worker_processes 1; events { worker_connections 1024; } http { proxy_cache_path /var/cache/lemmy_frontend levels=1:2 keys_zone=lemmy_frontend_cache:10m max_size=100m use_temp_path=off; include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } server { listen 8535; server_name localhost; # Enable compression for JS/CSS/HTML bundle, for improved client load times. # It might be nice to compress JSON, but leaving that out to protect against potential # compression+encryption information leak attacks like BREACH. gzip on; gzip_types text/css application/javascript; gzip_vary on; # Only connect to this site via HTTPS for the two years add_header Strict-Transport-Security "max-age=63072000"; # Various content security headers add_header Referrer-Policy "same-origin"; add_header X-Content-Type-Options "nosniff"; add_header X-Frame-Options "DENY"; add_header X-XSS-Protection "1; mode=block"; # Upload limit for pictrs # client_max_body_size 50M; # frontend location / { # The default ports: # lemmy_port: 8536 # lemmy_ui_port: 1235 # Use :1234 if you want to develop locally, using yarn start in the lemmy-ui folder set $proxpass "http://0.0.0.0:1235"; if ($http_accept = "application/activity+json") { set $proxpass "http://0.0.0.0:8536"; } if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") { set $proxpass "http://0.0.0.0:8536"; } if ($request_method = POST) { set $proxpass "http://0.0.0.0:8536"; } proxy_pass $proxpass; rewrite ^(.+)/+$ $1 permanent; # Send actual client IP upstream proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } # backend location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) { proxy_pass http://0.0.0.0:8536; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Rate limit # limit_req zone=lemmy_ratelimit burst=30 nodelay; # Add IP forwarding headers proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } # Redirect pictshare images to pictrs location ~ /pictshare/(.*)$ { return 301 /pictrs/image/$1; } } }