server {
    listen       [::]:443 ssl;
    listen       443 ssl;
    server_name  myhost;

    # ssl_certificate ...;

    add_header X-Xss-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=15768000";
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Content-Security-Policy "child-src 'none'; object-src 'none'";

    client_max_body_size 250M;
    error_page  403 404 https://$server_name/404;

    location / {
        proxy_pass               http://127.0.0.1:8000;
        proxy_set_header         Host              $host;
        proxy_set_header         X-Real-IP         $remote_addr;
        proxy_set_header         X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header         X-Forwarded-Proto $scheme;
        proxy_redirect           http:// https://;
        proxy_connect_timeout    1800;
        proxy_read_timeout       1800;
        proxy_max_temp_file_size 8192m;
    }

    # static files
    location /static {
        root /myroot/ram/storage;
    }

    # media files
    location ~ ^/media/(images|uploads) {
        root /myroot/ram/storage;
    }

    # protected filed to be served via X-Accel-Redirect
    location /private {
    	internal;
        alias /myroot/ram/storage/media;
    }
}