Open up certbot to everyone and mastodon to my-ip only
This commit is contained in:
parent
0d053edcfe
commit
fe897152f5
2 changed files with 42 additions and 42 deletions
|
|
@ -18,7 +18,7 @@ server {
|
||||||
server_name {{ domain_name }};
|
server_name {{ domain_name }};
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
root /srv/mastodon/live/public;
|
root /srv/mastodon/src/live/public;
|
||||||
location /.well-known/acme-challenge/ {
|
location /.well-known/acme-challenge/ {
|
||||||
allow all;
|
allow all;
|
||||||
root /var/www/certbot;
|
root /var/www/certbot;
|
||||||
|
|
@ -36,10 +36,10 @@ server {
|
||||||
allow {{ my_ip }}/32;
|
allow {{ my_ip }}/32;
|
||||||
deny all;
|
deny all;
|
||||||
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/chain.pem;
|
# ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/chain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||||
|
|
@ -54,7 +54,7 @@ server {
|
||||||
sendfile on;
|
sendfile on;
|
||||||
client_max_body_size 80m;
|
client_max_body_size 80m;
|
||||||
|
|
||||||
root /srv/mastodon/live/public;
|
root /srv/mastodon/src/live/public;
|
||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_disable "msie6";
|
gzip_disable "msie6";
|
||||||
|
|
@ -147,36 +147,36 @@ server {
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^(/_matrix|/_synapse/client) {
|
# location ~ ^(/_matrix|/_synapse/client) {
|
||||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
# # note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
# # otherwise nginx will canonicalise the URI and cause signature verification
|
||||||
# errors.
|
# # errors.
|
||||||
proxy_pass http://synapse:8008;
|
# proxy_pass http://synapse:8008;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
# proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
# proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $host;
|
# proxy_set_header Host $host;
|
||||||
|
#
|
||||||
# Nginx by default only allows file uploads up to 1M in size
|
# # Nginx by default only allows file uploads up to 1M in size
|
||||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
# # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||||
client_max_body_size 50M;
|
# client_max_body_size 50M;
|
||||||
|
#
|
||||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
# # Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||||
proxy_http_version 1.1;
|
# proxy_http_version 1.1;
|
||||||
}
|
# }
|
||||||
|
#
|
||||||
location /.well-known/matrix/server {
|
# location /.well-known/matrix/server {
|
||||||
access_log off;
|
# access_log off;
|
||||||
add_header Access-Control-Allow-Origin *;
|
# add_header Access-Control-Allow-Origin *;
|
||||||
default_type application/json;
|
# default_type application/json;
|
||||||
return 200 '{"m.server": "{{ domain_name }}:443"}';
|
# return 200 '{"m.server": "{{ domain_name }}:443"}';
|
||||||
}
|
# }
|
||||||
|
#
|
||||||
location /.well-known/matrix/client {
|
# location /.well-known/matrix/client {
|
||||||
access_log off;
|
# access_log off;
|
||||||
add_header Access-Control-Allow-Origin *;
|
# add_header Access-Control-Allow-Origin *;
|
||||||
default_type application/json;
|
# default_type application/json;
|
||||||
return 200 '{"m.homeserver": {"base_url": "https://{{ domain_name }}"}}';
|
# return 200 '{"m.homeserver": {"base_url": "https://{{ domain_name }}"}}';
|
||||||
}
|
# }
|
||||||
|
|
||||||
location @proxy {
|
location @proxy {
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
||||||
|
|
@ -61,14 +61,14 @@ module "sg" {
|
||||||
egress_rules = [ "all-all" ]
|
egress_rules = [ "all-all" ]
|
||||||
|
|
||||||
ingress_with_cidr_blocks = [
|
ingress_with_cidr_blocks = [
|
||||||
# {
|
{
|
||||||
# rule = "http-80-tcp"
|
rule = "http-80-tcp"
|
||||||
# cidr_blocks = "0.0.0.0/0"
|
cidr_blocks = "0.0.0.0/0"
|
||||||
# },
|
},
|
||||||
# {
|
{
|
||||||
# },
|
rule = "https-443-tcp"
|
||||||
# {
|
cidr_blocks = "${chomp(data.http.myip.body)}/32"
|
||||||
# }
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue