From 84f032c4e2a645eceeccc21c7f7d58c6b9e9fae3 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Tue, 10 May 2022 12:30:47 -0500 Subject: [PATCH 1/7] Check in default mastodon.conf --- installation/mastodon.conf | 116 +++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 installation/mastodon.conf diff --git a/installation/mastodon.conf b/installation/mastodon.conf new file mode 100644 index 000000000..7e0334368 --- /dev/null +++ b/installation/mastodon.conf @@ -0,0 +1,116 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +upstream backend { + server 127.0.0.1:3000 fail_timeout=0; +} + +upstream streaming { + server 127.0.0.1:4000 fail_timeout=0; +} + +proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; + +server { + listen 80; + listen [::]:80; + server_name example.com; + root /home/mastodon/live/public; + location /.well-known/acme-challenge/ { allow all; } + location / { return 301 https://$host$request_uri; } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name example.com; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + + # Uncomment these lines once you acquire a certificate: + # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + + keepalive_timeout 70; + sendfile on; + client_max_body_size 80m; + + root /home/mastodon/live/public; + + gzip on; + gzip_disable "msie6"; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon; + + add_header Strict-Transport-Security "max-age=31536000" always; + + location / { + try_files $uri @proxy; + } + + location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { + add_header Cache-Control "public, max-age=31536000, immutable"; + add_header Strict-Transport-Security "max-age=31536000" always; + try_files $uri @proxy; + } + + location /sw.js { + add_header Cache-Control "public, max-age=0"; + add_header Strict-Transport-Security "max-age=31536000" always; + try_files $uri @proxy; + } + + location @proxy { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Proxy ""; + proxy_pass_header Server; + + proxy_pass http://backend; + proxy_buffering on; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_cache CACHE; + proxy_cache_valid 200 7d; + proxy_cache_valid 410 24h; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + add_header X-Cached $upstream_cache_status; + add_header Strict-Transport-Security "max-age=31536000" always; + + tcp_nodelay on; + } + + location /api/v1/streaming { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Proxy ""; + + proxy_pass http://streaming; + proxy_buffering off; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + tcp_nodelay on; + } + + error_page 500 501 502 503 504 /500.html; +} From 5f38e10981ac4978f854b6909bde5763af955784 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Tue, 10 May 2022 14:48:30 -0500 Subject: [PATCH 2/7] Mastodon nginx: make it mostly work --- installation/mastodon.conf | 57 ++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 9 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 7e0334368..8b5324184 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -1,14 +1,19 @@ +# Nginx configuration for Soapbox on Mastodon. +# Adapted from: https://github.com/mastodon/mastodon/blob/b4d373a3df2752d9f8bdc0d7f02350528f3789b2/dist/nginx.conf +# +# Edit this file to change occurences of "example.com" to your own domain. + map $http_upgrade $connection_upgrade { default upgrade; '' close; } upstream backend { - server 127.0.0.1:3000 fail_timeout=0; + server 127.0.0.1:3000 fail_timeout=0; } upstream streaming { - server 127.0.0.1:4000 fail_timeout=0; + server 127.0.0.1:4000 fail_timeout=0; } proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; @@ -17,7 +22,7 @@ server { listen 80; listen [::]:80; server_name example.com; - root /home/mastodon/live/public; + root /opt/soapbox/static; location /.well-known/acme-challenge/ { allow all; } location / { return 301 https://$host$request_uri; } } @@ -41,7 +46,7 @@ server { sendfile on; client_max_body_size 80m; - root /home/mastodon/live/public; + root /opt/soapbox/static; gzip on; gzip_disable "msie6"; @@ -54,22 +59,55 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; + # Fallback route. + # Everything not routed should fall back to the SPA. location / { - try_files $uri @proxy; + try_files /index.html /dev/null; } - location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { + # Mastodon backend routes. + # These are routes to Mastodon's API and important rendered pages. + location ~ ^/(api|oauth|auth|admin|.well-known/webfinger) { + try_files /dev/null @proxy; + } + + # # Mastodon ActivityPub routes. + # # Conditionally send to Mastodon by Accept header. + # if ($http_accept = "application/activity+json" || $http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") { + # location ~ ^/(inbox|outbox|users|@) { + # try_files /dev/null @proxy; + # } + # } + + # Mastodon public files. + # https://github.com/mastodon/mastodon/tree/main/public + # Take only what we need for Soapbox. + location ~ ^/(favicon.ico|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|avatars/original/missing.png|headers/original/missing.png) { + root /home/mastodon/live/public; add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; - try_files $uri @proxy; } - location /sw.js { + # Soapbox build files. + # New builds produce hashed filenames, so these should be cached heavily. + location ~ ^/(packs|emoji) { + add_header Cache-Control "public, max-age=31536000, immutable"; + add_header Strict-Transport-Security "max-age=31536000" always; + } + + # Soapbox configuration files. + # Enable CORS so we can fetch them. + location /instance { + add_header Access-Control-Allow-Origin "*"; + } + + # Soapbox ServiceWorker. + location = /sw.js { add_header Cache-Control "public, max-age=0"; add_header Strict-Transport-Security "max-age=31536000" always; - try_files $uri @proxy; } + # Proxy to Mastodon's Ruby on Rails backend. location @proxy { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -95,6 +133,7 @@ server { tcp_nodelay on; } + # Mastodon's Node.js streaming server. location /api/v1/streaming { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; From 1d3a9282939d0b6cb7e773108339b6830de3545d Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Tue, 10 May 2022 15:05:45 -0500 Subject: [PATCH 3/7] Mastodon nginx: tweak backend locations --- installation/mastodon.