roles/pleroma-otp/templates/pleroma.cloudflare.nginx.conf.j2
changeset 84 d0c40727e6ff
parent 82 a3e1a9b18f6d
child 87 4f87097dd651
equal deleted inserted replaced
83:ccd5604f5b69 84:d0c40727e6ff
       
     1 # default nginx site config for Pleroma
       
     2 #
       
     3 # Simple installation instructions:
       
     4 # 1. Install your TLS certificate, possibly using Let's Encrypt.
       
     5 # 2. Replace 'example.tld' with your instance's domain wherever it appears.
       
     6 # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
       
     7 #    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
       
     8 
       
     9 proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
       
    10                  inactive=720m use_temp_path=off;
       
    11 
       
    12 server {
       
    13     listen {{nginx_port}};
       
    14     # listen [::]:{{nginx_port}};
       
    15     server_name _;
       
    16     return 301 https://$host$request_uri;
       
    17 }
       
    18 
       
    19 # Enable SSL session caching for improved performance
       
    20 ssl_session_cache shared:ssl_session_cache:10m;
       
    21 
       
    22 server {
       
    23     listen {{nginx_ssl_port}} ssl http2;
       
    24     # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
       
    25     server_name _;
       
    26 
       
    27     ssl_certificate {{nginx_ssl_cert}};
       
    28     ssl_certificate_key {{nginx_ssl_privkey}};
       
    29     include /etc/letsencrypt/options-ssl-nginx.conf;
       
    30     # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
       
    31 
       
    32     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
       
    33     ssl_stapling on;
       
    34     ssl_stapling_verify on;
       
    35 
       
    36     add_header Strict-Transport-Security "max-age=31536000" always;
       
    37 
       
    38     gzip_vary on;
       
    39     gzip_proxied any;
       
    40     gzip_comp_level 6;
       
    41     gzip_buffers 16 8k;
       
    42     gzip_http_version 1.1;
       
    43     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
       
    44 
       
    45     # the nginx default is 1m, not enough for large media uploads
       
    46     client_max_body_size 16m;
       
    47 
       
    48     location / {
       
    49         add_header X-XSS-Protection "1; mode=block";
       
    50         add_header X-Permitted-Cross-Domain-Policies none;
       
    51         add_header X-Frame-Options DENY;
       
    52         add_header X-Content-Type-Options nosniff;
       
    53         add_header Referrer-Policy same-origin;
       
    54         add_header X-Download-Options noopen;
       
    55 
       
    56         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
       
    57 
       
    58         proxy_http_version 1.1;
       
    59         proxy_set_header Upgrade $http_upgrade;
       
    60         proxy_set_header Connection "upgrade";
       
    61         proxy_set_header Host $http_host;
       
    62 
       
    63         proxy_pass {{pleroma_proxy_pass}};
       
    64 
       
    65         client_max_body_size 16m;
       
    66     }
       
    67 
       
    68     location /proxy {
       
    69         proxy_cache {{pleroma_instance}}-pleroma_media_cache;
       
    70         proxy_cache_lock on;
       
    71         proxy_ignore_client_abort on;
       
    72         proxy_pass {{pleroma_proxy_pass}};
       
    73     }
       
    74 }