diff --git a/etc/nginx/sites-available/mastodon.conf b/etc/nginx/sites-available/mastodon.conf
index 8ba8226..29dd94e 100644
--- a/etc/nginx/sites-available/mastodon.conf
+++ b/etc/nginx/sites-available/mastodon.conf
@@ -87,55 +87,55 @@ server { # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`. location = /sw.js { add_header Cache-Control "public, max-age=604800, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/assets/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/avatars/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/emoji/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/headers/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/packs/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/shortcuts/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security 
"max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/sounds/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } location ~ ^/system/ { add_header Cache-Control "public, max-age=2419200, immutable"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } @@ -153,11 +153,10 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; # jake: added (debugging) - add_header Via $proxy_host; - add_header X-Got-Milk "2%"; + add_header Via "1.1 $proxy_host" always; tcp_nodelay on; } @@ -183,10 +182,14 @@ server { proxy_cache_valid 410 24h; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + # jake: added (security) + proxy_hide_header Referrer-Policy; + add_header Referrer-Policy "strict-origin" always; + # jake: added (debugging) - add_header Via $proxy_host; - add_header X-Cache-Status $upstream_cache_status; - add_header X-Got-Milk "2%"; + add_header Via "1.1 $proxy_host" always; + add_header X-Cache-Status $upstream_cache_status always; + add_header X-Got-Milk "2%" always; tcp_nodelay on; }
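Review bot: The same Strict-Transport-Security line is now maintained in nine static `location` blocks in this hunk (`/sw.js` through `/system/`), with no comment explaining why it cannot be set once at `server` level. nginx inherits `add_header` from the enclosing level only when the current level defines none, and each of these locations sets its own `Cache-Control`, so the repetition is required; a comment such as `# add_header is not inherited once a location sets its own; repeat HSTS here` above the first block would stop a later cleanup from silently dropping it. For the same reason, any other security header set at `server` level (not visible in this hunk) would not reach these locations either, which is worth checking against a real response from `/assets/`.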
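Review bot: `add_header Via "1.1 $proxy_host" always;` publishes the upstream name and port taken from `proxy_pass` to every client, and with `always` it now does so on error responses as well. The `proxy_pass` target is outside this hunk, but if it is an internal address or upstream name, the header is a small information leak for something the comment marks as debugging. Via permits a pseudonym in place of the real host, so a fixed label such as `add_header Via "1.1 edge" always;` (label constructed for illustration) keeps the hop visible without naming the backend. The location block itself begins above the hunk.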
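Review bot: The `proxy_hide_header Referrer-Policy;` / `add_header Referrer-Policy "strict-origin" always;` pair discards whatever policy the upstream application sends and substitutes `strict-origin`, which still gives the origin to cross-origin destinations. If the upstream already sends a stricter value such as `same-origin` or `no-referrer` (its response headers are not visible here), this change under a `(security)` comment loosens the policy rather than tightening it; comparing against a direct upstream response before merging would settle that. A comment stating the intent, e.g. `# override upstream Referrer-Policy; must be at least as strict as the app's value`, would make it reviewable later. `X-Got-Milk` was dropped from the streaming location in the previous hunk but is kept here, and `X-Cache-Status` now goes out on every response, so the debugging headers are inconsistent between the two locations. The location block starts outside the hunk.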