diff options
Diffstat (limited to 'installation')
| -rw-r--r-- | installation/caddyfile-pleroma.example | 5 | ||||
| -rwxr-xr-x | installation/init.d/pleroma | 6 | ||||
| -rwxr-xr-x | installation/netbsd/rc.d/pleroma | 57 | ||||
| -rw-r--r-- | installation/openbsd/httpd.conf | 36 | ||||
| -rwxr-xr-x | installation/openbsd/rc.d/pleromad | 34 | ||||
| -rw-r--r-- | installation/openbsd/relayd.conf | 44 | ||||
| -rw-r--r-- | installation/pleroma-apache.conf | 18 | ||||
| -rw-r--r-- | installation/pleroma.nginx | 27 | ||||
| -rw-r--r-- | installation/pleroma.service | 22 | ||||
| -rw-r--r-- | installation/pleroma.supervisord | 21 | ||||
| -rw-r--r-- | installation/pleroma.vcl | 76 |
11 files changed, 305 insertions, 41 deletions
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example index 03ff000b6..fcf76718e 100644 --- a/installation/caddyfile-pleroma.example +++ b/installation/caddyfile-pleroma.example @@ -24,6 +24,11 @@ example.tld { # If you do not want to use the mediaproxy function, remove these lines. # To use this directive, you need the http.cache plugin for Caddy. cache { + match_path /media + default_max_age 720m + } + + cache { match_path /proxy default_max_age 720m } diff --git a/installation/init.d/pleroma b/installation/init.d/pleroma index 9582d65d4..ed50bb551 100755 --- a/installation/init.d/pleroma +++ b/installation/init.d/pleroma @@ -1,7 +1,7 @@ #!/sbin/openrc-run # Requires OpenRC >= 0.35 -directory=~pleroma/pleroma +directory=/opt/pleroma command=/usr/bin/mix command_args="phx.server" @@ -12,10 +12,10 @@ export PORT=4000 export MIX_ENV=prod # Ask process to terminate within 30 seconds, otherwise kill it -retry="SIGTERM/30 SIGKILL/5" +retry="SIGTERM/30/SIGKILL/5" pidfile="/var/run/pleroma.pid" depend() { need nginx postgresql -}
\ No newline at end of file +} diff --git a/installation/netbsd/rc.d/pleroma b/installation/netbsd/rc.d/pleroma new file mode 100755 index 000000000..1114668ee --- /dev/null +++ b/installation/netbsd/rc.d/pleroma @@ -0,0 +1,57 @@ +#!/bin/sh +# PROVIDE: pleroma +# REQUIRE: DAEMON pgsql + +if [ -f /etc/rc.subr ]; then + . /etc/rc.subr +fi + +name="pleroma" +rcvar=${name} +command="/usr/pkg/bin/elixir" +command_args="--detached -S /usr/pkg/bin/mix phx.server" +start_precmd="ulimit -n unlimited" +pidfile="/dev/null" + +pleroma_chdir="${pleroma_home}/pleroma" +pleroma_env="HOME=${pleroma_home} MIX_ENV=prod" + +check_pidfile() +{ + pid=$(pgrep -U "${pleroma_user}" /bin/beam.smp$) + echo -n "${pid}" +} + +if [ -f /etc/rc.subr -a -d /etc/rc.d -a -f /etc/rc.d/DAEMON ]; then + # newer NetBSD + load_rc_config ${name} + run_rc_command "$1" +else + # ancient NetBSD, Solaris and illumos, Linux, etc... + cmd=${1:-start} + + case ${cmd} in + start) + echo "Starting ${name}." + ${start_cmd} + ;; + + stop) + echo "Stopping ${name}." + check_pidfile + ! [ -n ${pid} ] && kill ${pid} + ;; + + restart) + ( $0 stop ) + sleep 5 + $0 start + ;; + + *) + echo 1>&2 "Usage: $0 [start|stop|restart]" + exit 1 + ;; + esac + exit 0 +fi diff --git a/installation/openbsd/httpd.conf b/installation/openbsd/httpd.conf new file mode 100644 index 000000000..82f4803fd --- /dev/null +++ b/installation/openbsd/httpd.conf @@ -0,0 +1,36 @@ +# +# Default httpd.conf file for Pleroma on OpenBSD +# Simple installation instructions +# 1. Place file in /etc +# 2. Replace <IPv4 address> with your public IP address +# 3. If using IPv6, uncomment IPv6 lines and replace <IPv6 address> with your public IPv6 address +# 4. Check file using 'doas httpd -n' +# 5. Enable and start httpd: +# # doas rcctl enable httpd +# # doas rcctl start httpd +# + +ext_inet="<IPv4 address>" +#ext_inet6="<IPv6 address>" + +server "default" { + listen on $ext_inet port 80 # Comment to disable listening on IPv4 +# listen on $ext_inet6 port 80 # Comment to disable listening on IPv6 + listen on 127.0.0.1 port 80 # Do NOT comment this line + + log syslog + directory no index + + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + + location "/robots.txt" { root "/htdocs/local/" } + location "/*" { block return 302 "https://$HTTP_HOST$REQUEST_URI" } +} + +types { + include "/usr/share/misc/mime.types" +} + diff --git a/installation/openbsd/rc.d/pleromad b/installation/openbsd/rc.d/pleromad new file mode 100755 index 000000000..19ac4bb51 --- /dev/null +++ b/installation/openbsd/rc.d/pleromad @@ -0,0 +1,34 @@ +#!