Mirror
/
tildes
mirror of https://gitlab.com/tildes/tildes.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1001 Commits
1 Branch
0 Tags
3.3 MiB
Tree: f355bc6a80
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f355bc6a80'
${ noResults }
tildes/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2

116 lines
3.9 KiB
Raw Normal View History

Initial open-source release
6 years ago
Map the content_security_policy header to the request_uri.
1 year ago
Initial open-source release
6 years ago
Block SemrushBot in nginx (it ignores robots.txt)
5 years ago
Initial open-source release
6 years ago
Redirect /donate to the page on the Docs site
5 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Fix Content-Security-Policy header Apparently add_header inside a location block doesn't... you know, actually work. This should be reasonable, but I'd still rather only allow the Stripe JS on the single page where it's necessary.
5 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Map the content_security_policy header to the request_uri.
1 year ago
Initial open-source release
6 years ago
Referrer-Policy: strict-origin-when-cross-origin Previously, this was set as "same-origin" which will only send a referrer to Tildes itself. This changes so that it will continue sending the full referrer to Tildes, but will send only the domain to external sites if they use HTTPS (and no referer to HTTP ones). This can be useful because there are often situations where an article author sees traffic coming from a site and will come to check it out and be able to participate in the discussion.
6 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
Salt: update states related to Prometheus Some of these states were built entirely around a single-server approach (Prometheus + monitoring being on the same server as the site), and the files have needed modifications to work with a separate monitoring server. This updates the states so that it should all happen as expected in all types of environments.
6 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Salt: update states related to Prometheus Some of these states were built entirely around a single-server approach (Prometheus + monitoring being on the same server as the site), and the files have needed modifications to work with a separate monitoring server. This updates the states so that it should all happen as expected in all types of environments.
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
nginx: add rate-limit for requests to Pyramid This won't affect requests for static files or anything except ones that get proxied to the app. The current configuration is based on IP, and allows a rate of 4/sec, with an additional burst of 5 above the limit permitted, and burst requests allowed to go through immediately (nodelay). For more info: https://www.nginx.com/blog/rate-limiting-nginx/
6 years ago
Only apply nginx ratelimit in prod This is interfering with a few things in dev, including the debug toolbar (since all of its assets are served by the app).
5 years ago
nginx: add rate-limit for requests to Pyramid This won't affect requests for static files or anything except ones that get proxied to the app. The current configuration is based on IP, and allows a rate of 4/sec, with an additional burst of 5 above the limit permitted, and burst requests allowed to go through immediately (nodelay). For more info: https://www.nginx.com/blog/rate-limiting-nginx/
6 years ago
Initial open-source release
6 years ago
Nginx: only do "no www." redirect in production This redirect being first in the file meant that if someone tried to access a dev version through any method except using "localhost" (such as via the IP address), no server block would be matched, which causes nginx to use the first one. That resulted in a 301 redirect to tildes.net, which definitely shouldn't happen for a dev version. This change both moves the redirect to the bottom, as well as only adding it if it's the "prod" environment, since it's not needed in the dev environment at all.
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Nginx: only do "no www." redirect in production This redirect being first in the file meant that if someone tried to access a dev version through any method except using "localhost" (such as via the IP address), no server block would be matched, which causes nginx to use the first one. That resulted in a 301 redirect to tildes.net, which definitely shouldn't happen for a dev version. This change both moves the redirect to the bottom, as well as only adding it if it's the "prod" environment, since it's not needed in the dev environment at all.
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Nginx: only do "no www." redirect in production This redirect being first in the file meant that if someone tried to access a dev version through any method except using "localhost" (such as via the IP address), no server block would be matched, which causes nginx to use the first one. That resulted in a 301 redirect to tildes.net, which definitely shouldn't happen for a dev version. This change both moves the redirect to the bottom, as well as only adding it if it's the "prod" environment, since it's not needed in the dev environment at all.
