Nginx configuration


Nginx is a lightweight webserver that is an easy front end for Diaspora. This is a basic configuration for a standard pod install; you will need to scale it up if you grow. If you are running Diaspora* in production mode, you may want to comment out the "daemon off" line.

# This is not a complete Nginx configuration! It only shows the relevant parts for integrating Diaspora.
# [...]

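http {

  # Your standard server configuration goes here

  # [...]

  gzip_static on;

  # [...]

  # TLS parameters shared by every HTTPS vhost below. They are set once at the
  # http level so the two server blocks cannot drift apart; move them back into
  # the individual server blocks if other vhosts in this file need different
  # settings. Cipher list and options taken from
  # https://wiki.mozilla.org/Security/Server_Side_TLS

  # generate with openssl dhparam 2048 > /path/to/dhparam.pem
  ssl_dhparam /path/to/dhparam.pem;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  # Every suite above is a forward-secret AEAD suite, so letting the client
  # choose is safe and lets it pick the cipher its hardware accelerates.
  ssl_prefer_server_ciphers off;
  ssl_session_timeout 1d;
  # nginx has no built-in rotation for the session ticket key; a long-lived key
  # would weaken forward secrecy, so resumption uses the server-side cache only.
  ssl_session_tickets off;
  ssl_session_cache shared:SSL:50m;

  # Optional: OCSP stapling saves clients a round trip to the CA. It needs the
  # CA chain in ssl_trusted_certificate and a resolver directive, e.g.
  #   ssl_stapling on;
  #   ssl_stapling_verify on;
  #   ssl_trusted_certificate /path/to/chain.pem;

  # This vhost just redirects to HTTPS

  server {
    # If your host is not IPv6 ready use listen 80; here.
    # Add ipv6only=off to your listen directive that has default_server.
    # Or this one if this is your only vhost. Do not add it to both!
    listen [::]:80;
    server_name diaspora.example.org www.diaspora.example.org;

    location / {
      # $server_name is the first name of the server_name directive above, so
      # the redirect target is fixed by this file and not taken from the
      # client-supplied Host header (which $host would use).
      return 301 https://$server_name$request_uri;
    }
  }

  # Redirect https://www.diaspora.example.org to https://diaspora.example.org
  server {
    # Same rules as for listen [::]:80 apply.
    # On nginx 1.25.1 and later the http2 listen parameter is deprecated in
    # favour of a separate "http2 on;" directive.
    listen [::]:443 ssl http2;

    server_name www.diaspora.example.org;

    # The certificate must cover the www name as well, otherwise browsers
    # reject the connection before the redirect is ever sent.
    # The file should also include any necessary intermediate certificates.
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/live/diaspora.example.org/privkey.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;

    # HSTS: tell browsers to use HTTPS for this host for two years. Only enable
    # once HTTPS works for every name, because browsers will refuse plain HTTP
    # for the whole max-age afterwards. "always" keeps the header on 3xx/4xx
    # responses such as the redirect below.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
      return 301 https://diaspora.example.org$request_uri;
    }
  }

  # Actual proxy

  server {
    listen [::]:443 ssl http2; # Same rules as for listen [::]:80 apply.
    server_name diaspora.example.org;
    root /path/to/diaspora/public;

    # Configure maximum picture size
    # Note that Diaspora has a client side check set at 4M
    client_max_body_size 5M;
    client_body_buffer_size 256K;

    # SSL setup

    # This file should also include any necessary intermediate certificates.
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/live/diaspora.example.org/privkey.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;

    # HSTS for the pod itself; see the note on the www vhost before enabling.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Proxy if requested file not found
    try_files $uri @diaspora;

    location /assets/ {
      expires max;
      add_header Cache-Control public;
      # add_header is NOT inherited once a location defines its own add_header,
      # so the HSTS header has to be repeated here or asset responses lose it.
      add_header Strict-Transport-Security "max-age=63072000" always;
    }

    # Camo support
    #location /camo/ {
    #  proxy_redirect off;
    #  proxy_pass http://camo/;
    #  break;
    #}

    location @diaspora {
      # The application trusts these headers for client IP and scheme, so the
      # upstream below must only be reachable through this proxy.
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $http_host;
      proxy_redirect off;

      proxy_pass http://diaspora_server;
    }
  }

  # Proxy destination
  # Add as many server directives as you want
  # Also takes a socket, like unix:/path/to/some/socket.sock
  upstream diaspora_server {
    server unix:/path/to/diaspora/tmp/diaspora.sock;
  }

  # Camo support
  #upstream camo {
  #  server 127.0.0.1:8081;
  #}
}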

# [...]