commit: 2b9cd25cf4b27b0ce3437a621f36f7f740cb542a
parent 02629169782b61f201a210169d13890ce05d889d
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date: Sun, 2 Jul 2023 21:30:16 +0000
Merge branch 'tusooa/media-altdomain' into 'develop'
Add instructions to serve media on another domain
See merge request pleroma/pleroma!3892
Diffstat:
13 files changed, 149 insertions(+), 0 deletions(-)
diff --git a/changelog.d/media-altdomain.skip b/changelog.d/media-altdomain.skip
diff --git a/docs/configuration/hardening.md b/docs/configuration/hardening.md
@@ -62,6 +62,20 @@ An additional “Expect-CT” header will be sent with the configured `ct_max_ag
If you click on a link, your browser’s request to the other site will include from where it is coming from. The “Referrer policy” header tells the browser how and if it should send this information. (see [Referrer policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy))
+### Uploaded media and media proxy
+
+It is STRONGLY RECOMMENDED to serve both the locally-uploaded media and the media proxy from another domain than the domain that Pleroma runs on, if applicable.
+
+```elixir
+config :pleroma, :media_proxy,
+ base_url: "https://some.other.domain"
+
+config :pleroma, Pleroma.Upload,
+ base_url: "https://some.other.domain/media"
+```
+
+See `installation/pleroma-mediaproxy.nginx` for examples on how to configure your media proxy.
+
## systemd
A systemd unit example is provided at `installation/pleroma.service`.
diff --git a/docs/installation/alpine_linux_en.md b/docs/installation/alpine_linux_en.md
@@ -183,6 +183,9 @@ server {
...
}
```
+* (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
* Enable and start nginx:
diff --git a/docs/installation/arch_linux_en.md b/docs/installation/arch_linux_en.md
@@ -173,6 +173,11 @@ sudo ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled/ple
```
* Before starting nginx edit the configuration and change it to your needs (e.g. change servername, change cert paths)
+
+* (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
+
* Enable and start nginx:
```shell
diff --git a/docs/installation/debian_based_en.md b/docs/installation/debian_based_en.md
@@ -136,6 +136,11 @@ sudo ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled/ple
```
* Before starting nginx edit the configuration and change it to your needs (e.g. change servername, change cert paths)
+
+* (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
+
* Enable and start nginx:
```shell
diff --git a/docs/installation/debian_based_jp.md b/docs/installation/debian_based_jp.md
@@ -1,4 +1,7 @@
# Pleromaの入れ方
+
+Note: This article is potentially outdated because at this time we may not have people who can speak this language well enough to update it. To see the up-to-date version, which may have significant differences or important caveats of the installation process, look up the English version.
+
## 日本語訳について
この記事は [Installing on Debian based distributions](Installing on Debian based distributions) の日本語訳です。何かがおかしいと思ったら、原文を見てください。
diff --git a/docs/installation/freebsd_en.md b/docs/installation/freebsd_en.md
@@ -173,6 +173,10 @@ Edit the defaults of `/usr/local/etc/nginx/sites-available/pleroma.nginx`:
* Change `ssl_certificate_key` to `/var/db/acme/certs/example.tld/example.tld.key`.
* Change all references of `example.tld` to your instance's domain name.
+#### (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
+
## Creating a startup script for Pleroma
Pleroma will need to compile when it initially starts, which typically takes a longer
diff --git a/docs/installation/gentoo_en.md b/docs/installation/gentoo_en.md
@@ -227,6 +227,10 @@ Replace all instances of `example.tld` with your instance's public URL. If for w
Pay special attention to the line that begins with `ssl_ecdh_curve`. It is stongly advised to comment that line out so that OpenSSL will use its full capabilities, and it is also possible you are running OpenSSL 1.0.2 necessitating that you do this.
+* (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
+
* Enable and start nginx:
```shell
diff --git a/docs/installation/netbsd_en.md b/docs/installation/netbsd_en.md
@@ -123,6 +123,10 @@ Edit the defaults:
* Change `ssl_certificate_key` to `/etc/nginx/tls/key`.
* Change `example.tld` to your instance's domain name.
+### (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
+
## Configuring acme.sh
We'll be using acme.sh in Stateless Mode for TLS certificate renewal.
diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md
@@ -195,6 +195,10 @@ rcctl enable relayd
rcctl start relayd
```
+##### (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
+
#### pf
Enabling and configuring pf is highly recommended.
In /etc/pf.conf, insert the following configuration:
diff --git a/docs/installation/openbsd_fi.md b/docs/installation/openbsd_fi.md
@@ -1,5 +1,7 @@
# Pleroman asennus OpenBSD:llä
+Note: This article is potentially outdated because at this time we may not have people who can speak this language well enough to update it. To see the up-to-date version, which may have significant differences or important caveats of the installation process, look up the English version.
+
Tarvitset:
* Oman domainin
* OpenBSD 6.3 -serverin
diff --git a/docs/installation/otp_en.md b/docs/installation/otp_en.md
@@ -198,6 +198,10 @@ $EDITOR path-to-nginx-config
# Verify that the config is valid
nginx -t
```
+#### (Strongly recommended) serve media on another domain
+
+Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
+
#### Start nginx
=== "Alpine"
diff --git a/installation/pleroma-mediaproxy.nginx b/installation/pleroma-mediaproxy.nginx
@@ -0,0 +1,97 @@
+# This file is for those who want to serve uploaded media and media proxy over
+# another domain. This is STRONGLY RECOMMENDED.
+# This is meant to be used ALONG WITH `pleroma.nginx`.
+
+# If this is a new instance, replace the `location ~ ^/(media|proxy)` section in
+# `pleroma.nginx` with the following to completely disable access to media from the main domain:
+# location ~ ^/(media|proxy) {
+# return 404;
+# }
+#
+# If you are configuring an existing instance to use another domain
+# for media, you will want to keep redirecting all existing local media to the new domain
+# so already-uploaded media will not break.
+# Replace the `location ~ ^/(media|proxy)` section in `pleroma.nginx` with the following:
+#
+# location /media {
+# return 301 https://some.other.domain$request_uri;
+# }
+#
+# location /proxy {
+# return 404;
+# }
+
+server {
+ server_name some.other.domain;
+
+ listen 80;
+ listen [::]:80;
+
+ # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
+ # that the directory exists and that it is accessible by the webserver. If you followed
+ # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
+ # You may need to load this file with the ssl server block commented out, run certbot
+ # to get the certificate, and then uncomment it.
+ #
+ # location ~ /\.well-known/acme-challenge {
+ # root /var/lib/letsencrypt/;
+ # }
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ server_name some.other.domain;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/some.other.domain/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/some.other.domain/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/some.other.domain/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers off;
+ # In case of an old server with an OpenSSL version of 1.0.2 or below,
+ # leave only prime256v1 or comment out the following line.
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+ ignore_invalid_headers off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / { return 404; }
+
+ location ~ ^/(media|proxy) {
+ proxy_cache pleroma_media_cache;
+ slice 1m;
+ proxy_cache_key $host$uri$is_args$args$slice_range;
+ proxy_set_header Range $slice_range;
+ proxy_cache_valid 200 206 301 304 1h;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+ proxy_buffering on;
+ chunked_transfer_encoding on;
+ proxy_pass http://phoenix;
+ }
+}
