  1. map $http_upgrade $connection_upgrade {
  2.   default upgrade;
  3.   ''      close;
  4. }
  5.  
  6. upstream backend {
  7.     server 127.0.0.1:3000 fail_timeout=0;
  8. }
  9.  
  10. upstream streaming {
  11.     server 127.0.0.1:4000 fail_timeout=0;
  12. }
  13.  
  14. proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=gk_barker_ceph_s3_cache:10m inactive=10d max_size=4g;
  15.  
  16. log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  17.                 '$status $body_bytes_sent "$http_referer" '
  18.                 '"$http_user_agent" "$http_x_forwarded_for"';
  19.  
  20. #
  21. # https://stackoverflow.com/questions/44639182/nginx-proxy-amazon-s3-resources
  22. # https://www.linode.com/docs/applications/messaging/install-mastodon-on-ubuntu-1604/
  23. #
  24. server {
  25.     listen 443 ssl http2;
  26.     listen [::]:443 ssl http2;
  27.     server_name files.drake.network;
  28.  
  29.     ssl_certificate <redacted>; # managed by Certbot
  30.     ssl_certificate_key <redacted>; # managed by Certbot
  31.  
  32.     error_log /var/log/nginx/files.drake.network.error.log;
  33.     access_log /var/log/nginx/files.drake.network.access.log main;
  34.    
  35.     set $cephbackend "https://barker.gekkofyre.net:443";
  36.  
  37.     location / {
  38.     resolver 1.1.1.1;
  39.         proxy_cache gk_barker_ceph_s3_cache;
  40.         proxy_cache_revalidate on;
  41.         proxy_buffering on;
  42.         proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  43.         proxy_cache_background_update on;
  44.         proxy_cache_lock on;
  45.         proxy_cache_valid 1d;
  46.         proxy_cache_valid 404 1h;
  47.         proxy_ignore_headers Cache-Control;
  48.         proxy_set_header Host 'barker.gekkofyre.net';
  49.         add_header X-Cached $upstream_cache_status;
  50.         proxy_pass $cephbackend/gk-drake-network-media$uri;
  51.     }
  52. }
  53.  
  54. server {
  55.   listen 80;
  56.   listen [::]:80;
  57.   server_name drake.network;
  58.   root /home/mastodon/live/public;
  59.   location /.well-known/acme-challenge/ { allow all; }
  60.   location / { return 301 https://$host$request_uri; }
  61. }
  62.  
  63. server {
  64.   listen 443 ssl http2;
  65.   listen [::]:443 ssl http2;
  66.   server_name drake.network;
  67.  
  68.   error_log /var/log/nginx/drake.network.error.log;
  69.   access_log /var/log/nginx/drake.network.access.log main;
  70.  
  71.   ssl on;
  72.   ssl_protocols TLSv1.2 TLSv1.3;
  73.   ssl_prefer_server_ciphers on;
  74.   ssl_dhparam /etc/nginx/ssl_certs/dhparam.pem;
  75.   ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  76.   ssl_ecdh_curve secp384r1;
  77.   ssl_session_timeout 10m;
  78.   ssl_session_cache shared:SSL:10m;
  79.   ssl_session_tickets off;
  80.   ssl_stapling on;
  81.   ssl_stapling_verify on;
  82.   resolver 1.1.1.1 1.0.0.1 valid=300s;
  83.   resolver_timeout 5s;
  84.   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  85.   add_header X-Frame-Options DENY;
  86.   add_header X-Content-Type-Options nosniff;
  87.   add_header X-XSS-Protection "1; mode=block";
  88.  
  89.   ssl_certificate /etc/letsencrypt/live/drake.network/fullchain.pem; # managed by Certbot
  90.   ssl_certificate_key /etc/letsencrypt/live/drake.network/privkey.pem; # managed by Certbot
  91.  
  92.   keepalive_timeout    70;
  93.   sendfile             on;
  94.   client_max_body_size 80m;
  95.  
  96.   root /home/mastodon/live/public;
  97.  
  98.   gzip on;
  99.   gzip_disable "msie6";
  100.   gzip_vary on;
  101.   gzip_proxied any;
  102.   gzip_comp_level 6;
  103.   gzip_buffers 16 8k;
  104.   gzip_http_version 1.1;
  105.   gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  106.  
  107.   add_header Strict-Transport-Security "max-age=31536000";
  108.  
  109.   location / {
  110.     try_files $uri @proxy;
  111.   }
  112.  
  113.   location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
  114.     add_header Cache-Control "public, max-age=31536000, immutable";
  115.     add_header Strict-Transport-Security "max-age=31536000";
  116.     try_files $uri @proxy;
  117.   }
  118.  
  119.   location /sw.js {
  120.     add_header Cache-Control "public, max-age=0";
  121.     add_header Strict-Transport-Security "max-age=31536000";
  122.     try_files $uri @proxy;
  123.   }
  124.  
  125.   location @proxy {
  126.     proxy_set_header Host $host;
  127.     proxy_set_header X-Real-IP $remote_addr;
  128.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  129.     proxy_set_header X-Forwarded-Proto https;
  130.     proxy_set_header Proxy "";
  131.     proxy_pass_header Server;
  132.  
  133.     proxy_pass http://backend;
  134.     proxy_buffering on;
  135.     proxy_redirect off;
  136.     proxy_http_version 1.1;
  137.     proxy_set_header Upgrade $http_upgrade;
  138.     proxy_set_header Connection $connection_upgrade;
  139.  
  140.     proxy_cache gk_barker_ceph_s3_cache;
  141.     proxy_cache_valid 200 7d;
  142.     proxy_cache_valid 410 24h;
  143.     proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  144.     add_header X-Cached $upstream_cache_status;
  145.     add_header Strict-Transport-Security "max-age=31536000";
  146.  
  147.     tcp_nodelay on;
  148.   }
  149.  
  150.   location /api/v1/streaming {
  151.     proxy_set_header Host $host;
  152.     proxy_set_header X-Real-IP $remote_addr;
  153.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  154.     proxy_set_header X-Forwarded-Proto https;
  155.     proxy_set_header Proxy "";
  156.  
  157.     proxy_pass http://streaming;
  158.     proxy_buffering off;
  159.     proxy_redirect off;
  160.     proxy_http_version 1.1;
  161.     proxy_set_header Upgrade $http_upgrade;
  162.     proxy_set_header Connection $connection_upgrade;
  163.  
  164.     tcp_nodelay on;
  165.   }
  166.  
  167.   error_page 500 501 502 503 504 /500.html;
  168. }