From 7e709768c33785a8cddee7f5ff515357a8971f96 Mon Sep 17 00:00:00 2001 From: Norm Date: Wed, 15 May 2024 16:58:58 -0400 Subject: [PATCH 1/3] Use /var/tmp for media cache path in apache/nginx configs The /var/tmp directory is not mounted as tmpfs unlike /tmp which is mounted as such on some distros like Fedora or Arch. Since there isn't really a benefit to having the cache on tmpfs, this change should allow for a larger cache if needed without worrying about running out of RAM. --- installation/apache/akkoma-apache.conf | 2 +- installation/apache/apache-cache-purge.sh.example | 2 +- installation/nginx/akkoma.nginx | 2 +- installation/nginx/nginx-cache-purge.sh.example | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/installation/apache/akkoma-apache.conf b/installation/apache/akkoma-apache.conf index 65bbf15e1..76357789e 100644 --- a/installation/apache/akkoma-apache.conf +++ b/installation/apache/akkoma-apache.conf @@ -60,7 +60,7 @@ ServerTokens Prod Include /etc/letsencrypt/options-ssl-apache.conf # Uncomment the following to enable MediaProxy caching on disk - #CacheRoot /tmp/akkoma-media-cache/ + #CacheRoot /var/tmp/akkoma-media-cache/ #CacheDirLevels 1 #CacheDirLength 2 #CacheEnable disk /proxy diff --git a/installation/apache/apache-cache-purge.sh.example b/installation/apache/apache-cache-purge.sh.example index 65df9cc11..59c2a5ed0 100755 --- a/installation/apache/apache-cache-purge.sh.example +++ b/installation/apache/apache-cache-purge.sh.example @@ -16,7 +16,7 @@ SCRIPTNAME=${0##*/} # mod_disk_cache directory -CACHE_DIRECTORY="/tmp/akkoma-media-cache" +CACHE_DIRECTORY="/var/tmp/akkoma-media-cache" ## Removes an item via the htcacheclean utility ## $1 - the filename, can be a pattern . diff --git a/installation/nginx/akkoma.nginx b/installation/nginx/akkoma.nginx index bfb1fffb3..bdd5d0f8b 100644 --- a/installation/nginx/akkoma.nginx +++ b/installation/nginx/akkoma.nginx 
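Review bot: Moving the cache root from /tmp to /var/tmp keeps it in a world-writable, sticky-bit directory shared with every local account, under a fixed, predictable name, and nothing in this hunk (or in the nginx `proxy_cache_path` line) checks who owns `/var/tmp/akkoma-media-cache` if it already exists before the server first starts; ownership is therefore decided by whichever account creates that name first. On distributions that ship systemd's default tmp.conf, /var/tmp is also subject to age-based cleaning by systemd-tmpfiles (30 days by default), which removes entries behind nginx's keys_zone index and behind the purge scripts. A dedicated path such as `/var/cache/akkoma-media-cache`, created with ownership restricted to the web-server user (for example via a tmpfiles.d entry referenced from the install docs), avoids both, and the commit message could then state that RAM usage is not the only reason for leaving /tmp. The same applies to the `CACHE_DIRECTORY` lines in the apache-cache-purge.sh.example and nginx-cache-purge.sh.example hunks and to the `proxy_cache_path` hunk in akkoma.nginx.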
@@ -3,7 +3,7 @@ # See the documentation at docs.akkoma.dev for your particular distro/OS for # installation instructions. -proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g +proxy_cache_path /var/tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=1g inactive=720m use_temp_path=off; # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only diff --git a/installation/nginx/nginx-cache-purge.sh.example b/installation/nginx/nginx-cache-purge.sh.example index 6cd01d1e7..be5f186e4 100755 --- a/installation/nginx/nginx-cache-purge.sh.example +++ b/installation/nginx/nginx-cache-purge.sh.example @@ -5,7 +5,7 @@ SCRIPTNAME=${0##*/} # NGINX cache directory -CACHE_DIRECTORY="/tmp/akkoma-media-cache" +CACHE_DIRECTORY="/var/tmp/akkoma-media-cache" ## Return the files where the items are cached. ## $1 - the filename, can be a pattern . -- 2.43.0 From bc46f3da4ce2a389dd9f968930072cb50e9445ce Mon Sep 17 00:00:00 2001 From: Norm Date: Thu, 16 May 2024 19:05:06 -0400 Subject: [PATCH 2/3] Update mediaproxy howto Since the configuration options on the nginx side already exist in the sample config, there's no need to tell users to copy-paste those settings in again. --- docs/docs/configuration/howto_mediaproxy.md | 28 +++------------------ 1 file changed, 4 insertions(+), 24 deletions(-) diff --git a/docs/docs/configuration/howto_mediaproxy.md b/docs/docs/configuration/howto_mediaproxy.md index 223ad7eed..1544a563e 100644 --- a/docs/docs/configuration/howto_mediaproxy.md +++ b/docs/docs/configuration/howto_mediaproxy.md 
@@ -6,37 +6,17 @@ With the `mediaproxy` function you can use nginx to cache this content, so users ## Activate it -* Edit your nginx config and add the following location to your main server block: -``` -location /proxy { - return 404; -} -``` - * Set up a subdomain for the proxy with its nginx config on the same machine - *(the latter is not strictly required, but for simplicity we’ll assume so)* -* In this subdomain’s server block add -``` -location /proxy { - proxy_cache akkoma_media_cache; - proxy_cache_lock on; - proxy_pass http://localhost:4000; -} -``` -Also add the following on top of the configuration, outside of the `server` block: -``` -proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off; -``` -If you came here from one of the installation guides, take a look at the example configuration `/installation/nginx/akkoma.nginx`, where this part is already included. - +* Edit the nginx config for the upload/MediaProxy subdomain to point to the subdomain that has been set up * Append the following to your `prod.secret.exs` or `dev.secret.exs` (depends on which mode your instance is running): -``` +```elixir +# Replace media.example.td with the subdomain you set up earlier config :pleroma, :media_proxy, enabled: true, proxy_opts: [ redirect_on_failure: true ], - base_url: "https://cache.akkoma.social" + base_url: "https://media.example.tld" ``` You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface. -- 2.43.0 From bb29c5bed210403807dff743f2773eb4feb0ccc9 Mon Sep 17 00:00:00 2001 
From: Norm Date: Thu, 16 May 2024 19:08:02 -0400 Subject: [PATCH 3/3] Update tor/i2p guide Direct users to add in the appropriate headers and update the listening port instead of copy/pasting a config that's already outdated and probably would otherwise have to be synced with the main example nginx config. --- docs/docs/configuration/i2p.md | 59 +++++---------------- docs/docs/configuration/onion_federation.md | 55 ++++--------------- 2 files changed, 24 insertions(+), 90 deletions(-) diff --git a/docs/docs/configuration/i2p.md b/docs/docs/configuration/i2p.md index ec6266ab7..1fb18d1c0 100644 --- a/docs/docs/configuration/i2p.md +++ b/docs/docs/configuration/i2p.md 
@@ -130,59 +130,26 @@ config :pleroma, :http_security, enabled: false ``` -Use this as the Nginx config: -``` -proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off; -# The above already exists in a clearnet instance's config. -# If not, add it. - -server { - listen 127.0.0.1:14447; - server_name youri2paddress; - - # Comment to enable logs - access_log /dev/null; - error_log /dev/null; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - client_max_body_size 16m; - - location / { - +In the Nginx config, add the following into the `location /` block: +```nginx add_header X-XSS-Protection "0"; add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy same-origin; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - - proxy_pass http://localhost:4000; - - client_max_body_size 16m; - } - - location /proxy { - proxy_cache akkoma_media_cache; - proxy_cache_lock on; - proxy_ignore_client_abort on; - proxy_pass http://localhost:4000; - } -} ``` -reload Nginx: + +Change the `listen` directive to the following: +```nginx +listen 127.0.0.1:14447; ``` -systemctl stop i2pd.service --no-block -systemctl start i2pd.service + +Set `server_name` to your i2p address. + +Reload Nginx: +``` +systemctl restart i2pd.service --no-block +systemctl reload nginx.service ``` *Notice:* The stop command initiates a graceful shutdown process, i2pd stops after finishing to route transit tunnels (maximum 10 minutes). 
diff --git a/docs/docs/configuration/onion_federation.md b/docs/docs/configuration/onion_federation.md index e4ae15fd2..26efbae42 100644 --- a/docs/docs/configuration/onion_federation.md +++ b/docs/docs/configuration/onion_federation.md @@ -74,56 +74,23 @@ config :pleroma, :http_security, enabled: false ``` -Use this as the Nginx config: -``` -proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off; -# The above already exists in a clearnet instance's config. -# If not, add it. - -server { - listen 127.0.0.1:8099; - server_name youronionaddress; - - # Comment to enable logs - access_log /dev/null; - error_log /dev/null; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; - - client_max_body_size 16m; - - location / { - +In the Nginx config, add the following into the `location /` block: +```nginx add_header X-XSS-Protection "0"; add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy same-origin; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - - proxy_pass http://localhost:4000; - - client_max_body_size 16m; - } - - location /proxy { - proxy_cache akkoma_media_cache; - proxy_cache_lock on; - proxy_ignore_client_abort on; - proxy_pass http://localhost:4000; - } -} ``` -reload Nginx: + +Change the `listen` directive to the following: +```nginx +listen 127.0.0.1:8099; +``` + +Set the `server_name` to your onion address. + +Reload Nginx: ``` systemctl reload nginx ``` -- 2.43.0