Nginx



Mastodon

Object Storage

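# Shared cache for proxied object-storage responses: 10 MB of key metadata,
# entries not hit for 7 days are evicted, and the on-disk footprint is capped at 10 GB.
proxy_cache_path /var/cache/nginx-object-storage keys_zone=CACHEOBJECT:10m inactive=7d max_size=10g;

# Read-only caching proxy in front of the Mastodon media bucket. Browsers only
# ever see media.neuromatch.social; the bucket name, provider and the bucket's
# own response headers are hidden, and hot objects are served from local cache.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name media.neuromatch.social;
  root /var/www/html;
    ssl_certificate /etc/letsencrypt/live/media.neuromatch.social/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/media.neuromatch.social/privkey.pem; # managed by Certbot
  # NOTE(review): unlike the wiki vhost, this block does not include
  # /etc/letsencrypt/options-ssl-nginx.conf, so TLS protocol/cipher settings are
  # whatever the installed nginx defaults to. Include it if this host has it.

  keepalive_timeout 30;

  location = / {
    index index.html;
  }

  # Files present under the docroot are served locally; everything else is a
  # cache lookup / bucket fetch via the named location below.
  location / {
    try_files $uri @s3;
  }

  set $s3_backend 'https://neuromatchstodon.us-east-1.linodeobjects.com';

  location @s3 {
    # Read-only: only GET (HEAD is implicitly allowed too) may reach the bucket.
    limit_except GET {
      deny all;
    }

    # Required because proxy_pass below uses a variable, so the bucket hostname is
    # resolved at request time rather than at startup.
    # NOTE(review): this is plaintext DNS to a third-party resolver; a local
    # resolver (e.g. the host's systemd-resolved/unbound) is preferable.
    resolver 8.8.8.8;

    # nginx does NOT verify upstream TLS certificates by default. Without these,
    # a spoofed DNS answer or on-path attacker between this host and the bucket
    # could feed forged media into a cache that is then served for up to 48h.
    # Send SNI and verify the endpoint's chain against the system CA bundle.
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Debian/Ubuntu bundle path; adjust for other distros

    proxy_set_header Host neuromatchstodon.us-east-1.linodeobjects.com;
    proxy_set_header Connection '';
    # Never forward a client's credentials to the bucket.
    proxy_set_header Authorization '';
    # Strip cookies and provider-identifying / internal headers from bucket responses.
    proxy_hide_header Set-Cookie;
    proxy_hide_header 'Access-Control-Allow-Origin';
    proxy_hide_header 'Access-Control-Allow-Methods';
    proxy_hide_header 'Access-Control-Allow-Headers';
    proxy_hide_header x-amz-id-2;
    proxy_hide_header x-amz-request-id;
    proxy_hide_header x-amz-meta-server-side-encryption;
    proxy_hide_header x-amz-server-side-encryption;
    proxy_hide_header x-amz-bucket-region;
    proxy_hide_header x-amzn-requestid;
    proxy_ignore_headers Set-Cookie;
    # $uri is the normalized request path (dot-segments already resolved);
    # because the target is built from a variable nginx sends it upstream as-is.
    proxy_pass $s3_backend$uri;
    proxy_intercept_errors off;

    # Caching is safe here because every response is public media and client
    # Authorization is stripped above, so nothing user-specific can be cached.
    proxy_cache CACHEOBJECT;
    proxy_cache_valid 200 48h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    # Collapse concurrent misses for the same object into a single upstream fetch.
    proxy_cache_lock on;

    expires 1y;
    add_header Cache-Control public;
    add_header 'Access-Control-Allow-Origin' '*';
    add_header X-Cache-Status $upstream_cache_status;
    # Objects are user-uploaded: forbid MIME sniffing and any script/form
    # execution should a browser render a cached object directly.
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
  }

}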

Wiki

Process

Switching Domains

From neuromatch.io to neuromatch.social:

  • swap domains in config
  • comment out the http redirect server block and the cert part of the https block
  • temporarily change `listen [::]:443` and `listen 443` to `listen [::]:80` and `listen 80`
  • run certbot `sudo certbot --nginx -d wiki.neuromatch.social` which should switch the `80`'s back to `443` and create a new http block
  • copy paste the redirect block and old cert info to redirect http and https from old domain to new domain

That's probably a pretty janky way to do it, but the only thing that differs from just find-and-replacing the domain name is the need to issue a new certificate. To issue it with certbot's default HTTP-01 challenge, the new hostname must already resolve to this host and a server block for it must be listening on port `80`; certbot takes it from there. Redirecting is then just "if you tried to go here, go over there instead." Certbot supports other challenge types (e.g. DNS-01, which does not need port 80 reachable), but this is the easiest way I know to use the default one. One caveat: the old domain's certificate is still used by its HTTPS redirect block, so it must keep renewing for as long as that redirect is kept, which means the old name has to keep resolving to this host until you retire both together.

Config

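# MediaWiki vhost (HTTPS). Plain HTTP for this name is redirected by the block below.
server {
    server_name wiki.neuromatch.social;

    root /var/www/html/mediawiki;
    index index.php;

    error_log /var/log/nginx/mediawiki.error;
    access_log /var/log/nginx/mediawiki.access;

    # Anything that is not a real file or directory goes to MediaWiki's front controller.
    location / {
        try_files $uri $uri/ /index.php;
    }

    # Unused: nothing references @rewrite (try_files above falls back to /index.php directly).
    location @rewrite {
        rewrite ^/(.*)$ /index.php;
    }

    # Maintenance scripts are CLI-only; never serve them over HTTP.
    location ^~ /maintenance/ {
        return 403;
    }

    # Defense in depth: never hand a file under the upload directory to PHP,
    # even if MediaWiki's upload filters were ever bypassed. Regex locations are
    # matched in order of appearance, so this must precede the generic \.php$
    # handler below.
    # NOTE(review): assumes the default upload path /images; adjust if
    # $wgUploadPath/$wgUploadDirectory point elsewhere.
    location ~ ^/images/.*\.php$ {
        deny all;
    }

    location ~ /\.ht {
        deny all;
    }

    # NOTE(review): PHP 7.4 reached upstream end-of-life in Nov 2022. Confirm the
    # distro is still shipping security fixes for this php-fpm, or upgrade.
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # Distro snippet (not shown here). On Debian/Ubuntu it normally carries
        # `try_files $fastcgi_script_name =404`, which blocks the
        # "/upload.jpg/x.php" path-info trick; verify it does on this host.
        include snippets/fastcgi-php.conf;
    }

    # REST API lives at /rest.php/v1/...; the regex above only matches paths that
    # END in .php, so this prefix location catches the longer paths and rewrites
    # them back onto rest.php, which then hits the PHP handler.
    location /rest.php {
        try_files $uri $uri/ /rest.php?$args;
    }


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/wiki.neuromatch.social/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wiki.neuromatch.social/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}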


# ---------------------------------
# redirect http -> https
# ---------------------------------

# Certbot-generated plain-HTTP vhost for the wiki: requests whose Host is the
# wiki name get a permanent redirect to HTTPS; anything else that lands here
# (this is the default :80 server) gets a 404.
server {
    listen 80;
    listen [::]:80;
    server_name wiki.neuromatch.social;

    if ($host = wiki.neuromatch.social) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}

# ---------------------------------
# ---------------------------------
# ---------------------------------
# redirects from olde wiki domain
# ---------------------------------
# ---------------------------------
# ---------------------------------

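# Plain-HTTP requests for the OLD wiki hostname: send them straight to the new
# hostname over HTTPS in a single hop.
server {
    if ($host = wiki.neuromatch.io) {
        return 301 https://wiki.neuromatch.social$request_uri;
    }

    server_name wiki.neuromatch.io;

    listen 80;
    # Mirror the IPv6 listener of the other :80 block. Without it, IPv6 clients
    # of the old name (if it has an AAAA record) land on that block as the
    # default server and get its 404 instead of this redirect.
    listen [::]:80;
    return 404;

}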

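# HTTPS requests for the OLD wiki hostname, redirected to the new one. The old
# certificate is kept so browsers with bookmarked URLs do not get a TLS error
# before the redirect.
server {
    if ($host = wiki.neuromatch.io) {
        # Was a bare `return <url>`, which nginx treats as a 302 (temporary).
        # The move is permanent, so use 301 like the :80 block above.
        return 301 https://wiki.neuromatch.social$request_uri;
    }

    server_name wiki.neuromatch.io;
    listen 443 ssl;
    # Mirror the IPv6 listener so IPv6 clients of the old name (if it has an
    # AAAA record) reach this block instead of the default :443 server, whose
    # certificate does not cover this hostname.
    listen [::]:443 ssl;

    # NOTE(review): this certificate must keep renewing for as long as the
    # redirect is kept, which requires wiki.neuromatch.io to keep resolving here.
    ssl_certificate /etc/letsencrypt/live/wiki.neuromatch.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wiki.neuromatch.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}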

Log Rotation

See Logging and Storage

in /etc/logrotate.d/nginx

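# Rotation for the MediaWiki vhost's access/error logs.
# NOTE(review): dateformat -%Y-%m-%d yields one unique name per day; if
# logrotate is ever run more often than daily with `size`, a second rotation
# on the same day will find the destination already present and skip.
/var/log/nginx/mediawiki* {
  rotate 50
  size 100M
  dateext
  dateformat -%Y-%m-%d
  missingok
  compress
  # USR1 only asks nginx to reopen its logs; workers may still be appending to
  # the just-rotated file for a moment afterwards. Compressing on the NEXT
  # cycle instead of immediately avoids truncating those last lines.
  delaycompress
  sharedscripts
  postrotate
        [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
  endscript
}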