Pleroma/installation/pleroma.nginx

# default nginx site config for Pleroma
#
# Simple installation instructions:
# 1. Install your TLS certificate, possibly using Let's Encrypt.
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.

proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;

server {
    server_name    example.tld;

    listen         80;
    listen         [::]:80;

    # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
    # that the directory exists and that it is accessible by the webserver. If you followed
    # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
    # You may need to load this file with the ssl server block commented out, run certbot
    # to get the certificate, and then uncomment it.
    #
    # location ~ /\.well-known/acme-challenge {
    #     root /var/lib/letsencrypt/;
    # }
    location / {
      return         301 https://$server_name$request_uri;
    }
}

# Enable SSL session caching for improved performance
ssl_session_cache shared:ssl_session_cache:10m;

server {
    server_name example.tld;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_trusted_certificate   /etc/letsencrypt/live/example.tld/chain.pem;
    ssl_certificate           /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/example.tld/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers off;
    # In case of an old server with an OpenSSL version of 1.0.2 or below,
    # leave only prime256v1 or comment out the following line.
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
        # and `localhost.` resolves to [::0] on some systems: see issue #930
        proxy_pass http://127.0.0.1:4000;

        client_max_body_size 16m;
    }

    location ~ ^/(media|proxy) {
        proxy_cache        pleroma_media_cache;
        slice              1m;
        proxy_cache_key    $host$uri$is_args$args$slice_range;
        proxy_set_header   Range $slice_range;
        proxy_http_version 1.1;
        proxy_cache_valid  200 206 301 304 1h;
        proxy_cache_lock   on;
        proxy_ignore_client_abort on;
        proxy_buffering    on;
        chunked_transfer_encoding on;
        proxy_pass         http://127.0.0.1:4000;
    }
}
Fix max upload size in nginx config. The built-in nginx default does not allow users to upload images larger than 1 MB. This increases the maximum request size to match the default Pleroma config upload_limit parameter. Some helpful comments were also added. 2018-04-08 17:15:04 +02:00			`# default nginx site config for Pleroma`
			`#`
			`# Simple installation instructions:`
			`# 1. Install your TLS certificate, possibly using Let's Encrypt.`
Use example.tld so a single search and replace works 2018-11-04 14:06:18 +01:00			`# 2. Replace 'example.tld' with your instance's domain wherever it appears.`
Fix max upload size in nginx config. The built-in nginx default does not allow users to upload images larger than 1 MB. This increases the maximum request size to match the default Pleroma config upload_limit parameter. Some helpful comments were also added. 2018-04-08 17:15:04 +02:00			`# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it`
Add info about certbot with the webroot plugin to pleroma.nginx 2018-04-21 00:43:49 +02:00			`# in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.`
Fix max upload size in nginx config. The built-in nginx default does not allow users to upload images larger than 1 MB. This increases the maximum request size to match the default Pleroma config upload_limit parameter. Some helpful comments were also added. 2018-04-08 17:15:04 +02:00
nginx sample config, quickly tested 2017-12-11 02:40:19 +01:00			`proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g`
			`inactive=720m use_temp_path=off;`

First attempt at installation documentation 2017-08-08 01:41:36 +02:00			`server {`
Use example.tld so a single search and replace works 2018-11-04 14:06:18 +01:00			`server_name example.tld;`
need to put back ipv4 listen instruct 2019-02-26 17:41:37 +01:00
			`listen 80;`
Add ipv6 handling to pleroma.nginx Replaces `listen 80` with `listen [::]:80`, same with 443 2019-02-26 05:37:46 +01:00			`listen [::]:80;`
Add info about certbot with the webroot plugin to pleroma.nginx 2018-04-21 00:43:49 +02:00
			`# Uncomment this if you need to use the 'webroot' method with certbot. Make sure`
Recommend the acme-challenge path that is used in the installation guides 2019-02-09 23:08:27 +01:00			`# that the directory exists and that it is accessible by the webserver. If you followed`
Remove sudo in the nginx config command example 2019-06-23 06:39:23 +02:00			`# the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.`
Recommend the acme-challenge path that is used in the installation guides 2019-02-09 23:08:27 +01:00			`# You may need to load this file with the ssl server block commented out, run certbot`
			`# to get the certificate, and then uncomment it.`
Add info about certbot with the webroot plugin to pleroma.nginx 2018-04-21 00:43:49 +02:00			`#`
			`# location ~ /\.well-known/acme-challenge {`
Fix the webroot method in the nginx config 2019-06-22 19:26:59 +02:00			`# root /var/lib/letsencrypt/;`
Add info about certbot with the webroot plugin to pleroma.nginx 2018-04-21 00:43:49 +02:00			`# }`
Fix nginx webroot method config 2019-06-21 04:46:21 +02:00			`location / {`
			`return 301 https://$server_name$request_uri;`
			`}`
First attempt at installation documentation 2017-08-08 01:41:36 +02:00			`}`

Security upgrades: * Removed TLSv1 and TLSv1.1 * Added OCSP Stapling * Added SSL Cache * Changed ciphers * Specified ECDH curves 2018-06-12 00:56:54 +02:00			`# Enable SSL session caching for improved performance`
			`ssl_session_cache shared:ssl_session_cache:10m;`

First attempt at installation documentation 2017-08-08 01:41:36 +02:00			`server {`
need to put back ipv4 listen instruct 2019-02-26 17:41:37 +01:00			`server_name example.tld;`

