Mirror
/
tildes
mirror of https://gitlab.com/tildes/tildes.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
975 Commits
1 Branch
0 Tags
3.2 MiB
Tree: 4cc100ab02
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4cc100ab02'
${ noResults }
tildes/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2

110 lines
3.6 KiB
Raw Normal View History

Initial open-source release
6 years ago
Block SemrushBot in nginx (it ignores robots.txt)
5 years ago
Initial open-source release
6 years ago
Redirect /donate to the page on the Docs site
5 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Fix Content-Security-Policy header Apparently add_header inside a location block doesn't... you know, actually work. This should be reasonable, but I'd still rather only allow the Stripe JS on the single page where it's necessary.
5 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Fix Content-Security-Policy header Apparently add_header inside a location block doesn't... you know, actually work. This should be reasonable, but I'd still rather only allow the Stripe JS on the single page where it's necessary.
5 years ago
Add frame-src to CSP for Stripe The Stripe Checkout redirect was getting blocked by the Content Security Policy, and requires being allowed through frame-src like this.
5 years ago
Initial open-source release
6 years ago
Referrer-Policy: strict-origin-when-cross-origin Previously, this was set as "same-origin" which will only send a referrer to Tildes itself. This changes so that it will continue sending the full referrer to Tildes, but will send only the domain to external sites if they use HTTPS (and no referer to HTTP ones). This can be useful because there are often situations where an article author sees traffic coming from a site and will come to check it out and be able to participate in the discussion.
5 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
Salt: update states related to Prometheus Some of these states were built entirely around a single-server approach (Prometheus + monitoring being on the same server as the site), and the files have needed modifications to work with a separate monitoring server. This updates the states so that it should all happen as expected in all types of environments.
5 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Salt: update states related to Prometheus Some of these states were built entirely around a single-server approach (Prometheus + monitoring being on the same server as the site), and the files have needed modifications to work with a separate monitoring server. This updates the states so that it should all happen as expected in all types of environments.
5 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
nginx: add rate-limit for requests to Pyramid This won't affect requests for static files or anything except ones that get proxied to the app. The current configuration is based on IP, and allows a rate of 4/sec, with an additional burst of 5 above the limit permitted, and burst requests allowed to go through immediately (nodelay). For more info: https://www.nginx.com/blog/rate-limiting-nginx/
5 years ago
Only apply nginx ratelimit in prod This is interfering with a few things in dev, including the debug toolbar (since all of its assets are served by the app).
5 years ago
nginx: add rate-limit for requests to Pyramid This won't affect requests for static files or anything except ones that get proxied to the app. The current configuration is based on IP, and allows a rate of 4/sec, with an additional burst of 5 above the limit permitted, and burst requests allowed to go through immediately (nodelay). For more info: https://www.nginx.com/blog/rate-limiting-nginx/
5 years ago
Initial open-source release
6 years ago
Nginx: only do "no www." redirect in production This redirect being first in the file meant that if someone tried to access a dev version through any method except using "localhost" (such as via the IP address), no server block would be matched, which causes nginx to use the first one. That resulted in a 301 redirect to tildes.net, which definitely shouldn't happen for a dev version. This change both moves the redirect to the bottom, as well as only adding it if it's the "prod" environment, since it's not needed in the dev environment at all.
5 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Nginx: only do "no www." redirect in production This redirect being first in the file meant that if someone tried to access a dev version through any method except using "localhost" (such as via the IP address), no server block would be matched, which causes nginx to use the first one. That resulted in a 301 redirect to tildes.net, which definitely shouldn't happen for a dev version. This change both moves the redirect to the bottom, as well as only adding it if it's the "prod" environment, since it's not needed in the dev environment at all.
5 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Nginx: only do "no www." redirect in production This redirect being first in the file meant that if someone tried to access a dev version through any method except using "localhost" (such as via the IP address), no server block would be matched, which causes nginx to use the first one. That resulted in a 301 redirect to tildes.net, which definitely shouldn't happen for a dev version. This change both moves the redirect to the bottom, as well as only adding it if it's the "prod" environment, since it's not needed in the dev environment at all.
