Merge pull request 'Use /var/tmp for media cache path' (#776) from norm/akkoma:nginx-var-tmp into develop
Reviewed-on: #776 Reviewed-by: floatingghost <hannah@coffee-and-dreams.uk>
8afc3bee7a
7 changed files with 32 additions and 118 deletions
|
@ -6,37 +6,17 @@ With the `mediaproxy` function you can use nginx to cache this content, so users
|
||||||
|
|
||||||
## Activate it
|
## Activate it
|
||||||
|
|
||||||
* Edit your nginx config and add the following location to your main server block:
|
|
||||||
```
|
|
||||||
location /proxy {
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
* Set up a subdomain for the proxy with its nginx config on the same machine
|
* Set up a subdomain for the proxy with its nginx config on the same machine
|
||||||
*(the latter is not strictly required, but for simplicity we’ll assume so)*
|
* Edit the nginx config for the upload/MediaProxy subdomain to point to the subdomain that has been set up
|
||||||
* In this subdomain’s server block add
|
|
||||||
```
|
|
||||||
location /proxy {
|
|
||||||
proxy_cache akkoma_media_cache;
|
|
||||||
proxy_cache_lock on;
|
|
||||||
proxy_pass http://localhost:4000;
|
|
||||||
}
|
|
||||||
```
|
|
||||||
Also add the following on top of the configuration, outside of the `server` block:
|
|
||||||
```
|
|
||||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
|
|
||||||
```
|
|
||||||
If you came here from one of the installation guides, take a look at the example configuration `/installation/nginx/akkoma.nginx`, where this part is already included.
|
|
||||||
|
|
||||||
* Append the following to your `prod.secret.exs` or `dev.secret.exs` (depends on which mode your instance is running):
|
* Append the following to your `prod.secret.exs` or `dev.secret.exs` (depends on which mode your instance is running):
|
||||||
```
|
```elixir
|
||||||
|
# Replace media.example.td with the subdomain you set up earlier
|
||||||
config :pleroma, :media_proxy,
|
config :pleroma, :media_proxy,
|
||||||
enabled: true,
|
enabled: true,
|
||||||
proxy_opts: [
|
proxy_opts: [
|
||||||
redirect_on_failure: true
|
redirect_on_failure: true
|
||||||
],
|
],
|
||||||
base_url: "https://cache.akkoma.social"
|
base_url: "https://media.example.tld"
|
||||||
```
|
```
|
||||||
You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface.
|
You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface.
|
||||||
|
|
||||||
|
|
|
@ -130,59 +130,26 @@ config :pleroma, :http_security,
|
||||||
enabled: false
|
enabled: false
|
||||||
```
|
```
|
||||||
|
|
||||||
Use this as the Nginx config:
|
In the Nginx config, add the following into the `location /` block:
|
||||||
```
|
```nginx
|
||||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
|
|
||||||
# The above already exists in a clearnet instance's config.
|
|
||||||
# If not, add it.
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 127.0.0.1:14447;
|
|
||||||
server_name youri2paddress;
|
|
||||||
|
|
||||||
# Comment to enable logs
|
|
||||||
access_log /dev/null;
|
|
||||||
error_log /dev/null;
|
|
||||||
|
|
||||||
gzip_vary on;
|
|
||||||
gzip_proxied any;
|
|
||||||
gzip_comp_level 6;
|
|
||||||
gzip_buffers 16 8k;
|
|
||||||
gzip_http_version 1.1;
|
|
||||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
|
||||||
|
|
||||||
client_max_body_size 16m;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
|
|
||||||
add_header X-XSS-Protection "0";
|
add_header X-XSS-Protection "0";
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header Referrer-Policy same-origin;
|
add_header Referrer-Policy same-origin;
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
|
|
||||||
proxy_pass http://localhost:4000;
|
|
||||||
|
|
||||||
client_max_body_size 16m;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /proxy {
|
|
||||||
proxy_cache akkoma_media_cache;
|
|
||||||
proxy_cache_lock on;
|
|
||||||
proxy_ignore_client_abort on;
|
|
||||||
proxy_pass http://localhost:4000;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
```
|
||||||
reload Nginx:
|
|
||||||
|
Change the `listen` directive to the following:
|
||||||
|
```nginx
|
||||||
|
listen 127.0.0.1:14447;
|
||||||
```
|
```
|
||||||
systemctl stop i2pd.service --no-block
|
|
||||||
systemctl start i2pd.service
|
Set `server_name` to your i2p address.
|
||||||
|
|
||||||
|
Reload Nginx:
|
||||||
|
```
|
||||||
|
systemctl restart i2pd.service --no-block
|
||||||
|
systemctl reload nginx.service
|
||||||
```
|
```
|
||||||
*Notice:* The stop command initiates a graceful shutdown process, i2pd stops after finishing to route transit tunnels (maximum 10 minutes).
|
*Notice:* The stop command initiates a graceful shutdown process, i2pd stops after finishing to route transit tunnels (maximum 10 minutes).
|
||||||
|
|
||||||
|
|
|
@ -74,56 +74,23 @@ config :pleroma, :http_security,
|
||||||
enabled: false
|
enabled: false
|
||||||
```
|
```
|
||||||
|
|
||||||
Use this as the Nginx config:
|
In the Nginx config, add the following into the `location /` block:
|
||||||
```
|
```nginx
|
||||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
|
|
||||||
# The above already exists in a clearnet instance's config.
|
|
||||||
# If not, add it.
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 127.0.0.1:8099;
|
|
||||||
server_name youronionaddress;
|
|
||||||
|
|
||||||
# Comment to enable logs
|
|
||||||
access_log /dev/null;
|
|
||||||
error_log /dev/null;
|
|
||||||
|
|
||||||
gzip_vary on;
|
|
||||||
gzip_proxied any;
|
|
||||||
gzip_comp_level 6;
|
|
||||||
gzip_buffers 16 8k;
|
|
||||||
gzip_http_version 1.1;
|
|
||||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
|
||||||
|
|
||||||
client_max_body_size 16m;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
|
|
||||||
add_header X-XSS-Protection "0";
|
add_header X-XSS-Protection "0";
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header Referrer-Policy same-origin;
|
add_header Referrer-Policy same-origin;
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
|
|
||||||
proxy_pass http://localhost:4000;
|
|
||||||
|
|
||||||
client_max_body_size 16m;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /proxy {
|
|
||||||
proxy_cache akkoma_media_cache;
|
|
||||||
proxy_cache_lock on;
|
|
||||||
proxy_ignore_client_abort on;
|
|
||||||
proxy_pass http://localhost:4000;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
```
|
||||||
reload Nginx:
|
|
||||||
|
Change the `listen` directive to the following:
|
||||||
|
```nginx
|
||||||
|
listen 127.0.0.1:8099;
|
||||||
|
```
|
||||||
|
|
||||||
|
Set the `server_name` to your onion address.
|
||||||
|
|
||||||
|
Reload Nginx:
|
||||||
```
|
```
|
||||||
systemctl reload nginx
|
systemctl reload nginx
|
||||||
```
|
```
|
||||||
|
|
|
@ -60,7 +60,7 @@ ServerTokens Prod
|
||||||
Include /etc/letsencrypt/options-ssl-apache.conf
|
Include /etc/letsencrypt/options-ssl-apache.conf
|
||||||
|
|
||||||
# Uncomment the following to enable MediaProxy caching on disk
|
# Uncomment the following to enable MediaProxy caching on disk
|
||||||
#CacheRoot /tmp/akkoma-media-cache/
|
#CacheRoot /var/tmp/akkoma-media-cache/
|
||||||
#CacheDirLevels 1
|
#CacheDirLevels 1
|
||||||
#CacheDirLength 2
|
#CacheDirLength 2
|
||||||
#CacheEnable disk /proxy
|
#CacheEnable disk /proxy
|
||||||
|
|
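Review bot: The new `#CacheRoot /var/tmp/akkoma-media-cache/` still places the cache under a shared, world-writable sticky directory, so any local account can create a directory or symlink of that name before httpd first does, and the same applies to `proxy_cache_path /var/tmp/akkoma-media-cache` in the nginx example config in this commit. A service-owned location such as a subdirectory of `/var/cache` avoids the shared-parent problem entirely. If the `/var/tmp` location is kept, the installation docs should tell the operator to create the directory ahead of time owned by the web-server user, e.g. `install -d -o <web-server user> -g <web-server group> -m 0750 /var/tmp/akkoma-media-cache`, and the comment on the line above could say so: `# Create the directory first, owned by the httpd user, before uncommenting`. The directive is commented out here, so this only matters once caching is enabled.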
|
@ -16,7 +16,7 @@
|
||||||
SCRIPTNAME=${0##*/}
|
SCRIPTNAME=${0##*/}
|
||||||
|
|
||||||
# mod_disk_cache directory
|
# mod_disk_cache directory
|
||||||
CACHE_DIRECTORY="/tmp/akkoma-media-cache"
|
CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"
|
||||||
|
|
||||||
## Removes an item via the htcacheclean utility
|
## Removes an item via the htcacheclean utility
|
||||||
## $1 - the filename, can be a pattern .
|
## $1 - the filename, can be a pattern .
|
||||||
|
|
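Review bot: `CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"` is a second copy of the path that the Apache `CacheRoot` directive also carries, and nothing in either file points at the other, so the next path change can silently desynchronise them. Suggest extending the comment above it to `# mod_disk_cache directory -- must match CacheRoot in the Apache vhost config`. The nginx purge script in this commit has the same duplicated constant and should get the matching note, `# NGINX cache directory -- must match proxy_cache_path in installation/nginx/akkoma.nginx`. The rest of both scripts lies outside the hunks.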
|
@ -3,7 +3,7 @@
|
||||||
# See the documentation at docs.akkoma.dev for your particular distro/OS for
|
# See the documentation at docs.akkoma.dev for your particular distro/OS for
|
||||||
# installation instructions.
|
# installation instructions.
|
||||||
|
|
||||||
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g
|
proxy_cache_path /var/tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g
|
||||||
inactive=720m use_temp_path=off;
|
inactive=720m use_temp_path=off;
|
||||||
|
|
||||||
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
|
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
|
||||||
|
|
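Review bot: On distributions whose nginx systemd unit sets `PrivateTmp=yes`, `/var/tmp` is namespaced for the service exactly like `/tmp`, so nginx would write its cache into a private mount while the purge script in this commit (`CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"`) run from an operator's shell would look at the host's `/var/tmp` and find nothing to purge; I cannot tell from the hunk whether the project's unit file sets it. A comment next to `proxy_cache_path` would save operators that debugging session: `# If nginx runs with PrivateTmp=yes, use a path outside /tmp and /var/tmp so the purge script sees the same directory`. The directive continues on the `inactive=720m use_temp_path=off;` line, which is unchanged.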
|
@ -5,7 +5,7 @@
|
||||||
SCRIPTNAME=${0##*/}
|
SCRIPTNAME=${0##*/}
|
||||||
|
|
||||||
# NGINX cache directory
|
# NGINX cache directory
|
||||||
CACHE_DIRECTORY="/tmp/akkoma-media-cache"
|
CACHE_DIRECTORY="/var/tmp/akkoma-media-cache"
|
||||||
|
|
||||||
## Return the files where the items are cached.
|
## Return the files where the items are cached.
|
||||||
## $1 - the filename, can be a pattern .
|
## $1 - the filename, can be a pattern .
|
||||||
|
|