5 files changed, 82 insertions, 38 deletions

diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index 03ff000b6..fcf76718e 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -24,6 +24,11 @@ example.tld  {
   # If you do not want to use the mediaproxy function, remove these lines.
   # To use this directive, you need the http.cache plugin for Caddy.
   cache {
+    match_path /media
+    default_max_age 720m
+  }
+
+  cache {
     match_path /proxy
     default_max_age 720m
   }
diff --git a/installation/init.d/pleroma b/installation/init.d/pleroma
index 9582d65d4..ed50bb551 100755
--- a/installation/init.d/pleroma
+++ b/installation/init.d/pleroma
@@ -1,7 +1,7 @@
 #!/sbin/openrc-run
 
 # Requires OpenRC >= 0.35
-directory=~pleroma/pleroma
+directory=/opt/pleroma
 
 command=/usr/bin/mix
 command_args="phx.server"
@@ -12,10 +12,10 @@ export PORT=4000
 export MIX_ENV=prod
 
 # Ask process to terminate within 30 seconds, otherwise kill it
-retry="SIGTERM/30 SIGKILL/5"
+retry="SIGTERM/30/SIGKILL/5"
 
 pidfile="/var/run/pleroma.pid"
 
 depend() {
     need nginx postgresql
-}
\ No newline at end of file
+}
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 46b84fb50..a3d55e4bf 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -15,12 +15,13 @@ server {
     return         301 https://$server_name$request_uri;
 
     # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
-    # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
-    # that is is accessible by the webserver. You may need to load this file with the ssl
-    # server block commented out, run certbot to get the certificate, and then uncomment it.
+    # that the directory exists and that it is accessible by the webserver. If you followed
+    # the guide, you already ran 'sudo mkdir -p /var/lib/letsencrypt' to create the folder.
+    # You may need to load this file with the ssl server block commented out, run certbot
+    # to get the certificate, and then uncomment it.
     #
     # location ~ /\.well-known/acme-challenge {
-    #     root <path to install>/pleroma/priv/static/;
+    #     root /var/lib/letsencrypt/.well-known/acme-challenge;
     # }
 }
 
@@ -79,8 +80,10 @@ server {
         proxy_cache_valid  200 206 301 304 1h;
         proxy_cache_lock on;
         proxy_ignore_client_abort on;
-        proxy_buffering off;
+        proxy_buffering on;
         chunked_transfer_encoding on;
+        proxy_ignore_headers Cache-Control;
+        proxy_hide_header Cache-Control;
         proxy_pass http://localhost:4000;
     }
 }
diff --git a/installation/pleroma.service b/installation/pleroma.service
index f1ed56cb3..5dcbc1387 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -3,18 +3,28 @@ Description=Pleroma social network
 After=network.target postgresql.service
 
 [Service]
-User=pleroma
-WorkingDirectory=/home/pleroma/pleroma
-Environment="HOME=/home/pleroma"
-Environment="MIX_ENV=prod"
-ExecStart=/usr/local/bin/mix phx.server
 ExecReload=/bin/kill $MAINPID
 KillMode=process
 Restart=on-failure
 
+; Name of the user that runs the Pleroma service.
+User=pleroma
+; Declares that Pleroma runs in production mode.
+Environment="MIX_ENV=prod"
+
+; Make sure that all paths fit your installation.
+; Path to the home directory of the user running the Pleroma service.
+Environment="HOME=/var/lib/pleroma"
+; Path to the folder containing the Pleroma installation.
+WorkingDirectory=/opt/pleroma
+; Path to the Mix binary.
+ExecStart=/usr/bin/mix phx.server
+
 ; Some security directives.
 ; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
 PrivateTmp=true
+; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
+ProtectHome=true
 ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
 ProtectSystem=full
 ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl
index 63c1cb74d..92153d8ef 100644
--- a/installation/pleroma.vcl
+++ b/installation/pleroma.vcl
@@ -14,43 +14,45 @@ acl purge {
 sub vcl_recv {
     # Redirect HTTP to HTTPS
     if (std.port(server.ip) != 443) {
-        set req.http.x-redir = "https://" + req.http.host + req.url;
-        return (synth(750, ""));
+      set req.http.x-redir = "https://" + req.http.host + req.url;
+      return (synth(750, ""));
+    }
+
+    # CHUNKED SUPPORT
+    if (req.http.Range ~ "bytes=") {
+      set req.http.x-range = req.http.Range;
     }
 
