mirror of
https://github.com/jakejarvis/mastodon-utils.git
synced 2025-04-26 03:25:22 -04:00
consolidate nginx headers for static files in /public
This commit is contained in:
parent
d49c1e3e99
commit
55b25d1533
GPG Key ID:
2B0C9CF251E69A39
@ -1,4 +1,4 @@
|
|||||||
# modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
|
# heavily modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
|
||||||
|
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
@ -15,25 +15,14 @@ upstream streaming {
|
|||||||
|
|
||||||
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
|
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
|
||||||
|
|
||||||
server {
|
|
||||||
listen [::]:80;
|
|
||||||
listen 80;
|
|
||||||
|
|
||||||
server_name fediverse.jarv.is;
|
|
||||||
|
|
||||||
if ($host = fediverse.jarv.is) {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
} # managed by Certbot
|
|
||||||
|
|
||||||
return 403;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen [::]:443 http2 ssl ipv6only=on;
|
listen [::]:443 http2 ssl ipv6only=on;
|
||||||
listen 443 http2 ssl;
|
listen 443 http2 ssl;
|
||||||
|
|
||||||
server_name fediverse.jarv.is;
|
server_name fediverse.jarv.is;
|
||||||
|
|
||||||
|
root /home/mastodon/live/public;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/fediverse.jarv.is/fullchain.pem; # managed by Certbot
|
ssl_certificate /etc/letsencrypt/live/fediverse.jarv.is/fullchain.pem; # managed by Certbot
|
||||||
ssl_certificate_key /etc/letsencrypt/live/fediverse.jarv.is/privkey.pem; # managed by Certbot
|
ssl_certificate_key /etc/letsencrypt/live/fediverse.jarv.is/privkey.pem; # managed by Certbot
|
||||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||||
@ -44,11 +33,9 @@ server {
|
|||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/fediverse.jarv.is/chain.pem;
|
ssl_trusted_certificate /etc/letsencrypt/live/fediverse.jarv.is/chain.pem;
|
||||||
|
|
||||||
keepalive_timeout 70;
|
keepalive_timeout 20;
|
||||||
sendfile on;
|
sendfile on;
|
||||||
client_max_body_size 80m;
|
client_max_body_size 100m;
|
||||||
|
|
||||||
root /home/mastodon/live/public;
|
|
||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_disable "msie6";
|
gzip_disable "msie6";
|
||||||
@ -81,28 +68,34 @@ server {
|
|||||||
return 302 https://grafana.pipe.fail/public-dashboards/b5ca7a7c8e844f90b0973d2ab02bad0a;
|
return 302 https://grafana.pipe.fail/public-dashboards/b5ca7a7c8e844f90b0973d2ab02bad0a;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# sends most paths to the backend proxy and ignores the location blocks below, except if
|
||||||
|
# the file exists in /home/mastodon/live
|
||||||
location / {
|
location / {
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
try_files $uri @proxy;
|
try_files $uri @proxy;
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /sw.js {
|
# condensed version of original Mastodon nginx.conf
|
||||||
add_header Cache-Control "public, max-age=604800, must-revalidate";
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
try_files $uri =404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
|
location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
|
||||||
add_header Cache-Control "public, max-age=2419200, must-revalidate";
|
add_header Cache-Control "public, max-age=2419200, must-revalidate"; # 28 days
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# media uploads & cache (irrelevant if offloading to S3)
|
||||||
location ~ ^/system/ {
|
location ~ ^/system/ {
|
||||||
add_header Cache-Control "public, max-age=2419200, immutable";
|
add_header Cache-Control "public, max-age=2419200, immutable"; # 28 days
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# static files in root of /public (sw.js, favicon.ico, etc) that aren't covered above
|
||||||
|
location ~ ^/(.*\.(js|css|png|gif|jpg|txt|ico))$ {
|
||||||
|
add_header Cache-Control "public, max-age=604800, must-revalidate"; # 7 days
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
try_files $uri @proxy;
|
||||||
|
}
|
||||||
|
|
||||||
location ^~ /api/v1/streaming {
|
location ^~ /api/v1/streaming {
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
@ -117,9 +110,12 @@ server {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
# security headers
|
||||||
|
proxy_hide_header Strict-Transport-Security;
|
||||||
|
proxy_hide_header X-Powered-By;
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
# debugging
|
# debugging headers
|
||||||
add_header Via "1.1 $proxy_host" always;
|
add_header Via "1.1 $proxy_host" always;
|
||||||
|
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
@ -131,7 +127,7 @@ server {
|
|||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
# remove 'Server: Mastodon' response header
|
# uncomment to allow the 'Server: Mastodon' header to override nginx's:
|
||||||
# proxy_pass_header Server;
|
# proxy_pass_header Server;
|
||||||
|
|
||||||
proxy_pass http://backend;
|
proxy_pass http://backend;
|
||||||
@ -146,11 +142,16 @@ server {
|
|||||||
proxy_cache_valid 410 24h;
|
proxy_cache_valid 410 24h;
|
||||||
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
|
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
|
||||||
|
|
||||||
# security
|
# security headers
|
||||||
proxy_hide_header Referrer-Policy;
|
proxy_hide_header Referrer-Policy;
|
||||||
|
proxy_hide_header Strict-Transport-Security;
|
||||||
|
proxy_hide_header X-Powered-By;
|
||||||
|
proxy_hide_header X-Clacks-Overhead;
|
||||||
|
proxy_hide_header X-XSS-Protection;
|
||||||
add_header Referrer-Policy "strict-origin" always;
|
add_header Referrer-Policy "strict-origin" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
# debugging
|
# debugging headers
|
||||||
add_header Via "1.1 $proxy_host" always;
|
add_header Via "1.1 $proxy_host" always;
|
||||||
add_header X-Cache-Status $upstream_cache_status always;
|
add_header X-Cache-Status $upstream_cache_status always;
|
||||||
add_header X-Got-Milk "2%" always;
|
add_header X-Got-Milk "2%" always;
|
||||||
@ -160,3 +161,16 @@ server {
|
|||||||
|
|
||||||
error_page 404 500 501 502 503 504 /500.html;
|
error_page 404 500 501 502 503 504 /500.html;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen [::]:80;
|
||||||
|
listen 80;
|
||||||
|
|
||||||
|
server_name fediverse.jarv.is;
|
||||||
|
|
||||||
|
if ($host = fediverse.jarv.is) {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
} # managed by Certbot
|
||||||
|
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user