

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://anongit.hacktivis.me/git/pleroma.git/
commit: bd41d15100046cbc4dcbafb9e1d8d0c87bdefd21
parent 1d366c01382b1da635cd8c828f1b3faf6b55c593
Author: lain <lain@soykaf.club>
Date:   Mon, 22 Dec 2025 12:23:42 +0000

Merge branch 'nginx-config-update' into 'develop'

Update Nginx config example

See merge request pleroma/pleroma!4277

Diffstat:

Achangelog.d/nginx-config.change1+
Mdocs/configuration/howto_mediaproxy.md4+++-
Minstallation/pleroma.nginx124+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
3 files changed, 123 insertions(+), 6 deletions(-)

diff --git a/changelog.d/nginx-config.change b/changelog.d/nginx-config.change
@@ -0,0 +1 @@
+Updated the example Nginx configuration
diff --git a/docs/configuration/howto_mediaproxy.md b/docs/configuration/howto_mediaproxy.md
@@ -16,7 +16,9 @@ location /proxy {
 ```
 Also add the following on top of the configuration, outside of the `server` block:
 ```
-proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
+# Note: The cache directory must exist and be writable by nginx.
+# If nginx runs in a chroot, create it inside the chroot.
+proxy_cache_path /var/tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
 ```
 
 If you came here from one of the installation guides, take a look at the example configuration `/installation/pleroma.nginx`, where this part is already included.
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
@@ -6,7 +6,9 @@
 # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
 # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
 
-proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
+# Note: The cache directory must exist and be writable by nginx.
+# If nginx runs in a chroot, create it inside the chroot.
+proxy_cache_path /var/tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
                  inactive=720m use_temp_path=off;
 
 # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
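Review bot: The new `proxy_cache_path /var/tmp/pleroma-media-cache ...` line still points the media cache at a shared, world-writable temporary directory, which the added "must exist and be writable by nginx" note does not address; `/var/tmp` is shared with every local account and is aged out by distribution tmp cleaners, so a dedicated directory owned by the nginx user (for example `/var/cache/nginx/pleroma-media-cache`) would be the safer example, with the note reading `# Use a directory dedicated to nginx, owned by the nginx user, not a shared tmp dir.` The same wording is used in the howto_mediaproxy.md hunk above and should be changed together. As far as I recall nginx creates the leaf cache directory itself at startup when its parent exists, so "must exist" may be stricter than necessary; worth confirming against the nginx version the guide targets.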
@@ -41,8 +43,21 @@ ssl_session_cache shared:ssl_session_cache:10m;
 server {
     server_name example.tld;
 
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    # Optional HTTP/3 support
+    # Note: requires you open UDP port 443
+    #
+    # listen 443 quic reuseport;
+    # listen [::]:443 quic reuseport;
+    # http3 on;
+    # quic_retry on;
+    # ssl_early_data on;
+    # quic_gso on;
+    # add_header Alt-Svc 'h3=":443"; ma=86400';
+
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
     ssl_session_tickets off;
@@ -67,8 +82,14 @@ server {
     gzip_http_version 1.1;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
 
-    # the nginx default is 1m, not enough for large media uploads
+    # Nginx media upload limitation
+    # Ensure that this value matches or exceeds your Pleroma upload limit:
+    #
+    # config :pleroma, :instance,
+    #   upload_limit: 16_000_000
+    #
     client_max_body_size 16m;
+
     ignore_invalid_headers off;
 
     proxy_http_version 1.1;
@@ -94,7 +115,9 @@ server {
     #     proxy_pass http://phoenix/notice/$1;
     # }
 
-    location ~ ^/(media|proxy) {
+    # Remove this location if you choose to use a dedicated subdomain
+    # for mediaproxy
+    location /proxy {
         proxy_cache pleroma_media_cache;
         slice 1m;
         proxy_cache_key $host$uri$is_args$args$slice_range;
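Review bot: `http2 on;` replaces the `listen ... http2` parameter and is only understood by nginx 1.25.1 and newer, so older releases will refuse to load this example; the file header (outside this hunk) should state the requirement, e.g. `# Requires nginx >= 1.25.1 (the http2 directive); use 'listen 443 ssl http2;' on older releases.` In the commented HTTP/3 block, `# ssl_early_data on;` turns on TLS 1.3 0-RTT, which allows early-data requests to be replayed against the backend; if that line is uncommented it should be paired with `proxy_set_header Early-Data $ssl_early_data;` so Pleroma can reject replayed non-idempotent requests, and the comment block should say so. The same commented HTTP/3 block is repeated in the media server section of the last hunk. The server block this hunk edits continues outside the hunk.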
@@ -106,4 +129,95 @@ server {
         chunked_transfer_encoding on;
         proxy_pass http://phoenix;
     }
+
+    # Nginx can serve the local file uploads directly reducing work for
+    # the backend. Make sure to change this to a "deny all" if you use
+    # a dedicated subdomain. It will break access to uploads that have already
+    # federated if you are converting an existing installation, so weigh the risks
+    # carefully.
+    #
+    # location /media/ {
+    #     alias /var/lib/pleroma/uploads/; # <-- make sure this is correct for your deployment
+    #     allow all;
+    #     add_header X-Content-Type-Options "nosniff";
+    #     add_header Content-Security-Policy "sandbox";
+    # }
+
 }
+
+# It is strongly recommended that you host your media and the mediaproxy on a dedicated subdomain for security reasons.
+# The following Pleroma settings will be required to enable this capability:
+#
+# config :pleroma, :media_proxy,
+#   base_url: "https://media.example.tld/"
+#
+# # Assuming default media upload deployment (e.g., not S3 which will require a different domain anyway) --
+# config :pleroma, Pleroma.Upload,
+#   base_url: "https://media.example.tld/media/",
+#
+# config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+#
+# And then uncomment and configure the following server.
+# Make sure your certificate was issued to support both domains or use a dedicated certificate:
+#
+# server {
+#     server_name media.example.tld;
+#
+#     listen 443 ssl;
+#     listen [::]:443 ssl;
+#     http2 on;
+#
+#     # Optional HTTP/3 support
+#     # Note: requires you open UDP port 443
+#     #
+#     # listen 443 quic reuseport;
+#     # listen [::]:443 quic reuseport;
+#     # http3 on;
+#     # quic_retry on;
+#     # ssl_early_data on;
+#     # quic_gso on;
+#     # add_header Alt-Svc 'h3=":443"; ma=86400';
+#
+#     ssl_session_timeout 1d;
+#     ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+#     ssl_session_tickets off;
+#
+#     ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem;
+#     ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
+#     ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
+#
+#     ssl_protocols TLSv1.2 TLSv1.3;
+#     ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+#     ssl_prefer_server_ciphers off;
+#     # In case of an old server with an OpenSSL version of 1.0.2 or below,
+#     # leave only prime256v1 or comment out the following line.
+#     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+#     ssl_stapling on;
+#     ssl_stapling_verify on;
+#
+#     proxy_http_version 1.1;
+#     proxy_set_header Upgrade $http_upgrade;
+#     proxy_set_header Connection "upgrade";
+#     proxy_set_header Host $http_host;
+#     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#
+#     location /media/ { # <-- make sure this path matches your Pleroma.Upload :base_url
+#         alias /var/lib/pleroma/uploads/; # <-- make sure this is correct for your deployment
+#         allow all;
+#         add_header X-Content-Type-Options "nosniff";
+#         add_header Content-Security-Policy "sandbox";
+#     }
+#
+#     location /proxy {
+#         proxy_cache pleroma_media_cache;
+#         slice 1m;
+#         proxy_cache_key $host$uri$is_args$args$slice_range;
+#         proxy_set_header Range $slice_range;
+#         proxy_cache_valid 200 206 301 304 1h;
+#         proxy_cache_lock on;
+#         proxy_ignore_client_abort on;
+#         proxy_buffering on;
+#         chunked_transfer_encoding on;
+#         proxy_pass http://phoenix;
+#     }
+# }
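Review bot: Both commented `location /media/ { alias /var/lib/pleroma/uploads/; ... }` examples (in the main server and in the media.example.tld server) are only safe because the location prefix and the alias both end in a slash; an admin who trims the location to `/media` while keeping the trailing slash on the alias gets the well-known nginx alias path-traversal misconfiguration, so the inline hint should say so, e.g. `# <-- keep the trailing slash on both the location and the alias`. Inside a location, `add_header` replaces every `add_header` inherited from the enclosing server block, so if the main server sets headers such as HSTS at server level (outside this hunk), they would stop being sent for `/media/` once that block is uncommented; repeating them in the location, or moving shared headers to an `include`, avoids the silent loss. The `allow all;` lines restate the default and could be dropped to keep the example focused on the two security headers.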