that list explicitly and add the file extension
    # only for Nextcloud like below:
    include mime.types;

	location /tandoor {
	    # Proxy Header Settings
	    proxy_set_header Connection $connection_upgrade;
	    proxy_set_header Early-Data $ssl_early_data;
	    proxy_set_header Host $host;
	    proxy_set_header Proxy "";
	    proxy_set_header Upgrade $http_upgrade;
	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	    proxy_set_header X-Forwarded-Host $host;
	    proxy_set_header X-Forwarded-Method $request_method;
	    proxy_set_header X-Forwarded-Port $server_port;
	    proxy_set_header X-Forwarded-Proto $scheme;
	    proxy_set_header X-Forwarded-Server $host;
	    proxy_set_header X-Forwarded-Ssl on;
	    proxy_set_header X-Forwarded-Uri $request_uri;
	    proxy_set_header X-Original-Method $request_method;
	    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
	    proxy_set_header X-Real-IP $remote_addr;

	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	    proxy_set_header X-Script-Name /tandoor; # change to subfolder name
	    proxy_cookie_path / /tandoor; # change to subfolder name

	    proxy_pass http://unix:/var/run/tandoor.socket;
	}

	location /static/ {
	    alias /usr/share/tandoor/staticfiles/;
  	}

	location /media/ {
    	    alias /var/lib/tandoor/mediafiles/;
	}

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
	# Set the `immutable` cache control options only for assets with a cache busting `v` argument
	map $arg_v $asset_immutable {
	"" "";
	default "immutable";
	}

	##
	# Connection header for WebSocket reverse proxy
	##
	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	server {
	server_name redacted.com;

	# Path to the root of the domain
	root /usr/share/webapps;

	# Use Mozilla's guidelines for SSL/TLS settings
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/

	# Prevent nginx HTTP Server Detection
	server_tokens off;

	# HSTS settings
	# WARNING: Only add the preload option once you read about
	# the consequences in https://hstspreload.org/. This option
	# will add the domain to a hardcoded list that is shipped
	# in all major browsers and getting removed from this list
	# could take several months.
	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

	add_header Strict-Transport-Security "max-age=31536000" always;

	# Add .mjs as a file extension for javascript
	# Either include it in the default mime.types list
	# or include you can include that list explicitly and add the file extension
	# only for Nextcloud like below:
	include mime.types;

	location /tandoor {
	# Proxy Header Settings
	proxy_set_header Connection $connection_upgrade;
	proxy_set_header Early-Data $ssl_early_data;
	proxy_set_header Host $host;
	proxy_set_header Proxy "";
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Method $request_method;
	proxy_set_header X-Forwarded-Port $server_port;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-Ssl on;
	proxy_set_header X-Forwarded-Uri $request_uri;
	proxy_set_header X-Original-Method $request_method;
	proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
	proxy_set_header X-Real-IP $remote_addr;

	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Script-Name /tandoor; # change to subfolder name
	proxy_cookie_path / /tandoor; # change to subfolder name

	proxy_pass http://unix:/var/run/tandoor.socket;
	}

	location /static/ {
	alias /usr/share/tandoor/staticfiles/;
	}

	location /media/ {
	alias /var/lib/tandoor/mediafiles/;
	}

	listen [::]:443 ssl ipv6only=on; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
	}