From 737e1dddc9d4deca20b715c3a1735beea5d9291d Mon Sep 17 00:00:00 2001 From: "Antonio J. Delgado" Date: Mon, 31 Jul 2023 11:54:47 +0300 Subject: [PATCH] add option to deploy nginx reverse proxy --- defaults/main.yml | 1 + tasks/docker/docker.yml | 11 +++ templates/docker-compose.yml.j2 | 13 +++ templates/nginx.conf.j2 | 144 ++++++++++++++++++++++++++++++++ 4 files changed, 169 insertions(+) create mode 100644 templates/nginx.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 4abc91e..5912fb1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -46,6 +46,7 @@ smtp_password: "{{ vault_mastodon_admin_mail_password }}" allow_hidden_services: false #Use HTTP only for Vagrant testing or for reverse proxy purposes. use_http: true +nginx_reverse_proxy: false es_enabled: 'true' es_host: localhost diff --git a/tasks/docker/docker.yml b/tasks/docker/docker.yml index e63a3c9..4033087 100644 --- a/tasks/docker/docker.yml +++ b/tasks/docker/docker.yml @@ -30,6 +30,17 @@ update: true version: "{{ mastodon_version }}" +- name: Create Mastodon etc folder + file: + path: /etc/mastodon + state: directory + +- name: Create nginx configuration + template: + src: templates/nginx.conf.j2 + dest: "/etc/mastodon/nginx.conf" + when: nginx_reverse_proxy + - name: Create docker-compose.yaml file template: src: templates/docker-compose.yml.j2 diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2 index f34e323..ef36f19 100644 --- a/templates/docker-compose.yml.j2 +++ b/templates/docker-compose.yml.j2 @@ -81,6 +81,19 @@ services: ports: - '127.0.0.1:{{ es_port }}:9200' +{% endif %} +{% if nginx_reverse_proxy %} + web_proxy: + image: nginx + volume: + - /etc/mastodon/nginx.conf:/etc/nginx/conf.d/default.conf + ports: + - "8080:80" + - "8443:443" + environment: + - NGINX_HOST={{ mastodon_host }} + - NGINX_PORT=80 + {% endif %} web: build: . diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2 new file mode 100644 index 0000000..9ce2637 
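Review bot: `nginx_reverse_proxy: false` is added without the explanatory comment its neighbour `use_http` carries; a one-liner such as `# Deploy an nginx container (templates/nginx.conf.j2) in front of the web and streaming services` would tell users what turning it on does. It also interacts with `use_http`, whose comment already mentions reverse-proxy use, so stating whether the two are expected to be enabled together would avoid guesswork.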
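Review bot: `Create Mastodon etc folder` runs unconditionally while the template it exists to hold is gated on `when: nginx_reverse_proxy`, so hosts with the default `false` gain an empty /etc/mastodon; either gate both tasks or say in the task name why the directory is always wanted. Neither task sets `mode`, so the directory and nginx.conf permissions depend on the remote umask; pin them, e.g. `mode: '0755'` on the directory and `mode: '0644'` on the template. If a handler restarts the compose stack when its configuration changes, the template task should `notify` it — handlers are not visible from this hunk, so that part is inferred.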
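Review bot: `volume:` is not a Compose service key — it should be `volumes:` — so depending on the Compose version the file is rejected or the key is ignored and the container runs with the image's stock default.conf instead of /etc/mastodon/nginx.conf. Mount it read-only while fixing it: `- /etc/mastodon/nginx.conf:/etc/nginx/conf.d/default.conf:ro`. The `NGINX_HOST`/`NGINX_PORT` environment entries are, as far as I know, only consumed by the image's envsubst step for `/etc/nginx/templates/*.template`, so with a rendered file mounted straight into `conf.d` they appear to have no effect and could be dropped or documented. Unlike the Elasticsearch port just above, which is bound to 127.0.0.1, `8080:80` and `8443:443` bind on all interfaces — presumably intended for a public proxy, but worth stating in the variable's documentation.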
--- /dev/null
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,144 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream backend {
+ server 127.0.0.1:3000 fail_timeout=0;
+}
+
+upstream streaming {
+ server 127.0.0.1:4000 fail_timeout=0;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ mastodon_host }};
+ root /usr/share/nginx/html;
+ location /.well-known/acme-challenge/ { allow all; }
+ location / { return 301 https://$host$request_uri; }
+
+ keepalive_timeout 70;
+ sendfile on;
+ client_max_body_size 99m;
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
+
+ location / {
+ try_files $uri @proxy;
+ }
+
+ # If Docker is used for deployment and Rails serves static files,
+ # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
+ location = /sw.js {
+ add_header Cache-Control "public, max-age=604800, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ # try_files $uri =404;
+ try_files $uri @proxy;
+ }
+
+ location ~ ^/assets/ {
+ add_header Cache-Control "public, max-age=2419200, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ try_files $uri =404;
+ }
+
+ location ~ ^/avatars/ {
+ add_header Cache-Control "public, max-age=2419200, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ try_files $uri =404;
+ }
+
+ location ~ ^/emoji/ {
+ add_header Cache-Control "public, max-age=2419200, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ try_files $uri =404;
+ }
+
+ location ~ ^/headers/ {
+ add_header Cache-Control "public, max-age=2419200, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ try_files $uri =404;
+ }
+
+ location ~ ^/packs/ {
+ add_header Cache-Control "public, max-age=2419200, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ try_files $uri =404;
+ }
+
+ location ~ ^/shortcuts/ {
+ add_header Cache-Control "public, max-age=2419200, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ try_files $uri =404;
+ }
+
+ location ~ ^/sounds/ {
+ add_header Cache-Control "public, max-age=2419200, must-revalidate";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ try_files $uri =404;
+ }
+
+ location ~ ^/system/ {
+ add_header Cache-Control "public, max-age=2419200, immutable";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
+ try_files $uri =404;
+ }
+
+ location ^~ /api/v1/streaming {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Proxy "";
+
+ proxy_pass http://streaming;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+ tcp_nodelay on;
+ }
+
+ location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+
+ proxy_pass http://backend;
+ proxy_buffering on;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_cache CACHE;
+ proxy_cache_valid 200 7d;
+ proxy_cache_valid 410 24h;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ add_header X-Cached $upstream_cache_status;
+
+ tcp_nodelay on;
+ }
+
+ error_page 404 500 501 502 503 504 /500.html;
+}
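Review bot: `location /` is declared twice in the same server block — once as `return 301 https://$host$request_uri;` and once as `try_files $uri @proxy;` — and nginx refuses to start on a duplicate location, so this configuration is unusable as written; drop the redirect line (or move it into a separate redirect-only server) and keep the proxying one. Because this file is mounted into the `web_proxy` container, the upstreams `server 127.0.0.1:3000` and `server 127.0.0.1:4000` point at that container's own loopback rather than at the Mastodon containers; they should name the compose services, e.g. `server web:3000 fail_timeout=0;` for the `web` service shown in the compose hunk, and the streaming service's name likewise. The static `location ~ ^/assets/` through `^/system/` blocks use `try_files $uri =404;` against `root /usr/share/nginx/html`, which holds no Mastodon files in this container, so every asset request would 404 — the file's own comment above `/sw.js` says these must become `try_files $uri @proxy;` in a Docker deployment. There is also no `listen 443`/TLS server here, so the `8443:443` mapping in docker-compose has nothing behind it and `X-Forwarded-Proto $scheme` will always be `http`; if TLS terminates in front of this proxy, consider forwarding the incoming `X-Forwarded-Proto` value instead.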