cc3a83a730
Nginx is currently not caching data because proxy_buffering needs to be enabled for caching to work at all, and we are receiving a Cache-Control header from Pleroma that states "max-age=0, private, must-revalidate". Even disregarding the fact that the Cache-Control header should actually be set to "public, max-age=1209600" as defined in the reverse_proxy code, we don't want to obey this header at all, as it overrides our Nginx caching rules.
88 lines
3.5 KiB
Nginx Configuration File
# default nginx site config for Pleroma
|
|
#
|
|
# Simple installation instructions:
|
|
# 1. Install your TLS certificate, possibly using Let's Encrypt.
|
|
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
|
|
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
|
|
# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
|
|
|
|
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
|
|
inactive=720m use_temp_path=off;
|
|
|
|
server {
|
|
server_name example.tld;
|
|
listen 80;
|
|
return 301 https://$server_name$request_uri;
|
|
|
|
# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
|
|
# that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
|
|
# that is is accessible by the webserver. You may need to load this file with the ssl
|
|
# server block commented out, run certbot to get the certificate, and then uncomment it.
|
|
#
|
|
# location ~ /\.well-known/acme-challenge {
|
|
# root <path to install>/pleroma/priv/static/;
|
|
# }
|
|
}
|
|
|
|
# Enable SSL session caching for improved performance
|
|
ssl_session_cache shared:ssl_session_cache:10m;
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
|
ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
|
|
|
|
# Add TLSv1.0 to support older devices
|
|
ssl_protocols TLSv1.2;
|
|
# Uncomment line below if you want to support older devices (Before Android 4.4.2, IE 8, etc.)
|
|
# ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
|
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
|
ssl_prefer_server_ciphers on;
|
|
# In case of an old server with an OpenSSL version of 1.0.2 or below,
|
|
# leave only prime256v1 or comment out the following line.
|
|
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
server_name example.tld;
|
|
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_buffers 16 8k;
|
|
gzip_http_version 1.1;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
|
|
|
# the nginx default is 1m, not enough for large media uploads
|
|
client_max_body_size 16m;
|
|
|
|
location / {
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $http_host;
|
|
|
|
proxy_pass http://localhost:4000;
|
|
|
|
client_max_body_size 16m;
|
|
}
|
|
|
|
location ~ ^/(media|proxy) {
|
|
proxy_cache pleroma_media_cache;
|
|
slice 1m;
|
|
proxy_cache_key $host$uri$is_args$args$slice_range;
|
|
proxy_set_header Range $slice_range;
|
|
proxy_http_version 1.1;
|
|
proxy_cache_valid 200 206 301 304 1h;
|
|
proxy_cache_lock on;
|
|
proxy_ignore_client_abort on;
|
|
proxy_buffering on;
|
|
chunked_transfer_encoding on;
|
|
proxy_ignore_headers Cache-Control;
|
|
proxy_hide_header Cache-Control;
|
|
proxy_pass http://localhost:4000;
|
|
}
|
|
}
|
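Review bot: `proxy_ignore_headers Cache-Control;` in the `location ~ ^/(media|proxy)` block takes away the upstream's only way to mark a response as not shareable, and the cache key `$host$uri$is_args$args$slice_range` carries no request identity, so if any response under these prefixes were ever user-specific or access-controlled it would be stored once and served to every client; this is only sound while everything on /media and /proxy is genuinely public, which deserves a comment next to the directive: `# Upstream Cache-Control is ignored: everything under /media and /proxy must be public content`. The paired `proxy_hide_header Cache-Control;` also strips the header from the client response, so even after Pleroma emits the "public, max-age=1209600" value the commit message refers to, browsers will receive no caching directive at all; if client-side caching is wanted it has to be set explicitly here with `add_header Cache-Control "public, max-age=1209600";` (bearing in mind that `add_header` in a location replaces any `add_header` set at server level). Since upstream freshness hints are now ignored, `proxy_cache_valid 200 206 301 304 1h` also caches 301 redirects for an hour unconditionally, which is presumably intended but worth confirming.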