Dominik V. Salonen
a6fd9c4b00
proxy_ignore_client_abort will continue to fetch from upstream even if a client aborts the connection. This is highly recommended when cache is being used. If a client leaves/refreshes the page while a user's avatar or some other media is halfway loaded, the cached copy might in some cases be broken. Leaving future requests to the same URL broken until cache expires.
89 lines
3.4 KiB
Nginx Configuration File
89 lines
3.4 KiB
Nginx Configuration File
# default nginx site config for Pleroma
|
|
#
|
|
# Simple installation instructions:
|
|
# 1. Install your TLS certificate, possibly using Let's Encrypt.
|
|
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
|
|
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
|
|
# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
|
|
|
|
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
|
|
inactive=720m use_temp_path=off;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name example.tld;
|
|
return 301 https://$server_name$request_uri;
|
|
|
|
# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
|
|
# that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
|
|
# that is is accessible by the webserver. You may need to load this file with the ssl
|
|
# server block commented out, run certbot to get the certificate, and then uncomment it.
|
|
#
|
|
# location ~ /\.well-known/acme-challenge {
|
|
# root <path to install>/pleroma/priv/static/;
|
|
# }
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
ssl on;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
server_name example.tld;
|
|
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_buffers 16 8k;
|
|
gzip_http_version 1.1;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
|
|
|
# the nginx default is 1m, not enough for large media uploads
|
|
client_max_body_size 16m;
|
|
|
|
location / {
|
|
# if you do not want remote frontends to be able to access your Pleroma backend
|
|
# server, remove these lines.
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
|
|
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
|
|
add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
|
|
if ($request_method = OPTIONS) {
|
|
return 204;
|
|
}
|
|
# stop removing lines here.
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header Referrer-Policy same-origin;
|
|
add_header X-Download-Options noopen;
|
|
|
|
# Uncomment this only after you get HTTPS working.
|
|
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $http_host;
|
|
|
|
proxy_pass http://localhost:4000;
|
|
|
|
client_max_body_size 16m;
|
|
}
|
|
|
|
location /proxy {
|
|
proxy_cache pleroma_media_cache;
|
|
proxy_cache_lock on;
|
|
proxy_ignore_client_abort on;
|
|
proxy_pass http://localhost:4000;
|
|
}
|
|
}
|