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 8b5324184..149a9733a 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -67,7 +67,7 @@ server { # Mastodon backend routes. # These are routes to Mastodon's API and important rendered pages. - location ~ ^/(api|oauth|auth|admin|.well-known/webfinger) { + location ~ ^/(api|oauth|auth|admin|manifest.json|.well-known/webfinger|@(.+)/embed$) { try_files /dev/null @proxy; } From 8ba2db78d7c2fa0dd82d75bcabb4032c183c86d1 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Tue, 10 May 2022 15:40:25 -0500 Subject: [PATCH 4/7] Mastodon nginx: ActivityPub routing --- installation/mastodon.conf | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 149a9733a..2316e6021 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -8,6 +8,14 @@ map $http_upgrade $connection_upgrade { '' close; } +# ActivityPub routing. +map $http_accept $activitypub_location { + default /index.html; + "application/activity+json" @proxy; + # Increase `map_hash_bucket_size` to enable this route: + # 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @proxy; +} + upstream backend { server 127.0.0.1:3000 fail_timeout=0; } @@ -71,13 +79,11 @@ server { try_files /dev/null @proxy; } - # # Mastodon ActivityPub routes. - # # Conditionally send to Mastodon by Accept header. - # if ($http_accept = "application/activity+json" || $http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") { - # location ~ ^/(inbox|outbox|users|@) { - # try_files /dev/null @proxy; - # } - # } + # Mastodon ActivityPub routes. + # Conditionally send to Mastodon by Accept header. + location ~ ^/(inbox|outbox|users|@(.+)) { + try_files $activitypub_location $activitypub_location; + } # Mastodon public files. # https://github.com/mastodon/mastodon/tree/main/public From fb17e59d77224bea4c30b5324b6aeac6e2210c8a Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Tue, 10 May 2022 15:55:26 -0500 Subject: [PATCH 5/7] Add Mastodon installation docs --- docs/administration/mastodon.md | 35 +++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 docs/administration/mastodon.md diff --git a/docs/administration/mastodon.md b/docs/administration/mastodon.md new file mode 100644 index 000000000..d8261d9de --- /dev/null +++ b/docs/administration/mastodon.md @@ -0,0 +1,35 @@ +# Installing Soapbox over Mastodon + +It is possible to run Soapbox as your main frontend on top of Mastodon. +This will replace the homepage and all static pages with Soapbox, using Mastodon only as the API. + +To do so, shell into your server and unpack Soapbox: + +```sh +mkdir -p /opt/soapbox + +curl -L https://gitlab.com/soapbox-pub/soapbox-fe/-/jobs/artifacts/develop/download?job=build-production -o soapbox-fe.zip + +busybox unzip soapbox-fe.zip -o -d /opt/soapbox +``` + +Now create an Nginx file for Soapbox with Mastodon. +If you already have one, replace it: + +```sh +curl https://gitlab.com/soapbox-pub/soapbox-fe/-/raw/develop/installation/mastodon.conf > /etc/nginx/sites-available/mastodon +``` + +Edit this file and replace all occurrences of `example.com` with your domain name. +Uncomment the SSL lines if you've enabled SSL, otherwise do that first. + +Finally, ensure the file is symlinked, then restart Nginx: + +```sh +ln -s /etc/nginx/sites-available/mastodon /etc/nginx/sites-enabled/mastodon + +systemctl restart nginx +``` + +If all is well, hopefully this worked! +If not, run `nginx -t` to see if anything is amiss, and try reviewing Mastodon's [install guide](https://docs.joinmastodon.org/admin/install/). From 3919212196482efe79ae2d3d96f9d7e2106a7a42 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Tue, 10 May 2022 16:54:19 -0500 Subject: [PATCH 6/7] Mastodon nginx: fix streaming API location --- installation/mastodon.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 2316e6021..daa45b42c 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -140,7 +140,7 @@ server { } # Mastodon's Node.js streaming server. - location /api/v1/streaming { + location ^~ /api/v1/streaming { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 3bbad5b5fc576d641f2940989404640d6606b59a Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Tue, 10 May 2022 17:20:20 -0500 Subject: [PATCH 7/7] Mastodon nginx: route pghero and sidekiq to Mastodon --- installation/mastodon.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index daa45b42c..1c3de0961 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -75,7 +75,7 @@ server { # Mastodon backend routes. # These are routes to Mastodon's API and important rendered pages. - location ~ ^/(api|oauth|auth|admin|manifest.json|.well-known/webfinger|@(.+)/embed$) { + location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|.well-known/webfinger|@(.+)/embed$) { try_files /dev/null @proxy; } @@ -88,7 +88,7 @@ server { # Mastodon public files. # https://github.com/mastodon/mastodon/tree/main/public # Take only what we need for Soapbox. - location ~ ^/(favicon.ico|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|avatars/original/missing.png|headers/original/missing.png) { + location ~ ^/(assets|favicon.ico|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|avatars/original/missing.png|headers/original/missing.png) { root /home/mastodon/live/public; add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always;