/bin/ksh +# +# Default init file for Pleroma on OpenBSD +# +# Simple installation instructions: +# 1. Install Pleroma per wiki instructions +# 2. Place this pleromad file in /etc/rc.d +# 3. Enable and start Pleroma +# # doas rcctl enable pleromad +# # doas rcctl start pleromad +# + +daemon="/usr/local/bin/elixir" +daemon_flags="--detached -S /usr/local/bin/mix phx.server" +daemon_user="_pleroma" + +. /etc/rc.d/rc.subr + +rc_reload=NO +pexp="phx.server" + +rc_check() { + pgrep -q -U _pleroma -f "phx.server" +} + +rc_start() { + ${rcexec} "cd pleroma; ${daemon} ${daemon_flags}" +} + +rc_stop() { + pkill -q -U _pleroma -f "phx.server" +} + +rc_cmd $1 diff --git a/installation/openbsd/relayd.conf b/installation/openbsd/relayd.conf new file mode 100644 index 000000000..31c2c1129 --- /dev/null +++ b/installation/openbsd/relayd.conf @@ -0,0 +1,44 @@ +# +# Default relayd.conf file for Pleroma on OpenBSD +# Simple installation instructions: +# 1. Place in /etc +# 2. Replace <ipaddr> with your public IPv4 address +# 3. If using IPv6i, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address +# 4. Check file using 'doas relayd -n' +# 5. Reload/start relayd +# # doas rcctl enable relayd +# # doas rcctl start relayd +# + +ext_inet="<ipaddr>" +#ext_inet6="<ip6addr>" + +table <pleroma_server> { 127.0.0.1 } +table <httpd_server> { 127.0.0.1 } + +http protocol plerup { # Protocol for upstream pleroma server + #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit + tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA0-POLY1305" + tls ecdhe secp384r1 + + # Forward some paths to the local server (as pleroma won't respond to them as you might want) + pass request quick path "/robots.txt" forward to <httpd_server> + + # Append a bunch of headers + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictl required by pleroma but adding them won't hurt + match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" + + match request header append "Connection" value "upgrade" + +} + +relay wwwtls { + listen on $ext_inet port https tls # Comment to disable listening on IPv4 +# listen on $ext_inet6 port https tls # Comment to disable listening on IPv6 + + protocol plerup + + forward to <pleroma_server> port 4000 check http "/" code 200 + forward to <httpd_server> port 80 check http "/robots.txt" code 200 +} + diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index d5e75044f..2beb7c4cc 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf @@ -1,6 +1,7 @@ # default Apache site config for Pleroma # # needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl +# optional modules: cache cache_disk # # Simple installation instructions: # 1. Install your TLS certificate, possibly using Let's Encrypt. @@ -8,6 +9,14 @@ # 3. This assumes a Debian style Apache config. Copy this file to # /etc/apache2/sites-available/ and then add a symlink to it in # /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache. +# +# Optional: enable disk-based caching for the media proxy +# For details, see https://git.pleroma.social/pleroma/pleroma/wikis/How%20to%20activate%20mediaproxy +# +# 1. Create the directory listed below as the CacheRoot, and make sure +# the Apache user can write to it. +# 2. Configure Apache's htcacheclean to clean the directory periodically. +# 3. Run 'a2enmod cache cache_disk' and restart Apache. Define servername example.tld @@ -34,6 +43,15 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCompression off SSLSessionTickets off + # uncomment the following to enable mediaproxy caching on disk + # <IfModule mod_cache_disk.c> + # CacheRoot /var/cache/apache2/mod_cache_disk + # CacheDirLevels 1 + # CacheDirLength 2 + # CacheEnable disk /proxy + # CacheLock on + # </IfModule> + RewriteEngine On RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index e1184fe77..cc75d78b2 