mastodon-glitch/dist/nginx.conf

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream backend {
    server 127.0.0.1:3000 fail_timeout=0;
}

upstream streaming {
    # Instruct nginx to send connections to the server with the least number of connections
    # to ensure load is distributed evenly.
    least_conn;

    server 127.0.0.1:4000 fail_timeout=0;
    # Uncomment these lines for load-balancing multiple instances of streaming for scaling,
    # this assumes your running the streaming server on ports 4000, 4001, and 4002:
    # server 127.0.0.1:4001 fail_timeout=0;
    # server 127.0.0.1:4002 fail_timeout=0;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

server {
  listen 80;
  listen [::]:80;
  server_name example.com;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name example.com;

  ssl_protocols TLSv1.2 TLSv1.3;

  # You can use https://ssl-config.mozilla.org/ to generate your cipher set.
  # We recommend their "Intermediate" level.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # Uncomment these lines once you acquire a certificate:
  # ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 99m;

  root /home/mastodon/live/public;

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;

  location / {
    try_files $uri @proxy;
  }

  # If Docker is used for deployment and Rails serves static files,
  # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
  location = /sw.js {
    add_header Cache-Control "public, max-age=604800, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/assets/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/avatars/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/emoji/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/headers/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/packs/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/shortcuts/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/sounds/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri =404;
  }

  location ~ ^/system/ {
    add_header Cache-Control "public, max-age=2419200, immutable";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
    try_files $uri =404;
  }

  location ^~ /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Proxy "";

    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

    tcp_nodelay on;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;

    tcp_nodelay on;
  }

  error_page 404 500 501 502 503 504 /500.html;
}
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`map $http_upgrade $connection_upgrade {`
			`default upgrade;`
			`'' close;`
			`}`

Update nginx.conf (#13066) 2020-03-08 15:04:25 +00:00			`upstream backend {`
			`server 127.0.0.1:3000 fail_timeout=0;`
			`}`

			`upstream streaming {`
Make mastodon-streaming systemd unit templated (#24751) Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com> 2023-08-07 13:41:34 +00:00			`# Instruct nginx to send connections to the server with the least number of connections`
			`# to ensure load is distributed evenly.`
			`least_conn;`

Update nginx.conf (#13066) 2020-03-08 15:04:25 +00:00			`server 127.0.0.1:4000 fail_timeout=0;`
Make mastodon-streaming systemd unit templated (#24751) Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com> 2023-08-07 13:41:34 +00:00			`# Uncomment these lines for load-balancing multiple instances of streaming for scaling,`
			`# this assumes your running the streaming server on ports 4000, 4001, and 4002:`
			`# server 127.0.0.1:4001 fail_timeout=0;`
			`# server 127.0.0.1:4002 fail_timeout=0;`
Update nginx.conf (#13066) 2020-03-08 15:04:25 +00:00			`}`

Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;`

			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name example.com;`
			`root /home/mastodon/live/public;`
			`location /.well-known/acme-challenge/ { allow all; }`
			`location / { return 301 https://$host$request_uri; }`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name example.com;`

Add TLS v1.3 support (#11603) Maintain TLS v1.2 compatibility (might want to drop this later) and add support for TLS v1.3 2019-08-30 05:42:50 +00:00			`ssl_protocols TLSv1.2 TLSv1.3;`
Add suggestion for secure cyphers to nginx.conf (#26349) 2023-08-31 10:17:10 +00:00
			`# You can use https://ssl-config.mozilla.org/ to generate your cipher set.`
			`# We recommend their "Intermediate" level.`
			`ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;`

Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`
Disable nginx ssl_session_tickets for better security (#16632) It's default turned on, but it's better to turn it off for security reason. Reference: - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets - https://github.com/mozilla/server-side-tls/issues/135 2021-08-20 07:15:07 +00:00			`ssl_session_tickets off;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00
			`# Uncomment these lines once you acquire a certificate:`
			`# ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;`
			`# ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;`

			`keepalive_timeout 70;`
			`sendfile on;`
Change media upload limits and remove client-side resizing (#23726) 2023-03-25 09:00:03 +00:00			`client_max_body_size 99m;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00
			`root /home/mastodon/live/public;`

