nginx.conf.tmpl (3141B)
# Rendered by Nomad before nginx reads it: each `{{ env "NAME" }}` is replaced
# with that variable from the allocation's environment.

# On-disk cache used by the `location ~ ^/(media|proxy)` block below; the zone
# name (pleroma_media_cache) is what `proxy_cache` refers to.
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;

# Upstream address is injected by Nomad (NOMAD_ADDR_http, the IP:port Nomad
# allocated to the task's "http" port). It is kept as a literal address rather
# than `localhost.` because Pleroma.Web.Endpoint binds on IPv4 only and
# `localhost.` resolves to [::0] on some systems: see issue #930.
# NOTE(review): this hop is plain HTTP; TLS terminates in the server block
# below, so nginx-to-Pleroma traffic is only as private as the network that
# NOMAD_ADDR_http lives on.
upstream phoenix {
    server {{ env "NOMAD_ADDR_http" }} max_fails=5 fail_timeout=60s;
}

# Enable SSL session caching for improved performance
# NOTE(review): the server block below sets its own `ssl_session_cache`
# (shared:MozSSL:10m), which overrides this one for that server; this zone is
# only used by servers in the enclosing context that do not set their own.
ssl_session_cache shared:ssl_session_cache:10m;

server {
    server_name m.in0rdr.ch;

    # HTTPS port comes from Nomad (NOMAD_PORT_https): first line binds IPv4,
    # second line IPv6.
    listen {{ env "NOMAD_PORT_https" }} ssl http2;
    listen [::]:{{ env "NOMAD_PORT_https" }} ssl http2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    # Session tickets off: a long-lived ticket key, if leaked, would let
    # recorded sessions be decrypted, undermining forward secrecy.
    ssl_session_tickets off;

    # chain.pem is used to verify the stapled OCSP response (ssl_stapling_verify).
    ssl_trusted_certificate /etc/letsencrypt/live/m.in0rdr.ch/chain.pem;
    ssl_certificate /etc/letsencrypt/live/m.in0rdr.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/m.in0rdr.ch/privkey.pem;

    # TLS 1.0/1.1 are not offered. The cipher list is AEAD suites first, with
    # two CBC suites (the ...-AES256-SHA384 pair) kept for older clients; every
    # suite is ECDHE, so all provide forward secrecy. Drop the two CBC suites
    # if no legacy clients need them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    # Client preference order wins; acceptable only because the list above
    # contains no weak suites for a client to prefer.
    ssl_prefer_server_ciphers off;
    # In case of an old server with an OpenSSL version of 1.0.2 or below,
    # leave only prime256v1 or comment out the following line.
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    # OCSP stapling: nginx fetches the OCSP response itself, which requires a
    # `resolver` directive in scope (none is set in this file, so it must come
    # from an enclosing context) or a pre-fetched `ssl_stapling_file`; without
    # one nginx warns "no resolver defined" and serves no staple.
    # ssl_stapling_verify checks the fetched response against
    # ssl_trusted_certificate above.
    ssl_stapling on;
    ssl_stapling_verify on;

    # gzip tuning only; compression happens where `gzip on` is in effect, which
    # this file does not set (presumably inherited from the enclosing http
    # context - verify).
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;
    # Pass request headers with names nginx would otherwise treat as invalid
    # through to the upstream instead of dropping them.
    ignore_invalid_headers off;

    # HTTP/1.1 plus Upgrade/Connection so WebSocket upgrades pass through;
    # Host and X-Forwarded-For are forwarded so the upstream sees the original
    # host and client address. These apply to every location below.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Everything not matched by the regex location below goes to Pleroma uncached.
    location / {
        proxy_pass http://phoenix;
    }

    # Uncomment this if you want notice compatibility routes for frontends like Soapbox.
    # location ~ ^/@[^/]+/([^/]+)$ {
    #     proxy_pass http://phoenix/notice/$1;
    # }
    #
    # location ~ ^/@[^/]+/posts/([^/]+)$ {
    #     proxy_pass http://phoenix/notice/$1;
    # }
    #
    # location ~ ^/[^/]+/status/([^/]+)$ {
    #     proxy_pass http://phoenix/notice/$1;
    # }

    # Cached media / media-proxy responses. Upstream fetches are done in 1m
    # slices (Range header rewritten to $slice_range) and the slice range is
    # part of the cache key, so each slice is its own cache entry and a client
    # Range request does not force a full download.
    # NOTE(review): the key starts with $host, so the same path requested with
    # a different Host header is a separate entry, not a cache hit.
    location ~ ^/(media|proxy) {
        proxy_cache pleroma_media_cache;
        slice 1m;
        proxy_cache_key $host$uri$is_args$args$slice_range;
        proxy_set_header Range $slice_range;
        # only these statuses are cached, each for 1h
        proxy_cache_valid 200 206 301 304 1h;
        # one upstream fetch per missing entry; concurrent requests for it wait
        proxy_cache_lock on;
        # keep the upstream fetch going if the client disconnects, so the
        # cache entry is still completed
        proxy_ignore_client_abort on;
        proxy_buffering on;
        chunked_transfer_encoding on;
        proxy_pass http://phoenix;
    }
}