infobeamer-cms-nginx.conf

server {
    server_name infobeamer-cms.example.org;
    root /var/www/infobeamer-cms/;
    index index.html index.htm;

    listen       80;
    listen       [::]:80;

    location / {
        return 308 https://$host$request_uri;
    }
}

server {
    server_name infobeamer-cms.example.org;
    root /var/www/infobeamer-cms/;
    index index.html index.htm;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/ssl/certs/infobeamer-cms.example.org/fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/infobeamer-cms.example.org/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Referrer-Policy same-origin;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Permissions-Policy interest-cohort=();

    location / {
        proxy_pass           http://127.0.0.1:8000;
        proxy_http_version   1.1;
        proxy_set_header     Host infobeamer-cms.example.org;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto $scheme;
        proxy_set_header     X-Forwarded-Host infobeamer-cms.example.org;
        proxy_buffering      off;
        proxy_read_timeout   60;
        client_max_body_size 5M;
    }

    location /static {
        alias /opt/infobeamer-cms/static;
    }

    location /sync {
        return 403 'forbidden';
    }

}