nixos/mastodon: sync nginx configuration with upstream's recommendation #198130
Conversation
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
5f92424
to
ac3788b
Compare
|
As always: Please explain what you did there and why it is necessary. You are adding 170LOC nginx config and your only comment is "update nginx config". I just don't have time for figuring out where you are going here, you have to tell me. |
|
Changes:
Based on this PR - mastodon/mastodon#19438 |
|
Looks good, I'd wait with review until the upstream PR is merged. |
|
|
PR merged in upstream |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
ac3788b
to
c1f16e9
Compare
|
Small fix. |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
c1f16e9
to
498c781
Compare
| proxy_buffering off; | ||
| proxy_redirect off; |
There was a problem hiding this comment.
Is nginx buffering websockets at all? Also upstream recommends against this unless long polling is used.
There was a problem hiding this comment.
I find it difficult to answer.
I have been using this configuration on my instance for a long time. I didn't notice any suspicious errors.
There was a problem hiding this comment.
It might be that errors only occur in very specific scenarios and not at all on lightly used instances. In question I'd rather would like to drop this.
There was a problem hiding this comment.
In upstream the proxy_redirect parameter is disabled:
location ^~ /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass http://streaming;
proxy_buffering off;
proxy_redirect off;
...
There was a problem hiding this comment.
To me this looks fine, as in it replicates what upstream does? That is the only thing I understand about this tbh, wether it replicates the behaviour recommended by upstream.
There was a problem hiding this comment.
I set the same parameters and values as in the upstream.
I don't know much about proxying.
There was a problem hiding this comment.
I am not feeling to great about just copying upstream values especially if we are not sure if they also not just copied that from somewhere without deeper thought.
Izorkin
force-pushed
the
update-mastodon-nginx
branch
3 times, most recently
from
cdc2c7c
to
01a0c97
Compare
|
Added missing proxy headers. |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
01a0c97
to
53e8986
Compare
|
Removed |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
53e8986
to
7c7d94f
Compare
|
Added location and settings for sw.js.map file (mastodon ver 4.0.0rc1). |
| locations."= /sw.js" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2110; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=604800, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."= /sw.js.map" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2120; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=604800, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /assets/" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2210; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
There was a problem hiding this comment.
There is a lot of repetition here. Can you use listToAttrs or so for locations?
There was a problem hiding this comment.
Duplicate lines have already been moved to the nginxCommonHeaders variable.
There was a problem hiding this comment.
there's still a lot of duplication, particularly the tryFiles and Cache-Control headers, which are the same for each location except sw.js. +1 to turion's suggestion of listToAttrs, especially if priority isn't necessary
There was a problem hiding this comment.
I don't see how it can be done. Are there any examples?
There was a problem hiding this comment.
in #202408 i declare sidekiqUnits which calls lib.attrsets.mapAttrs' to transform cfg.sidekiqProcesses (an attrset of attrsets containing jobClasses and threads) into a bunch of systemd units based on a template. I then merge those units with the rest of the config using lib.attrsets.recursiveUpdate.
I think you could take a similar approach here by declaring an attrset of attrsets containing things like the cache-control max-age and the headers to use. you could also have an extraAttrs attr that you merge into the location's attrset and taking precedence over whatever's in the template, if you wanted maximum flexibility for setting location-specific settings, or you could have an extraConfig attr that is simply appended.
There was a problem hiding this comment.
I think this will make it harder to read nginx configuration.
I used a similar variant in PeerTube service:
nixpkgs/nixos/modules/services/web-apps/peertube.nix
Lines 467 to 744 in 2afac7a
|
This is a lot of custom config. It is bound to go out of sync with the upstream recommendations eventually. Can we maybe instead simply use the upstream source config file and include it instead of replicating it? https://github.com/mastodon/mastodon/pull/19438/files#diff-47fc0317b265a70f29e18f9c34069ba84a520061e96d0b2dd03c9ee16cfc6b3e |
I don't think we have another way than to configure nginx through the NixOS module system, right? |
Yes, but I would have thought one can use |
|
Probably rather |
This is difficult to adapt, also the flexibility of the host configuration will be lost. For example it will not be possible to activate http2/3 protocols. |
|
Updated and rebased PR. |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
2 times, most recently
from
af237ae
to
a51989b
Compare
| nginxCommonHeaders = '' | ||
| add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; | ||
| '' | ||
| # Mastodon in upstream is not supported HTTP3 protocol. |
There was a problem hiding this comment.
| # Mastodon in upstream is not supported HTTP3 protocol. | |
| # Upstream does not supported HTTP3 protocol |
Why do we have this, if upstream is not supporting it? Wouldn't we break things then?
