
fix certbot via pip

This commit is contained in:
2023-01-01 09:16:12 -05:00
parent e60498efd2
commit e894dcd6f8
5 changed files with 41 additions and 19 deletions


@@ -1,23 +1,23 @@
# catch-all nginx server
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 80 default_server;
server_name _;
return 444;
}
server {
listen 443 default_server;
listen [::]:443 default_server;
listen 443 default_server;
# intentionally cause an SSL error. this requires a snakeoil certificate, see:
# https://docs.j7k6.org/nginx-default-ssl-site/
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_reject_handshake on;
include /etc/letsencrypt/options-ssl-nginx.conf;
include snippets/ssl-params.conf;
server_name _;
return 444;
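Review bot: Neither `listen 443 default_server;` nor `listen [::]:443 default_server;` carries the `ssl` parameter, so as far as I can tell this block is only a TLS listener because another server block on the same port (the mastodon vhost) sets `ssl`; if that vhost is disabled, which its own comment says is the case until certbot has run, nginx would serve plaintext HTTP on 443 from this block and `ssl_reject_handshake on;` would have nothing to reject. Make the intent explicit with `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;`. With `ssl_reject_handshake on;` (nginx 1.19.4+) the block also no longer needs a certificate, so the snakeoil lines and the TLS-parameter include are dead weight and the comment saying one is required is stale; I would reword it to `# reject TLS handshakes for unknown hostnames (no certificate needed since nginx 1.19.4)`. Which of the two `include` lines is the new side is not recoverable from this render.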


@@ -16,22 +16,21 @@ upstream streaming {
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
server {
listen [::]:443 http2 ssl ipv6only=on;
listen [::]:443 http2 ssl;
listen 443 http2 ssl;
server_name mastodon.example.com;
root /home/mastodon/live/public;
# assumes certbot has been run, nginx will not start with this config enabled otherwise
ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=1.1.1f&guideline=5.6
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem;
include snippets/ssl-params.conf;
keepalive_timeout 30;
sendfile on;
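Review bot: The `ssl_stapling on;` / `ssl_stapling_verify on;` pair needs a `resolver` directive so nginx can look up the OCSP responder, and none is visible in this hunk; if it is not set elsewhere in the file, stapling fails silently at runtime, so add a `resolver` line pointing at the host's DNS (with `valid=300s` or similar) next to the pair, or drop the pair. Which of the two TLS-parameter sets shown here is the new side is not recoverable from this render, but if the change removes `ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`, the `DHE-RSA-*` suites in the included cipher list become unusable because nginx sets no default DH parameters (its docs state that without `ssl_dhparam` DHE ciphers will not be used); either keep the directive or trim those suites so the list reflects what is actually offered. Two `ssl_trusted_certificate` lines also appear in the hunk, and if both survive on the new side nginx refuses to start with a duplicate-directive error. The `server {` block continues past the end of the hunk.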


@@ -0,0 +1,14 @@
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";