~jadedctrl/jam-xwx-moe
~jadedctrl/jam-xwx-moe/nginx/pleroma.conf
..
| 0 | # default nginx site config for Pleroma |
| 1 | # |
| 2 | # Simple installation instructions: |
| 3 | # 1. Install your TLS certificate, possibly using Let's Encrypt. |
| 4 | # 2. Replace 'example.tld' with your instance's domain wherever it appears. |
| 5 | # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it |
| 6 | # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. |
| 7 | |
| 8 | proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g |
| 9 | inactive=720m use_temp_path=off; |
| 10 | |
| 11 | # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only |
| 12 | # and `localhost.` resolves to [::0] on some systems: see issue #930 |
| 13 | upstream phoenix { |
| 14 | server 127.0.0.1:4000 max_fails=5 fail_timeout=60s; |
| 15 | } |
| 16 | |
| 17 | server { |
| 18 | if ($host = jam.xwx.moe) { |
| 19 | return 301 https://$host$request_uri; |
| 20 | } # managed by Certbot |
| 21 | |
| 22 | root /srv/http/jam.xwx.moe/; |
| 23 | error_page 403 /x_x/404.html; |
| 24 | error_page 404 /x_x/404.html; |
| 25 | error_page 502 /x_x/404.html; |
| 26 | |
| 27 | |
| 28 | server_name jam.xwx.moe; |
| 29 | |
| 30 | listen 80; |
| 31 | listen [::]:80; |
| 32 | |
| 33 | # Uncomment this if you need to use the 'webroot' method with certbot. Make sure |
| 34 | # that the directory exists and that it is accessible by the webserver. If you followed |
| 35 | # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder. |
| 36 | # You may need to load this file with the ssl server block commented out, run certbot |
| 37 | # to get the certificate, and then uncomment it. |
| 38 | # |
| 39 | # location ~ /\.well-known/acme-challenge { |
| 40 | # root /var/lib/letsencrypt/; |
| 41 | # } |
| 42 | location / { |
| 43 | return 301 https://$server_name$request_uri; |
| 44 | } |
| 45 | |
| 46 | |
| 47 | } |
| 48 | |
| 49 | # Enable SSL session caching for improved performance |
| 50 | ssl_session_cache shared:ssl_session_cache:10m; |
| 51 | |
| 52 | server { |
| 53 | server_name jam.xwx.moe; |
| 54 | |
| 55 | root /srv/http/jam.xwx.moe/; |
| 56 | error_page 404 /x_x/404.html; |
| 57 | error_page 502 /x_x/502.html; |
| 58 | |
| 59 | listen 443 ssl http2; |
| 60 | listen [::]:443 ssl http2; |
| 61 | ssl_session_timeout 1d; |
| 62 | ssl_session_cache shared:MozSSL:10m; # about 40000 sessions |
| 63 | ssl_session_tickets off; |
| 64 | |
| 65 | ssl_trusted_certificate /etc/letsencrypt/live/coinsh.red-0004/chain.pem; |
| 66 | ssl_certificate /etc/letsencrypt/live/coinsh.red-0004/fullchain.pem; # managed by Certbot |
| 67 | ssl_certificate_key /etc/letsencrypt/live/coinsh.red-0004/privkey.pem; # managed by Certbot |
| 68 | |
| 69 | ssl_protocols TLSv1.2 TLSv1.3; |
| 70 | ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; |
| 71 | ssl_prefer_server_ciphers off; |
| 72 | # In case of an old server with an OpenSSL version of 1.0.2 or below, |
| 73 | # leave only prime256v1 or comment out the following line. |
| 74 | ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; |
| 75 | ssl_stapling on; |
| 76 | ssl_stapling_verify on; |
| 77 | |
| 78 | gzip_vary on; |
| 79 | gzip_proxied any; |
| 80 | gzip_comp_level 6; |
| 81 | gzip_buffers 16 8k; |
| 82 | gzip_http_version 1.1; |
| 83 | gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; |
| 84 | |
| 85 | # the nginx default is 1m, not enough for large media uploads |
| 86 | client_max_body_size 16m; |
| 87 | ignore_invalid_headers off; |
| 88 | |
| 89 | proxy_http_version 1.1; |
| 90 | proxy_set_header Upgrade $http_upgrade; |
| 91 | proxy_set_header Connection "upgrade"; |
