nginx.conf.tmpl (3194B)
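# https://github.com/mastodon/mastodon/blob/main/dist/nginx.conf
#
# TLS-terminating reverse proxy for Mastodon. The {{ env "..." }} expressions
# are template placeholders filled from environment variables at render time
# (presumably by Nomad's template block, given the NOMAD_* names - confirm).

# Sets $connection_upgrade to "upgrade" when the client sent an Upgrade header
# (WebSocket handshake) and to "close" otherwise.
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

# Mastodon web backend; the address comes from the NOMAD_ADDR_mastodon_web variable.
upstream backend {
  server {{ env "NOMAD_ADDR_mastodon_web" }} fail_timeout=0;
}

# Mastodon streaming API backend.
upstream streaming {
  server {{ env "NOMAD_ADDR_mastodon_streaming" }} fail_timeout=0;
}

# On-disk cache for proxied responses: 10 MB key zone named CACHE, entries
# dropped after 7 days without access, total size capped at 1 GB.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

server {
  # HTTPS only, on IPv4 and IPv6. This file defines no plain-HTTP listener,
  # so any HTTP-to-HTTPS redirect has to be provided elsewhere.
  listen {{ env "NOMAD_PORT_https" }} ssl http2;
  listen [::]:{{ env "NOMAD_PORT_https" }} ssl http2;
  server_name m.in0rdr.ch;

  # TLS 1.2 and 1.3 only.
  ssl_protocols TLSv1.2 TLSv1.3;
  # NOTE(review): "HIGH" minus SHA-1 MACs can still admit non-forward-secret
  # RSA key-exchange suites on TLS 1.2, depending on the OpenSSL build -
  # check the effective list with `openssl ciphers -v` before relying on it.
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  # Session resumption goes through the shared server-side cache only; session
  # tickets are off, so no ticket key has to be protected or rotated.
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # The private key must be readable only by the account that starts nginx.
  ssl_certificate /etc/letsencrypt/live/m.in0rdr.ch/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/m.in0rdr.ch/privkey.pem;

  keepalive_timeout 70;
  sendfile on;
  # Upper bound on request bodies (uploads); larger requests are rejected by nginx.
  client_max_body_size 80m;

  root /mastodon/public;

  # NOTE(review): gzip_proxied any also compresses proxied (dynamic) responses.
  # Compressing TLS responses that combine secrets with request-controlled data
  # is the precondition for BREACH-style length side channels; confirm that
  # this is acceptable for the JSON/HTML types listed below.
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;

  # HSTS for one year, sent on error responses too ("always"). nginx inherits
  # add_header from this level only into locations that define no add_header of
  # their own, which is why the header is repeated in the locations below.
  add_header Strict-Transport-Security "max-age=31536000" always;

  # Serve the file from disk when it exists under root, otherwise hand the
  # request to the backend.
  location / {
    try_files $uri @proxy;
  }

  # Static assets and, going by the path names, user-uploaded avatars and media
  # attachments. These headers apply only when nginx serves the file from disk;
  # after the try_files fallback the @proxy location's headers apply instead.
  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000" always;
    # Files served straight from disk bypass the application's own response
    # headers, so disable MIME sniffing here: content on these paths must be
    # interpreted strictly by the Content-Type nginx assigns.
    add_header X-Content-Type-Options nosniff;
    try_files $uri @proxy;
  }

  # The service worker script must be revalidated on every load.
  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000" always;
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    # X-Real-IP is overwritten with the connecting peer address. X-Forwarded-For
    # is appended to whatever the client sent, so the backend must trust only
    # the entry added by this proxy, never the left-most value.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Blank the client-supplied Proxy header so the backend never sees it
    # (mitigation for the "httpoxy" class of issues).
    proxy_set_header Proxy "";
    # Pass the backend's Server header through to the client.
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_force_ranges on; # for iOS clients
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # Shared response cache. No proxy_cache_key is set, so the nginx default key
    # is used. Upstream Cache-Control/Expires headers take precedence over the
    # proxy_cache_valid times, and responses carrying Set-Cookie are not cached.
    # NOTE(review): per-user responses stay out of this cache only if the
    # backend marks them private/no-store - verify after backend upgrades.
    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    # Serve a stale entry while it is being refreshed or when the backend fails.
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    # Exposes the cache status (HIT, MISS, ...) to clients.
    add_header X-Cached $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000" always;

    tcp_nodelay on;
  }

  # Streaming API (long-lived connections / WebSocket upgrade): not buffered,
  # not cached. This location sets no add_header, so it inherits the
  # server-level HSTS header.
  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Proxy "";

    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  # Static error page for backend failures, resolved against root.
  error_page 500 501 502 503 504 /500.html;
}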