docs: improve nginx config

[bt90]

Incorporates the changes mentioned in #552:

• enable IPv6
• enable HTTP2
• ssl config according to https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6

[binwiederhier]

Thanks for the PR. I actually tried the http2 config in a VM and it seems fine. Though the proxy_http_version is still set to 1.1. Gotta try that too. The real production config is here btw: https://github.com/binwiederhier/ntfy-ansible/ -- What you changed is just the docs (which is also important!).

(Edit: Apparently http2 is not supported in the proxy module; https://serverfault.com/questions/765258/use-http-2-0-between-nginx-reverse-proxy-and-backend-webserver)

As for IPv6, I don't think I can enable that without changes to the application. See #519 for details. So maybe lets split those changes into two separate things.

[binwiederhier]

That mozilla SSL config tool is amazing!

[bt90]

So far no problems with IPv6, although I use caddy as a reverse proxy. At least for the self-hosted usecase, rate limiting should not be a huge problem. But I agree that it's tricky: https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/

Applying rate limits to, say, /64 subnets seems like a solid approach.

btw sorry for the confusion. @otbutz is my work account ;)

[bt90]

Though the proxy_http_version is still set to 1.1

Without TLS in the backend that's most you can get if you don't support h2c (HTTP2 cleartext):

https://pkg.go.dev/golang.org/x/net/http2/h2c

The benefit is most likely not noticeable. HTTP/2 and HTTP/3 only offer real improvements over a WAN link.

[bt90]

A Unix domain socket on the other hand might be a real improvement 😉

[binwiederhier]

A Unix domain socket on the other hand might be a real improvement wink

ntfy does support unix sockets. Actually that may be pretty awesome, because that would cut the number of open files in half, right?

[binwiederhier]

See binwiederhier/ntfy-ansible#1

[francislavoie]

FYI, the Mozilla SSL config site is no longer maintained, as far as I know. https://twitter.com/CubicleApril/status/1438940565916225545

I would suggest using Caddy instead to simplify the setup here. Disclaimer: I help maintain Caddy. A Caddyfile config would be as simple as this, I believe:

ntfy.my.domain {
    reverse_proxy ntfy:80
}

Automates HTTPS, HTTP->HTTPS redirects, HTTP/2 and HTTP/3, modern security by default, good proxy defaults. Does everything that Nginx config does, in only 3 lines of config, and removes the need for certbot. Upgrading Caddy will keep your server secure, without needing to futz with cipher config.

You could proxy via a Unix socket file if you like. You could also proxy over h2c if that's necessary (but probably isn't, HTTP/1 is plenty fast on the local machine). IPv6 is supported.

[bt90]

@binwiederhier should I remove the IPv6 related changes for now?

[binwiederhier]

Hi @francislavoie, I have heard only good things about Caddy. I look forward to the day that I get to use it. I have instructions for Caddy in the docs already, but I have not (yet) switched on ntfy.sh.

Right now I have no reason to switch, because everything works beautifully and I have 8,000,000 other things to work on :-) While I'm sure that Caddy is easy, it's another thing to learn and I'd spend a few days changing and testing the ansible playbook and such. If it ain't broke, don't fix it... There will come a day when it'll be Caddy's turn!

@bt90 Let me take the rest of the PR and change it according to what I've done in the ansible. You've done enough. Thank you for kicking this off (despite the fact that it caused a bunch of work that I didn't want to do, hehe). The nginx config was quite outdated.