diff options
| author | Reverite <515462+Reverite@users.noreply.github.com> | 2018-03-20 14:42:20 -0700 |
|---|---|---|
| committer | Reverite <515462+Reverite@users.noreply.github.com> | 2018-03-20 14:42:20 -0700 |
| commit | df38c10a0c999ab6616daae98eee04ccf71b9276 (patch) | |
| tree | bc70e2e9a8369dd4ac90679b42cdf94173fcd936 /nginx.conf | |
| parent | 07c6844c4b4ebbb85b5fa4c6211d85ab4f5d0fa7 (diff) | |
move utils out of mastodon repo
Diffstat (limited to 'nginx.conf')
| -rw-r--r-- | nginx.conf | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..4098153 --- /dev/null +++ b/nginx.conf @@ -0,0 +1,152 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name plural.cafe; + root /home/mastodon/live/public; + location /.well-known/acme-challenge/ { allow all; } + location / { return 301 https://$host$request_uri; } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ~^(?<subdomain>\w+)\.plural\.cafe$; + server_tokens off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; + ssl_prefer_server_ciphers on; + ssl_ecdh_curve secp384r1; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s; + resolver_timeout 5s; + + ssl_dhparam /etc/ssl/certs/dhparam4096.pem; + + ssl_certificate /etc/letsencrypt/live/plural.cafe/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem; + + keepalive_timeout 70; + sendfile on; + client_max_body_size 0; + + gzip off; + + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Referrer-Policy "same-origin"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + + return 301 "https://plural.cafe/@${subdomain}"; +} + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + server_name plural.cafe; + server_tokens off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL; + ssl_prefer_server_ciphers on; + ssl_ecdh_curve secp384r1; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s; + resolver_timeout 5s; + + ssl_dhparam /etc/ssl/certs/dhparam4096.pem; + + ssl_certificate /etc/letsencrypt/live/plural.cafe/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem; + + keepalive_timeout 70; + sendfile on; + client_max_body_size 0; + + root /home/mastodon/live/public; + + gzip off; # anti-BREACH + + add_header X-Terms-Of-Service "https://plural.cafe/about/more"; + add_header X-Source-Code "https://github.com/pluralcafe/mastodon"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'; base-uri 'self'; form-action 'self'; default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self' https://fonts.googleapis.com/ 'sha256-deDIoPlRijnpfbTDYsK+8JmDfUBmpwpnb0L/SUV8NeU=' 'sha256-dsU/1vqKDGkqSAJVJCzaxo3alnWrTU/iQqFREt5QB+g='; img-src * data: https://d2rm2wyqhf92ej.cloudfront.net/; media-src 'self' data: https://d2rm2wyqhf92ej.cloudfront.net/; worker-src 'self'; frame-src https://player.vimeo.com https://youtube.com https://www.youtube.com; font-src 'self' data: https://fonts.gstatic.com/; connect-src 'self' wss://plural.cafe"; + add_header Referrer-Policy "same-origin"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + + location / { + try_files $uri @proxy; + } + + location /sw.js { + add_header Cache-Control "public, max-age=0"; + try_files $uri @proxy; + } + + location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { + add_header Cache-Control "public, max-age=31536000, immutable"; + try_files $uri @proxy; + } + + location @proxy { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Proxy ""; + proxy_pass_header Server; + + proxy_pass http://127.0.0.1:3000; + proxy_buffering off; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + tcp_nodelay on; + } + + location /api/v1/streaming { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Proxy ""; + + proxy_pass http://127.0.0.1:4000; + proxy_buffering off; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + tcp_nodelay on; + } + + error_page 403 /assets/403.html; + error_page 404 /assets/404.html; + error_page 410 /assets/410.html; + error_page 422 /assets/422.html; + error_page 500 501 502 503 504 /assets/500.html; +} + |