infra-vintage/mastodon/nginx/nginx-files.conf

78 lines
2.2 KiB
Plaintext
Raw Permalink Normal View History

2022-06-04 18:46:19 +00:00
server {
listen 443 ssl http2;
server_name files.pub.solar;
ssl_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;
ssl_certificate_key /data/dehydrated/certs/files.pub.solar/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;
root /var/www/files;
keepalive_timeout 30;
location = / {
index index.html;
}
location / {
try_files $uri @s3;
}
set $s3_backend 'https://link.tardigradeshare.io/s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon';
location @s3 {
limit_except GET {
deny all;
}
resolver 85.88.23.13 85.88.23.14 85.88.1.92;
proxy_set_header Host link.tardigradeshare.io;
proxy_set_header Connection '';
proxy_set_header Authorization '';
proxy_hide_header content-disposition;
proxy_hide_header Set-Cookie;
proxy_hide_header 'Access-Control-Allow-Origin';
proxy_hide_header 'Access-Control-Allow-Methods';
proxy_hide_header 'Access-Control-Allow-Headers';
proxy_hide_header x-amz-id-2;
proxy_hide_header x-amz-request-id;
proxy_hide_header x-amz-meta-server-side-encryption;
proxy_hide_header x-amz-server-side-encryption;
proxy_hide_header x-amz-bucket-region;
proxy_hide_header x-amzn-requestid;
proxy_ignore_headers Set-Cookie;
proxy_pass $s3_backend$uri?download;
proxy_intercept_errors off;
proxy_cache CACHE;
proxy_cache_valid 200 48h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
expires 1y;
add_header Cache-Control public;
add_header 'Access-Control-Allow-Origin' '*';
add_header X-Cache-Status $upstream_cache_status;
add_header Content-Disposition 'inline';
}
}