			`gzip on;`
			`gzip_disable "msie6";`
			`gzip_vary on;`
			`gzip_proxied any;`
			`gzip_comp_level 6;`
			`gzip_buffers 16 8k;`
			`gzip_http_version 1.1;`
Also compress SVG and ICO images in nginx (#17651) 2022-02-26 16:27:11 +00:00			`gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00
			`location / {`
			`try_files $uri @proxy;`
			`}`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`# If Docker is used for deployment and Rails serves static files,`
			# then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
Fix nginx location matching (#20198) 2022-11-09 03:12:57 +00:00			`location = /sw.js {`
nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`add_header Cache-Control "public, max-age=604800, must-revalidate";`
Remove duplicate HSTS headers from nginx.conf (#19018) * Update nginx.conf * Update nginx.conf * Update nginx.conf 2022-10-27 14:58:49 +00:00			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`try_files $uri =404;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`}`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`location ~ ^/assets/ {`
			`add_header Cache-Control "public, max-age=2419200, must-revalidate";`
Remove duplicate HSTS headers from nginx.conf (#19018) * Update nginx.conf * Update nginx.conf * Update nginx.conf 2022-10-27 14:58:49 +00:00			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`try_files $uri =404;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`}`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`location ~ ^/avatars/ {`
			`add_header Cache-Control "public, max-age=2419200, must-revalidate";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`try_files $uri =404;`
			`}`

			`location ~ ^/emoji/ {`
			`add_header Cache-Control "public, max-age=2419200, must-revalidate";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`try_files $uri =404;`
			`}`

			`location ~ ^/headers/ {`
			`add_header Cache-Control "public, max-age=2419200, must-revalidate";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`try_files $uri =404;`
			`}`

			`location ~ ^/packs/ {`
			`add_header Cache-Control "public, max-age=2419200, must-revalidate";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`try_files $uri =404;`
			`}`

			`location ~ ^/shortcuts/ {`
			`add_header Cache-Control "public, max-age=2419200, must-revalidate";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`try_files $uri =404;`
			`}`

			`location ~ ^/sounds/ {`
			`add_header Cache-Control "public, max-age=2419200, must-revalidate";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`try_files $uri =404;`
			`}`

			`location ~ ^/system/ {`
			`add_header Cache-Control "public, max-age=2419200, immutable";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
Add hardened headers to user-uploaded files (#25756) 2023-07-06 12:31:37 +00:00			`add_header X-Content-Type-Options nosniff;`
			`add_header Content-Security-Policy "default-src 'none'; form-action 'none'";`
nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`try_files $uri =404;`
			`}`

allow /api/v1/streaming to be used as per documentation (#19896) 2022-11-07 02:16:44 +00:00			`location ^~ /api/v1/streaming {`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Set X-Forwarded-Proto to request scheme (#15310) (#15498) This fixes a bug that prevents logins to mastodon onion services. The nginx directive assumed all requests were made over https, causing a domain mismatch for onion services that have https redirects disabled. The fix more correctly sets X-Forwarded-Proto to the actual scheme used in the request. 2021-01-05 21:25:07 +00:00			`proxy_set_header X-Forwarded-Proto $scheme;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`proxy_set_header Proxy "";`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`proxy_pass http://streaming;`
			`proxy_buffering off;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`proxy_redirect off;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00
			`tcp_nodelay on;`
			`}`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`location @proxy {`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Set X-Forwarded-Proto to request scheme (#15310) (#15498) This fixes a bug that prevents logins to mastodon onion services. The nginx directive assumed all requests were made over https, causing a domain mismatch for onion services that have https redirects disabled. The fix more correctly sets X-Forwarded-Proto to the actual scheme used in the request. 2021-01-05 21:25:07 +00:00			`proxy_set_header X-Forwarded-Proto $scheme;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`proxy_set_header Proxy "";`
nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`proxy_pass_header Server;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00
nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`proxy_pass http://backend;`
			`proxy_buffering on;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`proxy_redirect off;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`proxy_cache CACHE;`
			`proxy_cache_valid 200 7d;`
			`proxy_cache_valid 410 24h;`
			`proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;`
			`add_header X-Cached $upstream_cache_status;`

Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`tcp_nodelay on;`
			`}`

nginx: optimize locations (#19438) * nginx: optimize locations * nginx: don't use regex in locations * nginx: optimize Cache-Control headaers * nginx: use 404 error_page for missing static files * nginx: sort locations * nginx: add missing HSTS header 2022-10-29 13:06:23 +00:00			`error_page 404 500 501 502 503 504 /500.html;`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 14:46:05 +00:00			`}`