     # Pipe if WebSockets request is coming through
     if (req.http.upgrade ~ "(?i)websocket") {
-        return (pipe);
+      return (pipe);
     }
 
     # Allow purging of the cache
     if (req.method == "PURGE") {
-        if (!client.ip ~ purge) {
-          return(synth(405,"Not allowed."));
-        }
-        return(purge);
+      if (!client.ip ~ purge) {
+        return(synth(405,"Not allowed."));
+      }
+      return(purge);
     }
 
     # Pleroma MediaProxy - strip headers that will affect caching
     if (req.url ~ "^/proxy/") {
-        unset req.http.Cookie;
-        unset req.http.Authorization;
-        unset req.http.Accept;
-        return (hash);
+      unset req.http.Cookie;
+      unset req.http.Authorization;
+      unset req.http.Accept;
+      return (hash);
     }
 
     # Strip headers that will affect caching from all other static content
     # This also permits caching of individual toots and AP Activities
     if ((req.url ~ "^/(media|static)/") ||
-    (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
+    (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|mp4|ogg|webm|svg|swf|ttf|pdf|woff|woff2)$"))
     {
       unset req.http.Cookie;
       unset req.http.Authorization;
       return (hash);
     }
-
-    # Everything else should just be piped to Pleroma
-    return (pipe);
 }
 
 sub vcl_backend_response {
@@ -59,8 +61,11 @@ sub vcl_backend_response {
       set beresp.do_gzip = true;
     }
 
-    # etags are bad
-    unset beresp.http.etag;
+    # CHUNKED SUPPORT
+    if (bereq.http.x-range ~ "bytes=" && beresp.status == 206) {
+      set beresp.ttl = 10m;
+      set beresp.http.CR = beresp.http.content-range;
+    }
 
     # Don't cache objects that require authentication
     if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") {
@@ -81,9 +86,9 @@ sub vcl_backend_response {
 
     # Do not cache redirects and errors
     if ((beresp.status >= 300) && (beresp.status < 500)) {
-        set beresp.uncacheable = true;
-        set beresp.ttl = 30s;
-        return (deliver);
+      set beresp.uncacheable = true;
+      set beresp.ttl = 30s;
+      return (deliver);
     }
 
     # Pleroma MediaProxy internally sets headers properly
@@ -92,14 +97,12 @@ sub vcl_backend_response {
     }
 
     # Strip cache-restricting headers from Pleroma on static content that we want to cache
-    # Also enable streaming of cached content to clients (no waiting for Varnish to complete backend fetch)
-    if (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$")
+    if (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|mp4|ogg|webm|svg|swf|ttf|pdf|woff|woff2)$")
     {
       unset beresp.http.set-cookie;
       unset beresp.http.Cache-Control;
       unset beresp.http.x-request-id;
       set beresp.http.Cache-Control = "public, max-age=86400";
-      set beresp.do_stream = true;
     }
 }
 
@@ -115,7 +118,30 @@ sub vcl_synth {
 # Ensure WebSockets through the pipe do not close prematurely
 sub vcl_pipe {
     if (req.http.upgrade) {
-        set bereq.http.upgrade = req.http.upgrade;
-        set bereq.http.connection = req.http.connection;
+      set bereq.http.upgrade = req.http.upgrade;
+      set bereq.http.connection = req.http.connection;
+    }
+}
+
+sub vcl_hash {
+    # CHUNKED SUPPORT
+    if (req.http.x-range ~ "bytes=") {
+      hash_data(req.http.x-range);
+      unset req.http.Range;
+    }
+}
+
+sub vcl_backend_fetch {
+    # CHUNKED SUPPORT
+    if (bereq.http.x-range) {
+      set bereq.http.Range = bereq.http.x-range;
+    }
+}
+
+sub vcl_deliver {
+    # CHUNKED SUPPORT
+    if (resp.http.CR) {
+      set resp.http.Content-Range = resp.http.CR;
+      unset resp.http.CR;
     }
 }