infra-vintage/mastodon/nginx/nginx-files.conf

server {
  listen 443 ssl http2;

  server_name files.pub.solar;

  ssl_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;
  ssl_certificate_key /data/dehydrated/certs/files.pub.solar/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;

  # modern configuration
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  add_header Strict-Transport-Security "max-age=63072000" always;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;

  root /var/www/files;

  keepalive_timeout 30;

  location = / {
    index index.html;
  }

  location / {
    try_files $uri @s3;
  }

  set $s3_backend 'https://link.tardigradeshare.io/s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon';

  location @s3 {
    limit_except GET {
      deny all;
    }

    resolver 85.88.23.13 85.88.23.14 85.88.1.92;


    proxy_set_header Host link.tardigradeshare.io;
    proxy_set_header Connection '';
    proxy_set_header Authorization '';
    proxy_hide_header content-disposition;
    proxy_hide_header Set-Cookie;
    proxy_hide_header 'Access-Control-Allow-Origin';
    proxy_hide_header 'Access-Control-Allow-Methods';
    proxy_hide_header 'Access-Control-Allow-Headers';
    proxy_hide_header x-amz-id-2;
    proxy_hide_header x-amz-request-id;
    proxy_hide_header x-amz-meta-server-side-encryption;
    proxy_hide_header x-amz-server-side-encryption;
    proxy_hide_header x-amz-bucket-region;
    proxy_hide_header x-amzn-requestid;
    proxy_ignore_headers Set-Cookie;
    proxy_pass $s3_backend$uri?download;
    proxy_intercept_errors off;

    proxy_cache CACHE;
    proxy_cache_valid 200 48h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_lock on;

    expires 1y;
    add_header Cache-Control public;
    add_header 'Access-Control-Allow-Origin' '*';
    add_header X-Cache-Status $upstream_cache_status;
    add_header Content-Disposition 'inline';
  }
}
Init mastodon.pub.solar 2022-06-04 18:46:19 +00:00			`server {`
			`listen 443 ssl http2;`

			`server_name files.pub.solar;`

			`ssl_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;`
			`ssl_certificate_key /data/dehydrated/certs/files.pub.solar/privkey.pem;`
			`ssl_session_timeout 1d;`
			`ssl_session_cache shared:MozSSL:10m; # about 40000 sessions`
			`ssl_session_tickets off;`

			`# modern configuration`
			`ssl_protocols TLSv1.3;`
			`ssl_prefer_server_ciphers off;`

			`# HSTS (ngx_http_headers_module is required) (63072000 seconds)`
			`add_header Strict-Transport-Security "max-age=63072000" always;`

			`# OCSP stapling`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`# verify chain of trust of OCSP response using Root CA and Intermediate certs`
			`ssl_trusted_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;`

			`root /var/www/files;`

			`keepalive_timeout 30;`

			`location = / {`
			`index index.html;`
			`}`

			`location / {`
			`try_files $uri @s3;`
			`}`

			`set $s3_backend 'https://link.tardigradeshare.io/s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon';`

			`location @s3 {`
			`limit_except GET {`
			`deny all;`
			`}`

			`resolver 85.88.23.13 85.88.23.14 85.88.1.92;`


			`proxy_set_header Host link.tardigradeshare.io;`
			`proxy_set_header Connection '';`
			`proxy_set_header Authorization '';`
			`proxy_hide_header content-disposition;`
			`proxy_hide_header Set-Cookie;`
			`proxy_hide_header 'Access-Control-Allow-Origin';`
			`proxy_hide_header 'Access-Control-Allow-Methods';`
			`proxy_hide_header 'Access-Control-Allow-Headers';`
			`proxy_hide_header x-amz-id-2;`
			`proxy_hide_header x-amz-request-id;`
			`proxy_hide_header x-amz-meta-server-side-encryption;`
			`proxy_hide_header x-amz-server-side-encryption;`
			`proxy_hide_header x-amz-bucket-region;`
			`proxy_hide_header x-amzn-requestid;`
			`proxy_ignore_headers Set-Cookie;`
			`proxy_pass $s3_backend$uri?download;`
			`proxy_intercept_errors off;`

			`proxy_cache CACHE;`
			`proxy_cache_valid 200 48h;`
			`proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;`
			`proxy_cache_lock on;`

			`expires 1y;`
			`add_header Cache-Control public;`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header X-Cache-Status $upstream_cache_status;`
			`add_header Content-Disposition 'inline';`
			`}`
			`}`