pleroma-otp/templates/pleroma.letsencrypt.nginx.conf.j2
author Luke Hoersten <luke@hoersten.org>
Tue, 09 Jun 2020 19:21:58 -0500
changeset 100 ac5e16a08576
parent 95 35b63b150a51
child 102 5afa8c28e689
permissions -rw-r--r--
Moved postgres and nginx roles to ansible-roles.
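# default nginx site config for Pleroma
#
# This file is an Ansible/Jinja2 template: the domain, ports, certificate paths
# and upstream address are filled in from the role variables (nginx_server_name,
# nginx_port, nginx_ssl_port, nginx_ssl_cert, nginx_ssl_privkey, pleroma_instance,
# pleroma_proxy_pass), so nothing has to be edited by hand after rendering.
#
# Simple installation instructions (when used outside the role):
# 1. Install your TLS certificate, possibly using Let's Encrypt.
# 2. Replace the template variables above with your instance's values.
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.

# On-disk cache for the media proxy (location /proxy below). The cache directory
# and zone name carry the instance name so several instances can share one nginx.
# NOTE(review): /tmp is shared with every local user and is often cleared on
# reboot; a dedicated nginx-owned directory (e.g. under /var/cache) is the safer
# home for a 10g cache.
proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;

# Plain-HTTP listener: every request is redirected to HTTPS.
# NOTE(review): the redirect reflects the client's Host header ($host). If this
# is the only server block on {{nginx_port}}, nginx also uses it for Host values
# it does not own and echoes them into the Location header. When
# nginx_server_name is a single exact hostname, "return 301
# https://$server_name$request_uri;" pins the target; otherwise a separate
# default_server that returns 444 keeps unknown names out.
# There is no /.well-known/acme-challenge/ exception here, so HTTP-01 renewals
# cannot pass through this block; the role's certbot/cloudflare changeset
# suggests DNS validation is used instead — confirm.
server {
    listen {{nginx_port}};
    # listen [::]:{{nginx_port}};
    server_name {{nginx_server_name}};
    return 301 https://$host$request_uri;
}

# Enable SSL session caching for improved performance.
# NOTE(review): certbot's options-ssl-nginx.conf (included below) normally sets
# ssl_session_cache at server level too, and a server-level value wins over this
# http-level one for that server — confirm which setting is intended.
ssl_session_cache shared:ssl_session_cache:10m;

server {
    listen {{nginx_ssl_port}} ssl http2;
    # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
    server_name {{nginx_server_name}};

    ssl_certificate {{nginx_ssl_cert}};
    ssl_certificate_key {{nginx_ssl_privkey}};
    # Protocol/cipher policy and DH parameters come from the files certbot ships.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    # OCSP stapling.
    # NOTE(review): ssl_stapling_verify only verifies when the issuer chain is
    # configured with ssl_trusted_certificate; without it nginx logs a warning
    # and staples the response unverified. If nginx_ssl_cert is certbot's
    # fullchain file, the matching chain file is the one to reference.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Response headers for every location in this server.
    # nginx does not inherit add_header into a location that declares its own
    # add_header, so all of them live here and apply to both "location /" and
    # "location /proxy" below. Before this consolidation the security headers
    # were only emitted for "location /", and /proxy fell back to a bare HSTS
    # value without includeSubDomains. "always" also emits them on error
    # responses.
    # includeSubDomains commits every subdomain of the instance to HTTPS for a
    # year; drop it if any subdomain is still served over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Legacy XSS-auditor switch; current browser guidance is "0" because the
    # auditor was removed and had its own leaks. Kept as the author set it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy same-origin always;
    add_header X-Download-Options noopen always;

    # gzip tuning; "gzip on" itself is expected from the http-level config —
    # confirm. Compressing authenticated JSON over TLS makes responses that echo
    # client-controlled input measurable by size (BREACH-class), which is the
    # usual trade-off accepted here.
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    # (server-level, so it applies to both locations; the duplicate that used
    # to sit inside "location /" was redundant)
    client_max_body_size 16m;

    # Pleroma itself: web UI, API and websockets (hence the Upgrade headers).
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        # NOTE(review): no X-Forwarded-For / X-Forwarded-Proto is passed, so the
        # upstream sees nginx's own address as the client unless it is told
        # otherwise — verify against Pleroma's remote-IP settings before relying
        # on per-client rate limits or access logs.

        proxy_pass {{pleroma_proxy_pass}};
    }

    # Media proxy, cached on disk (see proxy_cache_path at the top).
    # proxy_set_header from "location /" is not inherited here, so the upstream
    # receives the default Host derived from the proxy_pass target.
    location /proxy {
        proxy_cache {{pleroma_instance}}-pleroma_media_cache;
        proxy_cache_lock on;
        proxy_ignore_client_abort on;
        proxy_pass {{pleroma_proxy_pass}};
    }
}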