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -11,16 +11,19 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac server { server_name example.tld; + listen 80; + listen [::]:80; return 301 https://$server_name$request_uri; # Uncomment this if you need to use the 'webroot' method with certbot. Make sure - # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and - # that is is accessible by the webserver. You may need to load this file with the ssl - # server block commented out, run certbot to get the certificate, and then uncomment it. + # that the directory exists and that it is accessible by the webserver. If you followed + # the guide, you already ran 'sudo mkdir -p /var/lib/letsencrypt' to create the folder. + # You may need to load this file with the ssl server block commented out, run certbot + # to get the certificate, and then uncomment it. # # location ~ /\.well-known/acme-challenge { - # root <path to install>/pleroma/priv/static/; + # root /var/lib/letsencrypt/.well-known/acme-challenge; # } } @@ -28,10 +31,13 @@ server { ssl_session_cache shared:ssl_session_cache:10m; server { + server_name example.tld; + listen 443 ssl http2; + listen [::]:443 ssl http2; ssl_session_timeout 5m; - ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem; ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; @@ -47,8 +53,6 @@ server { ssl_stapling on; ssl_stapling_verify on; - server_name example.tld; - gzip_vary on; gzip_proxied any; gzip_comp_level 6; @@ -72,10 +76,17 @@ server { location ~ ^/(media|proxy) { proxy_cache pleroma_media_cache; + slice 1m; + proxy_cache_key $host$uri$is_args$args$slice_range; + proxy_set_header Range $slice_range; + proxy_http_version 1.1; + proxy_cache_valid 200 206 301 304 1h; proxy_cache_lock on; proxy_ignore_client_abort on; - proxy_buffering off; + proxy_buffering on; chunked_transfer_encoding on; + proxy_ignore_headers Cache-Control; + proxy_hide_header Cache-Control; proxy_pass http://localhost:4000; } } diff --git a/installation/pleroma.service b/installation/pleroma.service index 6955e5cc6..5dcbc1387 100644 --- a/installation/pleroma.service +++ b/installation/pleroma.service @@ -3,24 +3,36 @@ Description=Pleroma social network After=network.target postgresql.service [Service] -User=pleroma -WorkingDirectory=/home/pleroma/pleroma -Environment="HOME=/home/pleroma" -Environment="MIX_ENV=prod" -ExecStart=/usr/local/bin/mix phx.server ExecReload=/bin/kill $MAINPID KillMode=process Restart=on-failure +; Name of the user that runs the Pleroma service. +User=pleroma +; Declares that Pleroma runs in production mode. +Environment="MIX_ENV=prod" + +; Make sure that all paths fit your installation. +; Path to the home directory of the user running the Pleroma service. +Environment="HOME=/var/lib/pleroma" +; Path to the folder containing the Pleroma installation. +WorkingDirectory=/opt/pleroma +; Path to the Mix binary. +ExecStart=/usr/bin/mix phx.server + ; Some security directives. ; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. PrivateTmp=true +; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. +ProtectHome=true ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. ProtectSystem=full ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. PrivateDevices=false ; Ensures that the service process and all its children can never gain new privileges through execve(). NoNewPrivileges=true +; Drops the sysadmin capability from the daemon. +CapabilityBoundingSet=~CAP_SYS_ADMIN [Install] WantedBy=multi-user.target diff --git a/installation/pleroma.supervisord b/installation/pleroma.supervisord new file mode 100644 index 000000000..19efffd6e --- /dev/null +++ b/installation/pleroma.supervisord @@ -0,0 +1,21 @@ +; Assumes pleroma is installed in /home/pleroma/pleroma and running as the pleroma user +; Also assumes mix is in /usr/bin, this might differ on BSDs or niche Linux distros +; Logs into /home/pleroma/logs +[program:pleroma] +command=/usr/bin/mix phx.server +directory=/home/pleroma/pleroma +autostart=true +autorestart=true +user=pleroma +environment = + MIX_ENV=prod, + HOME=/home/pleroma, + USER=pleroma, + PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/pleroma/bin:%(ENV_PATH)s", + PWD=/home/pleroma/pleroma +stdout_logfile=/home/pleroma/logs/stdout.log +stdout_logfile_maxbytes=50MB +stdout_logfile_backups=10 +stderr_logfile=/home/pleroma/logs/stderr.log +stderr_logfile_maxbytes=50MB +stderr_logfile_backups=10
