# default nginx site config for Pleroma # # Simple installation instructions: # 1. Install your TLS certificate, possibly using Let's Encrypt. # 2. Replace 'example.tld' with your instance's domain wherever it appears. # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. # Note: The cache directory must exist and be writable by nginx. # If nginx runs in a chroot, create it inside the chroot. proxy_cache_path /var/tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off; # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only # and `localhost.` resolves to [::0] on some systems: see issue #930 upstream phoenix { server 127.0.0.1:4000 max_fails=5 fail_timeout=60s; } server { server_name example.tld; listen 80; listen [::]:80; # Uncomment this if you need to use the 'webroot' method with certbot. Make sure # that the directory exists and that it is accessible by the webserver. If you followed # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder. # You may need to load this file with the ssl server block commented out, run certbot # to get the certificate, and then uncomment it. # # location ~ /\.well-known/acme-challenge { # root /var/lib/letsencrypt/; # } location / { return 301 https://$server_name$request_uri; } } # Enable SSL session caching for improved performance ssl_session_cache shared:ssl_session_cache:10m; server { server_name example.tld; listen 443 ssl; listen [::]:443 ssl; http2 on; # Optional HTTP/3 support # Note: requires you open UDP port 443 # # listen 443 quic reuseport; # listen [::]:443 quic reuseport; # http3 on; # quic_retry on; # ssl_early_data on; # quic_gso on; # add_header Alt-Svc 'h3=":443"; ma=86400'; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem; ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_prefer_server_ciphers off; # In case of an old server with an OpenSSL version of 1.0.2 or below, # leave only prime256v1 or comment out the following line. ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ssl_stapling on; ssl_stapling_verify on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; # Nginx media upload limitation # Ensure that this value matches or exceeds your Pleroma upload limit: # # config :pleroma, :instance, # upload_limit: 16_000_000 # client_max_body_size 16m; ignore_invalid_headers off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { proxy_pass http://phoenix; } # Uncomment this if you want notice compatibility routes for frontends like Soapbox. # location ~ ^/@[^/]+/([^/]+)$ { # proxy_pass http://phoenix/notice/$1; # } # # location ~ ^/@[^/]+/posts/([^/]+)$ { # proxy_pass http://phoenix/notice/$1; # } # # location ~ ^/[^/]+/status/([^/]+)$ { # proxy_pass http://phoenix/notice/$1; # } # Remove this location if you choose to use a dedicated subdomain # for mediaproxy location /proxy { proxy_cache pleroma_media_cache; slice 1m; proxy_cache_key $host$uri$is_args$args$slice_range; proxy_set_header Range $slice_range; proxy_cache_valid 200 206 301 304 1h; proxy_cache_lock on; proxy_ignore_client_abort on; proxy_buffering on; chunked_transfer_encoding on; proxy_pass http://phoenix; } # Nginx can serve the local file uploads directly reducing work for # the backend. Make sure to change this to a "deny all" if you use # a dedicated subdomain. It will break access to uploads that have already # federated if you are converting an existing installation, so weigh the risks # carefully. # # location /media/ { # alias /var/lib/pleroma/uploads/; # <-- make sure this is correct for your deployment # allow all; # add_header X-Content-Type-Options "nosniff"; # add_header Content-Security-Policy "sandbox"; # } } # It is strongly recommended that you host your media and the mediaproxy on a dedicated subdomain for security reasons. # The following Pleroma settings will be required to enable this capability: # # config :pleroma, :media_proxy, # base_url: "https://media.example.tld/" # # # Assuming default media upload deployment (e.g., not S3 which will require a different domain anyway) -- # config :pleroma, Pleroma.Upload, # base_url: "https://media.example.tld/media/", # # config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" # # And then uncomment and configure the following server. # Make sure your certificate was issued to support both domains or use a dedicated certificate: # # server { # server_name media.example.tld; # # listen 443 ssl; # listen [::]:443 ssl; # http2 on; # # # Optional HTTP/3 support # # Note: requires you open UDP port 443 # # # # listen 443 quic reuseport; # # listen [::]:443 quic reuseport; # # http3 on; # # quic_retry on; # # ssl_early_data on; # # quic_gso on; # # add_header Alt-Svc 'h3=":443"; ma=86400'; # # ssl_session_timeout 1d; # ssl_session_cache shared:MozSSL:10m; # about 40000 sessions # ssl_session_tickets off; # # ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem; # ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; # ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; # # ssl_protocols TLSv1.2 TLSv1.3; # ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # ssl_prefer_server_ciphers off; # # In case of an old server with an OpenSSL version of 1.0.2 or below, # # leave only prime256v1 or comment out the following line. # ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; # ssl_stapling on; # ssl_stapling_verify on; # # proxy_http_version 1.1; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection "upgrade"; # proxy_set_header Host $http_host; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # # location /media/ { # <-- make sure this path matches your Pleroma.Upload :base_url # alias /var/lib/pleroma/uploads/; # <-- make sure this is correct for your deployment # allow all; # add_header X-Content-Type-Options "nosniff"; # add_header Content-Security-Policy "sandbox"; # } # # location /proxy { # proxy_cache pleroma_media_cache; # slice 1m; # proxy_cache_key $host$uri$is_args$args$slice_range; # proxy_set_header Range $slice_range; # proxy_cache_valid 200 206 301 304 1h; # proxy_cache_lock on; # proxy_ignore_client_abort on; # proxy_buffering on; # chunked_transfer_encoding on; # proxy_pass http://phoenix; # } # }