47 changes: 37 additions & 10 deletions ansible/roles/distributed_press/templates/nginx-static.j2
Expand Up @@ -12,26 +12,36 @@ server {

error_page 404 /404.html;

add_header Cache-Control no-cache;
Contributor

Why no cache?

Collaborator Author

@fauno fauno Dec 12, 2024


If you want caches to always check for content updates while reusing stored content, no-cache is the directive to use. It does this by requiring caches to revalidate each request with the origin server.

Note that no-cache does not mean "don't cache". no-cache allows caches to store a response but requires them to revalidate it before reuse. If the sense of "don't cache" that you want is actually "don't store", then no-store is the directive to use.

source

In practice, since nginx is adding etag headers to every static file, it'll return 304 for cached urls so you save the body bytes, but still need an open connection to the webserver. It's a better alternative than guessing how long you need to cache and getting asked why a very very very recent change doesn't show up yet.

Collaborator Author


I made edits to the above comment.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header 'X-Frame-Options' 'ALLOW-FROM *';
add_header X-Frame-Options "sameorigin";
Contributor


I think we want to allow iframes for sites by default

Collaborator Author


This only forbids the site from being iframed elsewhere (like a malicious site hijacking clicks).

add_header X-XSS-Protection "1; mode=block";
Contributor


I think we want to support XSS for stuff like p2p web apps

Collaborator Author


yikes!

add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";
Contributor


Referrer could be good for our analytics when users navigate to DP from the thing in the footer. Is there a way to support that still?

Collaborator Author


This will instruct browsers to set the referer only to the origin if the destination is secure, so third-party websites can know where the visit came from but not the particular page.


add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '*';
add_header 'Access-Control-Allow-Headers' '*';
add_header 'X-Ipfs-Path' '/ipns/{{ item }}';

location /.well-known/webfinger {
default_type application/jrd+json;
}
location /.well-known/host-meta {
default_type application/xrd+xml;
}

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# Also try loading .html/.md/.gemini/.gmi files
try_files $uri $uri/ $uri.html $uri.md $uri.gmi $uri.gemini =404;

location = /.well-known/webfinger {
default_type application/jrd+json;
}

location = /.well-known/host-meta {
default_type application/xrd+xml;
}

location = /.well-known/nodeinfo {
default_type "application/jrd+json";
}
}

listen [::]:443 ssl; # managed by Certbot
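Review bot: `add_header 'Access-Control-Allow-Origin' '*'` together with `add_header 'Access-Control-Allow-Credentials' 'true'` in the same header set is contradictory: browsers reject a credentialed cross-origin response whose allowed origin is the wildcard, and the `*` in `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` is likewise only honoured for requests made without credentials. For a static site the credentials line can simply be dropped (the methods/headers lines then add nothing for plain GETs); if credentialed access is genuinely needed, echo one specific allowed origin instead of `*` and add `Vary: Origin`. Two smaller points in the same hunk: `add_header X-XSS-Protection "1; mode=block";` targets a browser filter that current browsers have removed and that was itself found to leak page content, so `"0"` or omitting the header is the usual recommendation now; and since the removed `ALLOW-FROM *` was never a valid `X-Frame-Options` value, if the intent from the discussion is to permit embedding, that is expressed with a `Content-Security-Policy` `frame-ancestors` directive, whereas `sameorigin` blocks every third-party frame.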
Expand All @@ -40,15 +50,32 @@ server {
ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

ssl_early_data on;

# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1&guideline=5.7
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

gzip_static on;

default_type "text/html";

# Some Fediverse endpoints don't include an extension and we'd need to
# configure everything. By adding index.json, we can serve these
# endpoints as directories.
index index.html index.json;
}

server {
server_name {{item}};

listen 80;
listen [::]:80;

return 301 https://{{item}}$request_uri;
return 301 https://{{item}}$request_uri;
}
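Review bot: `ssl_session_timeout`, `ssl_session_cache`, `ssl_session_tickets`, `ssl_protocols` and `ssl_ciphers` are now set in the same `server` block that still has `include /etc/letsencrypt/options-ssl-nginx.conf;`. The certbot-managed file normally sets those same directives, and nginx rejects a second `ssl_session_timeout` or `ssl_ciphers` in one context with a `directive is duplicate` error, so this should be checked with `nginx -t` on a host that has that include before merging, and either the Mozilla block should replace the include or the include should stay and these lines go. Separately, `ssl_early_data on;` enables TLS 1.3 0-RTT, whose early data can be replayed by a network attacker; that is acceptable for a read-only static site, but a comment saying so would help, since any future non-idempotent endpoint in this block would need to reject requests where `$ssl_early_data` is set.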
