Hello all!

I finally got my Lemmy instance up and running yay!

It runs on a local machine, I have nginx installed and my website pointing onto it.

lemmy.mindoki.com => my_static_ip(port 80) => local_ip => nginx

In nginx I just set up a hello world message, and it works out. lemmy.mindoki.com shows it.

Now, my Lemmy instance is accessible on 0.0.0.0:1236 but obviously only from inside the hosting machine itself.

I have tinkered a bit with the nginx.conf but I feel there are a lot of things to do wrong, especially as it’s ‘dynamic’, but also it seems like a schoolbook example (for Lemmy, so no hits on my favourite search engine), so maybe someone has a working nginx.conf file to spare for a basic setup like this?

Thanks a bunch!

  • Max-P@lemmy.max-p.me
    1 year ago

    Can you describe your setup in more detail? Are you using the Docker setup with also NGINX running on the host outside of Docker?

    If so, nginx_internal.conf must be passed in as a volume to the inner NGINX via the docker-compose. On the host, you only need the bits from nginx.conf. Don’t try to use the internal ones, it doesn’t make sense.

    If you post your configs it will be easier to pinpoint exactly what’s wrong. Also paste the output of docker ps.

    • Valmond@lemmy.mlOP
      1 year ago

      I’m off one week on holidays, will sure post all config when I come back, thanks again!

    • Valmond@lemmy.mlOP
      1 year ago

      Hello, I’m back with more questions and clarifications!

      This is what I did to install Lemmy:

      Install a fresh Linux Mint on an old PC.

      Follow the ‘official’ docker install: https://join-lemmy.org/docs/administration/install_docker.html

      I continued with nginx, Let's Encrypt etc.

      I also installed PostgreSQL and added a user Lemmy.

      I forward a TCP connection from my fixed public IP to the lemmy PC and pointed lemmy.mindoki.com with an A redirection onto that public IP:PORT.

      The only ‘exotic’ thing done was that I added these lines to /home/fediverse/.bashrc :

      export LEMMY_CONFIG_LOCATION="/media/fediverse/Storage/lemmy/lemmy.hjson"

      LEMMY_DATABASE_URL="postgres://lemmy:redacted_password@localhost:5432/lemmy"

      . "$HOME/.cargo/env"

      I don’t think (but not completely sure) that the last line was added by me manually.

      Now I can access Lemmy locally on localhost:1236 and everything works (inscription, creations of ‘subs’ etc).

      I added the nginx.conf config file at the end of this message (some lines are commented out to make it work at all).

      Almost feels like I should have a very much shorter nginx config file 🙃

      Thanks again!

      Cheers

      .

      .

      .

      nginx.conf :

      worker_processes auto;

      events { worker_connections 1024; }

      http {

      limit_req_zone $binary_remote_addr zone=lemmy.mindoki.com_ratelimit:10m rate=1r/s;
      
      server {
          listen 80;
          listen [::]:80;
          server_name lemmy.mindoki.com;
          # Hide nginx version
          server_tokens off;
          location /.well-known/acme-challenge/ {
              root /var/www/certbot;
          }
          location / {
              return 301 https://$host$request_uri;
          }
      }
      
      server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          server_name lemmy.mindoki.com;
      
          ssl_certificate /etc/letsencrypt/live/lemmy.mindoki.com/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/lemmy.mindoki.com/privkey.pem;
      
      
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_prefer_server_ciphers on;
          ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
          ssl_session_timeout  10m;
          ssl_session_cache shared:SSL:10m;
          ssl_session_tickets on;
          ssl_stapling on;
          ssl_stapling_verify on;
      
          # Hide nginx version
          server_tokens off;
      
          # Enable compression for JS/CSS/HTML bundle, for improved client load times.
          # It might be nice to compress JSON, but leaving that out to protect against potential
          # compression+encryption information leak attacks like BREACH.
          gzip on;
          gzip_types text/css application/javascript image/svg+xml;
          gzip_vary on;
      
          # Various content security headers
          add_header Referrer-Policy "same-origin";
          add_header X-Content-Type-Options "nosniff";
          add_header X-Frame-Options "DENY";
          add_header X-XSS-Protection "1; mode=block";
      
      
          location / {
            proxy_pass http://0.0.0.0:1236;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
      }
      
      access_log /var/log/nginx/access.log combined;
      
      
      
      # We construct a string consisting of the "request method" and "http accept header"
      # and then apply some simple regexp matches to that combination to decide on the
      # HTTP upstream we should proxy the request to.
      #
      # Example strings:
      #
      #   "GET:application/activity+json"
      #   "GET:text/html"
      #   "POST:application/activity+json"
      #
      # You can see some basic match tests in this regex101 matching this configuration
      # https://regex101.com/r/vwMJNc/1
      #
      # Learn more about nginx maps here http://nginx.org/en/docs/http/ngx_http_map_module.html
      map "$request_method:$http_accept" $proxpass {
          # If no explicit matches exists below, send traffic to lemmy-ui
          default "http://lemmy-ui";
      
          # GET/HEAD requests that accepts ActivityPub or Linked Data JSON should go to lemmy.
          #
          # These requests are used by Mastodon and other fediverse instances to look up profile information,
          # discover site information and so on.
          "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://lemmy";
      
          # All non-GET/HEAD requests should go to lemmy
          #
          # Rather than calling out POST, PUT, DELETE, PATCH, CONNECT and all the verbs manually
          # we simply negate the GET|HEAD pattern from above and accept all possibly $http_accept values
          "~^(?!(GET|HEAD)).*:" "http://lemmy";
      }
      
      #upstream lemmy {
          # this needs to map to the lemmy (server) docker service hostname
      #    server "lemmy:8536";
      #}
      
      #upstream lemmy-ui {
          # this needs to map to the lemmy-ui docker service hostname
      #    server "lemmy-ui:1234";
      #}
      
      server {
          # this is the port inside docker, not the public one yet
          listen 1236;
          listen 8536;
      
          # change if needed, this is facing the public web
          server_name localhost;
          server_tokens off;
      
          gzip on;
          gzip_types text/css application/javascript image/svg+xml;
          gzip_vary on;
      
          # Upload limit, relevant for pictrs
          client_max_body_size 20M;
      
          add_header X-Frame-Options SAMEORIGIN;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
      
          # frontend general requests
          location / {
              proxy_pass $proxpass;
      
              rewrite ^(.+)/+$ $1 permanent;
      
              # Send actual client IP upstream
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
      
          # backend
          location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
              proxy_pass "https://lemmy";
      
              # proxy common stuff
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
      
              # Send actual client IP upstream
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
      }
      

      }
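
The split Max-P describes above, as an added example that is not part of the original posts and not the Lemmy project's own file: a host-side nginx.conf that only terminates TLS and forwards to the port the Docker stack publishes. It assumes docker-compose publishes the inner proxy on 127.0.0.1:1236; the client_max_body_size line is an addition that is not in the posted 443 block.

```nginx
# Added example, not the poster's file: host-side nginx.conf only.
# Assumption: docker-compose publishes the inner proxy on 127.0.0.1:1236.
worker_processes auto;
events { worker_connections 1024; }

http {
    access_log /var/log/nginx/access.log combined;
    server_tokens off;

    server {
        listen 80;
        listen [::]:80;
        server_name lemmy.mindoki.com;
        location /.well-known/acme-challenge/ { root /var/www/certbot; }
        location / { return 301 https://$host$request_uri; }
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name lemmy.mindoki.com;

        ssl_certificate     /etc/letsencrypt/live/lemmy.mindoki.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lemmy.mindoki.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;

        # nginx defaults to 1m; match the 20M pictrs limit of the inner proxy.
        client_max_body_size 20M;

        add_header Referrer-Policy "same-origin";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "DENY";

        location / {
            # Loopback only: the container port is reached through this proxy.
            proxy_pass http://127.0.0.1:1236;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    # No map, upstream or "listen 1236" server block here: those belong to
    # nginx_internal.conf, mounted into the container's nginx.
}
```

The limit_req_zone from the posted file is left out because no limit_req directive in that file applies it, so it has no effect there.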

      • Valmond@lemmy.mlOP
        1 year ago

        EDIT: The site itself works now, so I “only” need help with nginx :-)

        EDIT: DISCARD THE FOLLOWING LINES (Strike-through doesn’t seem to work):

        ~~BTW, I get a handful of errors when I start Lemmy :

        thread ‘main’ panicked at 'Error connecting to postgres://lemmy:thepassword@postgres:5432/lemmy: could not connect to server: Connection refused

        lemmy_1 | Is the server running on host “postgres” (172.18.0.2) and accepting

        lemmy_1 | TCP/IP connections on port 5432?

        I do not know at all where that 172.18.0.2 address comes from sweating :-D~~