From fa7b74cf51e2b5c7c60aaf3ec529ba2292450d7b Mon Sep 17 00:00:00 2001 From: Jason Snell Date: Tue, 4 Apr 2017 18:43:21 -0700 Subject: SSL best practices for nginx --- docs/Running-Mastodon/Production-guide.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'docs/Running-Mastodon') diff --git a/docs/Running-Mastodon/Production-guide.md b/docs/Running-Mastodon/Production-guide.md index b1f7bd35b..d539ddf64 100644 --- a/docs/Running-Mastodon/Production-guide.md +++ b/docs/Running-Mastodon/Production-guide.md @@ -11,10 +11,22 @@ map $http_upgrade $connection_upgrade { '' close; } +server { + listen 80; + listen [::]:80; + server_name example.com; + return 301 https://$host$request_uri; +} + server { listen 443 ssl; server_name example.com; + ssl_protocols TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; -- cgit From 5dbcd92193f45d71629e261cc264725d59f2ea6c Mon Sep 17 00:00:00 2001 From: Angristan Date: Wed, 5 Apr 2017 10:44:08 +0200 Subject: ECDH only Disable DHE ciphers. We don't loose any compatibility as we already use TLS 1.2, and ECDH is faster and safer. Also, it's better so specify the curve. This is the conf I use here : https://tls.imirhil.fr/https/mstdn.io --- docs/Running-Mastodon/Production-guide.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs/Running-Mastodon') diff --git a/docs/Running-Mastodon/Production-guide.md b/docs/Running-Mastodon/Production-guide.md index d539ddf64..3912fd2ba 100644 --- a/docs/Running-Mastodon/Production-guide.md +++ b/docs/Running-Mastodon/Production-guide.md 
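Review bot: `return 301 https://$host$request_uri;` in the new port-80 block builds the redirect target from `$host`, which nginx fills from the request line or Host header, so whenever this block acts as the default server for port 80 the client chooses where the redirect points; `return 301 https://$server_name$request_uri;` pins it to the configured name. The block also adds `listen [::]:80;` while the 443 block shown as context has only `listen 443 ssl;`, so IPv6 clients may be redirected to a listener that does not exist; adding `listen [::]:443 ssl;` would match. A redirect alone still leaves each first plain-HTTP request open to interception, so `add_header Strict-Transport-Security "max-age=31536000";` in the 443 block is worth adding unless it is already set further down, since that block continues outside the hunk.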
@@ -23,7 +23,8 @@ server { server_name example.com; ssl_protocols TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_ciphers EECDH+AESGCM:EECDH+AES; + ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; -- cgit From 5ed2de6be2f3003be4422a659bdd7ab96803adf0 Mon Sep 17 00:00:00 2001 From: Angristan Date: Wed, 5 Apr 2017 14:11:08 +0200 Subject: Add git and curl as dependencies In some VPS templates, they are not installed by default. --- docs/Running-Mastodon/Production-guide.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs/Running-Mastodon') diff --git a/docs/Running-Mastodon/Production-guide.md b/docs/Running-Mastodon/Production-guide.md index 3912fd2ba..90e9c0dea 100644 --- a/docs/Running-Mastodon/Production-guide.md +++ b/docs/Running-Mastodon/Production-guide.md @@ -88,8 +88,9 @@ It is recommended to create a special user for mastodon on the server (you could ## General dependencies + sudo apt-get install imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev nodejs file git curl curl -sL https://deb.nodesource.com/setup_4.x | sudo bash - - sudo apt-get install imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev nodejs file + apt-get intall nodejs sudo npm install -g yarn ## Redis -- cgit From d6bab0c71cd94bff4f775b79a55493b6e02215a0 Mon Sep 17 00:00:00 2001 From: Jonathan Hurter Date: Wed, 5 Apr 2017 16:00:48 +0200 Subject: Add doc --- README.md | 2 ++ docs/Running-Mastodon/Scalingo-guide.md | 13 +++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 docs/Running-Mastodon/Scalingo-guide.md (limited to 'docs/Running-Mastodon') diff --git a/README.md b/README.md index fde4df6bb..db60b66f7 100644 --- a/README.md +++ b/README.md 
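Review bot: `ssl_ecdh_curve secp384r1;` pins the server to a single curve, and after this change `ssl_ciphers` has no non-ECDHE suite left, so a client that does not offer secp384r1 cannot complete a handshake at all; the commit message's claim that no compatibility is lost holds only for clients that support that curve. With nginx 1.11.0 or later built against OpenSSL 1.0.2 or later the directive accepts a list, e.g. `ssl_ecdh_curve secp384r1:prime256v1;`, which keeps the stronger curve preferred without making it mandatory; the guide should state which versions it assumes. `EECDH+AES` also admits CBC-mode suites next to the GCM ones, which deserves a one-line comment in the guide saying it is kept for older TLS 1.2 clients. The server block starts and ends outside the hunk.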
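Review bot: The added line `apt-get intall nodejs` fails as written, because `intall` is not an apt-get command and, unlike the neighbouring lines, it has no `sudo`; it should read `sudo apt-get install nodejs`. The first added line still lists `nodejs`, so the distribution's package is installed before the NodeSource repository is configured; dropping `nodejs` from that line leaves one install from the intended source. The context line pipes a downloaded script straight into `sudo bash -`, which runs whatever the server returns as root, so the guide could tell readers to save the script and read it before running it.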
@@ -121,6 +121,8 @@ Docker is great for quickly trying out software, but it has its drawbacks too. I [![Deploy on Scalingo](https://cdn.scalingo.com/deploy/button.svg)](https://my.scalingo.com/deploy?source=https://github.com/tootsuite/mastodon#master) +[You can view a guide for deployment on Scalingo here.](docs/Running-Mastodon/Scalingo-guide.md) + ## Deployment on Heroku (experimental) [![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy) diff --git a/docs/Running-Mastodon/Scalingo-guide.md b/docs/Running-Mastodon/Scalingo-guide.md new file mode 100644 index 000000000..6552056a8 --- /dev/null +++ b/docs/Running-Mastodon/Scalingo-guide.md @@ -0,0 +1,13 @@ +Scalingo guide +============== + +[![Deploy on Scalingo](https://cdn.scalingo.com/deploy/button.svg)](https://my.scalingo.com/deploy?source=https://github.com/tootsuite/mastodon#master) + +1. Click the above button. +2. Fill in the options requested. + * You can use a .scalingo.io domain, which will be simple to set up, or you can use a custom domain. + * You will want Amazon S3 for file storage. The only exception is for development purposes, where you may not care if files are not saved. Follow a guide online for creating a free Amazon S3 bucket and Access Key, then enter the details. + * If you want your Mastodon to be able to send emails, configure SMTP settings here (or later). Consider using [Mailgun](https://mailgun.com) or similar, who offer free plans that should suit your interests. +3. Deploy! The app should be set up, with a working web interface and database. You can change settings and manage versions from the Heroku dashboard. + +You may need to use the `scalingo` CLI application to run `USERNAME=yourUsername rails mastodon:make_admin` to make yourself an admin. -- cgit