5 years ago
  1. upstream app_server {
  2. server unix:/run/gunicorn/socket fail_timeout=0;
  3. }
  5. # define map to set Expires+Cache-Control headers for files based on type
  6. map $sent_http_content_type $expires_type_map {
  7. default off;
  8. text/css max;
  9. application/javascript max;
  10. image/x-icon 1d;
  11. ~image/ max;
  12. }
  14. server {
  15. # block bots that don't obey robots.txt
  16. if ($http_user_agent ~* (SemrushBot)) {
  17. return 403;
  18. }
  20. # remove trailing slash from addresses, the $port thing is a hack for
  21. # development in Vagrant, so the port forwarding from the host is kept
  22. set $port '';
  23. if ($http_host ~ :(\d+)$) {
  24. set $port :$1;
  25. }
  26. rewrite ^/(.*)/$ https://$host$port/$1 permanent;
  28. # redirect /donate to the page on the Docs site
  29. rewrite ^/donate$ https://docs.tildes.net/donate redirect;
  31. # redirect /u/username to /user/username
  32. rewrite ^/u/(.*)$ https://$host$port/user/$1;
  34. listen 443 ssl http2;
  35. listen [::]:443 ssl http2;
  37. {% if nginx_enable_hsts %}
  38. add_header Strict-Transport-Security "max-age={{ hsts_max_age }}; includeSubDomains; preload" always;
  39. {% endif %}
  41. {% if nginx_enable_csp %}
  42. # Content Security Policy:
  43. # - "img-src data:" is needed for Spectre.css icons
  44. # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
  45. add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
  46. {% endif %}
  48. add_header X-Content-Type-Options "nosniff" always;
  49. add_header X-Frame-Options "DENY" always;
  50. add_header X-Xss-Protection "1; mode=block" always;
  51. add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  53. server_name {{ site_hostname }};
  55. keepalive_timeout 5;
  57. root {{ app_dir }}/static;
  59. # Block access to /metrics except from Prometheus server(s)
  60. location /metrics {
  61. {% for ip in prometheus_ips -%}
  62. allow {{ ip }};
  63. {% endfor -%}
  64. deny all;
  66. # try_files is unnecessary here, but I don't know the "proper" way
  67. try_files $uri @proxy_to_app;
  68. }
  70. # add Expires+Cache-Control headers from the mime-type map defined above
  71. expires $expires_type_map;
  73. location / {
  74. # checks for static file, if not found proxy to app
  75. try_files $uri @proxy_to_app;
  76. gzip_static on;
  77. }
  79. location @proxy_to_app {
  80. {% if nginx_enable_ratelimiting %}
  81. # apply rate-limiting, allowing a burst above the limit
  82. limit_req zone=tildes_app burst=5 nodelay;
  83. {% endif -%}
  85. # Cornice adds the X-Content-Type-Options header, so it will end up
  86. # being duplicated since nginx is also configured to send it (above).
  87. # It's better to drop the header coming from Gunicorn here than to
  88. # stop sending it in nginx, since if I ever stop using Cornice I would
  89. # lose that header (and probably not realize).
  90. proxy_hide_header X-Content-Type-Options;
  92. proxy_set_header Host $host;
  93. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  94. proxy_set_header X-Forwarded-Proto $scheme;
  95. proxy_redirect off;
  96. proxy_pass http://app_server;
  97. }
  98. }
  100. {% if nginx_redirect_www %}
  101. # redirect www. to base domain
  102. server {
  103. listen 80;
  104. listen 443 ssl http2;
  105. listen [::]:443 ssl http2;
  107. server_name www.{{ site_hostname }};
  108. return 301 https://{{ site_hostname }}$request_uri;
  109. }
  110. {% endif %}