about summary refs log tree commit diff
path: root/deploy/conf
diff options
context:
space:
mode:
authorthekettu <samantha.chalker@nccgroup.trust>2018-04-22 16:15:55 -0700
committerthekettu <samantha.chalker@nccgroup.trust>2018-04-22 16:15:55 -0700
commitcab33b7005e9857dfdfdc0670b96d2cd100582ae (patch)
treeb5b6b6c57c8175b2f71475658249407c29038653 /deploy/conf
parent668868deee87a3852c814c4dcbf68a67f9dd584a (diff)
Add IPv6 NAT and use Nginx in a container
Diffstat (limited to 'deploy/conf')
-rw-r--r--deploy/conf/nginx.conf42
1 files changed, 17 insertions, 25 deletions
diff --git a/deploy/conf/nginx.conf b/deploy/conf/nginx.conf
index e005f86..7804345 100644
--- a/deploy/conf/nginx.conf
+++ b/deploy/conf/nginx.conf
@@ -3,8 +3,8 @@ map $http_upgrade $connection_upgrade {
   ''      close;
 }
 
-upstream netdata {
-  server 127.0.0.1:19999;
+upstream dockernetdata {
+  server netdata:19999;
   keepalive 64;
 }
 
@@ -12,8 +12,8 @@ server {
   listen 80;
   listen [::]:80;
 
-  server_name plural.cafe;
-  root /home/mastodon/public;
+  server_name $NGINX_HOST;
+  root /var/www/html;
 
   location /.well-known/acme-challenge/ {
       allow all;
@@ -32,15 +32,14 @@ server {
   server_tokens off;
 
   ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
-  ssl_ecdh_curve X25519:secp521r1:secp384r1;
+  ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
+  ssl_ecdh_curve X25519:secp384r1;
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:TLS:2m;
   ssl_session_timeout 10m;
   ssl_session_tickets off;
   ssl_stapling on;
   ssl_stapling_verify on;
-  ssl_dhparam /etc/ssl/dhparam.pem;
 
   keepalive_timeout 70;
   sendfile on;
@@ -66,19 +65,18 @@ server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
 
-  server_name plural.cafe;
+  server_name $NGINX_HOST;
   server_tokens off;
 
-  ssl_protocols TLSv1.3 TLSv1.2;
-  ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
-  ssl_ecdh_curve X25519:secp521r1:secp384r1;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
+  ssl_ecdh_curve X25519:secp384r1;
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:TLS:2m;
   ssl_session_timeout 10m;
   ssl_session_tickets off;
   ssl_stapling on;
   ssl_stapling_verify on;
-  ssl_dhparam /etc/ssl/dhparam.pem;
 
   keepalive_timeout 70;
   sendfile on;
@@ -90,14 +88,14 @@ server {
   add_header Referrer-Policy "same-origin";
   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
-  ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem;
-  ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem;
-  ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem;
+  ssl_certificate /etc/ssl/fullchain.pem;
+  ssl_certificate_key /etc/ssl/privkey.pem;
+  ssl_trusted_certificate /etc/ssl/cert.pem;
 
   resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
   resolver_timeout 5s;
 
-  root /home/mastodon/public;
+  root /var/www/html;
 
   #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';";
   add_header Access-Control-Allow-Origin "https://$host";
@@ -107,12 +105,6 @@ server {
     try_files $uri @proxy;
   }
 
-#  location /_matrix {
-#    proxy_pass http://127.0.0.1:8008;
-#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#    proxy_pass_request_headers on;
-#  }
-
   location /sw.js {
     add_header Cache-Control "public, max-age=0";
     try_files $uri @proxy;
@@ -133,7 +125,7 @@ server {
     proxy_pass_request_headers on;
     proxy_set_header Connection "keep-alive";
     proxy_store off;
-    proxy_pass http://netdata/$ndpath$is_args$args;
+    proxy_pass http://dockernetdata/$ndpath$is_args$args;
 
     gzip on;
     gzip_proxied any;
@@ -167,7 +159,7 @@ server {
     proxy_set_header Proxy "";
     proxy_pass_header Server;
 
-    proxy_pass http://127.0.0.1:3000;
+    proxy_pass http://mstweb:3000;
     proxy_buffering on;
     proxy_redirect off;
     proxy_http_version 1.1;
@@ -190,7 +182,7 @@ server {
     proxy_set_header X-Forwarded-Proto https;
     proxy_set_header Proxy "";
 
-    proxy_pass http://127.0.0.1:4000;
+    proxy_pass http://mststreaming:4000;
     proxy_buffering off;
     proxy_redirect off;
     proxy_http_version 1.1;