Merge pull request 'Use /var/tmp for media cache path' (#776) from norm/akkoma:nginx-var-tmp into develop
Reviewed-on: #776 Reviewed-by: floatingghost <hannah@coffee-and-dreams.uk>
This commit is contained in:
commit
8afc3bee7a
7 changed files with 32 additions and 118 deletions
|
@ -6,37 +6,17 @@ With the `mediaproxy` function you can use nginx to cache this content, so users
|
|||
|
||||
## Activate it
|
||||
|
||||
* Edit your nginx config and add the following location to your main server block:
|
||||
```
|
||||
location /proxy {
|
||||
return 404;
|
||||
}
|
||||
```
|
||||
|
||||
* Set up a subdomain for the proxy with its nginx config on the same machine
|
||||
*(the latter is not strictly required, but for simplicity we’ll assume so)*
|
||||
* In this subdomain’s server block add
|
||||
```
|
||||
location /proxy {
|
||||
proxy_cache akkoma_media_cache;
|
||||
proxy_cache_lock on;
|
||||
proxy_pass http://localhost:4000;
|
||||
}
|
||||
```
|
||||
Also add the following on top of the configuration, outside of the `server` block:
|
||||
```
|
||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
|
||||
```
|
||||
If you came here from one of the installation guides, take a look at the example configuration `/installation/nginx/akkoma.nginx`, where this part is already included.
|
||||
|
||||
* Edit the nginx config for the upload/MediaProxy subdomain to point to the subdomain that has been set up
|
||||
* Append the following to your `prod.secret.exs` or `dev.secret.exs` (depends on which mode your instance is running):
|
||||
```
|
||||
```elixir
|
||||
# Replace media.example.td with the subdomain you set up earlier
|
||||
config :pleroma, :media_proxy,
|
||||
enabled: true,
|
||||
proxy_opts: [
|
||||
redirect_on_failure: true
|
||||
],
|
||||
base_url: "https://cache.akkoma.social"
|
||||
base_url: "https://media.example.tld"
|
||||
```
|
||||
You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface.
|
||||
|
||||
|
|
|
@ -130,59 +130,26 @@ config :pleroma, :http_security,
|
|||
enabled: false
|
||||
```
|
||||
|
||||
Use this as the Nginx config:
|
||||
```
|
||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
|
||||
# The above already exists in a clearnet instance's config.
|
||||
# If not, add it.
|
||||
|
||||
server {
|
||||
listen 127.0.0.1:14447;
|
||||
server_name youri2paddress;
|
||||
|
||||
# Comment to enable logs
|
||||
access_log /dev/null;
|
||||
error_log /dev/null;
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
||||
|
||||
client_max_body_size 16m;
|
||||
|
||||
location / {
|
||||
|
||||
In the Nginx config, add the following into the `location /` block:
|
||||
```nginx
|
||||
add_header X-XSS-Protection "0";
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Referrer-Policy same-origin;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
proxy_pass http://localhost:4000;
|
||||
|
||||
client_max_body_size 16m;
|
||||
}
|
||||
|
||||
location /proxy {
|
||||
proxy_cache akkoma_media_cache;
|
||||
proxy_cache_lock on;
|
||||
proxy_ignore_client_abort on;
|
||||
proxy_pass http://localhost:4000;
|
||||
}
|
||||
}
|
||||
```
|
||||
reload Nginx:
|
||||
|
||||
Change the `listen` directive to the following:
|
||||
```nginx
|
||||
listen 127.0.0.1:14447;
|
||||
```
|
||||
systemctl stop i2pd.service --no-block
|
||||
systemctl start i2pd.service
|
||||
|
||||
Set `server_name` to your i2p address.
|
||||
|
||||
Reload Nginx:
|
||||
```
|
||||
systemctl restart i2pd.service --no-block
|
||||
systemctl reload nginx.service
|
||||
```
|
||||
*Notice:* The stop command initiates a graceful shutdown process, i2pd stops after finishing to route transit tunnels (maximum 10 minutes).
|
||||
|
||||
|
|
|
@ -74,56 +74,23 @@ config :pleroma, :http_security,
|
|||
enabled: false
|
||||
```
|
||||
|
||||
Use this as the Nginx config:
|
||||
```
|
||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
|
||||
# The above already exists in a clearnet instance's config.
|
||||
# If not, add it.
|
||||
|
||||
server {
|
||||
listen 127.0.0.1:8099;
|
||||
server_name youronionaddress;
|
||||
|
||||
# Comment to enable logs
|
||||
access_log /dev/null;
|
||||
error_log /dev/null;
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
||||
|
||||
client_max_body_size 16m;
|
||||
|
||||
location / {
|
||||
|
||||
In the Nginx config, add the following into the `location /` block:
|
||||
```nginx
|
||||
add_header X-XSS-Protection "0";
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Referrer-Policy same-origin;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
proxy_pass http://localhost:4000;
|
||||
|
||||
client_max_body_size 16m;
|
||||
}
|
||||
|
||||
location /proxy {
|
||||
proxy_cache akkoma_media_cache;
|
||||
proxy_cache_lock on;
|
||||
proxy_ignore_client_abort on;
|
||||
proxy_pass http://localhost:4000;
|
||||
}
|
||||
}
|
||||
```
|
||||
reload Nginx:
|
||||
|
||||
Change the `listen` directive to the following:
|
||||
```nginx
|
||||
listen 127.0.0.1:8099;
|
||||
```
|
||||
|
||||
Set the `server_name` to your onion address.
|
||||
|
||||
Reload Nginx:
|
||||
```
|
||||
systemctl reload nginx
|
||||
```
|
||||
|
|
|
@ -60,7 +60,7 @@ ServerTokens Prod
|
|||
Include /etc/letsencrypt/options-ssl-apache.conf
|
||||
|
||||
# Uncomment the following to enable MediaProxy caching on disk
|
||||
#CacheRoot /tmp/akkoma-media-cache/
|
||||
#CacheRoot /var/tmp/akkoma-media-cache/
|
||||
#CacheDirLevels 1
|
||||
#CacheDirLength 2
|
||||
#CacheEnable disk /proxy
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
SCRIPTNAME=${0##*/}
|
||||
|
||||
# mod_disk_cache directory
|
||||
CACHE_DIRECTORY="/tmp/akkoma-media-cache"
|
||||
CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"
|
||||
|
||||
## Removes an item via the htcacheclean utility
|
||||
## $1 - the filename, can be a pattern .
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# See the documentation at docs.akkoma.dev for your particular distro/OS for
|
||||
# installation instructions.
|
||||
|
||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g
|
||||
proxy_cache_path /var/tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g
|
||||
inactive=720m use_temp_path=off;
|
||||
|
||||
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
SCRIPTNAME=${0##*/}
|
||||
|
||||
# NGINX cache directory
|
||||
CACHE_DIRECTORY="/tmp/akkoma-media-cache"
|
||||
CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"
|
||||
|
||||
## Return the files where the items are cached.
|
||||
## $1 - the filename, can be a pattern .
|
||||
|
|
Loading…
Reference in a new issue