From 96ec0fa64fe23d8b312eeb577f2a387c72c31b03 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 16:29:59 -0500 Subject: [PATCH 1/9] Soapbox nginx: fix ld+json ActivityPub route --- installation/mastodon.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 0b7095b7f..ec6df7532 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -3,6 +3,10 @@ # # Edit this file to change occurences of "example.com" to your own domain. +# Note: if this line causes an error, move it to nginx.conf +# https://github.com/nginx-proxy/nginx-proxy/issues/1365#issuecomment-668421898 +map_hash_bucket_size 128; + map $http_upgrade $connection_upgrade { default upgrade; '' close; @@ -12,8 +16,7 @@ map $http_upgrade $connection_upgrade { map $http_accept $activitypub_location { default /index.html; "application/activity+json" @proxy; - # Increase `map_hash_bucket_size` to enable this route: - # 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @proxy; + 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @proxy; } upstream backend { From 645c17eb81ffa150a6679004525d30cd37e67929 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 17:12:51 -0500 Subject: [PATCH 2/9] Mastodon nginx: pull from Mastodon's /packs too --- installation/mastodon.conf | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index ec6df7532..eedc2d6fc 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -97,11 +97,12 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; } - # Soapbox build files. + # Soapbox & Mastodon (frontend) build files. # New builds produce hashed filenames, so these should be cached heavily. location /packs { add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; + try_files $uri @mastodon-public; } # Soapbox configuration files. @@ -116,6 +117,13 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; } + # Mastodon public files. + # https://github.com/mastodon/mastodon/tree/main/public + location @mastodon-public { + root /home/mastodon/live/public; + try_files $uri /index.html; + } + # Proxy to Mastodon's Ruby on Rails backend. location @proxy { proxy_set_header Host $host; From 20c5519e04eab69460e828e2e04e83299fa08c16 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 17:27:29 -0500 Subject: [PATCH 3/9] Mastodon nginx: simplify some regexes --- installation/mastodon.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index eedc2d6fc..c932239e2 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -91,7 +91,7 @@ server { # Mastodon public files. # https://github.com/mastodon/mastodon/tree/main/public # Take only what we need for Soapbox. - location ~ ^/(assets|favicon.ico|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|avatars/original/missing.png|headers/original/missing.png) { + location ~ ^/(assets|favicon.(ico|png)|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|(avatars|headers)/original/missing.png) { root /home/mastodon/live/public; add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; From 2a389ab2252a8a98918025a1c8abc65a3c31b75e Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 17:55:12 -0500 Subject: [PATCH 4/9] Mastodon nginx: simplify static files --- installation/mastodon.conf | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index c932239e2..7d1181dc2 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -73,7 +73,7 @@ server { # Fallback route. # Everything not routed should fall back to the SPA. location / { - try_files /index.html /dev/null; + try_files /dev/null @static-files; } # Mastodon backend routes. @@ -88,21 +88,12 @@ server { try_files $activitypub_location $activitypub_location; } - # Mastodon public files. - # https://github.com/mastodon/mastodon/tree/main/public - # Take only what we need for Soapbox. - location ~ ^/(assets|favicon.(ico|png)|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|(avatars|headers)/original/missing.png) { - root /home/mastodon/live/public; - add_header Cache-Control "public, max-age=31536000, immutable"; - add_header Strict-Transport-Security "max-age=31536000" always; - } - # Soapbox & Mastodon (frontend) build files. # New builds produce hashed filenames, so these should be cached heavily. location /packs { add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; - try_files $uri @mastodon-public; + try_files /dev/null @static-files; } # Soapbox configuration files. @@ -124,6 +115,12 @@ server { try_files $uri /index.html; } + # Soapbox & Mastodon static files. + # Try Soapbox first, Mastodon, then fall back to the SPA. + location @static-files { + try_files $uri @mastodon-public; + } + # Proxy to Mastodon's Ruby on Rails backend. location @proxy { proxy_set_header Host $host; From dd91f24da790a8343e19db57f59bca5fcd5e3627 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 18:04:00 -0500 Subject: [PATCH 5/9] Mastodon nginx: add .well-known routes, remove unneeded outbox route --- installation/mastodon.