-
-
Save mstdn/a6a17b7006856b8ca8d02d045cf1feb7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
limit_req_zone $binary_remote_addr zone=u.fail_ratelimit:10m rate=20r/s; | |
proxy_cache_path /opt/lemmy_cache keys_zone=lemmy_cache:1024m; | |
server { | |
listen 80; | |
listen [::]:80; | |
server_name u.fail www.u.fail; | |
location / { return 301 https://$host$request_uri; }› | |
} | |
server { | |
listen 443 ssl http2; | |
listen [::]:443 ssl http2; | |
server_name www.u.fail; | |
rewrite ^/(.*) https://u.fail/$1 permanent; | |
ssl_certificate /etc/letsencrypt/live/u.fail/fullchain.pem; # managed by Certbot | |
ssl_certificate_key /etc/letsencrypt/live/u.fail/privkey.pem; # managed by Certbot | |
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |
} | |
server { | |
listen 443 ssl http2; | |
listen [::]:443 ssl http2; | |
server_name u.fail; | |
ssl_certificate /etc/letsencrypt/live/u.fail/fullchain.pem; # managed by Certbot | |
ssl_certificate_key /etc/letsencrypt/live/u.fail/privkey.pem; # managed by Certbot | |
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |
access_log /var/log/nginx/u.fail_access.log; | |
error_log /var/log/nginx/u.fail_error.log; | |
# Enable compression for JS/CSS/HTML bundle, for improved client load times. | |
# It might be nice to compress JSON, but leaving that out to protect against potential | |
# compression+encryption information leak attacks like BREACH. | |
gzip on; | |
gzip_types text/css application/javascript image/svg+xml; | |
gzip_vary on; | |
# Only connect to this site via HTTPS for the two years | |
add_header Strict-Transport-Security "max-age=63072000"; | |
# Various content security headers | |
add_header Referrer-Policy "same-origin"; | |
add_header X-Content-Type-Options "nosniff"; | |
add_header X-Frame-Options "DENY"; | |
add_header X-XSS-Protection "1; mode=block"; | |
# Upload limit for pictrs | |
client_max_body_size 40M; | |
# frontend | |
location / { | |
# The default ports: | |
# lemmy_ui_port: 1235 | |
# lemmy_port: 8536 | |
set $proxpass "http://0.0.0.0:1234"; | |
if ($http_accept ~ "^application/.*$") { | |
set $proxpass "http://0.0.0.0:8536"; | |
} | |
if ($request_method = POST) { | |
set $proxpass "http://0.0.0.0:8536"; | |
} | |
proxy_pass $proxpass; | |
rewrite ^(.+)/+$ $1 permanent; | |
# Send actual client IP upstream | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header Host $host; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
} | |
# backend | |
location ~ ^/(api|feeds|nodeinfo|.well-known) { | |
proxy_pass http://0.0.0.0:8536; | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
# Rate limit | |
limit_req zone=u.fail_ratelimit burst=90 nodelay; | |
# Add IP forwarding headers | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header Host $host; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
} | |
# backend | |
location ~ ^/pictrs { | |
proxy_cache lemmy_cache; | |
proxy_pass http://0.0.0.0:8536; | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
# Rate limit | |
limit_req zone=u.fail_ratelimit burst=90 nodelay; | |
# Add IP forwarding headers | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header Host $host; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment