diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 0b7095b7f..361e4341c 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -3,6 +3,10 @@ # # Edit this file to change occurences of "example.com" to your own domain. +# Note: if this line causes an error, move it to nginx.conf +# https://github.com/nginx-proxy/nginx-proxy/issues/1365#issuecomment-668421898 +map_hash_bucket_size 128; + map $http_upgrade $connection_upgrade { default upgrade; '' close; @@ -10,10 +14,9 @@ map $http_upgrade $connection_upgrade { # ActivityPub routing. map $http_accept $activitypub_location { - default /index.html; - "application/activity+json" @proxy; - # Increase `map_hash_bucket_size` to enable this route: - # 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @proxy; + default @soapbox; + "application/activity+json" @mastodon; + 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @mastodon; } upstream backend { @@ -67,38 +70,34 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; + # Content Security Policy (CSP) + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob:; script-src 'self'; child-src 'self'; worker-src 'self';"; + # Fallback route. - # Everything not routed should fall back to the SPA. + # Try static files, then fall back to the SPA. location / { - try_files /index.html /dev/null; + try_files /dev/null @static-files; } # Mastodon backend routes. # These are routes to Mastodon's API and important rendered pages. - location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|.well-known/webfinger|.well-known/host-meta|@(.+)/embed$) { - try_files /dev/null @proxy; + location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|nodeinfo|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { + try_files /dev/null @mastodon; } # Mastodon ActivityPub routes. # Conditionally send to Mastodon by Accept header. - location ~ ^/(inbox|outbox|users|@(.+)) { - try_files $activitypub_location $activitypub_location; + location ~ ^/(inbox|users|@(.+)) { + try_files /dev/null $activitypub_location; } - # Mastodon public files. - # https://github.com/mastodon/mastodon/tree/main/public - # Take only what we need for Soapbox. - location ~ ^/(assets|favicon.ico|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|avatars/original/missing.png|headers/original/missing.png) { - root /home/mastodon/live/public; - add_header Cache-Control "public, max-age=31536000, immutable"; - add_header Strict-Transport-Security "max-age=31536000" always; - } - - # Soapbox build files. + # Soapbox & Mastodon (frontend) build files. # New builds produce hashed filenames, so these should be cached heavily. location /packs { add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; + try_files /dev/null @static-files; } # Soapbox configuration files. @@ -113,8 +112,26 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; } + # Soapbox SPA (Single Page App). + location @soapbox { + try_files /index.html /dev/null; + } + + # Mastodon public files (fallback to Soapbox SPA). + # https://github.com/mastodon/mastodon/tree/main/public + location @mastodon-public { + root /home/mastodon/live/public; + try_files $uri @soapbox; + } + + # Soapbox & Mastodon static files. + # Try Soapbox first, Mastodon, then fall back to the SPA. + location @static-files { + try_files $uri @mastodon-public; + } + # Proxy to Mastodon's Ruby on Rails backend. - location @proxy { + location @mastodon { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;