Open up certbot to everyone and mastodon to my-ip only

Erik Stambaugh 2024-01-20 19:06:00 -08:00
parent 0d053edcfe
commit fe897152f5
2 changed files with 42 additions and 42 deletions


@ -18,7 +18,7 @@ server {
server_name {{ domain_name }};
listen 80;
listen [::]:80;
root /srv/mastodon/live/public;
root /srv/mastodon/src/live/public;
location /.well-known/acme-challenge/ {
allow all;
root /var/www/certbot;
@ -36,10 +36,10 @@ server {
allow {{ my_ip }}/32;
deny all;
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/chain.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/chain.pem;
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
@ -54,7 +54,7 @@ server {
sendfile on;
client_max_body_size 80m;
root /srv/mastodon/live/public;
root /srv/mastodon/src/live/public;
gzip on;
gzip_disable "msie6";
@ -147,36 +147,36 @@ server {
tcp_nodelay on;
}
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://synapse:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
location /.well-known/matrix/server {
access_log off;
add_header Access-Control-Allow-Origin *;
default_type application/json;
return 200 '{"m.server": "{{ domain_name }}:443"}';
}
location /.well-known/matrix/client {
access_log off;
add_header Access-Control-Allow-Origin *;
default_type application/json;
return 200 '{"m.homeserver": {"base_url": "https://{{ domain_name }}"}}';
}
# location ~ ^(/_matrix|/_synapse/client) {
# # note: do not add a path (even a single /) after the port in `proxy_pass`,
# # otherwise nginx will canonicalise the URI and cause signature verification
# # errors.
# proxy_pass http://synapse:8008;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header Host $host;
#
# # Nginx by default only allows file uploads up to 1M in size
# # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
# client_max_body_size 50M;
#
# # Synapse responses may be chunked, which is an HTTP/1.1 feature.
# proxy_http_version 1.1;
# }
#
# location /.well-known/matrix/server {
# access_log off;
# add_header Access-Control-Allow-Origin *;
# default_type application/json;
# return 200 '{"m.server": "{{ domain_name }}:443"}';
# }
#
# location /.well-known/matrix/client {
# access_log off;
# add_header Access-Control-Allow-Origin *;
# default_type application/json;
# return 200 '{"m.homeserver": {"base_url": "https://{{ domain_name }}"}}';
# }
location @proxy {
proxy_set_header Host $host;
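Review bot: The hunk at `@ -36,10 +36,10` toggles `ssl_trusted_certificate` and `ssl_dhparam` between active and commented-out, and since this rendered page has lost the +/- markers I cannot tell which side is new; if the commented-out form is the new one, any `ssl_stapling on; ssl_stapling_verify on;` elsewhere in this server block loses its trust anchor, so OCSP stapling verification fails and no response gets stapled, whereas dropping `ssl_dhparam` is harmless because the `ssl_ciphers` list on the following line contains only ECDHE suites and no DHE group is ever negotiated. Either way the reasoning belongs next to the directives, e.g. `# ssl_dhparam unused: cipher list is ECDHE-only` and `# ssl_trusted_certificate is required if ssl_stapling_verify is on`. The synapse/matrix toggle and the `root` path change in this file are not described by the commit title, which only covers the security-group change, so a line in the commit message or a separate commit would make the history reviewable. The `location @proxy` block at the end of the last hunk starts inside it but its body continues outside.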


@ -61,14 +61,14 @@ module "sg" {
egress_rules = [ "all-all" ]
ingress_with_cidr_blocks = [
# {
# rule = "http-80-tcp"
# cidr_blocks = "0.0.0.0/0"
# },
# {
# },
# {
# }
{
rule = "http-80-tcp"
cidr_blocks = "0.0.0.0/0"
},
{
rule = "https-443-tcp"
cidr_blocks = "${chomp(data.http.myip.body)}/32"
}
]
}
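Review bot: The only allow-list entry for the new `https-443-tcp` rule, `cidr_blocks = "${chomp(data.http.myip.body)}/32"`, is whatever an external IP-lookup service returned at apply time, and nothing checks that it is an IPv4 address: an error page, an HTML body or an IPv6 answer would either fail the apply late or be passed to the module as a malformed CIDR string. Making the plan fail on a bad value is a one-line change, `cidr_blocks = "${cidrhost("${chomp(data.http.myip.body)}/32", 0)}/32"`, because `cidrhost` errors on anything that does not parse as an address prefix. The `data.http.myip` block is outside this hunk so I cannot see its URL; if it is plain `http://`, anyone on the network path can substitute their own address into the security group, so it should be `https://` with `response_status_code` checked in a `precondition`. Depending on the pinned hashicorp/http provider version, `body` may be deprecated in favour of `response_body`. Note also that the address is re-resolved on every apply, so running from a different network silently rewrites the rule rather than adding to it.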