Nginx configuration: Difference between revisions

(Add my gist)
(Inline the nginx config as the Gist plugin is no longer maintained.)
 
(8 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Nginx is a lightweight webserver that is a easy front end for Diaspora. This is a basic configuration for a standard pod install, you will need to scale it up if you grow. If you are running Diaspora* in production mode, you may want to comment out the "daemon off" line.
Nginx is a lightweight webserver that is a easy front end for Diaspora. This is a basic configuration for a standard pod install, you will need to scale it up if you grow. If you are running Diaspora* in production mode, you may want to comment out the "daemon off" line.


'''Note''': [https://gist.github.com/MrZYX/1355430 This gist] provides a cleaner version sticking to best practices.
{{#tag:syntaxhighlight|
'''Note''': If you're using a StartSSL Cert and got Problems with your chain cert, [https://gist.github.com/1825744 check out this]
# This is not a complete Nginx configuration! It only shows the relevant parts for integrating Diaspora.
# [...]


<pre>worker_processes 1;
http {
daemon off;
 
events {
  # Your standard server configuration goes here
   worker_connections  1024;
 
}
  # [...]
 
   gzip_static on;
 
  # [...]


#
  # This vhost just redirects to HTTPS
# FIXME: You may wish to modify the value of the `log_format` directive
#        below if you are not using Splunk
#
http {


   include      mime.types;
   server {
  default_type  application/octet-stream;
    # If your host is not IPv6 ready use listen 80; here.
  sendfile on;
    # Add ipv6only=off to your listen directive that has default_server.
  keepalive_timeout  65;
    # Or this one if this is your only vhost. Do not add it to both!
  gzip              on;
    listen [::]:80;
  gzip_http_version 1.0;
    server_name diaspora.example.org www.diaspora.example.org;
  gzip_comp_level  2;
   
  gzip_proxied      any;
    location / {
  gzip_buffers      16 8k;
      return 301 https://$server_name$request_uri;
  gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    }
   gzip_disable      &quot;MSIE [1-6]\.(?!.*SV1)&quot;;
   }


#
  # Redirect https://www.diaspora.example.org to https://diaspora.example.org
# FIXME: If using thin app server, specify correct number of thin servers
  server {
#        below, otherwise comment out and replace with your own solution
    listen [::]:443 ssl http2; # Same rules as for listen [::]:80 apply.
#
upstream thin_cluster {
  server          localhost:3000;
}


    server_name www.diaspora.example.org;
   
    location / {
      return 301 https://diaspora.example.org$request_uri;
    }


#
    # SSL setup
# FIXME: specify correct value(s) for `server_name` directive and
#        correct domain name in the `rewrite` directive below
#
server {
  listen      80;
  server_name  example.com  www.example.com;
  rewrite      ^(.*) https://example.com$1 permanent;
}


#
    # This file should also include any necessary intermediate certificates.
# FIXME: specify correct value(s) for `server_name` directive and
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
#       `ssl_certificate` + `ssl_certificate_key` directives below
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
#
    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
server {
    ssl_certificate /path/to/certificate.crt;
  listen      443;
    ssl_certificate_key /path/to/private_key.key;
  server_name  example.com  www.example.com;
  ## make sure you change location if you did clone into /usr/local/app
  root        /usr/local/app/diaspora/public;


  ssl on;
    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  ssl_certificate      /path/to/cert_location;
    # You might want to make these global
  ssl_certificate_key  /path/to/key_location;
  # enable better ssl security if you like to mitigate BEAST and other exploits
  #ssl_session_cache      shared:SSL:10m;
  #ssl_session_timeout    5m;
  #ssl_protocols          TLSv1;
  #ssl_ciphers            ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
  #ssl_prefer_server_ciphers on;
  #add_header              Strict-Transport-Security max-age=500;
  #ssl_ecdh_curve          secp521r1;


  location /uploads/images {
    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
  expires 1d;
    ssl_dhparam /path/to/dhparam.pem;
  add_header Cache-Control public;
   
  }
    ssl_protocols TLSv1.2 TLSv1.3;
  location /assets {
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  expires 1d;
    ssl_prefer_server_ciphers off;
  add_header Cache-Control public;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;
   }
   }


#
  # Actual proxy
# FIXME: modify the `rewrite` directive below to point to proper S3 bucket
 
#       and path or comment out if you will store images on local file system
  server {
#
    listen [::]:443 ssl http2; # Same rules as for listen [::]:80 apply.
location / {
    server_name diaspora.example.org;
  proxy_set_header X-Real-IP $remote_addr;
    root /path/to/diaspora/public;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
  proxy_set_header Host $http_host;
    # Configure maximum picture size
  proxy_set_header X-Forwarded-Proto https;
    # Note that Diaspora has a client side check set at 4M
  proxy_redirect off;
    client_max_body_size 5M;
  client_max_body_size 4M;
    client_body_buffer_size 256K;
  client_body_buffer_size 128K;
 
    # SSL setup
 
    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;
 
    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global
 
    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /path/to/dhparam.pem;
 
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;
 
    # Proxy if requested file not found
    try_files $uri @diaspora;
 
    location /assets/ {
      expires max;
      add_header Cache-Control public;
    }
 
    # Camo support
    #location /camo/ {
    #  proxy_redirect off;
    #  proxy_pass http://camo/;
    #  break;
    #}
 
    location @diaspora {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $http_host;
      proxy_redirect off;


  if (-f $request_filename/index.html) {
      proxy_pass http://diaspora_server;
     rewrite (.*) $1/index.html break;
     }
   }
   }
   if (-f $request_filename.html) {
 
    rewrite (.*) $1.html break;
   # Proxy destination
   }
  # Add as many server directives as you want
   if (!-f $request_filename) {
   # Also takes a socket, like unix:/path/to/some/socket.sock
     proxy_pass http://thin_cluster;
   upstream diaspora_server {
    break;
     server unix:/path/to/diaspora/tmp/diaspora.sock;
   }
   }
  #if you switch to a s3 bucket you can redirect old links to the s3
  #rewrite ^/uploads/images/(.*)$ https://example.com/s3bucket/s3path/$1 permanent;
}


   error_page 500 502 503 504 /50x.html;
   # Camo support
   location = /50x.html {
   #upstream camo {
   root html;
   #  server 127.0.0.1:8081;
   }
   #}
}
}


}</pre>
# [...]
 
|lang="nginx"}}
 


[[Category:Podmin]]
[[Category:Podmin]]
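Review bot: The Let's Encrypt key path in the new inline config's comment drops the `live/` segment: `# and /etc/letsencrypt/diaspora.example.org/privkey.pem` (it appears in both 443 server blocks) should read `# and /etc/letsencrypt/live/diaspora.example.org/privkey.pem`, matching the fullchain path two lines above it. A podmin who copies the comment literally ends up pointing `ssl_certificate_key` at a file that does not exist in the certbot layout. Separately, the old revision carried a commented `#add_header Strict-Transport-Security max-age=500;` line, while the new TLS block cites the Mozilla Server Side TLS page yet has no HSTS line at all; if the omission is deliberate, a one-line comment saying so would keep the next editor from re-adding it without thinking about the max-age commitment.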

Latest revision as of 16:41, 12 June 2024

Nginx is a lightweight webserver that is an easy front end for Diaspora. This is a basic configuration for a standard pod install; you will need to scale it up as you grow. If you are running Diaspora* in production mode, you may want to comment out the "daemon off" line.

# This is not a complete Nginx configuration! It only shows the relevant parts for integrating Diaspora.
# [...]

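http {

  # Your standard server configuration goes here

  # [...]

  gzip_static on;

  # [...]

  # This vhost just redirects to HTTPS

  server {
    # If your host is not IPv6 ready use listen 80; here.
    # Add ipv6only=off to your listen directive that has default_server.
    # Or this one if this is your only vhost. Do not add it to both!
    listen [::]:80;
    server_name diaspora.example.org www.diaspora.example.org;
    
    location / {
      # $server_name is the first name listed above, so www.* requests
      # land on the bare domain as well.
      return 301 https://$server_name$request_uri;
    }
  }

  # Redirect https://www.diaspora.example.org to https://diaspora.example.org
  server {
    listen [::]:443 ssl http2;  # Same rules as for listen [::]:80 apply.

    server_name www.diaspora.example.org;
    
    location / {
      return 301 https://diaspora.example.org$request_uri;
    }

    # SSL setup

    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/live/diaspora.example.org/privkey.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;

    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global

    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /path/to/dhparam.pem;
    
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;

    # HSTS is part of the Mozilla configuration referenced above. Only enable it
    # once HTTPS works for every hostname you serve: browsers remember the
    # header for max-age seconds, so start with a short value if unsure.
    #add_header Strict-Transport-Security "max-age=63072000" always;
  }

  # Actual proxy

  server {
    listen [::]:443 ssl http2; # Same rules as for listen [::]:80 apply.
    server_name diaspora.example.org;
    root /path/to/diaspora/public;

    # Configure maximum picture size
    # Note that Diaspora has a client side check set at 4M
    client_max_body_size 5M;
    client_body_buffer_size 256K;

    # SSL setup

    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/live/diaspora.example.org/privkey.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;

    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global

    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /path/to/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;

    # HSTS is part of the Mozilla configuration referenced above. Only enable it
    # once HTTPS works for every hostname you serve: browsers remember the
    # header for max-age seconds, so start with a short value if unsure.
    #add_header Strict-Transport-Security "max-age=63072000" always;

    # Proxy if requested file not found
    try_files $uri @diaspora;

    location /assets/ {
      expires max;
      add_header Cache-Control public;
    }

    # Camo support
    #location /camo/ {
    #  proxy_redirect off;
    #  proxy_pass http://camo/;
    #  break;
    #}

    location @diaspora {
      # The application only sees these headers; it relies on them for the
      # client address and for knowing the original request was HTTPS.
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $http_host;
      proxy_redirect off;

      proxy_pass http://diaspora_server;
    }
  }

  # Proxy destination
  # Add as many server directives as you want
  # Also takes a socket, like unix:/path/to/some/socket.sock
  upstream diaspora_server {
    server unix:/path/to/diaspora/tmp/diaspora.sock;
  }

  # Camo support
  #upstream camo {
  #  server 127.0.0.1:8081;
  #}
}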

# [...]