Update nginx

2023-12-04 08:53:51 +02:00 · 2023-12-04 08:53:51 +02:00 · 77bb746980
parent 1174971f58
commit 77bb746980
3 changed files with 48 additions and 18 deletions
--- a/etc/nginx/conf.d/lemmy.conf
+++ b/etc/nginx/conf.d/lemmy.conf
@ -1,22 +1,35 @@
 limit_req_zone $binary_remote_addr zone=lemmy.altesq.net_ratelimit:10m rate=1r/s;

 server {
-    server_name lemmy.altesq.net;
+        server_name lemmy.altesq.net;
+        server_tokens off;

-    add_header Referrer-Policy "same-origin";
-    add_header X-Content-Type-Options "nosniff";
-    add_header X-Frame-Options "DENY";
-    add_header X-XSS-Protection "1; mode=block";
+        # Upload limit, relevant for pictrs
+        client_max_body_size 20M;
+
+        # Send actual client IP upstream
+        include proxy_params;
+
+        # frontend general requests
+	location / {
+            proxy_pass $proxpass;
+            rewrite ^(.+)/+$ $1 permanent;
+        }
+
+        # security.txt
+        location = /.well-known/security.txt {
+            proxy_pass "http://localhost:1234";
+        }
+
+        # backend
+        location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known|version|sitemap.xml) {
+            proxy_pass "http://localhost:8536";
+
+            # Send actual client IP upstream
+            include proxy_params;
+        }
+    

-    location / {
-      proxy_pass http://0.0.0.0:1236;
-      proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "upgrade";
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }


    listen 443 ssl; # managed by Certbot
@ -28,15 +41,16 @@ server {
 }


+
 server {
    if ($host = lemmy.altesq.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


-    server_name lemmy.altesq.net;
+        server_name lemmy.altesq.net;
    listen 80;
    return 404; # managed by Certbot


-}
+}
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@ -56,6 +56,23 @@ http {
 	gzip_http_version 1.1;
 	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

+
+	    map "$request_method:$http_accept" $proxpass {
+        # If no explicit matches exists below, send traffic to lemmy-ui
+        default "http://localhost:1234";
+
+        # GET/HEAD requests that accepts ActivityPub or Linked Data JSON should go to lemmy.
+        #
+        # These requests are used by Mastodon and other fediverse instances to look up profile information,
+        # discover site information and so on.
+        "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://localhost:8536";
+
+        # All non-GET/HEAD requests should go to lemmy
+        #
+        # Rather than calling out POST, PUT, DELETE, PATCH, CONNECT and all the verbs manually
+        # we simply negate the GET|HEAD pattern from above and accept all possibly $http_accept values
+        "~^(?!(GET|HEAD)).*:" "http://localhost:8536";
+    }
 	##
 	# Virtual Host Configs
 	##
@ -84,4 +101,3 @@ http {
 #		protocol   imap;
 #		proxy      on;
 #	}
-#}
--- a/etc/nginx/sites-available/default
+++ b/etc/nginx/sites-available/default
@ -106,4 +106,4 @@ server {
    return 404; # managed by Certbot


-}
+}