nginx.conf

user  nginx;
worker_processes  auto;

pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
    accept_mutex on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile        on;

    upstream ElephantBook {
        server web:8000 fail_timeout=0;
    }

    map $sent_http_content_type $expires {
        default                    1D;
        ~image/                    max;
        text/html                  off;
    }

    server {
        listen 80;
        listen [::]:80;
        return 308 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        keepalive_timeout  5;

        ssl_certificate /fullchain.pem;
        ssl_certificate_key /privkey.pem;

        proxy_connect_timeout       600;
        proxy_send_timeout          600;
        proxy_read_timeout          600;
        send_timeout                600;

        expires $expires;

        gzip on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_types
            text/plain
            text/css
            text/xml
            application/json
            application/javascript
            image/svg+xml;

        location / {
            proxy_pass http://ElephantBook;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
            client_max_body_size 1024M;
            client_body_buffer_size 1024M;
            limit_except GET HEAD POST PATCH { 
                deny all;
            }
        }

        location /static/ {
            alias /static/;
        }
        
        location /media/ {
            alias /media/;
        }

        location = /robots.txt {
            log_not_found off;
            access_log    off;
            return 200 "User-agent: *\nDisallow: /\n";
        }

        add_header X-Content-Type-Options    "nosniff" always;
        add_header Referrer-Policy           "same-origin" always;
        add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
        add_header Permissions-Policy        "interest-cohort=()" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options           "SAMEORIGIN" always;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
    }
}