roles/pleroma-otp/templates/pleroma.nginx.conf.j2
changeset 84 d0c40727e6ff
parent 82 a3e1a9b18f6d
equal deleted inserted replaced
83:ccd5604f5b69 84:d0c40727e6ff
       
     1 # default nginx site config for Pleroma
       
     2 #
       
     3 # Simple installation instructions:
       
     4 # 1. Install your TLS certificate, possibly using Let's Encrypt.
       
     5 # 2. Replace 'example.tld' with your instance's domain wherever it appears.
       
     6 # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
       
     7 #    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
       
     8 
       
     9 proxy_cache_path /tmp/{{pleroma_instance}}-pleroma-media-cache levels=1:2 keys_zone={{pleroma_instance}}-pleroma_media_cache:10m max_size=10g
       
    10                  inactive=720m use_temp_path=off;
       
    11 
       
    12 server {
       
    13     listen {{nginx_port}};
       
    14     # listen [::]:{{nginx_port}};
       
    15     server_name {{nginx_server_name}};
       
    16     return 301 https://$server_name$request_uri;
       
    17 
       
    18     # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
       
    19     # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
       
    20     # that is is accessible by the webserver. You may need to load this file with the ssl
       
    21     # server block commented out, run certbot to get the certificate, and then uncomment it.
       
    22     #
       
    23     # location ~ /\.well-known/acme-challenge {
       
    24     #     root <path to install>/pleroma/priv/static/;
       
    25     # }
       
    26 }
       
    27 
       
    28 # Enable SSL session caching for improved performance
       
    29 ssl_session_cache shared:ssl_session_cache:10m;
       
    30 
       
    31 server {
       
    32     listen {{nginx_ssl_port}} ssl http2;
       
    33     # listen [::]:{{nginx_ssl_port}} ssl ipv6only=on;
       
    34     server_name {{nginx_server_name}};
       
    35 
       
    36     ssl_certificate {{nginx_ssl_cert}};
       
    37     ssl_certificate_key {{nginx_ssl_privkey}};
       
    38     include /etc/letsencrypt/options-ssl-nginx.conf;
       
    39     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
       
    40 
       
    41     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
       
    42     ssl_stapling on;
       
    43     ssl_stapling_verify on;
       
    44 
       
    45     add_header Strict-Transport-Security "max-age=31536000" always;
       
    46 
       
    47     gzip_vary on;
       
    48     gzip_proxied any;
       
    49     gzip_comp_level 6;
       
    50     gzip_buffers 16 8k;
       
    51     gzip_http_version 1.1;
       
    52     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
       
    53 
       
    54     # the nginx default is 1m, not enough for large media uploads
       
    55     client_max_body_size 16m;
       
    56 
       
    57     location / {
       
    58         # if you do not want remote frontends to be able to access your Pleroma backend
       
    59         # server, remove these lines.
       
    60         # add_header 'Access-Control-Allow-Origin' '*' always;
       
    61         # add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
       
    62         # add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
       
    63         # add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
       
    64         # if ($request_method = OPTIONS) {
       
    65         #     return 204;
       
    66         # }
       
    67         # stop removing lines here.
       
    68 
       
    69         add_header X-XSS-Protection "1; mode=block";
       
    70         add_header X-Permitted-Cross-Domain-Policies none;
       
    71         add_header X-Frame-Options DENY;
       
    72         add_header X-Content-Type-Options nosniff;
       
    73         add_header Referrer-Policy same-origin;
       
    74         add_header X-Download-Options noopen;
       
    75 
       
    76         # Uncomment this only after you get HTTPS working.
       
    77         # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
       
    78 
       
    79         proxy_http_version 1.1;
       
    80         proxy_set_header Upgrade $http_upgrade;
       
    81         proxy_set_header Connection "upgrade";
       
    82         proxy_set_header Host $http_host;
       
    83 
       
    84         proxy_pass {{pleroma_proxy_pass}};
       
    85 
       
    86         client_max_body_size 16m;
       
    87     }
       
    88 
       
    89     location /proxy {
       
    90         proxy_cache {{pleroma_instance}}-pleroma_media_cache;
       
    91         proxy_cache_lock on;
       
    92         proxy_ignore_client_abort on;
       
    93         proxy_pass {{pleroma_proxy_pass}};
       
    94     }
       
    95 }