
diaspora nginx.conf

# Worker processes run as this unprivileged account; the master process keeps
# the privileges it was started with (it needs them to bind :80 and :443).
user www-data;
# One worker per CPU core.
worker_processes auto;
pid /run/nginx.pid;
# Debian puts its load_module lines under modules-enabled; keep this include
# at the top so modules are loaded before the directives that need them.
include /etc/nginx/modules-enabled/*.conf;
  5.  
events {
    # Per-worker cap on simultaneous connections (client and upstream sockets
    # both count); the global ceiling is this times worker_processes.
    worker_connections 768;
    # multi_accept on;
}
  10.  
  11. http {
  12.  
  13. ##
  14. # Basic Settings
  15. ##
  16.  
  17. sendfile on;
  18. tcp_nopush on;
  19. tcp_nodelay on;
  20. keepalive_timeout 65;
  21. types_hash_max_size 2048;
  22. # server_tokens off;
  23.  
  24. # server_names_hash_bucket_size 64;
  25. # server_name_in_redirect off;
  26.  
  27. include /etc/nginx/mime.types;
  28. default_type application/octet-stream;
  29.  
  30. ##
  31. # SSL Settings
  32. ##
  33.  
  34. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  35. ssl_prefer_server_ciphers on;
  36.  
  37. ##
  38. # Logging Settings
  39. ##
  40.  
  41. access_log /var/log/nginx/access.log;
  42. error_log /var/log/nginx/error.log;
  43.  
  44. ##
  45. # Gzip Settings
  46. ##
  47.  
  48. gzip on;
  49.  
  50. # gzip_vary on;
  51. # gzip_proxied any;
  52. # gzip_comp_level 6;
  53. # gzip_buffers 16 8k;
  54. # gzip_http_version 1.1;
  55. # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  56.  
  57. ##
  58. # Virtual Host Configs
  59. ##
  60.  
  61. include /etc/nginx/conf.d/*.conf;
  62. include /etc/nginx/sites-enabled/*;
  63.  
  64. server {
  65. # If your host is not IPv6 ready use listen 80; here.
  66. # Add ipv6only=off to your listen directive that has default_server.
  67. # Or this one if this is your only vhost. Do not add it to both!
  68. listen [::]:80;
  69. server_name diaspora.domain.tld www.diaspora.domain.tld;
  70.  
  71. location / {
  72. return 301 https://$server_name$request_uri;
  73. }
  74. }
  75.  
  76. # Redirect https://www.diaspora.example.org to https://diaspora.example.org
  77. server {
  78. # the below line will ONLY do ipv6
  79. #listen [::]:443 ssl; # Same rules as for listen [::]:80 apply.
  80.  
  81. # the below line will ONLY do ipv4
  82. listen *:443 ssl; # Same rules as for listen [::]:80 apply.
  83.  
  84. server_name www.diaspora.domain.tld;
  85.  
  86. location / {
  87. return 301 https://diaspora.domain.tld$request_uri;
  88. }
  89.  
  90. # SSL setup
  91.  
  92. # This file should also include any necessary intermediate certificates.
  93. # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
  94. # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
  95. # and /etc/letsencrypt/diaspora.example.org/privkey.pem
  96. ssl_certificate /home/diaspora/certs/diaspora.domain.tld.certchain.crt;
  97. ssl_certificate_key /home/diaspora/certs/diaspora.domain.tld.key;
  98.  
  99. # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  100. # You might want to make these global
  101.  
  102. # generate with openssl dhparam 2048 > /path/to/dhparam.pem
  103. #ssl_dhparam /path/to/dhparam.pem;
  104. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  105. ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
  106. ssl_session_timeout 5m;
  107. ssl_prefer_server_ciphers on;
  108. ssl_session_cache shared:SSL:50m;
  109. }
  110.  
  111. # Actual proxy
  112.  
  113. server {
  114. # the below line will ONLY do ipv6
  115. #listen [::]:443 ssl; # Same rules as for listen [::]:80 apply.
  116.  
  117. # the below line will ONLY do ipv4
  118. listen *:443 ssl; # Same rules as for listen [::]:80 apply.
  119.  
  120. server_name diaspora.domain.tld;
  121. root /home/diaspora/diaspora/public;
  122.  
  123. # Configure maximum picture size
  124. # Note that Diaspora has a client side check set at 4M
  125. client_max_body_size 5M;
  126. client_body_buffer_size 256K;
  127.  
  128. # SSL setup
  129.  
  130. # This file should also include any necessary intermediate certificates.
  131. # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
  132. # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
  133. # and /etc/letsencrypt/diaspora.example.org/privkey.pem
  134. ssl_certificate /home/diaspora/certs/diaspora.domain.tld.certchain.crt;
  135. ssl_certificate_key /home/diaspora/certs/diaspora.domain.tld.key;
  136.  
  137. # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  138. # You might want to make these global
  139.  
  140. # generate with openssl dhparam 2048 > /path/to/dhparam.pem
  141. #ssl_dhparam /path/to/dhparam.pem;
  142.  
  143. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  144. ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
  145. ssl_session_timeout 5m;
  146. ssl_prefer_server_ciphers on;
  147. ssl_session_cache shared:SSL:50m;
  148.  
  149. # Proxy if requested file not found
  150. try_files $uri @diaspora;
  151.  
  152. location /assets/ {
  153. expires max;
  154. add_header Cache-Control public;
  155. }
  156.  
  157. # Camo support
  158. #location /camo/ {
  159. # proxy_redirect off;
  160. # proxy_pass http://camo/;
  161. # break;
  162. #}
  163.  
  164. location @diaspora {
  165. proxy_set_header X-Real-IP $remote_addr;
  166. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  167. proxy_set_header X-Forwarded-Proto https;
  168. proxy_set_header Host $http_host;
  169. proxy_redirect off;
  170.  
  171. proxy_pass http://diaspora_server;
  172. }
  173. }
  174.  
  175. # Proxy destination
  176. # Add as many server directives as you want
  177. # Also takes a socket, like unix:/path/to/some/socket.sock
  178. upstream diaspora_server {
  179. server unix:/home/diaspora/diaspora/tmp/diaspora.sock;
  180. }
  181.  
  182. # Camo support
  183. #upstream camo {
  184. # server 127.0.0.1:8081;
  185. #}
  186.  
  187. }
  188.  
  189.  
  190. #mail {
  191. # # See sample authentication script at:
  192. # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
  193. #
  194. # # auth_http localhost/auth.php;
  195. # # pop3_capabilities "TOP" "USER";
  196. # # imap_capabilities "IMAP4rev1" "UIDPLUS";
  197. #
  198. # server {
  199. # listen localhost:110;
  200. # protocol pop3;
  201. # proxy on;
  202. # }
  203. #
  204. # server {
  205. # listen localhost:143;
  206. # protocol imap;
  207. # proxy on;
  208. # }
  209. #}