# DO NOT EDIT - managed by Ansible. upstream almalinux_org_backends { server 127.0.0.1:9000; server 127.0.0.1:9001; server 127.0.0.1:9002; } server { server_name almalinux.org www.almalinux.org staging.almalinux.org; root /var/www/almalinux.org/current/public; listen 443 ssl http2; listen [::]:443 ssl http2; # SSL ssl_certificate /etc/ssl/almalinux.org.cert.pem; ssl_certificate_key /etc/ssl/almalinux.org.key.pem; # . files location ~ /\.(?!well-known) { deny all; } # logging access_log /var/log/nginx/almalinux.org.access.log; error_log /var/log/nginx/almalinux.org.error.log warn; location ~ /static/ { root /var/www/almalinux.org/current/public; # assets, media location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|svgz?|svpng|gif|png|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { # 1 day cache add_header Cache-Control "private, no-transform, must-revalidate, max-age=86400"; etag on; access_log off; } # fonts location ~* \.(?:ttf|ttc|otf|eot|woff2?)$ { # 7 day cache add_header Cache-Control "private, no-transform, must-revalidate, max-age=604800"; add_header Access-Control-Allow-Origin "*"; etag on; access_log off; } } location ~ /media/ { root /var/www/almalinux.org; # media location ~* \.(?:jpe?g|svgz?|svpng|gif|png|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { # 1 day cache add_header Cache-Control "private, no-transform, must-revalidate, max-age=86400"; etag on; access_log off; } } location / { include /etc/nginx/uwsgi_params; uwsgi_param Host $host; uwsgi_param X-Real-IP $remote_addr; uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; uwsgi_pass almalinux_org_backends; } # favicon.ico location = /favicon.ico { expires 1d; log_not_found off; access_log off; } # robots.txt location = /robots.txt { expires 1d; log_not_found off; access_log off; } # security.txt location = /security.txt { expires 1h; access_log off; root /var/www/_default; } # HTML location ~* \.(?:html|htm?)$ { add_header Cache-Control "no-cache, no-transform, must-revalidate"; etag on; } # assets, media location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|svgz?|svpng|gif|png|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { # 1 hour cache add_header Cache-Control "private, no-transform, must-revalidate, max-age=3600"; etag on; access_log off; } # fonts location ~* \.(?:ttf|ttc|otf|eot|woff2?)$ { # 7 day cache add_header Cache-Control "private, no-transform, must-revalidate, max-age=604800"; add_header Access-Control-Allow-Origin "*"; etag on; access_log off; } # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; } # HTTP to HTTPS redirect server { listen 80; listen [::]:80; server_name almalinux.org www.almalinux.org staging.almalinux.org almalinux.net almalinux.com; # ACME-challenge location ^~ /.well-known/acme-challenge/ { allow all; default_type 'text/plain'; root /var/www/_letsencrypt; } location / { return 301 https://$host$request_uri; } } # Redirect for .net and .com server { server_name almalinux.net almalinux.com; listen 443 ssl http2; listen [::]:443 ssl http2; # SSL ssl_certificate /etc/ssl/almalinux.com.cert.pem; ssl_certificate_key /etc/ssl/almalinux.com.key.pem; location / { return 301 https://almalinux.org$request_uri; } }