From 216b1b54e61f87d5f311e569abf39b845b28fe69 Mon Sep 17 00:00:00 2001
From: Anthony Wang
Date: Sat, 11 May 2024 17:46:42 +0000
Subject: [PATCH] Remove Nextcloud and Peertube confs
---
 mastodon.conf | 4 +-
 nextcloud.conf | 189 -----------------------------------------
 peertube.conf | 222 -------------------------------------------------
 3 files changed, 2 insertions(+), 413 deletions(-)
 delete mode 100644 nextcloud.conf
 delete mode 100644 peertube.conf
diff --git a/mastodon.conf b/mastodon.conf
index 02385d5..e8f14ef 100644
--- a/mastodon.conf
+++ b/mastodon.conf
@@ -3,7 +3,7 @@ map $http_upgrade $connection_upgrade {
 '' close;
 }
-upstream web {
+upstream backend {
 server unix:/run/mastodon-web/mastodon-web.sock fail_timeout=0;
 }
@@ -130,7 +130,7 @@ server {
 proxy_set_header Proxy "";
 proxy_pass_header Server;
- proxy_pass http://web;
+ proxy_pass http://backend;
 proxy_buffering on;
 proxy_redirect off;
 proxy_http_version 1.1;
diff --git a/nextcloud.conf b/nextcloud.conf
deleted file mode 100644
index bdd4003..0000000
--- a/nextcloud.conf
+++ /dev/null
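Review bot: The upstream name `backend` introduced in the first mastodon.conf hunk is generic, and it is the same name the removed peertube.conf used for `[::1]:9000`. Assuming these conf files are included into one `http` block, upstream names share a single namespace there. A second definition of `backend` in any other included file would then fail the config test, and a leftover `proxy_pass http://backend;` in another vhost would be sent to the Mastodon socket without any error. A service-specific name keeps the routing explicit: `upstream mastodon_web {` in the first hunk and `proxy_pass http://mastodon_web;` in the second. The `server` block around the second hunk starts and ends outside it, so any remaining references to the old name `web` cannot be checked from here.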
@@ -1,189 +0,0 @@ -upstream php-handler { - server unix:/run/nextcloud/nextcloud.sock; -} - -# Set the `immutable` cache control options only for assets with a cache busting `v` argument -map $arg_v $asset_immutable { - "" ""; - default "immutable"; -} - - -server { - listen 443 ssl; - listen [::]:443 ssl; - server_name cloud.exozy.me; - - # Enable symlinks - disable_symlinks off; - - # Path to the root of your installation - root /usr/share/webapps/nextcloud; - - # Prevent nginx HTTP Server Detection - server_tokens off; - - # HSTS settings - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; - - # set max upload size and increase upload timeout: - client_max_body_size 16G; - client_body_timeout 300s; - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Pagespeed is not supported by Nextcloud, so if your server is built - # with the `ngx_pagespeed` module, uncomment this line to disable it. - #pagespeed off; - - # The settings allows you to optimize the HTTP2 bandwidth. 
- # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ - # for tuning hints - client_body_buffer_size 512k; - - # HTTP response headers borrowed from Nextcloud `.htaccess` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "noindex, nofollow" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Add .mjs as a file extension for javascript - # Either include it in the default mime.types list - # or include you can include that list explicitly and add the file extension - # only for Nextcloud like below: - include mime.types; - types { - text/javascript js mjs; - } - - # Specify how to handle directories -- specifying `/index.php$request_uri` - # here as the fallback means that Nginx always exhibits the desired behaviour - # when a client requests a path that corresponds to a directory that exists - # on the server. In particular, if that directory contains an index.php file, - # that file is correctly served; if it doesn't, then the request is passed to - # the front-end controller. This consistent behaviour means that we don't need - # to specify custom rules for certain paths (e.g. images and other assets, - # `/updater`, `/ocs-provider`), and thus - # `try_files $uri $uri/ /index.php$request_uri` - # always provides the desired behaviour. 
- index index.php index.html /index.php$request_uri; - - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. - location ^~ /.well-known { - # The rules in this block are an adaptation of the rules - # in `.htaccess` that concern `/.well-known`. - - location = /.well-known/carddav { - return 301 /remote.php/dav/; - } - location = /.well-known/caldav { - return 301 /remote.php/dav/; - } - - location /.well-known/acme-challenge { - try_files $uri $uri/ =404; - } - location /.well-known/pki-validation { - try_files $uri $uri/ =404; - } - - # Let Nextcloud's API for `/.well-known` URIs handle all other - # requests by passing them to the front-end controller. - return 301 /index.php$request_uri; - } - - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { - return 404; - } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { - return 404; - } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. 
- location ~ \.php(?:$|/) { - # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; - - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - - try_files $fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - - fastcgi_max_temp_file_size 0; - } - - # Serve static files - location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463, $asset_immutable"; - access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } - } - - location ~ \.woff2?$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - # Rule borrowed from `.htaccess` - location /remote { - return 301 /remote.php$request_uri; - } - - location / { - try_files $uri $uri/ /index.php$request_uri; - } -} diff --git a/peertube.conf b/peertube.conf deleted file mode 100644 index fae5e5c..0000000 --- a/peertube.conf +++ /dev/null 
@@ -1,222 +0,0 @@ -# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017) -# Please check your Nginx installation features the following modules via 'nginx -V': -# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading. -# THIRD PARTY MODULES: None. - -upstream backend { - server [::1]:9000; # https://framacolibri.org/t/listen-to-unix-socket-instead-of-localhost-9000/5348 -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - server_name tube.exozy.me; - - ## - # Application - ## - - location @api { - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - - client_max_body_size 100k; # default is 1M - - proxy_connect_timeout 10m; - proxy_send_timeout 10m; - proxy_read_timeout 10m; - send_timeout 10m; - - proxy_pass http://backend; - } - - location / { - try_files /dev/null @api; - } - - location ~ ^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$ { - client_max_body_size 0; - proxy_request_buffering off; - - try_files /dev/null @api; - } - - location ~ ^/api/v1/users/[^/]+/imports/import-resumable$ { - client_max_body_size 0; - proxy_request_buffering off; - - try_files /dev/null @api; - } - - location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ { - limit_except POST HEAD { - deny all; - } - - # This is the maximum upload size, which roughly matches the maximum size of a video file. - # Note that temporary space is needed equal to the total size of all concurrent uploads. - # This data gets stored in /var/lib/nginx by default, so you may want to put this directory - # on a dedicated filesystem. 
- client_max_body_size 12G; # default is 1M - add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) - - try_files /dev/null @api; - } - - location ~ ^/api/v1/runners/jobs/[^/]+/(update|success)$ { - client_max_body_size 12G; # default is 1M - add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) - - try_files /dev/null @api; - } - - location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) { - client_max_body_size 6M; # default is 1M - add_header X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) - - try_files /dev/null @api; - } - - ## - # Websocket - ## - - location @api_websocket { - proxy_http_version 1.1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_pass http://backend; - } - - location /socket.io { - try_files /dev/null @api_websocket; - } - - location /tracker/socket { - # Peers send a message to the tracker every 15 minutes - # Don't close the websocket before then - proxy_read_timeout 15m; # default is 60s - - try_files /dev/null @api_websocket; - } - - # Plugin websocket routes - location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ { - try_files /dev/null @api_websocket; - } - - ## - # Performance optimizations - # For extra performance please refer to https://github.com/denji/nginx-tuning - ## - - root /var/lib/peertube/storage; - - # Enable compression for JS/CSS/HTML, for improved client load times. - # It might be nice to compress JSON/XML as returned by the API, but - # leaving that out to protect against potential BREACH attack. 
- gzip on; - gzip_vary on; - gzip_types # text/html is always compressed by HttpGzipModule - text/css - application/javascript - font/truetype - font/opentype - application/vnd.ms-fontobject - image/svg+xml; - gzip_min_length 1000; # default is 20 bytes - gzip_buffers 16 8k; - gzip_comp_level 2; # default is 1 - - client_body_timeout 30s; # default is 60 - client_header_timeout 10s; # default is 60 - send_timeout 10s; # default is 60 - keepalive_timeout 10s; # default is 75 - resolver_timeout 10s; # default is 30 - reset_timedout_connection on; - proxy_ignore_client_abort on; - - tcp_nopush on; # send headers in one piece - tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time - - # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place - # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path - #client_body_temp_path /var/www/peertube/storage/nginx/; - - # Bypass PeerTube for performance reasons. Optional. - # Should be consistent with client-overrides assets list in client.ts server controller - location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$ { - add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year - - root /var/lib/peertube; - - try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api; - } - - # Bypass PeerTube for performance reasons. Optional. 
- location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ { - add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year - - alias /usr/share/webapps/peertube/client/dist/$1; - } - - location ~ ^(/static/(webseed|web-videos|streaming-playlists/hls)/private/)|^/download { - # We can't rate limit a try_files directive, so we need to duplicate @api - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - - proxy_limit_rate 5M; - - proxy_pass http://backend; - } - - # Bypass PeerTube for performance reasons. Optional. - location ~ ^/static/(webseed|web-videos|redundancy|streaming-playlists)/ { - limit_rate_after 5M; - - set $peertube_limit_rate 5M; - - # Use this line with nginx >= 1.17.0 - limit_rate $peertube_limit_rate; - # Or this line with nginx < 1.17.0 - # set $limit_rate $peertube_limit_rate; - - if ($request_method = 'OPTIONS') { - add_header Access-Control-Allow-Origin '*'; - add_header Access-Control-Allow-Methods 'GET, OPTIONS'; - add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days - add_header Content-Type 'text/plain charset=UTF-8'; - add_header Content-Length 0; - return 204; - } - - if ($request_method = 'GET') { - add_header Access-Control-Allow-Origin '*'; - add_header Access-Control-Allow-Methods 'GET, OPTIONS'; - add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - - # Don't spam access log file with byte range requests - access_log off; - } - - # Enabling the sendfile directive eliminates the step of copying the data into the buffer - # and enables direct copying data from one file descriptor to another. 
- sendfile on; - sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k. - aio threads; - - # web-videos is the name of the directory mapped to the `storage.web_videos` key in your PeerTube configuration - rewrite ^/static/webseed/(.*)$ /web-videos/$1 break; - rewrite ^/static/(.*)$ /$1 break; - - try_files $uri @api; - } -}