logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://anongit.hacktivis.me/git/pleroma.git/

pleroma.nginx (8502B)

    

  1. # default nginx site config for Pleroma
  2. #
  3. # Simple installation instructions:
  4. # 1. Install your TLS certificate, possibly using Let's Encrypt.
  5. # 2. Replace 'example.tld' with your instance's domain wherever it appears.
  6. # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
  7. #    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
  9. # Note: The cache directory must exist and be writable by nginx.
  10. # If nginx runs in a chroot, create it inside the chroot.
  11. proxy_cache_path /var/tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
  12.                  inactive=720m use_temp_path=off;
  14. # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
  15. # and `localhost.` resolves to [::0] on some systems: see issue #930
  16. upstream phoenix {
  17.     server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
  18. }
  20. server {
  21.     server_name    example.tld;
  23.     listen         80;
  24.     listen         [::]:80;
  26.     # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
  27.     # that the directory exists and that it is accessible by the webserver. If you followed
  28.     # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
  29.     # You may need to load this file with the ssl server block commented out, run certbot
  30.     # to get the certificate, and then uncomment it.
  31.     #
  32.     # location ~ /\.well-known/acme-challenge {
  33.     #     root /var/lib/letsencrypt/;
  34.     # }
  35.     location / {
  36.       return         301 https://$server_name$request_uri;
  37.     }
  38. }
  40. # Enable SSL session caching for improved performance
  41. ssl_session_cache shared:ssl_session_cache:10m;
  43. server {
  44.     server_name example.tld;
  46.     listen 443 ssl;
  47.     listen [::]:443 ssl;
  48.     http2 on;
  50.     # Optional HTTP/3 support
  51.     # Note: requires you open UDP port 443
  52.     #
  53.     # listen 443 quic reuseport;
  54.     # listen [::]:443 quic reuseport;
  55.     # http3 on;
  56.     # quic_retry on;
  57.     # ssl_early_data on;
  58.     # quic_gso on;
  59.     # add_header Alt-Svc 'h3=":443"; ma=86400';
  61.     ssl_session_timeout 1d;
  62.     ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  63.     ssl_session_tickets off;
  65.     ssl_trusted_certificate   /etc/letsencrypt/live/example.tld/chain.pem;
  66.     ssl_certificate           /etc/letsencrypt/live/example.tld/fullchain.pem;
  67.     ssl_certificate_key       /etc/letsencrypt/live/example.tld/privkey.pem;
  69.     ssl_protocols TLSv1.2 TLSv1.3;
  70.     ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  71.     ssl_prefer_server_ciphers off;
  72.     # In case of an old server with an OpenSSL version of 1.0.2 or below,
  73.     # leave only prime256v1 or comment out the following line.
  74.     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
  75.     ssl_stapling on;
  76.     ssl_stapling_verify on;
  78.     gzip_vary on;
  79.     gzip_proxied any;
  80.     gzip_comp_level 6;
  81.     gzip_buffers 16 8k;
  82.     gzip_http_version 1.1;
  83.     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
  85.     # Nginx media upload limitation
  86.     # Ensure that this value matches or exceeds your Pleroma upload limit:
  87.     #
  88.     # config :pleroma, :instance,
  89.     #  upload_limit: 16_000_000
  90.     #
  91.     client_max_body_size 16m;
  93.     ignore_invalid_headers off;
  95.     proxy_http_version 1.1;
  96.     proxy_set_header Upgrade $http_upgrade;
  97.     proxy_set_header Connection "upgrade";
  98.     proxy_set_header Host $http_host;
  99.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  101.     location / {
  102.         proxy_pass http://phoenix;
  103.     }
  105.     # Uncomment this if you want notice compatibility routes for frontends like Soapbox.
  106.     # location ~ ^/@[^/]+/([^/]+)$ {
  107.     #     proxy_pass http://phoenix/notice/$1;
  108.     # }
  109.     #
  110.     # location ~ ^/@[^/]+/posts/([^/]+)$ {
  111.     #     proxy_pass http://phoenix/notice/$1;
  112.     # }
  113.     #
  114.     # location ~ ^/[^/]+/status/([^/]+)$ {
  115.     #     proxy_pass http://phoenix/notice/$1;
  116.     # }
  118.     # Remove this location if you choose to use a dedicated subdomain
  119.     # for mediaproxy
  120.     location /proxy {
