nginx
Jake Jarvis edited this page Dec 22, 2022
·
10 revisions
Without a default site, requests made directly to the IP address (e.g. http://123.123.123.123) will still hit the Mastodon backend and cause a lot of noise in the logs.
- https://docs.j7k6.org/nginx-default-ssl-site/
- https://docs.j7k6.org/debian-ssl-snakeoil-certificate/
# Create a self-signed placeholder ("snakeoil") certificate and key for the
# catch-all HTTPS site: RSA 4096, SHA-256, valid for 3650 days, CN=localhost.
# -nodes leaves the private key unencrypted on disk so nginx can read it
# without a passphrase; its protection is therefore only the file permissions.
# NOTE(review): these are the same paths Debian's ssl-cert package uses, so an
# existing snakeoil pair at these locations is overwritten — confirm nothing
# else on the host relies on it.
openssl req -x509 -sha256 -nodes \
    -newkey rsa:4096 \
    -days 3650 \
    -subj "/CN=localhost" \
    -keyout /etc/ssl/private/ssl-cert-snakeoil.key \
    -out /etc/ssl/certs/ssl-cert-snakeoil.pem
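This site conf catches all non-Mastodon requests for both HTTP and HTTPS. 444 is a non-standard, nginx-specific code that makes nginx close the connection without sending any response. On the HTTPS side, ssl_reject_handshake additionally aborts the TLS handshake for server names that no other site claims.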
# Catch-all plain-HTTP site. default_server makes this block the target for
# any request on port 80 (IPv4 and IPv6) whose Host header matches no other
# server block, e.g. requests addressed to the bare IP.
server {
    server_name _;

    listen 80 default_server;
    listen [::]:80 default_server;

    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}
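# Catch-all HTTPS site for port 443 (IPv4 and IPv6): handles every connection
# whose server name is not claimed by another server block.
server {
    # "ssl" is stated explicitly so this block enables TLS on the socket by
    # itself instead of relying on another site's listen directive to do so.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Abort the TLS handshake for connections that land in this block, so
    # scanners hitting the bare IP never complete a handshake.
    ssl_reject_handshake on;

    # Self-signed placeholder pair. NOTE(review): with ssl_reject_handshake on,
    # nginx should not need a certificate in this block at all — confirm
    # against the installed nginx version before removing these two lines.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Looks irrelevant for a site that rejects everything, but without it
    # Mastodon gets stuck on TLS v1.2. Most likely cause: the TLS protocol
    # versions offered on a listen socket are taken from its default server,
    # so this block has to allow v1.3 for any other site to negotiate it.
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Any request that still reaches this block is dropped without a response.
    return 444;
}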
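# Enable the catch-all site by linking it into sites-enabled.
ln -s /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
# Validate the configuration first; the reload is only sent if the test passes.
nginx -t && nginx -s reload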
- https://github.com/google/ngx_brotli
- https://www.atlantic.net/dedicated-server-hosting/how-to-install-brotli-module-for-nginx-on-ubuntu-20-04/
- https://linuxhint.com/enable-brotli-compression-nginx/
- https://www.bowsercache.com/blog/enable-brotli-for-nginx-on-ubuntu-20-04/#install-the-brotli-module-for-nginx
Add a deb-src line to /etc/apt/sources.list.d/nginx.list:
# nginx.org package repository for Ubuntu focal. signed-by restricts which
# keyring may vouch for this repository, so APT's signature verification is
# what protects package integrity here; the transport itself is plain http.
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu/ focal nginx
# Source entry for the same repository, needed by "apt-get source" and
# "apt-get build-dep".
deb-src [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu/ focal nginx
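# Build ngx_brotli as a dynamic module against the packaged nginx source.
cd /usr/local/src

# Fetch the nginx source package and its build dependencies through APT
# (this needs the deb-src entry in the nginx sources list).
apt-get source nginx
apt-get build-dep nginx -y

# NOTE(review): this builds whatever the default branch and its submodules
# point to at clone time, and the resulting .so is loaded into nginx.
# Consider reviewing and checking out a fixed commit before building, e.g.
#   git -C ngx_brotli checkout <REVIEWED_COMMIT>          # placeholder
#   git -C ngx_brotli submodule update --init --recursive
git clone --recursive https://github.com/google/ngx_brotli

# The directory name carries the version apt fetched (1.22.1 when this was
# written). It has to match the installed nginx (check with "nginx -v"),
# otherwise the module is rejected at load time.
# The steps are chained so a wrong directory or a failed build stops here
# instead of running configure/cp from the wrong place.
cd nginx-1.22.1/ &&
    ./configure --with-compat --add-dynamic-module=../ngx_brotli &&
    make modules &&
    cp ./objs/ngx_http_brotli_*.so /usr/lib/nginx/modules/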
# Load the two brotli modules built above. load_module belongs in the main
# (top-level) context of nginx.conf, before the events/http blocks.
# NOTE(review): the relative "modules/" path presumably resolves to
# /usr/lib/nginx/modules/ where the .so files were copied — confirm on the host.
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
# Brotli settings for a site; the "# ..." lines stand for the rest of the
# existing server block.
server {
    # ...

    # note: keep gzip config as fallback
    # On-the-fly compression at level 4 for responses of at least 256 bytes.
    brotli on;
    brotli_comp_level 4;
    brotli_min_length 256;

    # Also serve pre-compressed files when they exist.
    brotli_static on;

    # MIME types compressed on the fly, grouped by family.
    # NOTE(review): compressing HTTPS responses that contain both a secret and
    # request-influenced content is exposed to BREACH-style length side
    # channels (this applies to gzip as well) — check whether any of the
    # dynamic types below carry such responses.
    brotli_types
        application/atom+xml
        application/javascript
        application/json
        application/rss+xml
        application/vnd.ms-fontobject
        application/x-font-opentype
        application/x-font-truetype
        application/x-font-ttf
        application/x-javascript
        application/xhtml+xml
        application/xml
        font/eot
        font/opentype
        font/otf
        font/truetype
        image/svg+xml
        image/vnd.microsoft.icon
        image/x-icon
        image/x-win-bitmap
        text/css
        text/javascript
        text/plain
        text/xml;

    # ...
}
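# test & reload changes (the reload is only sent if the config test passes):
nginx -t && nginx -s reload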