publik-common/doc/nginx/sites-available/wcs.conf

server {
        listen 443 http2;
        listen [::]:443 http2;
        server_name ~^demarche ~^form;

        include snippets/publik-ssl.conf;

        access_log  /var/log/nginx/wcs-access.log combined_full;
        error_log  /var/log/nginx/wcs-error.log;

        location ~ ^/static/(.+)$ {
            root /;
            try_files /var/lib/wcs/$host/static/$1
                      /var/lib/wcs/$host/theme/static/$1
                      /var/lib/wcs/collectstatic/$1
                      =404;
            add_header 'X-Content-Type-Options' 'nosniff';
            add_header 'X-XSS-Protection' '1; mode=block';
            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
            add_header 'Access-Control-Allow-Origin' '*';
            include snippets/gzip-statics.conf;
        }

        location ~ ^/media/(.+)$ {
            alias /var/lib/wcs/$host/media/$1;
            add_header 'X-Content-Type-Options' 'nosniff';
            add_header 'X-XSS-Protection' '1; mode=block';
            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
        }

        location /robots.txt {
            alias /var/lib/wcs/www/robots.txt;
        }

        location / {
            proxy_pass         http://unix:/var/run/wcs/wcs.sock;
            proxy_set_header   Host $http_host;
            proxy_set_header   X-Forwarded-SSL on;
            proxy_set_header   X-Forwarded-Protocol ssl;
            proxy_set_header   X-Forwarded-Proto https;
            proxy_set_header   X-Real-IP       $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            add_header 'X-Content-Type-Options' 'nosniff';
            add_header 'X-XSS-Protection' '1; mode=block';
        }
}