pleroma/otp/templates/pleroma.letsencrypt.nginx.conf.j2
author Luke Hoersten <luke@hoersten.org>
Fri, 21 Jul 2023 15:14:24 -0500
changeset 215 dd52907adff9
parent 202 252069788104
permissions -rw-r--r--
Split dendrite build out of install role.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     1
# default nginx site config for Pleroma
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     2
#
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     3
# Simple installation instructions:
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     4
# 1. Install your TLS certificate, possibly using Let's Encrypt.
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     5
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     6
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     7
#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
     8
84
d0c40727e6ff Added WIP pleroma OTP role.
Luke Hoersten <luke@hoersten.org>
parents: 82
diff changeset
     9
proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    10
                 inactive=720m use_temp_path=off;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    11
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    12
server {
102
5afa8c28e689 Updated for better nginx usage.
Luke Hoersten <luke@hoersten.org>
parents: 95
diff changeset
    13
    listen 80;
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    14
    server_name {{nginx_server_name}};
93
976670b2ca63 Moved roles to top level dir.
Luke Hoersten <luke@hoersten.org>
parents: 84
diff changeset
    15
    return 301 https://$host$request_uri;
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    16
}
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    17
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    18
# Enable SSL session caching for improved performance
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    19
ssl_session_cache shared:ssl_session_cache:10m;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    20
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    21
server {
102
5afa8c28e689 Updated for better nginx usage.
Luke Hoersten <luke@hoersten.org>
parents: 95
diff changeset
    22
    listen 443 ssl http2;
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    23
    server_name {{nginx_server_name}};
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    24
82
a3e1a9b18f6d Added certbot and cloudflare support.
Luke Hoersten <luke@hoersten.org>
parents: 69
diff changeset
    25
    ssl_certificate {{nginx_ssl_cert}};
a3e1a9b18f6d Added certbot and cloudflare support.
Luke Hoersten <luke@hoersten.org>
parents: 69
diff changeset
    26
    ssl_certificate_key {{nginx_ssl_privkey}};
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    27
    include /etc/letsencrypt/options-ssl-nginx.conf;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    28
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    29
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    30
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    31
    ssl_stapling on;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    32
    ssl_stapling_verify on;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    33
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    34
    add_header Strict-Transport-Security "max-age=31536000" always;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    35
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    36
    gzip_vary on;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    37
    gzip_proxied any;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    38
    gzip_comp_level 6;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    39
    gzip_buffers 16 8k;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    40
    gzip_http_version 1.1;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    41
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    42
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    43
    # the nginx default is 1m, not enough for large media uploads
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    44
    client_max_body_size 16m;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    45
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    46
    location / {
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    47
        add_header X-XSS-Protection "1; mode=block";
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    48
        add_header X-Permitted-Cross-Domain-Policies none;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    49
        add_header X-Frame-Options DENY;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    50
        add_header X-Content-Type-Options nosniff;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    51
        add_header Referrer-Policy same-origin;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    52
        add_header X-Download-Options noopen;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    53
93
976670b2ca63 Moved roles to top level dir.
Luke Hoersten <luke@hoersten.org>
parents: 84
diff changeset
    54
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    55
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    56
        proxy_http_version 1.1;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    57
        proxy_set_header Upgrade $http_upgrade;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    58
        proxy_set_header Connection "upgrade";
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    59
        proxy_set_header Host $http_host;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    60
202
252069788104 Backed out changeset 10051617d075
Luke Hoersten <luke@hoersten.org>
parents: 200
diff changeset
    61
        proxy_pass {{pleroma_proxy_pass}};
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    62
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    63
        client_max_body_size 16m;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    64
    }
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    65
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    66
    location /proxy {
84
d0c40727e6ff Added WIP pleroma OTP role.
Luke Hoersten <luke@hoersten.org>
parents: 82
diff changeset
    67
        proxy_cache {{pleroma_instance}}-pleroma_media_cache;
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    68
        proxy_cache_lock on;
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    69
        proxy_ignore_client_abort on;
202
252069788104 Backed out changeset 10051617d075
Luke Hoersten <luke@hoersten.org>
parents: 200
diff changeset
    70
        proxy_pass {{pleroma_proxy_pass}};
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    71
    }
123
e8d0308b94b2 Added local pleroma prometheus scraping.
Luke Hoersten <luke@hoersten.org>
parents: 103
diff changeset
    72
e8d0308b94b2 Added local pleroma prometheus scraping.
Luke Hoersten <luke@hoersten.org>
parents: 103
diff changeset
    73
    # don't expose prometheus stats publicly
e8d0308b94b2 Added local pleroma prometheus scraping.
Luke Hoersten <luke@hoersten.org>
parents: 103
diff changeset
    74
    location /api/pleroma/app_metrics {
e8d0308b94b2 Added local pleroma prometheus scraping.
Luke Hoersten <luke@hoersten.org>
parents: 103
diff changeset
    75
        return 404;
e8d0308b94b2 Added local pleroma prometheus scraping.
Luke Hoersten <luke@hoersten.org>
parents: 103
diff changeset
    76
    }
61
2dd82d9e2103 Added nginx reverse proxy to pleroma.
Luke Hoersten <luke@hoersten.org>
parents:
diff changeset
    77
}