Advertisement
Guest User

diaspora nginx.conf

a guest
Apr 11th, 2020
33
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. user www-data;
  2. worker_processes auto;
  3. pid /run/nginx.pid;
  4. include /etc/nginx/modules-enabled/*.conf;
  5.  
  6. events {
  7. worker_connections 768;
  8. # multi_accept on;
  9. }
  10.  
  11. http {
  12.  
  13. ##
  14. # Basic Settings
  15. ##
  16.  
  17. sendfile on;
  18. tcp_nopush on;
  19. tcp_nodelay on;
  20. keepalive_timeout 65;
  21. types_hash_max_size 2048;
  22. # server_tokens off;
  23.  
  24. # server_names_hash_bucket_size 64;
  25. # server_name_in_redirect off;
  26.  
  27. include /etc/nginx/mime.types;
  28. default_type application/octet-stream;
  29.  
  30. ##
  31. # SSL Settings
  32. ##
  33.  
  34. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  35. ssl_prefer_server_ciphers on;
  36.  
  37. ##
  38. # Logging Settings
  39. ##
  40.  
  41. access_log /var/log/nginx/access.log;
  42. error_log /var/log/nginx/error.log;
  43.  
  44. ##
  45. # Gzip Settings
  46. ##
  47.  
  48. gzip on;
  49.  
  50. # gzip_vary on;
  51. # gzip_proxied any;
  52. # gzip_comp_level 6;
  53. # gzip_buffers 16 8k;
  54. # gzip_http_version 1.1;
  55. # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  56.  
  57. ##
  58. # Virtual Host Configs
  59. ##
  60.  
  61. include /etc/nginx/conf.d/*.conf;
  62. include /etc/nginx/sites-enabled/*;
  63.  
  64. server {
  65. # If your host is not IPv6 ready use listen 80; here.
  66. # Add ipv6only=off to your listen directive that has default_server.
  67. # Or this one if this is your only vhost. Do not add it to both!
  68. listen [::]:80;
  69. server_name diaspora.domain.tld www.diaspora.domain.tld;
  70.  
  71. location / {
  72. return 301 https://$server_name$request_uri;
  73. }
  74. }
  75.  
  76. # Redirect https://www.diaspora.example.org to https://diaspora.example.org
  77. server {
  78. # the below line will ONLY do ipv6
  79. #listen [::]:443 ssl; # Same rules as for listen [::]:80 apply.
  80.  
  81. # the below line will ONLY do ipv4
  82. listen *:443 ssl; # Same rules as for listen [::]:80 apply.
  83.  
  84. server_name www.diaspora.domain.tld;
  85.  
  86. location / {
  87. return 301 https://diaspora.domain.tld$request_uri;
  88. }
  89.  
  90. # SSL setup
  91.  
  92. # This file should also include any necessary intermediate certificates.
  93. # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
  94. # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
  95. # and /etc/letsencrypt/diaspora.example.org/privkey.pem
  96. ssl_certificate /home/diaspora/certs/diaspora.domain.tld.certchain.crt;
  97. ssl_certificate_key /home/diaspora/certs/diaspora.domain.tld.key;
  98.  
  99. # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  100. # You might want to make these global
  101.  
  102. # generate with openssl dhparam 2048 > /path/to/dhparam.pem
  103. #ssl_dhparam /path/to/dhparam.pem;
  104. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  105. ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
  106. ssl_session_timeout 5m;
  107. ssl_prefer_server_ciphers on;
  108. ssl_session_cache shared:SSL:50m;
  109. }
  110.  
  111. # Actual proxy
  112.  
  113. server {
  114. # the below line will ONLY do ipv6
  115. #listen [::]:443 ssl; # Same rules as for listen [::]:80 apply.
  116.  
  117. # the below line will ONLY do ipv4
  118. listen *:443 ssl; # Same rules as for listen [::]:80 apply.
  119.  
  120. server_name diaspora.domain.tld;
  121. root /home/diaspora/diaspora/public;
  122.  
  123. # Configure maximum picture size
  124. # Note that Diaspora has a client side check set at 4M
  125. client_max_body_size 5M;
  126. client_body_buffer_size 256K;
  127.  
  128. # SSL setup
  129.  
  130. # This file should also include any necessary intermediate certificates.
  131. # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
  132. # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
  133. # and /etc/letsencrypt/diaspora.example.org/privkey.pem
  134. ssl_certificate /home/diaspora/certs/diaspora.domain.tld.certchain.crt;
  135. ssl_certificate_key /home/diaspora/certs/diaspora.domain.tld.key;
  136.  
  137. # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  138. # You might want to make these global
  139.  
  140. # generate with openssl dhparam 2048 > /path/to/dhparam.pem
  141. #ssl_dhparam /path/to/dhparam.pem;
  142.  
  143. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  144. ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
  145. ssl_session_timeout 5m;
  146. ssl_prefer_server_ciphers on;
  147. ssl_session_cache shared:SSL:50m;
  148.  
  149. # Proxy if requested file not found
  150. try_files $uri @diaspora;
  151.  
  152. location /assets/ {
  153. expires max;
  154. add_header Cache-Control public;
  155. }
  156.  
  157. # Camo support
  158. #location /camo/ {
  159. # proxy_redirect off;
  160. # proxy_pass http://camo/;
  161. # break;
  162. #}
  163.  
  164. location @diaspora {
  165. proxy_set_header X-Real-IP $remote_addr;
  166. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  167. proxy_set_header X-Forwarded-Proto https;
  168. proxy_set_header Host $http_host;
  169. proxy_redirect off;
  170.  
  171. proxy_pass http://diaspora_server;
  172. }
  173. }
  174.  
  175. # Proxy destination
  176. # Add as many server directives as you want
  177. # Also takes a socket, like unix:/path/to/some/socket.sock
  178. upstream diaspora_server {
  179. server unix:/home/diaspora/diaspora/tmp/diaspora.sock;
  180. }
  181.  
  182. # Camo support
  183. #upstream camo {
  184. # server 127.0.0.1:8081;
  185. #}
  186.  
  187. }
  188.  
  189.  
  190. #mail {
  191. # # See sample authentication script at:
  192. # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
  193. #
  194. # # auth_http localhost/auth.php;
  195. # # pop3_capabilities "TOP" "USER";
  196. # # imap_capabilities "IMAP4rev1" "UIDPLUS";
  197. #
  198. # server {
  199. # listen localhost:110;
  200. # protocol pop3;
  201. # proxy on;
  202. # }
  203. #
  204. # server {
  205. # listen localhost:143;
  206. # protocol imap;
  207. # proxy on;
  208. # }
  209. #}
Advertisement
RAW Paste Data Copied
Advertisement