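# TLS front end for files.pub.solar: serves local files from /var/www/files
# and falls back to a cached, read-only reverse proxy onto the object-storage
# share for everything else.
server {
    listen 443 ssl http2;
    server_name files.pub.solar;

    ssl_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;
    ssl_certificate_key /data/dehydrated/certs/files.pub.solar/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # modern configuration: TLS 1.3 only, client picks the cipher
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # add_header is inherited by a location only when that location declares
    # no add_header of its own, so any location below that adds headers must
    # repeat this line.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /data/dehydrated/certs/files.pub.solar/fullchain.pem;

    root /var/www/files;

    keepalive_timeout 30;

    location = / {
        index index.html;
    }

    # Serve a local file when one exists, otherwise hand over to the proxy.
    location / {
        try_files $uri @s3;
    }

    # The link-sharing access key is part of this URL, so read access to this
    # file is read access to the bucket; keep the file's permissions tight.
    set $s3_backend 'https://link.tardigradeshare.io/s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon';

    location @s3 {
        # Read-only: limit_except GET also admits HEAD, everything else is denied.
        limit_except GET {
            deny all;
        }

        # proxy_pass uses variables, so the upstream name is resolved at
        # request time and needs an explicit resolver.
        resolver 85.88.23.13 85.88.23.14 85.88.1.92;

        proxy_set_header Host link.tardigradeshare.io;
        proxy_set_header Connection '';
        # Never forward client credentials to the storage gateway.
        proxy_set_header Authorization '';

        # Drop upstream headers that would leak storage details or override
        # the headers set below.
        proxy_hide_header content-disposition;
        proxy_hide_header Set-Cookie;
        proxy_hide_header 'Access-Control-Allow-Origin';
        proxy_hide_header 'Access-Control-Allow-Methods';
        proxy_hide_header 'Access-Control-Allow-Headers';
        proxy_hide_header x-amz-id-2;
        proxy_hide_header x-amz-request-id;
        proxy_hide_header x-amz-meta-server-side-encryption;
        proxy_hide_header x-amz-server-side-encryption;
        proxy_hide_header x-amz-bucket-region;
        proxy_hide_header x-amzn-requestid;
        # Without this, responses carrying Set-Cookie would not be cached.
        proxy_ignore_headers Set-Cookie;

        # NOTE(review): $uri is the decoded, normalized path; linters such as
        # Gixy flag decoded variables in proxy_pass, so confirm that paths with
        # encoded characters are forwarded safely.
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is on. Consider enabling it together with
        # proxy_ssl_trusted_certificate (system CA bundle) and
        # proxy_ssl_server_name so the hop to the gateway is authenticated.
        proxy_pass $s3_backend$uri?download;
        proxy_intercept_errors off;

        # The CACHE zone must be declared elsewhere with proxy_cache_path.
        proxy_cache CACHE;
        proxy_cache_valid 200 48h;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;

        expires 1y;

        # This location declares add_header, so the server-level HSTS header
        # is not inherited here and has to be repeated.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Cache-Control public;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header X-Cache-Status $upstream_cache_status;
        # User-uploaded objects are rendered inline from this origin: forbid
        # MIME sniffing and give any document served from the bucket an empty
        # content policy so it cannot run script or submit forms.
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
        add_header Content-Disposition 'inline';
    }
}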