From 08694599aeb26b2204aa8d7783c30a09d35fa49d Mon Sep 17 00:00:00 2001
From: Sean King
Date: Thu, 15 Apr 2021 23:41:34 -0600
Subject: Remove bash script for downloading new MastoFE build
---
installation/download-mastofe-build.sh | 48 ----------------------------------
1 file changed, 48 deletions(-)
delete mode 100755 installation/download-mastofe-build.sh
(limited to 'installation')
diff --git a/installation/download-mastofe-build.sh b/installation/download-mastofe-build.sh
deleted file mode 100755
index ee353c48c..000000000
--- a/installation/download-mastofe-build.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2021 Pleroma Authors
-# SPDX-License-Identifier: AGPL-3.0-only
-project_id="74"
-project_branch="rebase/glitch-soc"
-static_dir="instance/static"
-# For bundling:
-# project_branch="pleroma"
-# static_dir="priv/static"
-
-if [ ! -d "${static_dir}" ]
-then
- echo "Error: ${static_dir} directory is missing, are you sure you are running this script at the root of pleroma’s repository?"
- exit 1
-fi
-
-last_modified="$(curl --fail -s -I 'https://git.pleroma.social/api/v4/projects/'${project_id}'/jobs/artifacts/'${project_branch}'/download?job=build' | grep '^Last-Modified:' | cut -d: -f2-)"
-
-echo "branch:${project_branch}"
-echo "Last-Modified:${last_modified}"
-
-artifact="mastofe.zip"
-
-if [ "${last_modified}x" = "x" ]
-then
- echo "ERROR: Couldn't get the modification date of the latest build archive, maybe it expired, exiting..."
- exit 1
-fi
-
-if [ -e mastofe.timestamp ] && [ "$(cat mastofe.timestamp)" = "${last_modified}" ]
-then
- echo "MastoFE is up-to-date, exiting..."
- exit 0
-fi
-
-curl --fail -c - "https://git.pleroma.social/api/v4/projects/${project_id}/jobs/artifacts/${project_branch}/download?job=build" -o "${artifact}" || exit
-
-# TODO: Update the emoji as well
-rm -fr "${static_dir}/sw.js" "${static_dir}/packs" || exit
-unzip -q "${artifact}" || exit
-
-cp public/assets/sw.js "${static_dir}/sw.js" || exit
-cp -r public/packs "${static_dir}/packs" || exit
-
-echo "${last_modified}" > mastofe.timestamp
-rm -fr public
-rm -i "${artifact}"
-- cgit v1.2.3
From 9b69ccb35b8521efa58d40931b9a83266ad2f686 Mon Sep 17 00:00:00 2001
From: sleepycrow
Date: Sun, 6 Mar 2022 14:24:32 +0100
Subject: Update Caddyfile to Caddy v2
---
installation/caddyfile-pleroma.example | 31 +++++--------------------------
1 file changed, 5 insertions(+), 26 deletions(-)
(limited to 'installation')
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index 7985d9c67..cc7dda011 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -5,34 +5,13 @@
 # 2. Copy this section into your Caddyfile and restart Caddy.
 example.tld {
- log /var/log/caddy/pleroma_access.log
- errors /var/log/caddy/pleroma_error.log
+ log {
+ output file /var/log/caddy/pleroma.log
+ }
- gzip
+ encode gzip
 # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
 # and `localhost.` resolves to [::0] on some systems: see issue #930
- proxy / 127.0.0.1:4000 {
- websocket
- transparent
- }
-
- tls {
- # Remove the rest of the lines in here, if you want to support older devices
- key_type p256
- ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
- }
-
- # If you do not want to use the mediaproxy function, remove these lines.
- # To use this directive, you need the http.cache plugin for Caddy.
- cache {
- match_path /media
- default_max_age 720m
- }
-
- cache {
- match_path /proxy
- default_max_age 720m
- }
- # Stop removing lines here.
+ reverse_proxy 127.0.0.1:4000
 }
-- cgit v1.2.3
From 64e16e6a4be83e9328d62101cc21d10cf07e38fb Mon Sep 17 00:00:00 2001
From: Sean King
Date: Sat, 16 Jul 2022 23:44:37 -0600
Subject: Document way to do notice compatibility routes with Nginx reverse-proxy instead
---
installation/pleroma.nginx | 13 +++++++++++++
1 file changed, 13 insertions(+)
(limited to 'installation')
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 9890cb2b1..8aed2daea 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
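Review bot: The two `cache` blocks for `/media` and `/proxy` are removed together with their explanatory comments and nothing in the new `example.tld` block replaces them, so with this Caddy v2 configuration every media-proxy request goes straight to Pleroma on `127.0.0.1:4000`, whereas the nginx example in this same directory still caches `^/(media|proxy)`. If leaving caching out is the intended v2 behaviour, a short comment next to `reverse_proxy 127.0.0.1:4000` would stop operators from assuming the cache is still configured, e.g. `# Caching of /media and /proxy is not configured here; add a Caddy cache module if you rely on the mediaproxy cache.`. The explicit `tls` key_type/cipher list is dropped as well, which is presumably meant to rely on Caddy v2 defaults; saying so in a comment would make that choice visible.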
@@ -81,6 +81,19 @@ server {
 proxy_pass http://phoenix;
 }
+ # Uncomment this if you want notice compatibility routes for frontends like Soapbox.
+ # location ~ /@.+/([^/]+) {
+ # proxy_pass http://phoenix/notice/$1;
+ # }
+ #
+ # location ~ /@.+/posts/([^/]+) {
+ # proxy_pass http://phoenix/notice/$1;
+ # }
+ #
+ # location ~ /.+/status/([^/]+) {
+ # proxy_pass http://phoenix/notice/$1;
+ # }
+
 location ~ ^/(media|proxy) {
 proxy_cache pleroma_media_cache;
 slice 1m;
-- cgit v1.2.3
From 2c7eed122e909f392e3d41efe43fc2b0b99fe842 Mon Sep 17 00:00:00 2001
From: Sean King
Date: Sun, 17 Jul 2022 12:50:01 -0600
Subject: Don't accept forward slash character for nicknames
---
installation/pleroma.nginx | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'installation')
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 8aed2daea..d53852984 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -82,15 +82,15 @@ server {
 }
 # Uncomment this if you want notice compatibility routes for frontends like Soapbox.
- # location ~ /@.+/([^/]+) {
+ # location ~ /@([^/]+)/([^/]+) {
 # proxy_pass http://phoenix/notice/$1;
 # }
 #
- # location ~ /@.+/posts/([^/]+) {
+ # location ~ /@([^/]+)/posts/([^/]+) {
 # proxy_pass http://phoenix/notice/$1;
 # }
 #
- # location ~ /.+/status/([^/]+) {
+ # location ~ /([^/]+)/status/([^/]+) {
 # proxy_pass http://phoenix/notice/$1;
 # }
-- cgit v1.2.3
From 3da1b2548dd5793fcf08050470252b9574991295 Mon Sep 17 00:00:00 2001
From: Sean King
Date: Mon, 18 Jul 2022 21:30:57 -0600
Subject: Actually fix with forward slashes being restricted inside nickname
---
installation/pleroma.nginx | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'installation')
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index d53852984..273cfb390 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
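Review bot: `proxy_pass http://phoenix/notice/$1;` in each of the three commented-out `location ~` blocks uses a variable in the URI part, and in that form nginx sends exactly the URI written in the directive, so any query string on the client request is not appended to the upstream request. If query parameters should be preserved the line should read `proxy_pass http://phoenix/notice/$1$is_args$args;`; the same line is carried unchanged through the two follow-up hunks in this series that only tighten the regexes (the "Don't accept forward slash" and "Actually fix" commits), so the remark applies to them as well. On the positive side the capture is bounded by `[^/]+`, so `$1` cannot carry extra path segments into the rewritten `/notice/` URI. These `location ~` blocks sit before `location ~ ^/(media|proxy)` and nginx takes the first matching regex location, which is worth a sentence in the comment so operators do not add broader patterns above the media block.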
@@ -82,15 +82,15 @@ server {
 }
 # Uncomment this if you want notice compatibility routes for frontends like Soapbox.
- # location ~ /@([^/]+)/([^/]+) {
+ # location ~ ^/@[^/]+/([^/]+)$ {
 # proxy_pass http://phoenix/notice/$1;
 # }
 #
- # location ~ /@([^/]+)/posts/([^/]+) {
+ # location ~ ^/@[^/]+/posts/([^/]+)$ {
 # proxy_pass http://phoenix/notice/$1;
 # }
 #
- # location ~ /([^/]+)/status/([^/]+) {
+ # location ~ ^/[^/]+/status/([^/]+)$ {
 # proxy_pass http://phoenix/notice/$1;
 # }
-- cgit v1.2.3
From 243ed7d60f4b649a9dfd57a278077c084df9e309 Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Wed, 10 Aug 2022 17:18:06 -0400
Subject: Update the recommended VCL configuration
---
installation/pleroma.vcl | 41 +++++------------------------------------
1 file changed, 5 insertions(+), 36 deletions(-)
(limited to 'installation')
diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl
index 4752510ea..4eb2f3cfa 100644
--- a/installation/pleroma.vcl
+++ b/installation/pleroma.vcl
@@ -1,4 +1,5 @@
 # Recommended varnishncsa logging format: '%h %l %u %t "%m %{X-Forwarded-Proto}i://%{Host}i%U%q %H" %s %b "%{Referer}i" "%{User-agent}i"'
+# Please use Varnish 7.0+ for proper Range Requests / Chunked encoding support
 vcl 4.1;
 import std;
@@ -22,11 +23,6 @@ sub vcl_recv {
 set req.http.X-Forwarded-Proto = "https";
 }
- # CHUNKED SUPPORT
- if (req.http.Range ~ "bytes=") {
- set req.http.x-range = req.http.Range;
- }
-
 # Pipe if WebSockets request is coming through
 if (req.http.upgrade ~ "(?i)websocket") {
 return (pipe);
@@ -35,9 +31,9 @@ sub vcl_recv {
 # Allow purging of the cache
 if (req.method == "PURGE") {
 if (!client.ip ~ purge) {
- return(synth(405,"Not allowed."));
+ return (synth(405,"Not allowed."));
 }
- return(purge);
+ return (purge);
 }
 }
@@ -53,17 +49,11 @@ sub vcl_backend_response {
 return (retry);
 }
- # CHUNKED SUPPORT
- if (bereq.http.x-range ~ "bytes=" && beresp.status == 206) {
- set beresp.ttl = 10m;
- set beresp.http.CR = beresp.http.content-range;
- }
-
 # Bypass cache for large files
 # 50000000 ~ 50MB
 if (std.integer(beresp.http.content-length, 0) > 50000000) {
 set beresp.uncacheable = true;
- return(deliver);
+ return (deliver);
 }
 # Don't cache objects that require authentication
@@ -94,7 +84,7 @@ sub vcl_synth {
 if (resp.status == 750) {
 set resp.status = 301;
 set resp.http.Location = req.http.x-redir;
- return(deliver);
+ return (deliver);
 }
 }
@@ -106,25 +96,12 @@ sub vcl_pipe {
 }
 }
-sub vcl_hash {
- # CHUNKED SUPPORT
- if (req.http.x-range ~ "bytes=") {
- hash_data(req.http.x-range);
- unset req.http.Range;
- }
-}
-
 sub vcl_backend_fetch {
 # Be more lenient for slow servers on the fediverse
 if (bereq.url ~ "^/proxy/") {
 set bereq.first_byte_timeout = 300s;
 }
- # CHUNKED SUPPORT
- if (bereq.http.x-range) {
- set bereq.http.Range = bereq.http.x-range;
- }
-
 if (bereq.retries == 0) {
 # Clean up the X-Varnish-Backend-503 flag that is used internally
 # to mark broken backend responses that should be retried.
@@ -143,14 +120,6 @@ sub vcl_backend_fetch {
 }
 }
-sub vcl_deliver {
- # CHUNKED SUPPORT
- if (resp.http.CR) {
- set resp.http.Content-Range = resp.http.CR;
- unset resp.http.CR;
- }
-}
-
 sub vcl_backend_error {
 # Retry broken backend responses.
 set bereq.http.X-Varnish-Backend-503 = "1";
-- cgit v1.2.3
From 36519bdbee321354788fde71e33e74d7f6a353d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iva=CC=81n=20Raskovsky?=
Date: Fri, 11 Nov 2022 12:22:21 -0300
Subject: allow custom db port
---
installation/pleroma-mongooseim.cfg | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'installation')
diff --git a/installation/pleroma-mongooseim.cfg b/installation/pleroma-mongooseim.cfg
index 576f83541..3ecba5641 100755
--- a/installation/pleroma-mongooseim.cfg
+++ b/installation/pleroma-mongooseim.cfg
@@ -466,7 +466,7 @@
 %% == PostgreSQL ==
 %% {rdbms, global, default, [{workers, 10}],
-%% [{server, {pgsql, "server", 5432, "database", "username", "password"}}]},
+%% [{server, {pgsql, "server", "port", "database", "username", "password"}}]},
 %% == ODBC (MSSQL) ==
 %% {rdbms, global, default, [{workers, 10}],
-- cgit v1.2.3
From f970091c6a58d06a42594e2c4a0baa5a86617652 Mon Sep 17 00:00:00 2001
From: tusooa
Date: Fri, 26 May 2023 17:17:13 -0400
Subject: Add instructions to serve media on another domain
---
installation/pleroma-mediaproxy.nginx | 97 +++++++++++++++++++++++++++++++++++
1 file changed, 97 insertions(+)
create mode 100644 installation/pleroma-mediaproxy.nginx
(limited to 'installation')
diff --git a/installation/pleroma-mediaproxy.nginx b/installation/pleroma-mediaproxy.nginx
new file mode 100644
index 000000000..6f2edf212
--- /dev/null
+++ b/installation/pleroma-mediaproxy.nginx
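Review bot: The new placeholder `"port"` is quoted, while the `5432` it replaces was an unquoted integer, so the example now reads as if the port were a string; an operator copying it literally will presumably hit a type error in the `{pgsql, Server, Port, ...}` tuple, and the adjacent `"server"`/`"database"` fields (which really are strings) make the quoting look deliberate. Keeping an integer and stating that it is configurable avoids the trap: `%% [{server, {pgsql, "server", 5432, "database", "username", "password"}}]},` preceded by `%% 5432 is the PostgreSQL default; set the port your database listens on.`.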
@@ -0,0 +1,97 @@
+# This file is for those who want to serve uploaded media and media proxy over
+# another domain. This is STRONGLY RECOMMENDED.
+# This is meant to be used ALONG WITH `pleroma.nginx`.
+
+# If this is a new instance, replace the `location ~ ^/(media|proxy)` section in
+# `pleroma.nginx` with the following to completely disable access to media from the main domain:
+# location ~ ^/(media|proxy) {
+# return 404;
+# }
+#
+# If you are configuring an existing instance to use another domain
+# for media, you will want to keep redirecting all existing local media to the new domain
+# so already-uploaded media will not break.
+# Replace the `location ~ ^/(media|proxy)` section in `pleroma.nginx` with the following:
+#
+# location /media {
+# return 301 https://some.other.domain$request_uri;
+# }
+#
+# location /proxy {
+# return 404;
+# }
+
+server {
+ server_name some.other.domain;
+
+ listen 80;
+ listen [::]:80;
+
+ # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
+ # that the directory exists and that it is accessible by the webserver. If you followed
+ # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
+ # You may need to load this file with the ssl server block commented out, run certbot
+ # to get the certificate, and then uncomment it.
+ #
+ # location ~ /\.well-known/acme-challenge {
+ # root /var/lib/letsencrypt/;
+ # }
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ server_name some.other.domain;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/some.other.domain/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/some.other.domain/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/some.other.domain/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers off;
+ # In case of an old server with an OpenSSL version of 1.0.2 or below,
+ # leave only prime256v1 or comment out the following line.
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+ # the nginx default is 1m, not enough for large media uploads
+ client_max_body_size 16m;
+ ignore_invalid_headers off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / { return 404; }
+
+ location ~ ^/(media|proxy) {
+ proxy_cache pleroma_media_cache;
+ slice 1m;
+ proxy_cache_key $host$uri$is_args$args$slice_range;
+ proxy_set_header Range $slice_range;
+ proxy_cache_valid 200 206 301 304 1h;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+ proxy_buffering on;
+ chunked_transfer_encoding on;
+ proxy_pass http://phoenix;
+ }
+}
-- cgit v1.2.3
From a663b73634ddf355827051cc139c0159f8eb794b Mon Sep 17 00:00:00 2001
From: "Haelwenn (lanodan) Monnier"
Date: Tue, 13 Jun 2023 12:45:18 +0200
Subject: Add no_new_privs to OpenRC service files
---
installation/init.d/pleroma | 1 +
1 file changed, 1 insertion(+)
(limited to 'installation')
diff --git a/installation/init.d/pleroma b/installation/init.d/pleroma
index 384536f7e..cb6635a0b 100755
--- a/installation/init.d/pleroma
+++ b/installation/init.d/pleroma
@@ -8,6 +8,7 @@ pidfile="/var/run/pleroma.pid"
 directory=/opt/pleroma
 healthcheck_delay=60
 healthcheck_timer=30
+no_new_privs="yes"
 : ${pleroma_port:-4000}
-- cgit v1.2.3
From 017e35fbf128d47c033275a70b76b72f24d7c754 Mon Sep 17 00:00:00 2001
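Review bot: `proxy_cache pleroma_media_cache;` and `proxy_pass http://phoenix;` at the end of the new file refer to a cache zone and an upstream that this file never declares; unless they are defined in an included file, nginx refuses to start with an unknown zone / unresolvable upstream. The header says the file is meant to be used along with `pleroma.nginx` but does not name the dependency, so a line such as `# Requires the proxy_cache_path zone "pleroma_media_cache" and the upstream "phoenix" declared in pleroma.nginx.` would make the failure mode obvious to an operator wiring up the second domain. The `location / { return 404; }` default plus the `server_name some.other.domain` split is the right shape for keeping user-uploaded content off the main origin; stating that intent in one comment above the HTTPS `server` block would help readers understand why the 404 is there.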
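Review bot: `no_new_privs="yes"` is added among the service defaults without a comment on what it does or which OpenRC release honours it; on a start-stop-daemon that predates the option the variable is presumably ignored silently, so the hardening would appear to be in place without being applied. A short note above the line would make both points explicit, e.g. `# Prevent the daemon and its children from gaining privileges via setuid/capabilities; requires an OpenRC with no_new_privs support.`.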
From: =?UTF-8?q?marcin=20miko=C5=82ajczak?=
Date: Thu, 28 Dec 2023 00:15:32 +0100
Subject: Fix some more typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: marcin mikołajczak
---
installation/pleroma-mongooseim.cfg | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'installation')
diff --git a/installation/pleroma-mongooseim.cfg b/installation/pleroma-mongooseim.cfg
index 3ecba5641..6b568fd03 100755
--- a/installation/pleroma-mongooseim.cfg
+++ b/installation/pleroma-mongooseim.cfg
@@ -204,7 +204,7 @@
 ]}
 ]},
- %% Following HTTP API is deprected, the new one abouve should be used instead
+ %% Following HTTP API is deprecated, the new one above should be used instead
 { {5288, "127.0.0.1"} , ejabberd_cowboy, [
 {num_acceptors, 10},
@@ -824,7 +824,7 @@
 %% Enable archivization for private messages (default)
 % {pm, [
- %% Top-level options can be overriden here if needed, for example:
+ %% Top-level options can be overridden here if needed, for example:
 % {async_writer, false}
 % ]},
@@ -834,7 +834,7 @@
 %%
 % {muc, [
 % {host, "muc.@HOST@"}
- %% As with pm, top-level options can be overriden for MUC archive
+ %% As with pm, top-level options can be overridden for MUC archive
 % ]},
 %
 %% Do not use a element (by default stanzaid is used)
-- cgit v1.2.3