user www-data www-data; worker_processes auto; pid /var/run/nginx.pid; daemon off; worker_rlimit_nofile 262144; events { worker_connections 16384; multi_accept on; use epoll; } http { server_tokens off; sendfile on; charset utf-8; tcp_nopush on; tcp_nodelay on; log_format private '[$time_local] $host "$request" $status $body_bytes_sent'; types_hash_max_size 2048; server_names_hash_bucket_size 64; include /etc/nginx/mime.types; default_type application/octet-stream; add_header X-Content-Type-Options nosniff; access_log /var/log/nginx/access.log private; error_log /var/log/nginx/error.log; add_header Referrer-Policy same-origin; gzip on; gzip_disable "msie6"; gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; include /etc/nginx/conf.d/*.conf; server { listen 80 backlog=4096 default_server; listen [::]:80 ipv6only=on default_server; server_name _; index index.php index.html; root /var/www; location /media/ { alias /data/media/; expires 7d; access_log off; } location ^~ /media/cachedfiles { deny all; return 404; } location ^~ /media/invoices { deny all; return 404; } location /static/ { alias /pretix/src/pretix/static.dist/; access_log off; expires 365d; add_header Cache-Control "public"; add_header Access-Control-Allow-Origin "*"; gzip on; } location / { # Very important: # proxy_pass http://unix:/tmp/pretix.sock:; # is not the same as # proxy_pass http://unix:/tmp/pretix.sock:/; # In the latter case, nginx will apply its URL parsing, in the former it doesn't. # There are situations in which pretix' API will deal with "file names" containing %2F%2F, which # nginx will normalize to %2F, which can break ticket validation. proxy_pass http://unix:/tmp/pretix.sock:; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; } } }