\ No newline at end of file diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 63c1cb74d..92153d8ef 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -14,43 +14,45 @@ acl purge { sub vcl_recv { # Redirect HTTP to HTTPS if (std.port(server.ip) != 443) { - set req.http.x-redir = "https://" + req.http.host + req.url; - return (synth(750, "")); + set req.http.x-redir = "https://" + req.http.host + req.url; + return (synth(750, "")); + } + + # CHUNKED SUPPORT + if (req.http.Range ~ "bytes=") { + set req.http.x-range = req.http.Range; } # Pipe if WebSockets request is coming through if (req.http.upgrade ~ "(?i)websocket") { - return (pipe); + return (pipe); } # Allow purging of the cache if (req.method == "PURGE") { - if (!client.ip ~ purge) { - return(synth(405,"Not allowed.")); - } - return(purge); + if (!client.ip ~ purge) { + return(synth(405,"Not allowed.")); + } + return(purge); } # Pleroma MediaProxy - strip headers that will affect caching if (req.url ~ "^/proxy/") { - unset req.http.Cookie; - unset req.http.Authorization; - unset req.http.Accept; - return (hash); + unset req.http.Cookie; + unset req.http.Authorization; + unset req.http.Accept; + return (hash); } # Strip headers that will affect caching from all other static content # This also permits caching of individual toots and AP Activities if ((req.url ~ "^/(media|static)/") || - (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$")) + (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|mp4|ogg|webm|svg|swf|ttf|pdf|woff|woff2)$")) { unset req.http.Cookie; unset req.http.Authorization; return (hash); } - - # Everything else should just be piped to Pleroma - return (pipe); } sub vcl_backend_response { @@ -59,8 +61,11 @@ sub vcl_backend_response { set beresp.do_gzip = true; } - # etags are bad - unset beresp.http.etag; + # CHUNKED SUPPORT + if (bereq.http.x-range ~ "bytes=" && beresp.status == 206) { + set beresp.ttl = 10m; + set beresp.http.CR = beresp.http.content-range; + } # Don't cache objects that require authentication if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") { @@ -81,9 +86,9 @@ sub vcl_backend_response { # Do not cache redirects and errors if ((beresp.status >= 300) && (beresp.status < 500)) { - set beresp.uncacheable = true; - set beresp.ttl = 30s; - return (deliver); + set beresp.uncacheable = true; + set beresp.ttl = 30s; + return (deliver); } # Pleroma MediaProxy internally sets headers properly @@ -92,14 +97,12 @@ sub vcl_backend_response { } # Strip cache-restricting headers from Pleroma on static content that we want to cache - # Also enable streaming of cached content to clients (no waiting for Varnish to complete backend fetch) - if (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$") + if (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|mp4|ogg|webm|svg|swf|ttf|pdf|woff|woff2)$") { unset beresp.http.set-cookie; unset beresp.http.Cache-Control; unset beresp.http.x-request-id; set beresp.http.Cache-Control = "public, max-age=86400"; - set beresp.do_stream = true; } } @@ -115,7 +118,30 @@ sub vcl_synth { # Ensure WebSockets through the pipe do not close prematurely sub vcl_pipe { if (req.http.upgrade) { - set bereq.http.upgrade = req.http.upgrade; - set bereq.http.connection = req.http.connection; + set bereq.http.upgrade = req.http.upgrade; + set bereq.http.connection = req.http.connection; + } +} + +sub vcl_hash { + # CHUNKED SUPPORT + if (req.http.x-range ~ "bytes=") { + hash_data(req.http.x-range); + unset req.http.Range; + } +} + +sub vcl_backend_fetch { + # CHUNKED SUPPORT + if (bereq.http.x-range) { + set bereq.http.Range = bereq.http.x-range; + } +} + +sub vcl_deliver { + # CHUNKED SUPPORT + if (resp.http.CR) { + set resp.http.Content-Range = resp.http.CR; + unset resp.http.CR; } } |