Nginx configuration: Difference between revisions

(since 50x.html does not exist nginx was reporting the application 50x error codes as static 404 errors)
(Inline the nginx config as the Gist plugin is no longer maintained.)
 
(3 intermediate revisions by 2 users not shown)
Nginx is a lightweight webserver that is a easy front end for Diaspora. This is a basic configuration for a standard pod install, you will need to scale it up if you grow. If you are running Diaspora* in production mode, you may want to comment out the "daemon off" line.
Nginx is a lightweight webserver that is a easy front end for Diaspora. This is a basic configuration for a standard pod install, you will need to scale it up if you grow. If you are running Diaspora* in production mode, you may want to comment out the "daemon off" line.


{{Note|[https://gist.github.com/jhass/1355430 This gist] provides a cleaner version sticking to best practices.}}
{{#tag:syntaxhighlight|
{{Note|If you're using a StartSSL Cert and got Problems with your chain cert, [https://gist.github.com/1825744 check out this]}}
# This is not a complete Nginx configuration! It only shows the relevant parts for integrating Diaspora.
# [...]


<pre>worker_processes 1;
http {
daemon off;
 
events {
  # Your standard server configuration goes here
   worker_connections  1024;
 
}
  # [...]
 
   gzip_static on;
 
  # [...]


#
  # This vhost just redirects to HTTPS
# FIXME: You may wish to modify the value of the `log_format` directive
#        below if you are not using Splunk
#
http {


   include      mime.types;
   server {
  default_type  application/octet-stream;
    # If your host is not IPv6 ready use listen 80; here.
  sendfile on;
    # Add ipv6only=off to your listen directive that has default_server.
  keepalive_timeout  65;
    # Or this one if this is your only vhost. Do not add it to both!
  gzip              on;
    listen [::]:80;
  gzip_http_version 1.0;
    server_name diaspora.example.org www.diaspora.example.org;
  gzip_comp_level  2;
   
  gzip_proxied      any;
    location / {
  gzip_buffers      16 8k;
      return 301 https://$server_name$request_uri;
  gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    }
   gzip_disable      &quot;MSIE [1-6]\.(?!.*SV1)&quot;;
   }


#
  # Redirect https://www.diaspora.example.org to https://diaspora.example.org
# FIXME: If using thin app server, specify correct number of thin servers
  server {
#        below, otherwise comment out and replace with your own solution
    listen [::]:443 ssl http2; # Same rules as for listen [::]:80 apply.
#
upstream thin_cluster {
  server          localhost:3000;
}


    server_name www.diaspora.example.org;
   
    location / {
      return 301 https://diaspora.example.org$request_uri;
    }


#
    # SSL setup
# FIXME: specify correct value(s) for `server_name` directive and
#        correct domain name in the `rewrite` directive below
#
server {
  listen      80;
  server_name  example.com  www.example.com;
  rewrite      ^(.*) https://example.com$1 permanent;
}


#
    # This file should also include any necessary intermediate certificates.
# FIXME: specify correct value(s) for `server_name` directive and
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
#       `ssl_certificate` + `ssl_certificate_key` directives below
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
#
    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
server {
    ssl_certificate /path/to/certificate.crt;
  listen      443;
    ssl_certificate_key /path/to/private_key.key;
  server_name  example.com  www.example.com;
  ## make sure you change location if you did clone into /usr/local/app
  root        /usr/local/app/diaspora/public;


  ssl on;
    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  ssl_certificate      /path/to/cert_location;
    # You might want to make these global
  ssl_certificate_key  /path/to/key_location;
  # enable better ssl security if you like to mitigate BEAST and other exploits
  #ssl_session_cache      shared:SSL:10m;
  #ssl_session_timeout    5m;
  #ssl_protocols          TLSv1;
  #ssl_ciphers            ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
  #ssl_prefer_server_ciphers on;
  #add_header              Strict-Transport-Security max-age=500;
  #ssl_ecdh_curve          secp521r1;


  location /uploads/images {
    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
  expires 1d;
    ssl_dhparam /path/to/dhparam.pem;
  add_header Cache-Control public;
   
  }
    ssl_protocols TLSv1.2 TLSv1.3;
  location /assets {
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  expires 1d;
    ssl_prefer_server_ciphers off;
  add_header Cache-Control public;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;
   }
   }


#
  # Actual proxy
# FIXME: modify the `rewrite` directive below to point to proper S3 bucket
 
#       and path or comment out if you will store images on local file system
  server {
#
    listen [::]:443 ssl http2; # Same rules as for listen [::]:80 apply.
location / {
    server_name diaspora.example.org;
  proxy_set_header X-Real-IP $remote_addr;
    root /path/to/diaspora/public;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
  proxy_set_header Host $http_host;
    # Configure maximum picture size
  proxy_set_header X-Forwarded-Proto https;
    # Note that Diaspora has a client side check set at 4M
  proxy_redirect off;
    client_max_body_size 5M;
  client_max_body_size 4M;
    client_body_buffer_size 256K;
  client_body_buffer_size 128K;
 
    # SSL setup
 
    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;
 
    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global
 
    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /path/to/dhparam.pem;
 
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;
 
    # Proxy if requested file not found
    try_files $uri @diaspora;


  if (-f $request_filename/index.html) {
    location /assets/ {
    rewrite (.*) $1/index.html break;
      expires max;
  }
      add_header Cache-Control public;
  if (-f $request_filename.html) {
     }
    rewrite (.*) $1.html break;
  }
  if (!-f $request_filename) {
    proxy_pass http://thin_cluster;
     break;
  }
  #if you switch to a s3 bucket you can redirect old links to the s3
  #rewrite ^/uploads/images/(.*)$ https://example.com/s3bucket/s3path/$1 permanent;
}


  # you may create the file public/50x.html to render custom pages as you like
    # Camo support
  # otherwise leave these next four lines commented out
    #location /camo/ {
    #  proxy_redirect off;
    #  proxy_pass http://camo/;
    #  break;
    #}


  # error_page 500 502 503 504 /50x.html;
    location @diaspora {
  # location = /50x.html {
      proxy_set_header X-Real-IP $remote_addr;
  # root html;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # }
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $http_host;
      proxy_redirect off;


}
      proxy_pass http://diaspora_server;
    }
  }


}</pre>
  # Proxy destination
  # Add as many server directives as you want
  # Also takes a socket, like unix:/path/to/some/socket.sock
  upstream diaspora_server {
    server unix:/path/to/diaspora/tmp/diaspora.sock;
  }


  # Camo support
  #upstream camo {
  #  server 127.0.0.1:8081;
  #}
}


# [...]
|lang="nginx"}}


[[Category:Podmin]]
[[Category:Podmin]]
[[Category:Github transfer done]]
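Review bot: The two `listen [::]:443` server blocks on the new side still send no Strict-Transport-Security header, so every fresh visit to the bare hostname starts with a plain-HTTP request that the port-80 redirect can only partly protect; the old side's `#add_header Strict-Transport-Security max-age=500;` was dropped rather than enabled. Adding `add_header Strict-Transport-Security "max-age=63072000" always;` to both HTTPS server blocks closes that gap, with the caveat that browsers remember it for the whole max-age, so test with a short value first. nginx does not merge add_header across levels, so `location /assets/ { expires max; add_header Cache-Control public; }` on the new side would silently lose the inherited header and the HSTS line has to be repeated inside that location. Separately, the comment `/etc/letsencrypt/diaspora.example.org/privkey.pem` is missing the `live/` component that the fullchain line directly above it uses.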

Latest revision as of 16:41, 12 June 2024

Nginx is a lightweight webserver that is an easy front end for Diaspora. This is a basic configuration for a standard pod install; you will need to scale it up if you grow. The example below no longer contains a "daemon off" line (earlier revisions of this page did); if you are running Diaspora* in production mode and copied the configuration from an older revision, comment that line out.

# This is not a complete Nginx configuration! It only shows the relevant parts for integrating Diaspora.
# [...]

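http {

  # Your standard server configuration goes here

  # [...]

  # Do not advertise the exact nginx version in the Server header and on
  # built-in error pages; it only helps an attacker pick a version-specific
  # exploit and gives nothing to legitimate clients.
  server_tokens off;

  gzip_static on;

  # [...]

  # This vhost just redirects to HTTPS

  server {
    # If your host is not IPv6 ready use listen 80; here.
    # Add ipv6only=off to your listen directive that has default_server.
    # Or this one if this is your only vhost. Do not add it to both!
    listen [::]:80;
    server_name diaspora.example.org www.diaspora.example.org;

    location / {
      # $server_name is the first name of the server_name directive above,
      # so the redirect target is fixed by this file. Do not replace it with
      # $host: that would copy a client-supplied Host header into the
      # Location header and turn this vhost into an open redirect.
      return 301 https://$server_name$request_uri;
    }
  }

  # Redirect https://www.diaspora.example.org to https://diaspora.example.org
  server {
    # Same rules as for listen [::]:80 apply.
    # nginx >= 1.25.1 deprecates the http2 parameter on listen in favour of a
    # separate "http2 on;" directive; the old form still works with a warning.
    listen [::]:443 ssl http2;

    server_name www.diaspora.example.org;

    location / {
      return 301 https://diaspora.example.org$request_uri;
    }

    # SSL setup

    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/live/diaspora.example.org/privkey.pem
    # (certbot keeps both files under the live/ directory).
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;

    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global

    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    # (the Mozilla guide alternatively ships a pre-generated RFC 7919
    # ffdhe2048 group you can drop in instead of generating your own)
    ssl_dhparam /path/to/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;

    # HSTS: tell browsers to use HTTPS only for this host name. Browsers
    # remember this for max-age seconds (two years here) even if TLS later
    # breaks, so test with a short value (e.g. max-age=300) before committing.
    # Do NOT add includeSubDomains unless every subdomain serves HTTPS.
    # "always" also sets the header on error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;
  }

  # Actual proxy

  server {
    # Same rules as for listen [::]:80 apply; see the http2 note above.
    listen [::]:443 ssl http2;
    server_name diaspora.example.org;
    # Everything under this directory is served as a static file by the
    # try_files below, so keep only public assets here.
    root /path/to/diaspora/public;

    # Configure maximum picture size
    # Note that Diaspora has a client side check set at 4M
    client_max_body_size 5M;
    client_body_buffer_size 256K;

    # SSL setup

    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/live/diaspora.example.org/privkey.pem
    # (certbot keeps both files under the live/ directory).
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;

    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global

    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /path/to/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;

    # HSTS, same caveats as in the www vhost above. This server-level
    # add_header is inherited by every location below that has no add_header
    # of its own (@diaspora, camo); any location that does set a header must
    # repeat this line, because nginx replaces rather than merges add_header.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Proxy if requested file not found
    try_files $uri @diaspora;

    location /assets/ {
      expires max;
      add_header Cache-Control public;
      # Repeated here on purpose: this location's own add_header discards the
      # server-level header set above, so without this line /assets/ responses
      # would carry no HSTS header.
      add_header Strict-Transport-Security "max-age=63072000" always;
    }

    # Camo support
    #location /camo/ {
    #  proxy_redirect off;
    #  proxy_pass http://camo/;
    #  break;
    #}

    location @diaspora {
      # X-Real-IP is the direct peer. If another proxy or load balancer sits
      # in front of nginx, $remote_addr is that proxy, not the user; use
      # set_real_ip_from / real_ip_header to recover the client address.
      proxy_set_header X-Real-IP $remote_addr;
      # $proxy_add_x_forwarded_for keeps any incoming X-Forwarded-For (which
      # is client-controlled) and appends $remote_addr; only the last entry
      # is trustworthy.
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # Hard-coded rather than $scheme: this vhost is TLS only, and the
      # application uses it to treat the request as HTTPS.
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $http_host;
      proxy_redirect off;

      proxy_pass http://diaspora_server;
    }
  }

  # Proxy destination
  # Add as many server directives as you want
  # Also takes a socket, like unix:/path/to/some/socket.sock
  # A unix socket is preferable to a TCP port: it cannot be reached from the
  # network and is protected by file-system permissions.
  upstream diaspora_server {
    server unix:/path/to/diaspora/tmp/diaspora.sock;
  }

  # Camo support
  #upstream camo {
  #  server 127.0.0.1:8081;
  #}
}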

# [...]