From 46be3efbb05e8823efef8adfadcf2182ee4ba71e Mon Sep 17 00:00:00 2001
From: inference
Date: Thu, 25 May 2023 11:44:44 +0100
Subject: [PATCH] Add Nginx Pleroma configuration file version 0.0.0.0.
---
 server/xb000-0/nginx/pleroma.conf | 101 ++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 server/xb000-0/nginx/pleroma.conf
diff --git a/server/xb000-0/nginx/pleroma.conf b/server/xb000-0/nginx/pleroma.conf
new file mode 100644
index 0000000..1996fe5
--- /dev/null
+++ b/server/xb000-0/nginx/pleroma.conf
@@ -0,0 +1,101 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Pleroma
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 0.0.0.0
+
+
+proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
+ inactive=720m use_temp_path=off;
+
+# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
+# and `localhost.` resolves to [::0] on some systems: see issue #930
+upstream phoenix {
+ server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
+}
+
+# Server (unencrypted)
+server {
+ server_name plm.inferencium.net;
+ listen 80;
+ listen [::]:80;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+# Enable SSL session caching for improved performance
+ssl_session_cache shared:ssl_session_cache:10m;
+
+# Server (TLS)
+server {
+ server_name plm.inferencium.net;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/plm.inferencium.net/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/plm.inferencium.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/plm.inferencium.net/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+ ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ ssl_conf_command Options PrioritizeChaCha;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X25519;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 64m;
+ ignore_invalid_headers off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://phoenix;
+ }
+
+ # Uncomment this if you want notice compatibility routes for frontends like Soapbox.
+ # location ~ ^/@[^/]+/([^/]+)$ {
+ # proxy_pass http://phoenix/notice/$1;
+ # }
+ #
+ # location ~ ^/@[^/]+/posts/([^/]+)$ {
+ # proxy_pass http://phoenix/notice/$1;
+ # }
+ #
+ # location ~ ^/[^/]+/status/([^/]+)$ {
+ # proxy_pass http://phoenix/notice/$1;
+ # }
+
+ location ~ ^/(media|proxy) {
+ proxy_cache pleroma_media_cache;
+ slice 1m;
+ proxy_cache_key $host$uri$is_args$args$slice_range;
+ proxy_set_header Range $slice_range;
+ proxy_cache_valid 200 206 301 304 1h;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+ proxy_buffering on;
+ chunked_transfer_encoding on;
+ proxy_pass http://phoenix;
+ }
+}
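Review bot: `ssl_stapling on` and `ssl_stapling_verify on` in the TLS server block are paired with no `resolver` directive anywhere in this file, so nginx cannot resolve the OCSP responder hostname from the Let's Encrypt certificate and stapling is silently disabled (nginx logs a "no resolver defined" warning and keeps serving without a staple), which leaves those two lines doing nothing. Add one next to them, e.g. `resolver 127.0.0.1 valid=300s;` and `resolver_timeout 5s;`, pointing at whichever recursive DNS the host actually uses rather than a public resolver. Separately, the port-80 block redirects to HTTPS but the 443 block sets no HSTS header; unless Pleroma's own `:http_security` `sts` option is enabled on this instance, add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in the TLS server so the redirect cannot be stripped by an on-path attacker. Note also that the TLS 1.2 `ssl_ciphers` list contains only ECDHE-ECDSA suites, so it only works if privkey.pem is an EC key — with an RSA Let's Encrypt certificate every TLS 1.2 client would fail with "no shared cipher" while TLS 1.3 clients still connect, which is easy to miss in testing; a comment such as `# ECDSA-only suites: the certificate below must be issued for an EC key` would make the dependency explicit.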