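# Generator preamble: abort on the first failing command, trace every command
# to stderr, and treat unset variables as errors so that a value missing from
# build.profile aborts the run instead of emitting an empty nginx directive.
set -e
set -x
set -u
# NOTE: with -x enabled, every assignment performed by the sourced file is
# echoed to stderr; if build.profile ever carries secrets they end up in the
# build log — keep it to paths and non-sensitive settings.
#
# Pin the sourced file to the working directory. A '.' operand that contains
# no slash is first looked up along $PATH (and only then, outside POSIX mode,
# in the current directory), so a same-named file in any PATH directory would
# be executed instead of the local one. './' removes that ambiguity; the file
# is still the one in $PWD that the generated config header refers to.
. ./build.profile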
tee ${CONF} <<_EOP_
# generated by ${0} in $PWD
worker_processes 1;
events {
worker_connections 1024;
http {
include mime.types;
default_type application/octet-stream;
client_max_body_size 100M;
keepalive_timeout 65;
upstream gunicorn_socket {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response (in case the Unicorn master nukes a
# single worker for timing out).
server unix:${DEVSHM}/gunicorn.sock fail_timeout=0;
server {
server_name ${PAPERLESS_BIND_ADDR};
access_log ${LOGDIR}/nginx-access.log;
if [ -v PAPERLESS_HTTPS ]; then
tee -a ${CONF} <<_EOP_
ssl_certificate ${NGINX_SSL_CERTIFICATE}; # from build.local
ssl_certificate_key ${NGINX_SSL_CERTIFICATE_KEY}; # from build.local
ssl_dhparam ${NGINX_SSL_DHPARAM}; # src/
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
tee -a ${CONF} <<_EOP_
log_subrequest off;
proxy_buffering off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
error_page 400 404 405 502 =200 /chicken.html;
location / {
proxy_pass http://gunicorn_socket/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host \$server_name;
add_header Referrer-Policy "strict-origin-when-cross-origin";