Merge pull request 'Use /var/tmp for media cache path' (#776) from norm/akkoma:nginx-var-tmp into develop
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
ci/woodpecker/push/build-arm64 Pipeline is pending
ci/woodpecker/push/docs Pipeline is pending
ci/woodpecker/push/lint Pipeline is pending
ci/woodpecker/push/test Pipeline is pending

Reviewed-on: #776
Reviewed-by: floatingghost <hannah@coffee-and-dreams.uk>
This commit is contained in:
floatingghost 2024-05-28 02:05:17 +00:00
commit 8afc3bee7a
7 changed files with 32 additions and 118 deletions

View file

@ -6,37 +6,17 @@ With the `mediaproxy` function you can use nginx to cache this content, so users
## Activate it ## Activate it
* Edit your nginx config and add the following location to your main server block:
```
location /proxy {
return 404;
}
```
* Set up a subdomain for the proxy with its nginx config on the same machine * Set up a subdomain for the proxy with its nginx config on the same machine
*(the latter is not strictly required, but for simplicity well assume so)* * Edit the nginx config for the upload/MediaProxy subdomain to point to the subdomain that has been set up
* In this subdomains server block add
```
location /proxy {
proxy_cache akkoma_media_cache;
proxy_cache_lock on;
proxy_pass http://localhost:4000;
}
```
Also add the following on top of the configuration, outside of the `server` block:
```
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
```
If you came here from one of the installation guides, take a look at the example configuration `/installation/nginx/akkoma.nginx`, where this part is already included.
* Append the following to your `prod.secret.exs` or `dev.secret.exs` (depends on which mode your instance is running): * Append the following to your `prod.secret.exs` or `dev.secret.exs` (depends on which mode your instance is running):
``` ```elixir
# Replace media.example.td with the subdomain you set up earlier
config :pleroma, :media_proxy, config :pleroma, :media_proxy,
enabled: true, enabled: true,
proxy_opts: [ proxy_opts: [
redirect_on_failure: true redirect_on_failure: true
], ],
base_url: "https://cache.akkoma.social" base_url: "https://media.example.tld"
``` ```
You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface. You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface.

View file

@ -130,59 +130,26 @@ config :pleroma, :http_security,
enabled: false enabled: false
``` ```
Use this as the Nginx config: In the Nginx config, add the following into the `location /` block:
``` ```nginx
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
# The above already exists in a clearnet instance's config.
# If not, add it.
server {
listen 127.0.0.1:14447;
server_name youri2paddress;
# Comment to enable logs
access_log /dev/null;
error_log /dev/null;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
client_max_body_size 16m;
location / {
add_header X-XSS-Protection "0"; add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin; add_header Referrer-Policy same-origin;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_pass http://localhost:4000;
client_max_body_size 16m;
}
location /proxy {
proxy_cache akkoma_media_cache;
proxy_cache_lock on;
proxy_ignore_client_abort on;
proxy_pass http://localhost:4000;
}
}
``` ```
reload Nginx:
Change the `listen` directive to the following:
```nginx
listen 127.0.0.1:14447;
``` ```
systemctl stop i2pd.service --no-block
systemctl start i2pd.service Set `server_name` to your i2p address.
Reload Nginx:
```
systemctl restart i2pd.service --no-block
systemctl reload nginx.service
``` ```
*Notice:* The stop command initiates a graceful shutdown process, i2pd stops after finishing to route transit tunnels (maximum 10 minutes). *Notice:* The stop command initiates a graceful shutdown process, i2pd stops after finishing to route transit tunnels (maximum 10 minutes).

View file

@ -74,56 +74,23 @@ config :pleroma, :http_security,
enabled: false enabled: false
``` ```
Use this as the Nginx config: In the Nginx config, add the following into the `location /` block:
``` ```nginx
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
# The above already exists in a clearnet instance's config.
# If not, add it.
server {
listen 127.0.0.1:8099;
server_name youronionaddress;
# Comment to enable logs
access_log /dev/null;
error_log /dev/null;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
client_max_body_size 16m;
location / {
add_header X-XSS-Protection "0"; add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin; add_header Referrer-Policy same-origin;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_pass http://localhost:4000;
client_max_body_size 16m;
}
location /proxy {
proxy_cache akkoma_media_cache;
proxy_cache_lock on;
proxy_ignore_client_abort on;
proxy_pass http://localhost:4000;
}
}
``` ```
reload Nginx:
Change the `listen` directive to the following:
```nginx
listen 127.0.0.1:8099;
```
Set the `server_name` to your onion address.
Reload Nginx:
``` ```
systemctl reload nginx systemctl reload nginx
``` ```

View file

@ -60,7 +60,7 @@ ServerTokens Prod
Include /etc/letsencrypt/options-ssl-apache.conf Include /etc/letsencrypt/options-ssl-apache.conf
# Uncomment the following to enable MediaProxy caching on disk # Uncomment the following to enable MediaProxy caching on disk
#CacheRoot /tmp/akkoma-media-cache/ #CacheRoot /var/tmp/akkoma-media-cache/
#CacheDirLevels 1 #CacheDirLevels 1
#CacheDirLength 2 #CacheDirLength 2
#CacheEnable disk /proxy #CacheEnable disk /proxy

View file

@ -16,7 +16,7 @@
SCRIPTNAME=${0##*/} SCRIPTNAME=${0##*/}
# mod_disk_cache directory # mod_disk_cache directory
CACHE_DIRECTORY="/tmp/akkoma-media-cache" CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"
## Removes an item via the htcacheclean utility ## Removes an item via the htcacheclean utility
## $1 - the filename, can be a pattern . ## $1 - the filename, can be a pattern .

View file

@ -3,7 +3,7 @@
# See the documentation at docs.akkoma.dev for your particular distro/OS for # See the documentation at docs.akkoma.dev for your particular distro/OS for
# installation instructions. # installation instructions.
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g proxy_cache_path /var/tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g
inactive=720m use_temp_path=off; inactive=720m use_temp_path=off;
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only

View file

@ -5,7 +5,7 @@
SCRIPTNAME=${0##*/} SCRIPTNAME=${0##*/}
# NGINX cache directory # NGINX cache directory
CACHE_DIRECTORY="/tmp/akkoma-media-cache" CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"
## Return the files where the items are cached. ## Return the files where the items are cached.
## $1 - the filename, can be a pattern . ## $1 - the filename, can be a pattern .