diff options
| author | Starfall <us@starfall.systems> | 2023-01-17 13:59:40 -0600 |
|---|---|---|
| committer | Starfall <us@starfall.systems> | 2023-01-17 14:26:55 -0600 |
| commit | 7515716e7f3950a3a6de04aac1b88215aa40795e (patch) | |
| tree | 9a67642bfde79cfef092de8b87a3c80bd2ccad43 /deploy/conf/nginx.conf | |
| parent | 0d0c26b589a0fedb4cf336683da4c0272a4391d1 (diff) | |
update almost everything except the setup script
Diffstat (limited to 'deploy/conf/nginx.conf')
| -rw-r--r-- | deploy/conf/nginx.conf | 146 |
1 files changed, 36 insertions, 110 deletions
diff --git a/deploy/conf/nginx.conf b/deploy/conf/nginx.conf index 7804345..d8ccfce 100644 --- a/deploy/conf/nginx.conf +++ b/deploy/conf/nginx.conf @@ -3,21 +3,14 @@ map $http_upgrade $connection_upgrade { '' close; } -upstream dockernetdata { - server netdata:19999; - keepalive 64; -} - server { listen 80; listen [::]:80; - server_name $NGINX_HOST; - root /var/www/html; + server_name plural.cafe *.plural.cafe; + server_tokens off; - location /.well-known/acme-challenge/ { - allow all; - } + root /srv/plural.cafe/html; location / { return 301 https://$host$request_uri; @@ -29,34 +22,8 @@ server { listen [::]:443 ssl http2; server_name ~^(?<subdomain>\w+)\.plural\.cafe$; - server_tokens off; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES'; - ssl_ecdh_curve X25519:secp384r1; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:TLS:2m; - ssl_session_timeout 10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - keepalive_timeout 70; - sendfile on; - client_max_body_size 0; - - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "same-origin"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem; - ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem; - ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem; - - resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; - resolver_timeout 5s; + + include /etc/nginx/snippets/common-ssl.conf; return 301 "https://plural.cafe/@${subdomain}"; } @@ -65,44 +32,25 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name $NGINX_HOST; - server_tokens off; + server_name plural.cafe; + + include /etc/nginx/snippets/common-ssl.conf; + root /srv/plural.cafe/html; + + gzip on; + gzip_disable "msie6"; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES'; - ssl_ecdh_curve X25519:secp384r1; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:TLS:2m; - ssl_session_timeout 10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - keepalive_timeout 70; - sendfile on; - client_max_body_size 0; - - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "same-origin"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - - ssl_certificate /etc/ssl/fullchain.pem; - ssl_certificate_key /etc/ssl/privkey.pem; - ssl_trusted_certificate /etc/ssl/cert.pem; - - resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; - resolver_timeout 5s; - - root /var/www/html; - - #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';"; - add_header Access-Control-Allow-Origin "https://$host"; add_header X-Cache-Status $upstream_cache_status; - location / { - try_files $uri @proxy; + # hang up on scrubs + if ($http_user_agent ~* (fedsearch|gabsocial|fedichive|seekport|dotbot|semrush|fasthttp|^\d+$|wdestiny|megaindex|webmeup|fedi-block)) { + return 444; } location /sw.js { @@ -110,45 +58,13 @@ server { try_files $uri @proxy; } - location = /sysinfo { - return 301 /sysinfo/; - } - - location ~ /sysinfo/(?<ndpath>.*) { - proxy_redirect off; - proxy_set_header Host $host; - - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_http_version 1.1; - proxy_pass_request_headers on; - proxy_set_header Connection "keep-alive"; - proxy_store off; - proxy_pass http://dockernetdata/$ndpath$is_args$args; - - gzip on; - gzip_proxied any; - gzip_types *; - } - location ~ ^/(emoji|packs|sounds) { - add_header Cache-Control "public, max-age=31536000, immutable"; - - gzip on; - gzip_disable "msie6"; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - + expires max; try_files $uri @proxy; } - location ~ ^/system/(?<req>(media_attachments|accounts|preview_cards)/.+) { - return 301 "https://d2rm2wyqhf92ej.cloudfront.net/$req"; + location / { + try_files $uri @proxy; } location @proxy { @@ -157,9 +73,14 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header Proxy ""; + proxy_hide_header X-Frame-Options; + proxy_hide_header X-Content-Type-Options; + proxy_hide_header X-XSS-Protection; + proxy_hide_header Referrer-Policy; + proxy_hide_header Strict-Transport-Security; proxy_pass_header Server; - proxy_pass http://mstweb:3000; + proxy_pass http://127.0.0.1:3010; proxy_buffering on; proxy_redirect off; proxy_http_version 1.1; @@ -182,7 +103,7 @@ server { proxy_set_header X-Forwarded-Proto https; proxy_set_header Proxy ""; - proxy_pass http://mststreaming:4000; + proxy_pass http://127.0.0.1:3011; proxy_buffering off; proxy_redirect off; proxy_http_version 1.1; @@ -192,6 +113,11 @@ server { tcp_nodelay on; } + location /api/v2/search { + access_log off; + try_files $uri @proxy; + } + error_page 403 /assets/403.html; error_page 404 /assets/404.html; error_page 410 /assets/410.html; |