From c4439c630f46153c9f118d7f7e752d880206d262 Mon Sep 17 00:00:00 2001 From: "Haelwenn (lanodan) Monnier" Date: Wed, 13 Jan 2021 07:49:20 +0100 Subject: Bump Copyright to 2021 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors ;' --- installation/download-mastofe-build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'installation') diff --git a/installation/download-mastofe-build.sh b/installation/download-mastofe-build.sh index b8a021ef3..ee353c48c 100755 --- a/installation/download-mastofe-build.sh +++ b/installation/download-mastofe-build.sh @@ -1,6 +1,6 @@ #!/bin/sh # Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors +# Copyright © 2017-2021 Pleroma Authors # SPDX-License-Identifier: AGPL-3.0-only project_id="74" project_branch="rebase/glitch-soc" -- cgit v1.2.3 From 3078e62488ad1d94d1d3b83faf9f2b070e4aff06 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Thu, 21 Jan 2021 12:25:18 -0600 Subject: Update Apache configuration. This has been tested. --- installation/pleroma-apache.conf | 91 ++++++++++++++++++++++------------------ 1 file changed, 51 insertions(+), 40 deletions(-) (limited to 'installation') diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index 0d627f2d7..139abe9e1 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf 
@@ -1,73 +1,84 @@ -# default Apache site config for Pleroma -# -# needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl -# optional modules: cache cache_disk +# Sample Apache config for Pleroma # # Simple installation instructions: -# 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. -# 3. This assumes a Debian style Apache config. Copy this file to -# /etc/apache2/sites-available/ and then add a symlink to it in -# /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache. +# 1. Install your TLS certificate. We recommend using Let's Encrypt via Certbot +# 2. Replace 'example.tld' with your instance's domain. +# 3. This assumes a Debian-style Apache config. Copy this file to +# /etc/apache2/sites-available/ and then activate the site by running +# 'a2ensite pleroma-apache.conf', then restart Apache. # # Optional: enable disk-based caching for the media proxy # For details, see https://git.pleroma.social/pleroma/pleroma/wikis/How%20to%20activate%20mediaproxy # -# 1. Create the directory listed below as the CacheRoot, and make sure +# 1. Create a directory as shown below for the CacheRoot and make sure # the Apache user can write to it. # 2. Configure Apache's htcacheclean to clean the directory periodically. -# 3. Run 'a2enmod cache cache_disk' and restart Apache. +# Your OS may provide a service you can enable to do this automatically. 
Define servername example.tld + + LoadModule proxy_module libexec/apache24/mod_proxy.so + + + LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so + + + LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so + + + LoadModule rewrite_module libexec/apache24/mod_rewrite.so + + + LoadModule ssl_module libexec/apache24/mod_ssl.so + + + LoadModule cache_module libexec/apache24/mod_cache.so + + + LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so + + ServerName ${servername} ServerTokens Prod -ErrorLog ${APACHE_LOG_DIR}/error.log -CustomLog ${APACHE_LOG_DIR}/access.log combined +# If you want Pleroma-specific logs +#ErrorLog /var/log/httpd-pleroma-error.log +#CustomLog /var/log/httpd-pleroma-access.log combined - Redirect permanent / https://${servername} + RewriteEngine on + RewriteCond %{SERVER_NAME} =${servername} + RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] SSLEngine on SSLCertificateFile /etc/letsencrypt/live/${servername}/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem + # Make sure you have the certbot-apache module installed + Include /etc/letsencrypt/options-ssl-apache.conf - # Mozilla modern configuration, tweak to your needs - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - SSLHonorCipherOrder on - SSLCompression off - SSLSessionTickets off - - # uncomment the following to enable mediaproxy caching on disk - # - # CacheRoot /var/cache/apache2/mod_cache_disk - # CacheDirLevels 1 - # CacheDirLength 2 - # CacheEnable disk /proxy - # CacheLock on - # + # Uncomment the following to enable MediaProxy caching on disk + #CacheRoot /tmp/pleroma-media-cache/ + #CacheDirLevels 1 + 
#CacheDirLength 2 + #CacheEnable disk /proxy + #CacheLock on + #CacheHeader on + #CacheDetailHeader on + ## 16MB max filesize for caching, configure as desired + #CacheMaxFileSize 16000000 + #CacheDefaultExpire 86400 RewriteEngine On RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] - RewriteRule /(.*) ws://localhost:4000/$1 [P,L] + RewriteRule /(.*) ws://127.0.0.1:4000/$1 [P,L] + #ProxyRequests must be off or you open your server to abuse as an open proxy ProxyRequests off - # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only - # and `localhost.` resolves to [::0] on some systems: see issue #930 ProxyPass / http://127.0.0.1:4000/ ProxyPassReverse / http://127.0.0.1:4000/ - - RequestHeader set Host ${servername} ProxyPreserveHost On - -# OCSP Stapling, only in httpd 2.3.3 and later -SSLUseStapling on -SSLStaplingResponderTimeout 5 -SSLStaplingReturnResponderErrors off -SSLStaplingCache shmcb:/var/run/ocsp(128000) -- cgit v1.2.3 From 003402df401f2bbf46e47017e3b7a2ec27615ea2 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Thu, 21 Jan 2021 14:20:13 -0600 Subject: Add ability to invalidate cache entries for Apache --- installation/apache-cache-purge.sh.example | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100755 installation/apache-cache-purge.sh.example (limited to 'installation') diff --git a/installation/apache-cache-purge.sh.example b/installation/apache-cache-purge.sh.example new file mode 100755 index 000000000..be1d36841 --- /dev/null +++ b/installation/apache-cache-purge.sh.example 
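Review bot: The explicit TLS policy (`SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, the cipher list, `SSLHonorCipherOrder`, `SSLCompression off`, `SSLSessionTickets off`) and the OCSP stapling block at the end of the file are removed in favour of `Include /etc/letsencrypt/options-ssl-apache.conf`, so protocol and cipher hardening now lives entirely outside this repository, and a plain `Include` of a missing file makes Apache fail its config check rather than fall back to anything. The comment above the include should say so and spell out what the file is expected to supply, e.g. `# TLS protocol/cipher policy comes from certbot's options-ssl-apache.conf; without certbot-apache, set SSLProtocol/SSLCipherSuite here instead`, and the stapling directives are worth keeping unless that file is known to set them. The new commented `CacheRoot /tmp/pleroma-media-cache/` puts the media-proxy cache in a world-writable, often memory-backed directory that any local user can pre-create before Apache does; the previous `/var/cache/apache2/mod_cache_disk` location owned by the Apache user is the safer default and the comment should keep recommending a dedicated path. The header still says this is a Debian-style config while the added `LoadModule` lines use FreeBSD `libexec/apache24/` paths; on Debian the modules come from `mods-enabled`, so these lines need an IfModule guard or a note that they are FreeBSD-only (the wrapper lines around them appear empty on this page, so whether a guard exists cannot be confirmed from here).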
@@ -0,0 +1,25 @@ +#!/bin/sh + +# A simple shell script to delete a media from Apache's mod_disk_cache. + +SCRIPTNAME=${0##*/} + +# mod_disk_cache directory +CACHE_DIRECTORY="/tmp/pleroma-media-cache" + +## Removes an item via the htcacheclean utility +## $1 - the filename, can be a pattern . +## $2 - the cache directory. +purge_item() { + htcacheclean -p "${2}" "${1}" +} # purge_item + +purge() { + for url in "$@" + do + echo "$SCRIPTNAME delete \`$url\` from cache ($CACHE_DIRECTORY)" + purge_item "$url" $CACHE_DIRECTORY + done +} + +purge "$@" -- cgit v1.2.3 From 8373cb645b7f357eedbc3a45a2e75a81376e6ef8 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Mon, 25 Jan 2021 18:15:04 -0600 Subject: Add sudo rule, remove quoting that breaks the for loop --- installation/apache-cache-purge.sh.example | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'installation') diff --git a/installation/apache-cache-purge.sh.example b/installation/apache-cache-purge.sh.example index be1d36841..62997038d 100755 --- a/installation/apache-cache-purge.sh.example +++ b/installation/apache-cache-purge.sh.example @@ -1,6 +1,10 @@ #!/bin/sh # A simple shell script to delete a media from Apache's mod_disk_cache. +# You will likely need to setup a sudo rule like the following: +# +# Cmnd_Alias HTCACHECLEAN = /usr/local/sbin/htcacheclean +# pleroma ALL=HTCACHECLEAN, NOPASSWD: HTCACHECLEAN SCRIPTNAME=${0##*/} @@ -11,15 +15,15 @@ CACHE_DIRECTORY="/tmp/pleroma-media-cache" ## $1 - the filename, can be a pattern . ## $2 - the cache directory. purge_item() { - htcacheclean -p "${2}" "${1}" + sudo htcacheclean -v -p "${2}" "${1}" } # purge_item purge() { - for url in "$@" + for url in $@ do echo "$SCRIPTNAME delete \`$url\` from cache ($CACHE_DIRECTORY)" purge_item "$url" $CACHE_DIRECTORY done } -purge "$@" +purge $@ -- cgit v1.2.3 From c6ef87d585b63e9e26b16176b65a67d10e4b706b Mon Sep 17 00:00:00 2001 
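Review bot: `purge` ignores the exit status of `htcacheclean`, so the script always exits 0 and the invalidation caller cannot tell that a purge failed (binary not installed, wrong `CACHE_DIRECTORY`, unreadable cache). Track failures and report them: `status=0` before the loop, `purge_item "$url" "$CACHE_DIRECTORY" || status=1` inside it, and `exit $status` after the final `purge "$@"`. Quoting `$CACHE_DIRECTORY` in that call also keeps the path intact if it is ever changed to one containing whitespace. `CACHE_DIRECTORY="/tmp/pleroma-media-cache"` mirrors the sample Apache config, but deleting cache entries under a world-writable directory that any local user could pre-create is fragile; a dedicated, Apache-owned cache directory is the safer default for both files.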
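Review bot: The sudoers example added to the header comment (`pleroma ALL=HTCACHECLEAN, NOPASSWD: HTCACHECLEAN`) grants passwordless root for `htcacheclean` with arbitrary arguments, although the script only needs to delete files under a cache directory the web-server user already owns. Prefer running it as that user with the arguments pinned, e.g. `pleroma ALL=(<apache-user>) NOPASSWD: /usr/local/sbin/htcacheclean -v -p /tmp/pleroma-media-cache *`, and drop the first, password-requiring spec, which is redundant next to the NOPASSWD one. The matching call in `purge_item` (second hunk of this commit) should then be `sudo -n -u <apache-user> htcacheclean -v -p "${2}" "${1}"`, where `-n` makes a missing or mistyped rule fail immediately instead of blocking the non-interactive invalidation script on a password prompt.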
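Review bot: Dropping the quotes in `for url in $@` and `purge $@` makes the shell not only word-split but also glob-expand every URL, so a URL containing `?`, `*` or `[` (query strings are common in media-proxy URLs) is matched against files in the current directory and silently replaced when something matches, and the purge then targets the wrong entry. If the caller really passes all URLs as one space-separated argument, as the commit title implies, keep the split but disable globbing: add `set -f` near the top of the script with a comment such as `# URLs arrive as one space-separated argument: split on whitespace, never glob`. The alternative is to split on the caller's side and restore `"$@"` in both places, which would be the more robust fix.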
From: Mark Felder Date: Mon, 25 Jan 2021 18:20:07 -0600 Subject: Note the requirement for the url_format parameter --- installation/apache-cache-purge.sh.example | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'installation') diff --git a/installation/apache-cache-purge.sh.example b/installation/apache-cache-purge.sh.example index 62997038d..7b4262875 100755 --- a/installation/apache-cache-purge.sh.example +++ b/installation/apache-cache-purge.sh.example @@ -5,6 +5,13 @@ # # Cmnd_Alias HTCACHECLEAN = /usr/local/sbin/htcacheclean # pleroma ALL=HTCACHECLEAN, NOPASSWD: HTCACHECLEAN +# +# Please also ensure you have enabled: +# +# config :pleroma, Pleroma.Web.MediaProxy.Invalidation.Script, url_format: :htcacheclean +# +# which will correctly format the URLs passed to this script for the htcacheclean utility. +# SCRIPTNAME=${0##*/} -- cgit v1.2.3 From 1d8f1fe0772736dd71219d244783c9d671dd7223 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 5 Feb 2021 13:32:21 -0600 Subject: Add a default rule to not attempt to cache any files larger than 50MB This fixes connection failures when trying to retrieve large files. It is less common in typical Pleroma usage, but it's possible to encounter this on a cloud instance with lower memory. --- installation/pleroma.vcl | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'installation') diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 13dad784c..4752510ea 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -59,6 +59,13 @@ sub vcl_backend_response { set beresp.http.CR = beresp.http.content-range; } + # Bypass cache for large files + # 50000000 ~ 50MB + if (std.integer(beresp.http.content-length, 0) > 50000000) { + set beresp.uncacheable = true; + return(deliver); + } + # Don't cache objects that require authentication if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") { set beresp.uncacheable = true; -- cgit v1.2.3
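Review bot: `std.integer(beresp.http.content-length, 0)` falls back to 0 when the backend sends no Content-Length, so a chunked response of any size still passes the new check and is cached, which is the large-file case the commit is meant to fix; if the backend can stream media without a length, also bypass when the header is absent (`if (!beresp.http.content-length || std.integer(beresp.http.content-length, 0) > 50000000) {`), otherwise say in the comment that only length-bearing responses are covered. The call depends on the `std` vmod, so `import std;` must already be present earlier in pleroma.vcl; that line is outside this hunk and cannot be confirmed from here. The two-line comment could carry the unit once, e.g. `# Bypass cache for files larger than 50 MB (50000000 bytes)`. `vcl_backend_response` continues outside the hunk.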