Configure Mastodon to use its Tor hidden service
This commit is contained in:
parent
3b1c7a0817
commit
10b6f6370e
|
@ -30,19 +30,34 @@ server_name = node["kosmos-mastodon"]["server_name"]
|
|||
include_recipe "kosmos-nginx"
|
||||
include_recipe "tor-full"
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_mastodon.erb'
|
||||
directory "#{node['nginx']['dir']}/snippets" do
|
||||
action :create
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/snippets/mastodon.conf" do
|
||||
source 'nginx_conf_shared.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
|
||||
puma_port: node["kosmos-mastodon"]["puma_port"],
|
||||
server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
|
||||
mastodon_path: mastodon_path
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_mastodon.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
|
||||
shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
|
||||
onion_address: File.read("/var/lib/tor/mastodon/hostname").strip
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
# Legacy vhost
|
||||
nginx_site "mastodon" do
|
||||
action :disable
|
||||
|
|
|
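Review bot: `File.read("/var/lib/tor/mastodon/hostname").strip` in the `variables` hash of the new sites-available template is evaluated while the recipe is compiled, before the `tor-full` recipe included above has converged, so on a first run (or on any node where the hidden service has not been created yet) chef-client aborts with Errno::ENOENT before a single resource converges. Deferring the read to converge time fixes that: `variables lazy { { server_name: server_name, ssl_cert: "...", ssl_key: "...", shared_config_path: "...", onion_address: File.read("/var/lib/tor/mastodon/hostname").strip } }`. The hostname path is hard-coded here and presumably has to match what tor-full writes, so lifting it into a node attribute would keep the two in step. The `mode 0640` on the snippets directory also omits the execute bit, which only root (the nginx master) gets away with; `0750` is the usual directory mode. The `nginx_site "mastodon"` block's `end` lies outside the hunk.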
@ -54,3 +54,5 @@ S3_REGION=<%= @s3_region %>
|
|||
# Web Push API
|
||||
VAPID_PRIVATE_KEY=<%= @vapid_private_key %>
|
||||
VAPID_PUBLIC_KEY=<%= @vapid_public_key %>
|
||||
|
||||
ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
|
||||
|
|
|
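Review bot: `ALLOW_ACCESS_TO_HIDDEN_SERVICE=true` is added without the kind of section comment its neighbours carry (`# Web Push API` just above), so a reader of the rendered .env.production gets no hint of which vhost depends on it. A one-line comment in the template's existing style, `# Tor hidden service (served by the onion vhost in nginx_conf_mastodon.erb)`, above the new line would keep the file self-describing.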
@ -1,3 +1,15 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name mastodon.<%= @onion_address %>;
|
||||
include <%= @shared_config_path %>;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
|
@ -7,9 +19,7 @@ server {
|
|||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
access_log "/var/log/nginx/mastodon.access.log";
|
||||
error_log "/var/log/nginx/mastodon.error.log";
|
||||
include <%= @shared_config_path %>;
|
||||
|
||||
<% if File.exist?(@ssl_cert) &&
|
||||
File.exist?(@ssl_key) -%>
|
||||
|
@ -17,82 +27,5 @@ server {
|
|||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
|
||||
keepalive_timeout 70;
|
||||
sendfile on;
|
||||
client_max_body_size 0;
|
||||
|
||||
root <%= @mastodon_path %>/public;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
location / {
|
||||
# If the maintenance file is present, show maintenance page
|
||||
if (-f <%= @mastodon_path %>/public/maintenance.html) {
|
||||
return 503;
|
||||
}
|
||||
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location /sw.js {
|
||||
add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
|
||||
add_header Pragma "no-cache";
|
||||
}
|
||||
|
||||
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
|
||||
add_header Cache-Control "public, max-age=31536000, immutable";
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location @proxy {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Proxy "";
|
||||
proxy_pass_header Server;
|
||||
|
||||
proxy_pass http://localhost:<%= @puma_port %>;
|
||||
proxy_buffering off;
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
location /api/v1/streaming {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Proxy "";
|
||||
|
||||
proxy_pass http://localhost:<%= @streaming_port %>;
|
||||
proxy_buffering off;
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
error_page 500 501 502 504 /500.html;
|
||||
error_page 503 /maintenance.html;
|
||||
|
||||
location = /maintenance.html {
|
||||
root <%= @mastodon_path %>/public;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
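Review bot: `add_header Strict-Transport-Security "max-age=31536000";` is removed from the 443 server block in this hunk along with the rest of the body, but it does not reappear in the new nginx_conf_shared.erb snippet, so as far as this diff shows the clearnet vhost stops sending HSTS after the change. It cannot move into the shared snippet anyway, because that snippet is also included by the plain-HTTP onion vhost added in the first hunk of this file, so it belongs back in the 443 block next to `include <%= @shared_config_path %>;`: `add_header Strict-Transport-Security "max-age=31536000";`. The onion server block in the first hunk also uses a bare `listen 80;`, which binds every interface; if tor runs on the same host, `listen 127.0.0.1:80;` for that block would keep the TLS-less vhost off the public socket, which is worth confirming against the tor-full setup.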
@ -0,0 +1,79 @@
|
|||
access_log "/var/log/nginx/mastodon.access.log";
|
||||
error_log "/var/log/nginx/mastodon.error.log";
|
||||
|
||||
keepalive_timeout 70;
|
||||
|
||||
sendfile on;
|
||||
client_max_body_size 0;
|
||||
|
||||
root <%= @mastodon_path %>/public;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
location / {
|
||||
# If the maintenance file is present, show maintenance page
|
||||
if (-f <%= @mastodon_path %>/public/maintenance.html) {
|
||||
return 503;
|
||||
}
|
||||
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location /sw.js {
|
||||
add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
|
||||
add_header Pragma "no-cache";
|
||||
}
|
||||
|
||||
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
|
||||
add_header Cache-Control "public, max-age=31536000, immutable";
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location @proxy {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Proxy "";
|
||||
proxy_pass_header Server;
|
||||
|
||||
proxy_pass http://localhost:<%= @puma_port %>;
|
||||
proxy_buffering off;
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
location /api/v1/streaming {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Proxy "";
|
||||
|
||||
proxy_pass http://localhost:<%= @streaming_port %>;
|
||||
proxy_buffering off;
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
error_page 500 501 502 504 /500.html;
|
||||
error_page 503 /maintenance.html;
|
||||
|
||||
location = /maintenance.html {
|
||||
root <%= @mastodon_path %>/public;
|
||||
}
|