mirror of
https://github.com/jakejarvis/mastodon-utils.git
synced 2025-04-26 03:25:22 -04:00
consolidate nginx headers for static files in /public
This commit is contained in:
parent
d49c1e3e99
commit
55b25d1533
GPG Key ID:
2B0C9CF251E69A39
@ -1,4 +1,4 @@
|
||||
# modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
|
||||
# heavily modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
@ -15,25 +15,14 @@ upstream streaming {
|
||||
|
||||
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
|
||||
|
||||
server {
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
|
||||
server_name fediverse.jarv.is;
|
||||
|
||||
if ($host = fediverse.jarv.is) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
return 403;
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:443 http2 ssl ipv6only=on;
|
||||
listen 443 http2 ssl;
|
||||
|
||||
server_name fediverse.jarv.is;
|
||||
|
||||
root /home/mastodon/live/public;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/fediverse.jarv.is/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/fediverse.jarv.is/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
@ -44,11 +33,9 @@ server {
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/fediverse.jarv.is/chain.pem;
|
||||
|
||||
keepalive_timeout 70;
|
||||
sendfile on;
|
||||
client_max_body_size 80m;
|
||||
|
||||
root /home/mastodon/live/public;
|
||||
keepalive_timeout 20;
|
||||
sendfile on;
|
||||
client_max_body_size 100m;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
@ -81,28 +68,34 @@ server {
|
||||
return 302 https://grafana.pipe.fail/public-dashboards/b5ca7a7c8e844f90b0973d2ab02bad0a;
|
||||
}
|
||||
|
||||
# sends most paths to the backend proxy and ignores the location blocks below, except if
|
||||
# the file exists in /home/mastodon/live
|
||||
location / {
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location = /sw.js {
|
||||
add_header Cache-Control "public, max-age=604800, must-revalidate";
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
# condensed version of original Mastodon nginx.conf
|
||||
location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
|
||||
add_header Cache-Control "public, max-age=2419200, must-revalidate";
|
||||
add_header Cache-Control "public, max-age=2419200, must-revalidate"; # 28 days
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
# media uploads & cache (irrelevant if offloading to S3)
|
||||
location ~ ^/system/ {
|
||||
add_header Cache-Control "public, max-age=2419200, immutable";
|
||||
add_header Cache-Control "public, max-age=2419200, immutable"; # 28 days
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
# static files in root of /public (sw.js, favicon.ico, etc) that aren't covered above
|
||||
location ~ ^/(.*\.(js|css|png|gif|jpg|txt|ico))$ {
|
||||
add_header Cache-Control "public, max-age=604800, must-revalidate"; # 7 days
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location ^~ /api/v1/streaming {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
@ -117,9 +110,12 @@ server {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
# security headers
|
||||
proxy_hide_header Strict-Transport-Security;
|
||||
proxy_hide_header X-Powered-By;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
# debugging
|
||||
# debugging headers
|
||||
add_header Via "1.1 $proxy_host" always;
|
||||
|
||||
tcp_nodelay on;
|
||||
@ -131,7 +127,7 @@ server {
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Proxy "";
|
||||
# remove 'Server: Mastodon' response header
|
||||
# uncomment to allow the 'Server: Mastodon' header to override nginx's:
|
||||
# proxy_pass_header Server;
|
||||
|
||||
proxy_pass http://backend;
|
||||
@ -146,11 +142,16 @@ server {
|
||||
proxy_cache_valid 410 24h;
|
||||
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
|
||||
|
||||
# security
|
||||
# security headers
|
||||
proxy_hide_header Referrer-Policy;
|
||||
proxy_hide_header Strict-Transport-Security;
|
||||
proxy_hide_header X-Powered-By;
|
||||
proxy_hide_header X-Clacks-Overhead;
|
||||
proxy_hide_header X-XSS-Protection;
|
||||
add_header Referrer-Policy "strict-origin" always;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
# debugging
|
||||
# debugging headers
|
||||
add_header Via "1.1 $proxy_host" always;
|
||||
add_header X-Cache-Status $upstream_cache_status always;
|
||||
add_header X-Got-Milk "2%" always;
|
||||
@ -160,3 +161,16 @@ server {
|
||||
|
||||
error_page 404 500 501 502 503 504 /500.html;
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
|
||||
server_name fediverse.jarv.is;
|
||||
|
||||
if ($host = fediverse.jarv.is) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
return 403;
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user