From 9821a1f639cbd06b23b34537adce1f1e194536e5 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 13:58:13 -0500 Subject: [PATCH] Docker: adopt mastodon.conf --- installation/docker.conf.template | 47 ++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/installation/docker.conf.template b/installation/docker.conf.template index 06fdc5096..0c13a26a3 100644 --- a/installation/docker.conf.template +++ b/installation/docker.conf.template @@ -2,11 +2,20 @@ # It's intended to be used by the official nginx image, which has templating functionality. # Mount at: `/etc/nginx/templates/default.conf.template` +map_hash_bucket_size 128; + map $http_upgrade $connection_upgrade { default upgrade; '' close; } +# ActivityPub routing. +map $http_accept $activitypub_location { + default @soapbox; + "application/activity+json" @backend; + 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @backend; +} + proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; server { @@ -20,6 +29,7 @@ server { server { listen ${PORT}; + listen [::]:${PORT}; keepalive_timeout 70; sendfile on; @@ -28,6 +38,7 @@ server { root /usr/share/nginx/html; gzip on; + gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; @@ -37,30 +48,46 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; - # SPA. - # Try static files, then fall back to index.html. + # Content Security Policy (CSP) + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob:; script-src 'self'; child-src 'self'; worker-src 'self';"; + + # Fallback route. + # Try static files, then fall back to the SPA. location / { - try_files $uri /index.html; + try_files $uri @soapbox; } - # Build files. + # Backend routes. + # These are routes to the backend's API and important rendered pages. + location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|media|nodeinfo|unsubscribe|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { + try_files /dev/null @backend; + } + + # Backend ActivityPub routes. + # Conditionally send to the backend by Accept header. + location ~ ^/(inbox|users|@(.+)) { + try_files /dev/null $activitypub_location; + } + + # Soapbox build files. # New builds produce hashed filenames, so these should be cached heavily. location /packs { add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; } - # Backend routes - location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|media|nodeinfo|unsubscribe|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { - try_files /dev/null @backend; - } - - # ServiceWorker: don't cache. + # Soapbox ServiceWorker. location = /sw.js { add_header Cache-Control "public, max-age=0"; add_header Strict-Transport-Security "max-age=31536000" always; } + # Soapbox SPA (Single Page App). + location @soapbox { + try_files /index.html /dev/null; + } + # Proxy to the backend. location @backend { proxy_set_header Host $host;