
Untitled

a guest
Nov 5th, 2023
  1. map $http_upgrade $connection_upgrade {
  2. default upgrade;
  3. '' close;
  4. }
  6. upstream backend {
  7. server 127.0.0.1:3000 fail_timeout=0;
  8. }
  10. upstream streaming {
  11. server 127.0.0.1:4000 fail_timeout=0;
  12. }
  14. proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
  16. server {
  17. listen 80;
  18. listen [::]:80;
  19. server_name example.com;
  20. root /home/<USERNAME>/mastodon/public;
  21. location /.well-known/acme-challenge/ { allow all; }
  22. location / { return 301 https://$host$request_uri; }
  23. }
  25. server {
  26. # I've initially added --redirect flag to certbot
  27. # if ($host = expacahn.dedyn.io) {
  28. # return 301 https://$host$request_uri;
  29. # } # managed by Certbot
  30.  
  31. listen 443 ssl http2;
  32. listen [::]:443 ssl ipv6only=on http2;
  33. server_name example.com;
  34.  
  35. ssl_certificate /etc/letsencrypt/live/expacahn.dedyn.io/fullchain.pem; # managed by Certbot
  36. ssl_certificate_key /etc/letsencrypt/live/expacahn.dedyn.io/privkey.pem; # managed by Certbot
  37. include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  38. ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  39.  
  40. add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
  41.  
  42. ssl_trusted_certificate /etc/letsencrypt/live/expacahn.dedyn.io/chain.pem; # managed by Certbot
  43. ssl_stapling on; # managed by Certbot
  44. ssl_stapling_verify on; # managed by Certbot
  45.  
  46. keepalive_timeout 70;
  47. sendfile on;
  48. client_max_body_size 80m;
  49.  
  50. root /home/<USERNAME>/mastodon/public;
  51.  
  52. gzip on;
  53. gzip_disable "msie6";
  54. gzip_vary on;
  55. gzip_proxied any;
  56. gzip_comp_level 6;
  57. gzip_buffers 16 8k;
  58. gzip_http_version 1.1;
  59. gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
  60.  
  61. location / {
  62. try_files $uri @proxy;
  63. }
  64.  
  65. # If Docker is used for deployment and Rails serves static files,
  66. # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
  67. location = /sw.js {
  68. add_header Cache-Control "public, max-age=604800, must-revalidate";
  69. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  70. try_files $uri @proxy;
  71. }
  72.  
  73. location ~ ^/assets/ {
  74. add_header Cache-Control "public, max-age=2419200, must-revalidate";
  75. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  76. try_files $uri @proxy;
  77. }
  78.  
  79. location ~ ^/avatars/ {
  80. add_header Cache-Control "public, max-age=2419200, must-revalidate";
  81. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  82. try_files $uri @proxy;
  83. }
  84.  
  85. location ~ ^/emoji/ {
  86. add_header Cache-Control "public, max-age=2419200, must-revalidate";
  87. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  88. try_files $uri @proxy;
  89. }
  90.  
  91. location ~ ^/headers/ {
  92. add_header Cache-Control "public, max-age=2419200, must-revalidate";
  93. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  94. try_files $uri @proxy;
  95. }
  96.  
  97. location ~ ^/packs/ {
  98. add_header Cache-Control "public, max-age=2419200, must-revalidate";
  99. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  100. try_files $uri @proxy;
  101. }
  102.  
  103. location ~ ^/shortcuts/ {
  104. add_header Cache-Control "public, max-age=2419200, must-revalidate";
  105. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  106. try_files $uri @proxy;
  107. }
  108.  
  109. location ~ ^/sounds/ {
  110. add_header Cache-Control "public, max-age=2419200, must-revalidate";
  111. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  112. try_files $uri @proxy;
  113. }
  114.  
  115. location ~ ^/system/ {
  116. add_header Cache-Control "public, max-age=2419200, immutable";
  117. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  118. try_files $uri @proxy;
  119. }
  120.  
  121. location ^~ /api/v1/streaming {
  122. proxy_set_header Host $host;
  123. proxy_set_header X-Real-IP $remote_addr;
  124. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  125. proxy_set_header X-Forwarded-Proto $scheme;
  126. proxy_set_header Proxy "";
  127.  
  128. proxy_pass http://streaming;
  129. proxy_buffering off;
  130. proxy_redirect off;
  131. proxy_http_version 1.1;
  132. proxy_set_header Upgrade $http_upgrade;
  133. proxy_set_header Connection $connection_upgrade;
  134.  
  135. add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  136.  
  137. tcp_nodelay on;
  138. }
  139.  
  140. location @proxy {
  141. proxy_set_header Host $host;
  142. proxy_set_header X-Real-IP $remote_addr;
  143. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  144. proxy_set_header X-Forwarded-Proto $scheme;
  145. proxy_set_header Proxy "";
  146. proxy_pass_header Server;
  147.  
  148. proxy_pass http://backend;
  149. proxy_buffering on;
  150. proxy_redirect off;
  151. proxy_http_version 1.1;
  152. proxy_set_header Upgrade $http_upgrade;
  153. proxy_set_header Connection $connection_upgrade;
  154.  
  155. proxy_cache CACHE;
  156. proxy_cache_valid 200 7d;
  157. proxy_cache_valid 410 24h;
  158. proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
  159. add_header X-Cached $upstream_cache_status;
  160.  
  161. tcp_nodelay on;
  162. }
  163. error_page 404 500 501 502 503 504 /500.html;
  164. }