			`listen 443 ssl http2;`
Add ipv6 handling to pleroma.nginx Replaces `listen 80` with `listen [::]:80`, same with 443 2019-02-26 05:37:46 +01:00			`listen [::]:443 ssl http2;`
Update pleroma.nginx to support TLSv1.3 Based on SSL config from https://ssl-config.mozilla.org/ 2020-06-12 03:41:09 +02:00			`ssl_session_timeout 1d;`
			`ssl_session_cache shared:MozSSL:10m; # about 40000 sessions`
			`ssl_session_tickets off;`
First attempt at installation documentation 2017-08-08 01:41:36 +02:00
ssl_trusted_certificate should point to chain.pem if we're demonstrating LetsEncrypt: https://community.letsencrypt.org/t/howto-ocsp-stapling-for-nginx/13611/5 2019-03-31 18:58:28 +02:00			`ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem;`
Use example.tld so a single search and replace works 2018-11-04 14:06:18 +01:00			`ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;`
First attempt at installation documentation 2017-08-08 01:41:36 +02:00
Update pleroma.nginx to support TLSv1.3 Based on SSL config from https://ssl-config.mozilla.org/ 2020-06-12 03:41:09 +02:00			`ssl_protocols TLSv1.2 TLSv1.3;`
Security upgrades: * Removed TLSv1 and TLSv1.1 * Added OCSP Stapling * Added SSL Cache * Changed ciphers * Specified ECDH curves 2018-06-12 00:56:54 +02:00			`ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";`
Update pleroma.nginx to support TLSv1.3 Based on SSL config from https://ssl-config.mozilla.org/ 2020-06-12 03:41:09 +02:00			`ssl_prefer_server_ciphers off;`
Add comment about TLS curves for older servers. 2018-06-16 20:14:05 +02:00			`# In case of an old server with an OpenSSL version of 1.0.2 or below,`
			`# leave only prime256v1 or comment out the following line.`
Security upgrades: * Removed TLSv1 and TLSv1.1 * Added OCSP Stapling * Added SSL Cache * Changed ciphers * Specified ECDH curves 2018-06-12 00:56:54 +02:00			`ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
Use the server name as variable 2018-11-03 23:41:37 +01:00
Fix max upload size in nginx config. The built-in nginx default does not allow users to upload images larger than 1 MB. This increases the maximum request size to match the default Pleroma config upload_limit parameter. Some helpful comments were also added. 2018-04-08 17:15:04 +02:00			`gzip_vary on;`
			`gzip_proxied any;`
			`gzip_comp_level 6;`
			`gzip_buffers 16 8k;`
			`gzip_http_version 1.1;`
			`gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;`

			`# the nginx default is 1m, not enough for large media uploads`
			`client_max_body_size 16m;`

First attempt at installation documentation 2017-08-08 01:41:36 +02:00			`location / {`
Add websocket upgrade to example nginx config. 2017-12-07 19:07:51 +01:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
Update pleroma.nginx 2018-03-08 19:00:59 +01:00			`proxy_set_header Host $http_host;`
Add `remote_ip` plug 2019-09-27 23:59:23 +02:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Update pleroma.nginx 2018-03-08 19:00:59 +01:00
Fix missing changes in pleroma/pleroma!1197 2019-08-30 14:00:50 +02:00			`# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only`
			# and `localhost.` resolves to [::0] on some systems: see issue #930
explicitly set reverse proxy upstream to IPv4 since Pleroma.Web.Endpoint binds on IPv4 only and `localhost.` resolves to [::0] on some systems fixes #930. 2019-05-23 23:33:27 +02:00			`proxy_pass http://127.0.0.1:4000;`
Fix max upload size in nginx config. The built-in nginx default does not allow users to upload images larger than 1 MB. This increases the maximum request size to match the default Pleroma config upload_limit parameter. Some helpful comments were also added. 2018-04-08 17:15:04 +02:00
			`client_max_body_size 16m;`
First attempt at installation documentation 2017-08-08 01:41:36 +02:00			`}`
nginx sample config, quickly tested 2017-12-11 02:40:19 +01:00
reverse_proxy: more headers 2018-11-23 23:59:24 +01:00			`location ~ ^/(media\|proxy) {`
Fix missing changes in pleroma/pleroma!1197 2019-08-30 14:00:50 +02:00			`proxy_cache pleroma_media_cache;`
Update proxy config to improve behavior and allow compatibility with Safari on MacOS and iOS 2018-12-12 18:31:47 +01:00			`slice 1m;`
			`proxy_cache_key $host$uri$is_args$args$slice_range;`
			`proxy_set_header Range $slice_range;`
			`proxy_http_version 1.1;`
			`proxy_cache_valid 200 206 301 304 1h;`
Fix missing changes in pleroma/pleroma!1197 2019-08-30 14:00:50 +02:00			`proxy_cache_lock on;`
Update pleroma.nginx proxy_ignore_client_abort will continue to fetch from upstream even if a client aborts the connection. This is highly recommended when cache is being used. If a client leaves/refreshes the page while a user's avatar or some other media is halfway loaded, the cached copy might in some cases be broken. Leaving future requests to the same URL broken until cache expires. 2018-05-28 12:36:27 +02:00			`proxy_ignore_client_abort on;`
Fix missing changes in pleroma/pleroma!1197 2019-08-30 14:00:50 +02:00			`proxy_buffering on;`
reverse_proxy: more headers 2018-11-23 23:59:24 +01:00			`chunked_transfer_encoding on;`
Fix missing changes in pleroma/pleroma!1197 2019-08-30 14:00:50 +02:00			`proxy_pass http://127.0.0.1:4000;`
nginx sample config, quickly tested 2017-12-11 02:40:19 +01:00			`}`
			`}`