user www-data; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; map $http_host $this_host { "" $host; default $http_host; } map $http_x_forwarded_proto $the_scheme { default $http_x_forwarded_proto; "" $scheme; } map $http_x_forwarded_host $the_host { default $http_x_forwarded_host; "" $this_host; } map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; listen 443 ssl; if ($scheme = http) { rewrite ^ https://$host$request_uri? permanent; } ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:secp384r1; add_header Strict-Transport-Security "max-age=31536000; preload"; # Add headers to serve security related headers add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy "same-origin"; root /var/www/html; client_max_body_size 10G; # 0=unlimited - set max upload size fastcgi_buffers 64 4K; gzip off; location / { proxy_pass http://wekan:8080; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-For $remote_addr; } } }