6 years ago
  1. upstream app_server {
  2. server unix:/run/gunicorn/socket fail_timeout=0;
  3. }
  5. # define map to set Expires+Cache-Control headers for files based on type
  6. map $sent_http_content_type $expires_type_map {
  7. default off;
  8. text/css max;
  9. application/javascript max;
  10. image/x-icon 1d;
  11. ~image/ max;
  12. }
  14. map $request_uri $csp_header {
  15. # The default CSP:
  16. # - "img-src data:" is needed for Spectre.css icons
  17. default "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
  18. # The CSP for the Stripe donation page:
  19. # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
  20. "~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
  21. }
  23. server {
  24. # block bots that don't obey robots.txt
  25. if ($http_user_agent ~* (SemrushBot)) {
  26. return 403;
  27. }
  29. # remove trailing slash from addresses, the $port thing is a hack for
  30. # development in Vagrant, so the port forwarding from the host is kept
  31. set $port '';
  32. if ($http_host ~ :(\d+)$) {
  33. set $port :$1;
  34. }
  35. rewrite ^/(.*)/$ https://$host$port/$1 permanent;
  37. # redirect /donate to the page on the Docs site
  38. rewrite ^/donate$ https://docs.tildes.net/donate redirect;
  40. # redirect /u/username to /user/username
  41. rewrite ^/u/(.*)$ https://$host$port/user/$1;
  43. listen 443 ssl http2;
  44. listen [::]:443 ssl http2;
  46. {% if nginx_enable_hsts %}
  47. add_header Strict-Transport-Security "max-age={{ hsts_max_age }}; includeSubDomains; preload" always;
  48. {% endif %}
  50. {% if nginx_enable_csp %}
  51. add_header Content-Security-Policy $csp_header always;
  52. {% endif %}
  54. add_header X-Content-Type-Options "nosniff" always;
  55. add_header X-Frame-Options "DENY" always;
  56. add_header X-Xss-Protection "1; mode=block" always;
  57. add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  59. server_name {{ site_hostname }};
  61. keepalive_timeout 5;
  63. root {{ app_dir }}/static;
  65. # Block access to /metrics except from Prometheus server(s)
  66. location /metrics {
  67. {% for ip in prometheus_ips -%}
  68. allow {{ ip }};
  69. {% endfor -%}
  70. deny all;
  72. # try_files is unnecessary here, but I don't know the "proper" way
  73. try_files $uri @proxy_to_app;
  74. }
  76. # add Expires+Cache-Control headers from the mime-type map defined above
  77. expires $expires_type_map;
  79. location / {
  80. # checks for static file, if not found proxy to app
  81. try_files $uri @proxy_to_app;
  82. gzip_static on;
  83. }
  85. location @proxy_to_app {
  86. {% if nginx_enable_ratelimiting %}
  87. # apply rate-limiting, allowing a burst above the limit
  88. limit_req zone=tildes_app burst=5 nodelay;
  89. {% endif -%}
  91. # Cornice adds the X-Content-Type-Options header, so it will end up
  92. # being duplicated since nginx is also configured to send it (above).
  93. # It's better to drop the header coming from Gunicorn here than to
  94. # stop sending it in nginx, since if I ever stop using Cornice I would
  95. # lose that header (and probably not realize).
  96. proxy_hide_header X-Content-Type-Options;
  98. proxy_set_header Host $host;
  99. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  100. proxy_set_header X-Forwarded-Proto $scheme;
  101. proxy_redirect off;
  102. proxy_pass http://app_server;
  103. }
  104. }
  106. {% if nginx_redirect_www %}
  107. # redirect www. to base domain
  108. server {
  109. listen 80;
  110. listen 443 ssl http2;
  111. listen [::]:443 ssl http2;
  113. server_name www.{{ site_hostname }};
  114. return 301 https://{{ site_hostname }}$request_uri;
  115. }
  116. {% endif %}