From ebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 15 Oct 2023 21:16:26 +0200 Subject: surtr: ... --- hosts/surtr/http/default.nix | 8 ++++++-- hosts/surtr/matrix/default.nix | 40 +++++++++++++++++++++++++++++++++------- 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix index 6b516b00..c70eb8f8 100644 --- a/hosts/surtr/http/default.nix +++ b/hosts/surtr/http/default.nix @@ -24,16 +24,20 @@ access_log syslog:server=unix:/dev/log main; error_log syslog:server=unix:/dev/log info; - client_body_temp_path /run/nginx-client-bodies; + client_body_temp_path /run/nginx-client-bodies 2 2; + proxy_temp_path /run/nginx-proxy-bodies 2 2; ''; additionalModules = with pkgs.nginxModules; [ pam ]; + eventsConfig = '' + worker_connections 2048; + ''; }; systemd.services.nginx = { preStart = lib.mkForce config.services.nginx.preStart; serviceConfig = { SupplementaryGroups = [ "shadow" ]; ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ]; + RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ]; RuntimeDirectoryMode = "0750"; }; }; diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index fcebf9c1..7a1b968e 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix @@ -141,6 +141,9 @@ with lib; recommendedProxySettings = true; upstreams."matrix-synapse" = { + extraConfig = '' + keepalive 64; + ''; servers = { "127.0.0.1:8008" = {}; }; @@ -175,7 +178,11 @@ with lib; proxyPass = "http://matrix-synapse"; extraConfig = '' client_max_body_size 500M; + proxy_pass_header Server; + + proxy_http_version 1.1; + proxy_set_header "Connection" ""; ''; }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // { "= /.well-known/matrix/server" = { 
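Review bot: The new `proxy_temp_path /run/nginx-proxy-bodies 2 2;` in the http hunk points nginx's upstream-response spill files at /run, which on NixOS is normally a RAM-backed tmpfs, so any proxied response that overflows the in-memory proxy buffers is spooled into memory, by default up to `proxy_max_temp_file_size` of 1024m per request and, with `worker_connections 2048;` now raised in the same hunk, potentially many requests at once. If the directive is only there to satisfy the service's `RuntimeDirectory` sandbox, bound the exposure explicitly, e.g. `proxy_max_temp_file_size 0;` (responses larger than the buffers are then passed through synchronously instead of spooled) or a small cap, and record the reason beside it: `# /run is tmpfs: do not let upstream responses spool into RAM`. The same caveat applies to the pre-existing `client_body_temp_path` under a 500M `client_max_body_size`, but that location is not new here.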
@@ -201,7 +208,16 @@ with lib; }; }; - virtualHosts."element.synapse.li" = { + virtualHosts."element.synapse.li" = let + headerDirectives = '' + add_header Strict-Transport-Security "max-age=63072000" always; + + add_header X-Frame-Options SAMEORIGIN always; + add_header X-Content-Type-Options nosniff always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Content-Security-Policy "frame-ancestors 'self'" always; + ''; + in { forceSSL = true; kTLS = true; http3 = true; @@ -209,12 +225,7 @@ with lib; sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem"; sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; extraConfig = '' - add_header Strict-Transport-Security "max-age=63072000" always; - - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'self'"; + error_page 500 502 503 504 /50x.html; ''; root = pkgs.element-web.override { @@ -225,6 +236,21 @@ with lib; }; }; }; + + locations = { + "= /index.html".extraConfig = '' + ${headerDirectives} + add_header Cache-Control "no-cache" always; + ''; + "= /version".extraConfig = '' + ${headerDirectives} + add_header Cache-Control "no-cache" always; + ''; + "/config".extraConfig = '' + ${headerDirectives} + add_header Cache-Control "no-cache" always; + ''; + }; }; }; -- cgit v1.2.3
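Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in the new `headerDirectives` binding carries forward a header that current guidance recommends setting to `0` or dropping: the browser XSS auditor it controls has been removed from Chromium and was never in Firefox, and in the engines that still honour it the filter has been used as a cross-origin information leak, so the `Content-Security-Policy` line is the effective control. Since this commit consolidates the headers into one place, it is the natural moment to change the line to `add_header X-XSS-Protection "0" always;` or remove it. The `virtualHosts."element.synapse.li"` attrset opened by the `let … in {` here continues past the end of this hunk.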
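Review bot: Deleting the `add_header` lines from the server-level `extraConfig` drops HSTS, X-Frame-Options, X-Content-Type-Options and the `frame-ancestors` CSP from every element.synapse.li response not served by the three new locations (`= /index.html`, `= /version`, `/config`): the JS/CSS bundles, wasm, themes, 404s and the new `/50x.html` error page now go out without them. nginx does not merge `add_header` across levels, a location that declares any `add_header` replaces the inherited set, which is why the full set had to be repeated in the locations, but that does not require removing the server-level copy that still covers everything else. Keep it alongside the error page, `extraConfig = '' ${headerDirectives} error_page 500 502 503 504 /50x.html; '';` (the `let` binding is in scope), so the locations override with the same set plus `Cache-Control`. Separately, `/50x.html` resolves inside the element-web `root`; unless that package ships such a file (not visible here) the error path will answer 404. The enclosing `virtualHosts."element.synapse.li"` attrset starts and ends outside this hunk.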