pretix-congressschedule/docker/pretix/nginx/nginx.conf

user www-data www-data;
worker_processes auto;
pid /var/run/nginx.pid;
daemon off;
worker_rlimit_nofile 262144;

events {
    worker_connections 16384;
    multi_accept on;
    use epoll;
}

http {
        server_tokens off;
        sendfile on;
        charset utf-8;
        tcp_nopush on;
        tcp_nodelay on;

        log_format private '[$time_local] $host "$request" $status $body_bytes_sent';

        types_hash_max_size 2048;
        server_names_hash_bucket_size 64;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        add_header X-Content-Type-Options nosniff;

        access_log /var/log/nginx/access.log private;
        error_log /var/log/nginx/error.log;
        add_header Referrer-Policy same-origin;

        gzip on;
        gzip_disable "msie6";
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;

        include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 backlog=4096 default_server;
        listen [::]:80 ipv6only=on default_server;
        server_name _;

        index index.php index.html;
        root /var/www;

        location /media/ {
            alias /data/media/;
            expires 7d;
            access_log off;
        }
        location ^~ /media/cachedfiles {
            deny all;
            return 404;
        }
        location ^~ /media/invoices {
            deny all;
            return 404;
        }
        location /static/ {
            alias /pretix/src/pretix/static.dist/;
            access_log off;
            expires 365d;
            add_header Cache-Control "public";
            add_header Access-Control-Allow-Origin "*";
            gzip on;
        }
        location / {
            # Very important:
            #   proxy_pass http://unix:/tmp/pretix.sock:;
            # is not the same as
            #   proxy_pass http://unix:/tmp/pretix.sock:/;
            # In the latter case, nginx will apply its URL parsing, in the former it doesn't.
            # There are situations in which pretix' API will deal with "file names" containing %2F%2F, which
            # nginx will normalize to %2F, which can break ticket validation.
            proxy_pass http://unix:/tmp/pretix.sock:;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
        }
    }
}