Template:Installation/Reverse proxy: Difference between revisions

From diaspora* project wiki
(Rework Reverse proxy section to highly encourage nginx)
 
(4 intermediate revisions by 4 users not shown)
Line 1: Line 1:
=== Reverse proxy ===
== Reverse proxy ==


You most likely have already a webserver running on port 80 (http) and 443 (https). It also should serve Diasporas static content and forward all other requests to Diaspora. Here are some example configurations to achieve that:
To connect the internet to diaspora*, and to serve static files, you need to set up a reverse proxy. We '''highly recommend nginx''', and [[Nginx_configuration|you can find an example configuration for nginx here]].


* '''Apache''': https://gist.github.com/719014
=== Alternatives to nginx (not recommended) ===
* '''Nginx''': https://gist.github.com/1355430


The reverse Proxy is quite Tricky if you have no idea what nginx does.
Alternatively, you can check out these community-contributed options. However, please note that we will have a hard time supporting you if you run into issues with them!
ive searched the web and merged some configs, this one works for me,
cut and paste replace SERVERNAME.NET for your domain name. and ofcourse the PATH for PUBLIC and Certifactes


Problem here is not really NGinX but centos AUDIT, it took me a LONG while to figure out
* '''Apache''': https://gist.github.com/719014
that the AUDIT system was blocking requests
* '''Caddy''': https://gist.github.com/oliof/57345a6596bb3a564f68d1482fb383f9
Basically this fixed it (+ disabling all hidden firewalls and just enabling iptables)
 
cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mydiaspora
 
 
cat nginx.conf
 
worker_processes 1;
daemon on;
events {
  worker_connections  1024;
}
 
http {
 
  include      mime.types;
  default_type  application/octet-stream;
  sendfile on;
  keepalive_timeout  65;
  gzip              on;
  gzip_http_version 1.0;
  gzip_comp_level  2;
  gzip_proxied      any;
  gzip_buffers      16 8k;
  gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_disable      "MSIE [1-6]\.(?!.*SV1)";
 
server_names_hash_bucket_size      128;
 
upstream thin_cluster {
  server          0.0.0.0:3000;
}
 
 
server {
  listen      80;
  server_name  192.168.11.100 SERVERNAME.NET ;
  rewrite      ^(.*) https://SERVERNAME.NET$1 permanent;
}
 
server {
  listen      443 default_server ssl;
  server_name  192.168.11.100 SERVERNAME.NET;
  root        /home/diaspora/diaspora/public/;
 
  ssl on;
  ssl_certificate      /etc/nginx/ssl-unified.crt;
  ssl_certificate_key  /etc/nginx/ssl.key;
location /uploads/images {
  expires 1d;
  add_header Cache-Control public;
  }
  location /assets {
  expires 1d;
  add_header Cache-Control public;
  }
 
location ~ .php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    include fastcgi_params;
    }
 
location / {
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto https;
  proxy_redirect off;
  client_max_body_size 4M;
  client_body_buffer_size 128K;
 
if (-f $request_filename/index.html) {
    rewrite (.*) $1/index.html break;
  }
  if (-f $request_filename.html) {
    rewrite (.*) $1.html break;
  }
  if (!-f $request_filename) {
    proxy_pass http://thin_cluster;
    break;
  }
}


  error_page 500 502 503 504 /50x.html;
[[Category:Templates]]
  location = /50x.html {
  root html;
  proxy_pass http://localhost:3000;
  proxy_read_timeout 90;
  proxy_redirect http://localhost:3000 https://SERVERNAME.NET;
}
}
}
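Review bot: The "Alternatives to nginx (not recommended)" list now points at the Apache and Caddy gists with nothing on this page to check them against, because the inline configuration that documented the expected proxy behaviour is gone. That configuration redirected port 80 to HTTPS with `rewrite ^(.*) https://SERVERNAME.NET$1 permanent;` and passed `proxy_set_header Host $http_host;` and `proxy_set_header X-Forwarded-Proto https;` to the backend. Consider adding one sentence under the alternatives heading stating that any proxy used instead of nginx has to do the same (redirect to HTTPS, terminate TLS, forward the Host and X-Forwarded-Proto headers, serve the files under public/), so that an admin adapting a community gist can verify it against a stated requirement rather than trusting the gist as is. Removing the advice about "disabling all hidden firewalls" and the broad audit2allow pipeline looks right and needs no replacement.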

Latest revision as of 23:14, 15 June 2024

Reverse proxy

To connect the internet to diaspora*, and to serve static files, you need to set up a reverse proxy. We highly recommend nginx, and you can find an example configuration for nginx here.

Alternatives to nginx (not recommended)

Alternatively, you can check out these community-contributed options. However, please note that we will have a hard time supporting you if you run into issues with them!