Commit Graph
13 Commits
Author SHA1 Message Date
Yurii IzorkinandGitHub a9ff5c8309 templates/systemd/mastodon: update sandbox mode (#16235)
* templates/systemd/mastodon: add new sandboxing options

* templates/systemd/mastodon: add '@privileged' and remove duplicates SystemCallFilters

* templates/systemd/mastodon: add '@ipc' SystemCallFilter

* templates/systemd/mastodon: add '@memlock' SystemCallFilter

* templates/systemd/mastodon: allow '@resources' filter to mastodon-web service
2021-10-25 16:31:20 +02:00
Peter Dave HelloandGitHub a2afcac7d9 Make sure nginx always send HSTS header (#16633)
By default, it'll only send those headers when the response code is one of the following:
- 200, 201, 204, 206, 301, 302, 303, 304, 307 & 308

As all the traffics should be https, the http protocol only exists to do 301 redirect,
and always send the HSTS header is almost one of the best practices, we should set
nginx to do so.

Reference:
- https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
- https://ssl-config.mozilla.org/
2021-08-20 10:54:11 +01:00
Peter Dave HelloandGitHub e03dc3956f Disable nginx ssl_session_tickets for better security (#16632)
It's default turned on, but it's better to turn it off for security reason.

Reference:
- https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
- https://github.com/mozilla/server-side-tls/issues/135
2021-08-20 08:15:07 +01:00
Akihiko OdakiandGitHub 8af7f3b063 Preload libjemalloc.so for long-running Ruby (#16462)
Always mark jemalloc needed if jemalloc is enabled by akihikodaki · Pull Request #4627 · ruby/ruby
https://github.com/ruby/ruby/pull/4627
> Symbols exported by jemalloc is referred by the shared library but not
> by the executables when building Ruby as a shared library with
> jemalloc. It causes shared libraries such as the GNU C++ library
> occasionally rely on the memory allocator provided by the standard C
> library. Worse, the resolved symbols can later be replaced with
> jemalloc, and jemalloc may see pointers from the standard C library,
> which results in various failures.
> e.g. https://github.com/tootsuite/mastodon/issues/15751

As a workaround, do not rely on jemalloc enablement of Ruby, and
preload libjemalloc.so instead.
2021-07-05 19:16:35 +02:00
Yurii IzorkinandGitHub 7da104eb11 templates/systemd/mastodon: optimize SystemCallFilters (#16127) 2021-04-27 20:34:53 +02:00
Yurii IzorkinandGitHub 863ae47b51 templates/systemd/mastodon: update sandbox mode (#16103) 2021-04-24 13:41:03 +02:00
Yurii IzorkinandGitHub 297a3cf904 templates/systemd/mastodon: enable sandbox mode (#15937) 2021-03-24 10:46:13 +01:00
Cecylia BocovichandGitHub 38bc4b9562 Set X-Forwarded-Proto to request scheme (#15310) (#15498)
This fixes a bug that prevents logins to mastodon onion services. The
nginx directive assumed all requests were made over https, causing a
domain mismatch for onion services that have https redirects disabled.
The fix more correctly sets X-Forwarded-Proto to the actual scheme used
in the request.
2021-01-05 22:25:07 +01:00
ShleeandGitHub 514cd874a7 Update nginx.conf (#13066) 2020-03-08 16:04:25 +01:00
ichi_iandEugen Rochko 49f57b5534 Add TLS v1.3 support (#11603)
Maintain TLS v1.2 compatibility (might want to drop this later) and add support for TLS v1.3
2019-08-30 07:42:50 +02:00
Eugen RochkoandGitHub b7379da6cc Cache error 410 responses in recommended nginx configuration (#10425) 2019-03-30 03:14:31 +01:00
Nolan LawsonandEugen Rochko 658b4621a6 perf: run node directly when streaming (#10032) 2019-02-13 18:52:36 +01:00
Eugen RochkoandGitHub 6465972caf Add nginx and systemd templates (#8770)
So they can be copied during installation instead of looking
them up in the documentation

Make default sidekiq configuration use weighted queues

Remove deprecated docs directory
2018-09-24 16:46:05 +02:00