| 92 | proxy_set_header Host $http_host; |
| 93 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 94 | |
| 95 | location / { |
| 96 | proxy_pass http://phoenix; |
| 97 | } |
| 98 | |
| 99 | location /x_x/ { |
| 100 | root /srv/http/jam.xwx.moe/; |
| 101 | } |
| 102 | |
| 103 | include /etc/nginx/conf.d/bildosignaj_alidirektigoj.conf |
| 104 | |
| 105 | location ~ '^/paĝoj(/)*$' { |
| 106 | rewrite '^/paĝoj' '/static/paĝoj-index/index.html'; |
| 107 | } |
| 108 | |
| 109 | location ~ '^/paĝoj/(.*)' { |
| 110 | rewrite '^/paĝoj/(.*)' '/static/paĝoj-index/$1.html'; |
| 111 | } |
| 112 | |
| 113 | # Uncomment this if you want notice compatibility routes for frontends like Soapbox. |
| 114 | # location ~ ^/@[^/]+/([^/]+)$ { |
| 115 | # proxy_pass http://phoenix/notice/$1; |
| 116 | # } |
| 117 | # |
| 118 | # location ~ ^/@[^/]+/posts/([^/]+)$ { |
| 119 | # proxy_pass http://phoenix/notice/$1; |
| 120 | # } |
| 121 | # |
| 122 | # location ~ ^/[^/]+/status/([^/]+)$ { |
| 123 | # proxy_pass http://phoenix/notice/$1; |
| 124 | # } |
| 125 | |
| 126 | location ~ ^/(media|proxy) { |
| 127 | proxy_cache pleroma_media_cache; |
| 128 | slice 1m; |
| 129 | proxy_cache_key $host$uri$is_args$args$slice_range; |
| 130 | proxy_set_header Range $slice_range; |
| 131 | proxy_cache_valid 200 206 301 304 1h; |
| 132 | proxy_cache_lock on; |
| 133 | proxy_ignore_client_abort on; |
| 134 | proxy_buffering on; |
| 135 | chunked_transfer_encoding on; |
| 136 | proxy_pass http://phoenix; |
| 137 | } |
| 138 | |
| 139 | } |
| 140 | |
| 141 | |
| 142 | server { |
| 143 | server_name ujo.jam.xwx.moe; |
| 144 | listen 443 ssl http2; |
| 145 | listen [::]:443 ssl http2; |
| 146 | |
| 147 | root /srv/http/jam.xwx.moe/; |
| 148 | error_page 404 /x_x/404.html; |
| 149 | error_page 502 /x_x/404.html; |
| 150 | |
| 151 | ssl_session_timeout 1d; |
| 152 | ssl_session_cache shared:MozSSL:10m; # about 40000 sessions |
| 153 | ssl_session_tickets off; |
| 154 | |
| 155 | ssl_trusted_certificate /etc/letsencrypt/live/coinsh.red-0004/chain.pem; |
| 156 | ssl_certificate /etc/letsencrypt/live/coinsh.red-0004/fullchain.pem; # managed by Certbot |
| 157 | ssl_certificate_key /etc/letsencrypt/live/coinsh.red-0004/privkey.pem; # managed by Certbot |
| 158 | |
| 159 | ssl_protocols TLSv1.2 TLSv1.3; |
| 160 | ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; |
| 161 | ssl_prefer_server_ciphers off; |
| 162 | # In case of an old server with an OpenSSL version of 1.0.2 or below, |
| 163 | # leave only prime256v1 or comment out the following line. |
| 164 | ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; |
| 165 | ssl_stapling on; |
| 166 | ssl_stapling_verify on; |
| 167 | |
| 168 | gzip_vary on; |
| 169 | gzip_proxied any; |
| 170 | gzip_comp_level 6; |
| 171 | gzip_buffers 16 8k; |
| 172 | gzip_http_version 1.1; |
| 173 | gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; |
| 174 | |
| 175 | proxy_http_version 1.1; |
| 176 | proxy_set_header Upgrade $http_upgrade; |
| 177 | proxy_set_header Connection "upgrade"; |
| 178 | proxy_set_header Host $http_host; |
| 179 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 180 | |
| 181 | location ~ ^/(media|proxy) { |
| 182 | proxy_cache pleroma_media_cache; |
| 183 | slice 1m; |
| 184 | proxy_cache_key $host$uri$is_args$args$slice_range; |
| 185 | proxy_set_header Range $slice_range; |
| 186 | proxy_cache_valid 200 206 301 304 1h; |
| 187 | proxy_cache_lock on; |
| 188 | proxy_ignore_client_abort on; |
| 189 | proxy_buffering on; |
| 190 | chunked_transfer_encoding on; |
| 191 | proxy_pass http://phoenix; |
| 192 | } |
| 193 | } |
| 194 | |