  121.         proxy_cache        pleroma_media_cache;
  122.         slice              1m;
  123.         proxy_cache_key    $host$uri$is_args$args$slice_range;
  124.         proxy_set_header   Range $slice_range;
  125.         proxy_cache_valid  200 206 301 304 1h;
  126.         proxy_cache_lock   on;
  127.         proxy_ignore_client_abort on;
  128.         proxy_buffering    on;
  129.         chunked_transfer_encoding on;
  130.         proxy_pass         http://phoenix;
  131.     }
  133.     # Nginx can serve the local file uploads directly reducing work for
  134.     # the backend. Make sure to change this to a "deny all" if you use
  135.     # a dedicated subdomain. It will break access to uploads that have already
  136.     # federated if you are converting an existing installation, so weigh the risks
  137.     # carefully.
  138.     #
  139.     # location /media/ {
  140.     #     alias /var/lib/pleroma/uploads/;  # <-- make sure this is correct for your deployment
  141.     #     allow all;
  142.     #     add_header X-Content-Type-Options "nosniff";
  143.     #     add_header Content-Security-Policy "sandbox";
  144.     # }
  146. }
  148. # It is strongly recommended that you host your media and the mediaproxy on a dedicated subdomain for security reasons.
  149. # The following Pleroma settings will be required to enable this capability:
  150. #
  151. #   config :pleroma, :media_proxy,
  152. #    base_url: "https://media.example.tld/"
  153. #
  154. #   # Assuming default media upload deployment (e.g., not S3 which will require a different domain anyway) --
  155. #   config :pleroma, Pleroma.Upload,
  156. #    base_url: "https://media.example.tld/media/",
  157. #
  158. #   config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
  159. #
  160. # And then uncomment and configure the following server.
  161. # Make sure your certificate was issued to support both domains or use a dedicated certificate:
  162. #
  163. # server {
  164. #     server_name media.example.tld;
  165. #
  166. #     listen 443 ssl;
  167. #     listen [::]:443 ssl;
  168. #     http2 on;
  169. #
  170. #     # Optional HTTP/3 support
  171. #     # Note: requires you open UDP port 443
  172. #     #
  173. #     # listen 443 quic reuseport;
  174. #     # listen [::]:443 quic reuseport;
  175. #     # http3 on;
  176. #     # quic_retry on;
  177. #     # ssl_early_data on;
  178. #     # quic_gso on;
  179. #     # add_header Alt-Svc 'h3=":443"; ma=86400';
  180. #
  181. #     ssl_session_timeout 1d;
  182. #     ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  183. #     ssl_session_tickets off;
  184. #
  185. #     ssl_trusted_certificate   /etc/letsencrypt/live/example.tld/chain.pem;
  186. #     ssl_certificate           /etc/letsencrypt/live/example.tld/fullchain.pem;
  187. #     ssl_certificate_key       /etc/letsencrypt/live/example.tld/privkey.pem;
  188. #
  189. #     ssl_protocols TLSv1.2 TLSv1.3;
  190. #     ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  191. #     ssl_prefer_server_ciphers off;
  192. #     # In case of an old server with an OpenSSL version of 1.0.2 or below,
  193. #     # leave only prime256v1 or comment out the following line.
  194. #     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
  195. #     ssl_stapling on;
  196. #     ssl_stapling_verify on;
  197. #
  198. #     proxy_http_version 1.1;
  199. #     proxy_set_header Upgrade $http_upgrade;
  200. #     proxy_set_header Connection "upgrade";
  201. #     proxy_set_header Host $http_host;
  202. #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  203. #
  204. #     location /media/ {  # <-- make sure this path matches your Pleroma.Upload :base_url
  205. #         alias /var/lib/pleroma/uploads/;  # <-- make sure this is correct for your deployment
  206. #         allow all;
  207. #         add_header X-Content-Type-Options "nosniff";
  208. #         add_header Content-Security-Policy "sandbox";
  209. #     }
  210. #
  211. #     location /proxy {
  212. #         proxy_cache        pleroma_media_cache;
  213. #         slice              1m;
  214. #         proxy_cache_key    $host$uri$is_args$args$slice_range;
  215. #         proxy_set_header   Range $slice_range;
  216. #         proxy_cache_valid  200 206 301 304 1h;
  217. #         proxy_cache_lock   on;
  218. #         proxy_ignore_client_abort on;
  219. #         proxy_buffering    on;
  220. #         chunked_transfer_encoding on;
  221. #         proxy_pass         http://phoenix;
  222. #     }
  223. # }