update lemmy role to match upstream

2023-12-03 00:35:25 +01:00 · 2023-12-03 00:35:25 +01:00 · 769074a8cd
parent d7041335e4
commit 769074a8cd
1 changed files with 16 additions and 44 deletions
--- a/templates/etc/nginx/sites-available/lemmy.j2
+++ b/templates/etc/nginx/sites-available/lemmy.j2
@ -2,7 +2,18 @@ limit_req_zone $binary_remote_addr zone={{ item.name }}_ratelimit:10m rate=1r/s;

 {% extends "core.j2" %}

+{% block headers %}
+
+# Various content security headers
+  add_header Referrer-Policy "same-origin";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options "DENY";
+  add_header X-XSS-Protection "1; mode=block";
+
+{% endblock %}
+
 {% block location %}
+
 # frontend
 location / {
  # The default ports:
@ -10,16 +21,14 @@ location / {
  # lemmy_port: 8536

  set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_ui_port }};
-  if ($http_accept = "application/activity+json") {
+      if ($http_accept ~ "^application/.*$") {
    set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
  }
-  if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+      if ($request_method = POST) {
     set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
  }
-  if ($request_method = POST) {
-    set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
-  }
  proxy_pass $proxpass;
+
  rewrite ^(.+)/+$ $1 permanent;

  # Send actual client IP upstream
@ -29,7 +38,7 @@ location / {
  }

 # backend
-location ~ ^/(api|feeds|nodeinfo|.well-known) {
+location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
  proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
@ -38,48 +47,11 @@ location ~ ^/(api|feeds|nodeinfo|.well-known) {
  # Rate limit
  #limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;

-  # Send actual client IP upstream
+  # Add IP forwarding headers
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
-{% if lemmy_pictrs_deploy == true %}
-  # pictrs only - for adding browser cache control.
-  location ~ ^/(pictrs) {
-      # allow browser cache, images never update, we can apply long term cache
-      expires 120d;
-      add_header Pragma "public";
-      add_header Cache-Control "public";
-
-      proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
-      proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "upgrade";
-
-      # Rate limit
-      limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;
-
-      # Add IP forwarding headers
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-  # Redirect pictshare images to pictrs
-  location ~ /pictshare/(.*)$ {
-    return 301 /pictrs/image/$1;
-  }
-{% endif %}
-
 {% endblock %}

-# Anonymize IP addresses
-# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
-#map $remote_addr $remote_addr_anon {
-#  ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
-#  ~(?P<ip>[^:]+:[^:]+):       $ip::;
-#  127.0.0.1                   $remote_addr;
-#  ::1                         $remote_addr;
-#  default                     {{ item.upstream_name }};
-#}