nginx.conf

# qed.epa.gov redirect to HTTPS/SSL
server {
       listen         80;
       server_name    qed.epa.gov;
       #return         301 https://$server_name$request_uri;
	return		301 https://$host$request_uri;
}

# qedinternal.epa.gov redirect to HTTPS/SSL
server {
       listen         80;
       server_name    qedinternal.epa.gov;
       #return         301 https://$server_name$request_uri;
	return		301 https://$host$request_uri;
}

# qed.epa.gov django front-end HTTPS/SSL
server {
    #listen [::]443;
    listen 443;

    server_name    qed.epa.gov;

    client_max_body_size 20M;
    client_body_buffer_size 20M;

    # HSTS Policy (max-age=60 == 1 min. 31536000 = 1 year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl                  on;
    #qed physical location of_certificate /var/www/nginx/certs/qed.epa.gov.chained.crt;
    #qed physical location of key  /var/www/nginx/certs/qed.key;
    ssl_certificate      /etc/nginx/qed/qed.epa.gov.chained.crt;
    ssl_certificate_key  /etc/nginx/qed/qed.key;
    #ssl_certificate      /etc/nginx/qed/qed.epa.gov.chained.crt;
    #ssl_certificate_key  /etc/nginx/qed/qed.key;
    #ssl_certificate_key  /etc/nginx/qed/qedinternal.key;

    ssl_session_timeout  5m;

    #disable ssl2 and ssl3 per
    #https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    #older commented out security block
    #ssl_protocols  SSLv3 TLSv1;
    #ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
    #ssl_prefer_server_ciphers   on;

    location /static_qed/ {
        alias /src/collected_static/;
    }

    location / {
        try_files $uri @uwsgi_django;
    }

    location @uwsgi_django {
        include uwsgi_params;
        uwsgi_pass uwsgi_django:8080;  # 'uwsgi_django' is the hostname given in Docker-Compose YAML 'links' section
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        uwsgi_read_timeout 600s; 
        uwsgi_send_timeout 600s;
	proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # HSTS Policy (max-age=60 == 1 min), 31536000 = 1 year Unknown if proxy_set_header disables inheritance like add_header
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    # nodejs/socket.io route:
    location /socket.io {
        proxy_pass          http://cts_nodejs:4000;  # is this hard-coded port necessary?
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection 'upgrade';
        proxy_set_header    Host $host;
    }

}

# qedinternal.epa.gov django front-end HTTPS/SSL
server {
    #listen [::]443;
    listen 443;

    server_name    qedinternal.epa.gov;

    client_max_body_size 2M;

    # HSTS Policy (max-age=60 == 1 min, 31536000 = 1 year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl                  on;
    #qed physical location of_certificate /var/www/nginx/certs/qed.epa.gov.chained.crt;
    #qed physical location of key  /var/www/nginx/certs/qed.key;
    ssl_certificate      /etc/nginx/qed/qed.epa.gov.chained.crt;
    ssl_certificate_key  /etc/nginx/qed/qed.key;
    #ssl_certificate      /etc/nginx/qed/qed.epa.gov.chained.crt;
    #ssl_certificate_key  /etc/nginx/qed/qed.key;
    #ssl_certificate_key  /etc/nginx/qed/qedinternal.key;

    ssl_session_timeout  5m;

    #disable ssl2 and ssl3 per
    #https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    #older commented out security block
    #ssl_protocols  SSLv3 TLSv1;
    #ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
    #ssl_prefer_server_ciphers   on;

    location /static_qed/ {
        alias /src/collected_static/;
    }

    location / {
        try_files $uri @uwsgi_django;
    }

    location @uwsgi_django {
        include uwsgi_params;
        uwsgi_pass uwsgi_django:8080;  # 'uwsgi_django' is the hostname given in Docker-Compose YAML 'links' section
	proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # HSTS Policy (max-age=60 == 1 min), Unknown if proxy_set_header disables inheritance like add_header
        add_header Strict-Transport-Security "max-age=60; includeSubDomains" always;
    }

    # nodejs/socket.io route:
    location /socket.io {
        proxy_pass          http://cts_nodejs:4000;  # is this hard-coded port necessary?
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection 'upgrade';
        proxy_set_header    Host $host;
    }

    # flower celery monitor
    # location /flower/ {
    #    rewrite ^/flower/(.*)$ /$1 break;
    #    proxy_pass http://uwsgi_flower:5555;
    #    proxy_set_header Host $Host;
    # }

}

# Flask back-end
server {
    #listen [::]7777;
    listen 7777;

    # HSTS Policy (max-age=60 == 1 min, 31536000 = 1 year)
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        try_files $uri @uwsgi_flask;
    }

    location @uwsgi_flask {
        include uwsgi_params;
        uwsgi_pass uwsgi_flask:8080;  # 'uwsgi_flask' is the hostname given in Docker-Compose YAML 'links' section
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # HSTS Policy (max-age=60 == 1 min 31536000 = 1 year), Unknown if proxy_set_header disables inheritance like add_header
        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}