Docker: adopt mastodon.conf

installation/docker.conf.template

@@ -2,11 +2,20 @@
 # It's intended to be used by the official nginx image, which has templating functionality.
 # Mount at: `/etc/nginx/templates/default.conf.template`
 
+map_hash_bucket_size 128;
+
 map $http_upgrade $connection_upgrade {
   default upgrade;
   ''      close;
 }
 
+# ActivityPub routing.
+map $http_accept $activitypub_location {
+  default @soapbox;
+  "application/activity+json" @backend;
+  'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @backend;
+}
+
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
 
 server {
@@ -20,6 +29,7 @@ server {
 
 server {
   listen ${PORT};
+  listen [::]:${PORT};
 
   keepalive_timeout    70;
   sendfile             on;
@@ -28,6 +38,7 @@ server {
   root /usr/share/nginx/html;
 
   gzip on;
+  gzip_disable "msie6";
   gzip_vary on;
   gzip_proxied any;
   gzip_comp_level 6;
@@ -37,30 +48,46 @@ server {
 
   add_header Strict-Transport-Security "max-age=31536000" always;
 
-  # SPA.
-  # Try static files, then fall back to index.html.
+  # Content Security Policy (CSP)
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+  add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob:; script-src 'self'; child-src 'self'; worker-src 'self';";
+
+  # Fallback route.
+  # Try static files, then fall back to the SPA.
   location / {
-    try_files $uri /index.html;
+    try_files $uri @soapbox;
   }
 
-  # Build files.
+  # Backend routes.
+  # These are routes to the backend's API and important rendered pages.
+  location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|media|nodeinfo|unsubscribe|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) {
+    try_files /dev/null @backend;
+  }
+
+  # Backend ActivityPub routes.
+  # Conditionally send to the backend by Accept header.
+  location ~ ^/(inbox|users|@(.+)) {
+    try_files /dev/null $activitypub_location;
+  }
+
+  # Soapbox build files.
   # New builds produce hashed filenames, so these should be cached heavily.
   location /packs {
     add_header Cache-Control "public, max-age=31536000, immutable";
     add_header Strict-Transport-Security "max-age=31536000" always;
   }
 
-  # Backend routes
-  location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|media|nodeinfo|unsubscribe|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) {
-    try_files /dev/null @backend;
-  }
-
-  # ServiceWorker: don't cache.
+  # Soapbox ServiceWorker.
   location = /sw.js {
     add_header Cache-Control "public, max-age=0";
     add_header Strict-Transport-Security "max-age=31536000" always;
   }
 
+  # Soapbox SPA (Single Page App).
+  location @soapbox {
+    try_files /index.html /dev/null;
+  }
+
   # Proxy to the backend.
   location @backend {
     proxy_set_header Host $host;