Nginx: Difference between revisions
No edit summary |
No edit summary |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Up to: [[Part Of::Wiki]] | Up to: [[Part Of::Wiki]] | ||
== | == Mastodon == | ||
=== Switching Domains === | === Object Storage === | ||
{{:Nginx/Object Storage}} | |||
== Wiki == | |||
=== Process === | |||
==== Switching Domains ==== | |||
from neuromatch.io to neuromatch social: | from neuromatch.io to neuromatch social: | ||
| Line 15: | Line 23: | ||
that's probably a pretty janky way to do it, but basically the only thing that's different from just ctrl+f'ing the domain name is the need to issue a new cert, and to issue the cert you need to have just a server block listening on `80` and certbot can take it from there. then redirecting is just "hey did you try to go here actually go over there." There are other auth mechanisms certbot can do but that's the easiest way do use the default one that i know of | that's probably a pretty janky way to do it, but basically the only thing that's different from just ctrl+f'ing the domain name is the need to issue a new cert, and to issue the cert you need to have just a server block listening on `80` and certbot can take it from there. then redirecting is just "hey did you try to go here actually go over there." There are other auth mechanisms certbot can do but that's the easiest way do use the default one that i know of | ||
== Config == | === Config === | ||
<syntaxhighlight lang="nginx"> | <syntaxhighlight lang="nginx"> | ||
| Line 122: | Line 130: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Log Rotation == | === Log Rotation === | ||
See [[Logging]] and [[Storage]] | See [[Logging]] and [[Storage]] | ||
Latest revision as of 03:36, 29 August 2024
Up to: Wiki
Mastodon
Object Storage
proxy_cache_path /var/cache/nginx-object-storage keys_zone=CACHEOBJECT:10m inactive=7d max_size=10g;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name media.neuromatch.social;
root /var/www/html;
ssl_certificate /etc/letsencrypt/live/media.neuromatch.social/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/media.neuromatch.social/privkey.pem; # managed by Certbot
keepalive_timeout 30;
location = / {
index index.html;
}
location / {
try_files $uri @s3;
}
set $s3_backend 'https://neuromatchstodon.us-east-1.linodeobjects.com';
location @s3 {
limit_except GET {
deny all;
}
resolver 8.8.8.8;
proxy_set_header Host neuromatchstodon.us-east-1.linodeobjects.com;
proxy_set_header Connection '';
proxy_set_header Authorization '';
proxy_hide_header Set-Cookie;
proxy_hide_header 'Access-Control-Allow-Origin';
proxy_hide_header 'Access-Control-Allow-Methods';
proxy_hide_header 'Access-Control-Allow-Headers';
proxy_hide_header x-amz-id-2;
proxy_hide_header x-amz-request-id;
proxy_hide_header x-amz-meta-server-side-encryption;
proxy_hide_header x-amz-server-side-encryption;
proxy_hide_header x-amz-bucket-region;
proxy_hide_header x-amzn-requestid;
proxy_ignore_headers Set-Cookie;
proxy_pass $s3_backend$uri;
proxy_intercept_errors off;
proxy_cache CACHEOBJECT;
proxy_cache_valid 200 48h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
expires 1y;
add_header Cache-Control public;
add_header 'Access-Control-Allow-Origin' '*';
add_header X-Cache-Status $upstream_cache_status;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
}
}
Wiki
Process
Switching Domains
from neuromatch.io to neuromatch social:
- swap domains in config
- comment out the http redirect server block and the cert part of the https block
- temporarily switch the `listen[::]:443` and `listen 443` for `listen[::]:80` and `listen 80`
- run certbot `sudo certbot --nginx -d wiki.neuromatch.social` which should switch the `80`'s back to `443` and create a new http block
- copy paste the redirect block and old cert info to redirect http and https from old domain to new domain
that's probably a pretty janky way to do it, but basically the only thing that's different from just ctrl+f'ing the domain name is the need to issue a new cert, and to issue the cert you need to have just a server block listening on `80` and certbot can take it from there. then redirecting is just "hey did you try to go here actually go over there." There are other auth mechanisms certbot can do but that's the easiest way do use the default one that i know of
Config
server {
server_name wiki.neuromatch.social;
root /var/www/html/mediawiki;
index index.php;
error_log /var/log/nginx/mediawiki.error;
access_log /var/log/nginx/mediawiki.access;
location / {
try_files $uri $uri/ /index.php;
}
location @rewrite {
rewrite ^/(.*)$ /index.php;
}
location ^~ /maintenance/ {
return 403;
}
location ~ /\.ht {
deny all;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include snippets/fastcgi-php.conf;
}
location /rest.php {
try_files $uri $uri/ /rest.php?$args;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/wiki.neuromatch.social/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/wiki.neuromatch.social/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# ---------------------------------
# redirect http -> https
# ---------------------------------
server {
if ($host = wiki.neuromatch.social) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name wiki.neuromatch.social;
listen 80;
listen [::]:80;
return 404; # managed by Certbot
}
# ---------------------------------
# ---------------------------------
# ---------------------------------
# redirects from olde wiki domain
# ---------------------------------
# ---------------------------------
# ---------------------------------
server {
if ($host = wiki.neuromatch.io) {
return 301 https://wiki.neuromatch.social$request_uri;
}
server_name wiki.neuromatch.io;
listen 80;
return 404;
}
server {
if ($host = wiki.neuromatch.io) {
return https://wiki.neuromatch.social$request_uri;
}
server_name wiki.neuromatch.io;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/wiki.neuromatch.io/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/wiki.neuromatch.io/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Log Rotation
in /etc/logrotate.d/nginx
/var/log/nginx/mediawiki* {
rotate 50
size 100M
dateext
dateformat -%Y-%m-%d
missingok
compress
sharedscripts
postrotate
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
endscript
}