nginx.conf

user  nginx;
worker_processes 2;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections 2048;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  300;

    # Fix cookie origin error "SameSite=Strict"
    map $upstream_http_set_cookie $new_cookie {
        default "$upstream_http_set_cookie; SameSite=Strict";
    }

    server_tokens off;

    # redirect HTTP to HTTPS, always
    server {
        listen 80;
        server_name booking.tullingelabs.se;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;

        # SSL configuration
        ssl_certificate /etc/letsencrypt/live/booking.tullingelabs.se/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/booking.tullingelabs.se/privkey.pem;
        
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1440m;
        ssl_session_tickets off;
        ssl_prefer_server_ciphers off;

        # Ciphers, from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

        # Protocols
        ssl_protocols TLSv1.2 TLSv1.3;

        # HSTS
        add_header Strict-Transport-Security "max-age=31536000;" always;

        # Security headers
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy same-origin;

        location / {
            try_files $uri @app;
            proxy_set_header  X-Real-IP $remote_addr;
        }

        location @app {
            include uwsgi_params;
            uwsgi_pass unix:///tmp/uwsgi.sock;
        }

        location /static {
            alias /app/static;
        }

        # Rewrite Set-Cookie header
        uwsgi_hide_header Set-Cookie;
        add_header Set-Cookie $new_cookie;
        
    }
}
daemon off;