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 7d1181dc2..7b7a01270 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -78,13 +78,13 @@ server { # Mastodon backend routes. # These are routes to Mastodon's API and important rendered pages. - location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|.well-known/webfinger|.well-known/host-meta|@(.+)/embed$) { + location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|nodeinfo|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { try_files /dev/null @proxy; } # Mastodon ActivityPub routes. # Conditionally send to Mastodon by Accept header. - location ~ ^/(inbox|outbox|users|@(.+)) { + location ~ ^/(inbox|users|@(.+)) { try_files $activitypub_location $activitypub_location; } From d49e8c61a186042511a6f33cacbb377b5527bb3c Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 18:22:07 -0500 Subject: [PATCH 6/9] Mastodon nginx: use `@soapbox` named location for consistency --- installation/mastodon.conf | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 7b7a01270..8c1feea65 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -14,7 +14,7 @@ map $http_upgrade $connection_upgrade { # ActivityPub routing. map $http_accept $activitypub_location { - default /index.html; + default @soapbox; "application/activity+json" @proxy; 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @proxy; } @@ -71,7 +71,7 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; # Fallback route. - # Everything not routed should fall back to the SPA. + # Try static files, then fall back to the SPA. location / { try_files /dev/null @static-files; } @@ -85,7 +85,7 @@ server { # Mastodon ActivityPub routes. # Conditionally send to Mastodon by Accept header. location ~ ^/(inbox|users|@(.+)) { - try_files $activitypub_location $activitypub_location; + try_files /dev/null $activitypub_location; } # Soapbox & Mastodon (frontend) build files. @@ -108,11 +108,16 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; } - # Mastodon public files. + # Soapbox SPA (Single Page App). + location @soapbox { + try_files /index.html /dev/null; + } + + # Mastodon public files (fallback to Soapbox SPA). # https://github.com/mastodon/mastodon/tree/main/public location @mastodon-public { root /home/mastodon/live/public; - try_files $uri /index.html; + try_files $uri @soapbox; } # Soapbox & Mastodon static files. From f08da5f8f041ffadfcd59be5644841cdbda99f3a Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 18:27:11 -0500 Subject: [PATCH 7/9] Mastodon nginx: add commented out CSP --- installation/mastodon.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 8c1feea65..21b6f9d46 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -70,6 +70,10 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; + # Content Security Policy (CSP) + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + # add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob: wss://example.com; script-src 'self'; child-src 'self'; worker-src 'self';"; + # Fallback route. # Try static files, then fall back to the SPA. location / { From 83ae5d7cff815cd289a3daccedd3fb311509898b Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 18:34:53 -0500 Subject: [PATCH 8/9] Mastodon nginx: rename `@proxy` to `@mastodon` --- installation/mastodon.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 21b6f9d46..32833fe2d 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -15,8 +15,8 @@ map $http_upgrade $connection_upgrade { # ActivityPub routing. map $http_accept $activitypub_location { default @soapbox; - "application/activity+json" @proxy; - 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @proxy; + "application/activity+json" @mastodon; + 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @mastodon; } upstream backend { @@ -83,7 +83,7 @@ server { # Mastodon backend routes. # These are routes to Mastodon's API and important rendered pages. location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|nodeinfo|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { - try_files /dev/null @proxy; + try_files /dev/null @mastodon; } # Mastodon ActivityPub routes. @@ -131,7 +131,7 @@ server { } # Proxy to Mastodon's Ruby on Rails backend. - location @proxy { + location @mastodon { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 4980c04aff429b4bc8565fe8e42a9df4264d1003 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Wed, 11 May 2022 18:38:29 -0500 Subject: [PATCH 9/9] Mastodon nginx: enable CSP --- installation/mastodon.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installation/mastodon.conf b/installation/mastodon.conf index 32833fe2d..361e4341c 100644 --- a/installation/mastodon.conf +++ b/installation/mastodon.conf @@ -72,7 +72,7 @@ server { # Content Security Policy (CSP) # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy - # add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob: wss://example.com; script-src 'self'; child-src 'self'; worker-src 'self';"; + add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob:; script-src 'self'; child-src 'self'; worker-src 'self';"; # Fallback route. # Try static files, then fall back to the SPA.