There was a problem hiding this comment.
Fixed.
It won't break. I've been using the HTTP3 protocol on my copy for a long time.
| add_header Alt-Svc 'h3=":443"; ma=86400'; | ||
| ''; | ||
|
|
||
| nginxProxyHeaders = '' |
There was a problem hiding this comment.
I don't think we generally consider double proxies. I would just go with recommendedProxyConfig and write a changelog entry that if you are double proxying, you need to change your config.
| locations."= /sw.js" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2110; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=604800, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."= /sw.js.map" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2120; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=604800, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /assets/" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2230; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /avatars/" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2240; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /emoji/" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2250; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /headers/" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2260; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /packs/" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2270; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /sounds/" = { | ||
| tryFiles = "$uri =404"; | ||
| priority = 2280; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, must-revalidate'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; | ||
|
|
||
| locations."^~ /system/" = { | ||
| tryFiles = "$uri =404"; | ||
| alias = "/var/lib/mastodon/public-system/"; | ||
| priority = 2290; | ||
|
|
||
| extraConfig = '' | ||
| add_header Cache-Control 'public, max-age=2419200, immutable'; | ||
| ${nginxCommonHeaders} | ||
| ''; | ||
| }; |
There was a problem hiding this comment.
Those all seem to be duplicated except of the priority. I would say we move the common things in to a variable and merge the priority into that.
let
commonLocation = {
tryFiles = "$uri =404";
extraConfig = ''
add_header Cache-Control 'public, max-age=2419200, immutable';
${nginxCommonHeaders}
'';
};
in
locations."^~ /system/" = commonLocatuion / {
alias = "/var/lib/mastodon/public-system/";
priority = 2290;
};
There was a problem hiding this comment.
There are several different options, and you have to include variables for each one. It seems to me that this just makes it harder to view configuration.
| proxy_buffering off; | ||
| proxy_redirect off; |
There was a problem hiding this comment.
I am not feeling to great about just copying upstream values especially if we are not sure if they also not just copied that from somewhere without deeper thought.
Izorkin
force-pushed
the
update-mastodon-nginx
branch
2 times, most recently
from
0673157
to
accd5a4
Compare
|
Add hardened headers to user-uploaded files: |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
accd5a4
to
f94eb38
Compare
|
Rebased PR. diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 52a2708bde64..f5756b339396 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -789,6 +789,9 @@ in {
upstreams = {
"backend-mastodon-streaming" = {
servers = { ${if cfg.enableUnixSocket then "unix:/run/mastodon-streaming/streaming.socket" else "127.0.0.1:${toString cfg.streamingPort}"} = { fail_timeout = "0"; }; };
+ extraConfig = ''
+ least_conn;
+ '';
};
"backend-mastodon-web" = {
servers = { ${if cfg.enableUnixSocket then "unix:/run/mastodon-web/web.socket" else "127.0.0.1:${toString cfg.webPort}"} = { fail_timeout = "0"; }; };
cc @erictapen |
|
The rest of it would be good to merge as well. |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
f94eb38
to
814eebd
Compare
|
Rebased and updated PR. |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
814eebd
to
9e6e4b0
Compare
|
Update nginx configuration. |
Izorkin
requested review from
SuperSandro2000
and removed request for
SuperSandro2000
Izorkin
force-pushed
the
update-mastodon-nginx
branch
3 times, most recently
from
9281915
to
484beb7
Compare
|
Remove |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
484beb7
to
d580ed7
Compare
|
Update nginx locations block. |
Izorkin
force-pushed
the
update-mastodon-nginx
branch
2 times, most recently
from
fae33b5
to
9cc7c5e
Compare
Izorkin
force-pushed
the
update-mastodon-nginx
branch
from
9cc7c5e
to
638821d
Compare
Description of changes
Update nginx configuration.
cc @erictapen @SuperSandro2000
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes