add ElasticSearch notes

etc/nginx/nginx.conf

@@ -1,4 +1,4 @@
-user mastodon; # jake: changed from nginx
+user mastodon; # changed from 'nginx'
 worker_processes auto;
 pid /run/nginx.pid;
 
@@ -7,7 +7,7 @@ load_module modules/ngx_http_brotli_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
 
 events {
-	worker_connections 768;
+	worker_connections 1024;
 }
 
 http {
@@ -24,7 +24,14 @@ http {
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
 
-	# jake: added (prometheus target)
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	# stats for prometheus nginx exporter
 	server {
 		listen 9181;
 		location /metrics {
@@ -34,13 +41,6 @@ http {
 		}
 	}
 
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
 	##
 	# Virtual Host Configs
 	##

etc/nginx/sites-available/default.conf

@@ -1,4 +1,6 @@
-# don't respond to direct IP address requests
+# don't respond to direct IP address requests:
+# https://www.codedodle.com/disable-direct-ip-access-nginx.html
+
 server {
   listen 80 default_server;
   listen [::]:80 default_server;

etc/nginx/sites-available/mastodon.conf

@@ -1,3 +1,5 @@
+# modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
+
 map $http_upgrade $connection_upgrade {
   default upgrade;
   ''      close;
@@ -23,7 +25,7 @@ server {
     return 301 https://$host$request_uri;
   } # managed by Certbot
 
-  return 404; # managed by Certbot
+  return 403;
 }
 
 server {
@@ -62,8 +64,8 @@ server {
              image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
   gzip_min_length 256;
 
-  # jake: added
   # https://github.com/google/ngx_brotli#sample-configuration
+  # https://github.com/jakejarvis/mastodon-scripts/wiki/Brotli-compression-for-nginx
   brotli on;
   brotli_comp_level 4;
   brotli_static on;
@@ -74,60 +76,22 @@ server {
                image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
   brotli_min_length 256;
 
-  location / {
-    try_files $uri @proxy;
-  }
-
-  # jake: added
+  # add shortcut to public Grafana dashboard
   location ~ ^/dashboard/?$ {
     return 302 https://grafana.pipe.fail/public-dashboards/b5ca7a7c8e844f90b0973d2ab02bad0a;
   }
 
-  # If Docker is used for deployment and Rails serves static files,
-  # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
+  location / {
+    try_files $uri @proxy;
+  }
+
   location = /sw.js {
     add_header Cache-Control "public, max-age=604800, must-revalidate";
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
-  location ~ ^/assets/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/avatars/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/emoji/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/headers/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/packs/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/shortcuts/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    try_files $uri =404;
-  }
-
-  location ~ ^/sounds/ {
+  location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
@@ -155,7 +119,7 @@ server {
 
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
 
-    # jake: added (debugging)
+    # debugging
     add_header Via "1.1 $proxy_host" always;
 
     tcp_nodelay on;
@@ -167,7 +131,7 @@ server {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header Proxy "";
-    # jake: removed
+    # remove 'Server: Mastodon' response header
     # proxy_pass_header Server;
 
     proxy_pass http://backend;
@@ -182,11 +146,11 @@ server {
     proxy_cache_valid 410 24h;
     proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
 
-    # jake: added (security)
+    # security
     proxy_hide_header Referrer-Policy;
     add_header Referrer-Policy "strict-origin" always;
 
-    # jake: added (debugging)
+    # debugging
     add_header Via "1.1 $proxy_host" always;
     add_header X-Cache-Status $upstream_cache_status always;
     add_header X-Got-Milk "2%" always;