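# Umami analytics vhost (Jinja2-templated nginx config).
# Public surface: /script.js (tracker) and /api/send (event collection).
# Everything else, including the dashboard and the remaining API routes, goes
# through the IP allowlist in "location /".

# 1) HTTP → HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name {{ analytics_domain }};

    # Redirect to the configured name rather than $host. If this block is the
    # default server for port 80, $host is whatever Host header the client
    # sent, and the Location header would echo it back.
    return 301 https://{{ analytics_domain }}$request_uri;
}

# 2) HTTPS site
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ analytics_domain }};

    # Logs
    access_log /var/log/nginx/{{ umami_nginx_site_name }}.access.log;
    error_log  /var/log/nginx/{{ umami_nginx_site_name }}.error.log;

    # TLS certs
    ssl_certificate     /etc/letsencrypt/live/{{ analytics_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ analytics_domain }}/privkey.pem;
    # NOTE(review): ssl_protocols / ssl_ciphers are not set in this file, so
    # the effective TLS versions come from the nginx build defaults or from an
    # http-level include. Confirm TLS 1.0/1.1 are not offered.
    # NOTE(review): no Strict-Transport-Security header is sent. If one is
    # added at server level it must be repeated inside "location = /api/send":
    # add_header directives are inherited only by blocks that define none of
    # their own.

    # Tracker script: public, exact match only.
    location = /script.js {
        proxy_pass http://{{ umami_nginx_upstream_host }}:{{ umami_nginx_upstream_port }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Event collection: public, exact match only, POST/OPTIONS only.
    location = /api/send {
        proxy_pass http://{{ umami_nginx_upstream_host }}:{{ umami_nginx_upstream_port }};
        proxy_set_header Host $host;
        # X-Real-IP is the address nginx saw on the socket.
        # $proxy_add_x_forwarded_for appends that address to any
        # X-Forwarded-For the client supplied, so only the last entry is
        # trustworthy.
        # NOTE(review): which header the upstream reads for the visitor IP is
        # not visible here. Confirm it does not take the first XFF entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Any other method gets 403 before it reaches the upstream.
        limit_except POST OPTIONS {
            deny all;
        }

        # Drop the upstream's CORS headers so the ones set below are the only
        # copies in the response.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
        proxy_hide_header Access-Control-Max-Age;

        # The request's Origin is reflected verbatim, so every origin is
        # allowed. That is acceptable only while Access-Control-Allow-Credentials
        # is NOT sent; do not add it without first replacing "$http_origin"
        # with a value checked against the list of tracked sites (e.g. via an
        # http-level map). "Vary: Origin" keeps caches from serving one
        # origin's response to another.
        add_header Access-Control-Allow-Origin "$http_origin" always;
        add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
        add_header Access-Control-Max-Age 86400 always;
        add_header Vary "Origin" always;

        # Answer CORS preflight locally; the add_header lines above still apply.
        if ($request_method = OPTIONS) {
            return 204;
        }
    }

    # Dashboard and everything not matched above: allowlisted sources only.
    location / {
        # Fails closed: an empty nginx_dashboard_allowlist leaves only "deny all".
        # allow/deny match the connecting address. If nginx sits behind a load
        # balancer or CDN, that is the proxy's address unless the realip module
        # (set_real_ip_from / real_ip_header) is configured for it.
        {% for cidr in nginx_dashboard_allowlist %}
        allow {{ cidr }};
        {% endfor %}
        deny all;

        proxy_pass http://{{ umami_nginx_upstream_host }}:{{ umami_nginx_upstream_port }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}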