pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
author Luke Hoersten <luke@hoersten.org>
Sat, 02 May 2020 18:37:45 -0500
changeset 95 35b63b150a51
parent 94 7082ab4828c5
child 96 290c18c27521
permissions -rw-r--r--
Added pleroma web root.
# default nginx site config for Pleroma
#
# Simple installation instructions:
# 1. Install your TLS certificate, possibly using Let's Encrypt.
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
# On-disk cache for proxied media. The directory and the key zone both embed
# pleroma_instance, so each rendered instance gets its own cache.
# NOTE(review): /tmp is normally world-writable and shared with every local
# user, so another account could create this path before nginx does. With
# use_temp_path=off (continuation line) temporary files are written inside this
# directory as well. A directory owned by the nginx user outside /tmp avoids
# that; confirm what the role provisions.
proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;
server {
    listen {{nginx_port}};
    # listen [::]:{{nginx_port}};
    server_name {{nginx_server_name}};
    # Send every plain-HTTP request to HTTPS with a permanent redirect.
    # The target carries no port, so it assumes HTTPS answers on 443 whatever
    # nginx_ssl_port is set to (presumably true behind Cloudflare; confirm).
    # $host is taken from the client's request; if this block can act as the
    # default server for its port, any Host value is echoed into Location.
    return 301 https://$host$request_uri;
}
# Enable SSL session caching for improved performance
# Declared outside any server block, so it applies at the level this file is
# included from (presumably http; confirm) and is shared by every server
# block that inherits it.
ssl_session_cache shared:ssl_session_cache:10m;
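server {
    # TLS virtual host for the instance: static files come from the web root,
    # everything else is handed to the Pleroma backend.
    #
    # NOTE(review): nothing in this block limits who may connect (no allow/deny,
    # no ssl_verify_client). If the origin is meant to be reachable only through
    # Cloudflare, that has to be enforced elsewhere, e.g. by a firewall; confirm.
    listen {{nginx_ssl_port}} ssl http2;
    # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
    server_name {{nginx_server_name}};

    # No ssl_protocols or ssl_ciphers are set here, so protocol and cipher
    # selection come from the enclosing configuration or nginx's built-in
    # defaults; confirm they are pinned where this file is included.
    ssl_certificate {{nginx_ssl_cert}};
    ssl_certificate_key {{nginx_ssl_privkey}};
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;

    # Server-level HSTS. nginx inherits add_header lines only into levels that
    # declare none of their own, so this reaches static files, "location = /"
    # and /proxy, but not @pleroma (which repeats HSTS itself).
    add_header Strict-Transport-Security "max-age=31536000" always;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;

    root {{nginx_html_root}};

    location = / {
        index index.html;
    }

    location / {
        # Any file under the web root whose path matches the URI is served
        # directly and takes precedence over the backend route of the same name,
        # so the web root should hold only files meant to be public.
        # NOTE(review): responses served from here carry the server-level HSTS
        # header only, not the hardening headers set in @pleroma.
        try_files $uri @pleroma;
    }

    location @pleroma {
        # This location declares its own add_header set, so the server-level
        # HSTS line is not inherited and HSTS is repeated below. "always" makes
        # nginx attach the headers to error responses too; without it they are
        # sent only with 2xx/3xx replies. The server-level HSTS line already
        # uses "always", so this brings the two in line.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Permitted-Cross-Domain-Policies none always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy same-origin always;
        add_header X-Download-Options noopen always;

        # NOTE(review): this value adds includeSubDomains while the server-level
        # one does not, so clients receive two different HSTS policies depending
        # on which location answered. Settle on one value for the whole host.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Forwards the Host header exactly as the client sent it; $host is the
        # normalised alternative.
        # NOTE(review): no X-Forwarded-For or X-Real-IP header is passed, so the
        # backend sees nginx as the client address unless that is configured
        # elsewhere; confirm whether per-client limits in Pleroma depend on it.
        proxy_set_header Host $http_host;

        proxy_pass {{pleroma_proxy_pass}};

        client_max_body_size 16m;
    }

    location /proxy {
        # Media proxy path, cached in the zone declared by proxy_cache_path.
        # No proxy_cache_key or proxy_cache_valid is set, so nginx's default key
        # applies and cacheability follows the backend's response headers.
        # Unlike @pleroma, no Host override and no hardening headers are set
        # here; only the server-level HSTS header is inherited.
        # NOTE(review): this path relays third-party media from the instance's
        # own origin, so at least X-Content-Type-Options nosniff is worth
        # having here unless the backend already sends it; confirm.
        proxy_cache {{pleroma_instance}}-pleroma_media_cache;
        proxy_cache_lock on;
        proxy_ignore_client_abort on;
        proxy_pass {{pleroma_proxy_pass}};
    }
}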