Last active
July 20, 2020 03:31
-
-
Save NanoDano/36deda70f88b0e36017dce31b4ea183d to your computer and use it in GitHub Desktop.
Example Nginx config for Python WSGI app with LetsEncrypt SSL, HTTP basic auth protected dev, and forced HTTPS+WWW
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################### | |
| ## DEFAULT CATCH ALL SERVERS ## | |
| ############################### | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name _; | |
| root /usr/share/nginx/html; | |
| } | |
| server { | |
| listen 443 ssl http2; | |
| listen [::]:443 ssl http2; | |
| server_name _; | |
| root /usr/share/nginx/html; | |
| ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; | |
| } | |
| ###################### | |
| ## Dev ############### | |
| ###################### | |
| server { | |
| listen 8000 ssl; | |
| server_name www.example.net; | |
| location /static/ { | |
| alias /srv/example.net-dev/django/static/; | |
| } | |
| location / { | |
| include uwsgi_params; # or proxy_params for gunicorn | |
| uwsgi_pass 127.0.0.1:8001; # or proxy_pass for gunicorn | |
| proxy_set_header X-Real-IP $remote_addr; | |
| } | |
| auth_basic "Restricted access to example.net"; | |
| auth_basic_user_file /srv/example.net-dev/.htpasswd; | |
| ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; | |
| } | |
| ############################################## | |
| ## Redirect HTTP to HTTPS+WWW ################ | |
| ############################################## | |
| server { | |
| listen 80; | |
| server_name example.net www.example.net; | |
| # Allow certbot/acme challenges to hit HTTP | |
| root /srv/example.net/public; | |
| location /.well-known/acme-challenge/ { | |
| alias /srv/www.example.net/public/.well-known/acme-challenge/; | |
| } | |
| return 301 https://www.example.net$request_uri; | |
| } | |
| ################################################ | |
| ## Redirect HTTPS w/o WWW to HTTPS+WWW ######### | |
| ################################################ | |
| server { | |
| listen 0.0.0.0:443 ssl; | |
| server_name example.net; | |
| ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; | |
| return 301 https://www.example.net$request_uri; | |
| } | |
| ############################################ | |
| ## Final HTTPS+WWW destination ############# | |
| ############################################ | |
| server { | |
| listen 443 ssl; | |
| server_name www.example.net; | |
| location /static/ { | |
| alias /srv/example.net-dev/django/static/; | |
| } | |
| location / { | |
| include uwsgi_params; | |
| uwsgi_pass 127.0.0.1:8002; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| } | |
| ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment