Move SSL out of the mastodon jail
sed -e "s/\$DB_HOST/$POSTGRES_ADDR/" \
-e "s/\$REDIS_HOST/$REDIS_ADDR/" \
-e "s/\$HOSTNAME/$HOSTNAME/" \
+ -e "s/\$MASTODON_ADDR/$MASTODON_ADDR/" \
mastodon/env.production.tmpl > env.production
bastille cp $JAILNAME env.production /home/mastodon/live/.env.production
rm env.production
bastille service $JAILNAME mastodon-sidekiq start
bastille service $JAILNAME mastodon-web start
-sed -e "s/\$HOSTNAME/$HOSTNAME/" mastodon/nginx.conf.tmpl > nginx.conf
+sed -e "s/\$HOSTNAME/$HOSTNAME/" \
+ mastodon/nginx.conf.tmpl > nginx.conf
bastille cp $JAILNAME nginx.conf /usr/local/etc/nginx/
rm nginx.conf
-bastille cp $JAILNAME mastodon/mastodon.crt /usr/local/etc/nginx/
-bastille cp $JAILNAME mastodon/mastodon.key /usr/local/etc/nginx/
bastille sysrc $JAILNAME nginx_enable=YES
bastille service $JAILNAME nginx start
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_FROM_ADDRESS='Mastodon <notifications@$HOSTNAME>'
MAX_TOOT_CHARS=65536
+TRUSTED_PROXY_IP=$MASTODON_ADDR
------BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIUZUK4CzUipMn3EQ0uqL4VbZSrrZAwDQYJKoZIhvcNAQEL
-BQAwQjELMAkGA1UEBhMCREExIDAeBgNVBAoMF1RoZSBEb21pbmlvbiBvZiBBd2Vz
-b21lMREwDwYDVQQDDAhtYXN0b2RvbjAeFw0yMjA4MTAwMDA3MTVaFw0yMjA5MDkw
-MDA3MTVaMEIxCzAJBgNVBAYTAkRBMSAwHgYDVQQKDBdUaGUgRG9taW5pb24gb2Yg
-QXdlc29tZTERMA8GA1UEAwwIbWFzdG9kb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDC/9mq1N9aknisUjkqFHMjHRHIZhicCWwkadwqNHmF2V7Yw4/U
-maHdF62hdLE6gx56OITKWtwmxP+zoebfCjdVRCK7W5Ua7+e3PAd1ixFetu3bhEXQ
-BpRkRtPhXTZj1VPD0+6e72w+esSbIonll7rWxmOA8E/7C8R3WFB9f7CYuTCW05+a
-VEzXyFIju7b0JX9UUib+gtbusCn/m1NV76tZUIg7qprQY8/nsKNcGIQXg2p78OND
-XId+X3HIPoCgErQaV6pkLOu2E4Ulllou0vEHTrOhXM0kVibQDqJKQnHTiiH5WfNk
-qd/E57Nct1TDe+Km9molaTUzA8gn4VxEVgBbAgMBAAGjUzBRMB0GA1UdDgQWBBT0
-7vTzIyf5MJ7vuS9drzdEAeRVdTAfBgNVHSMEGDAWgBT07vTzIyf5MJ7vuS9drzdE
-AeRVdTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCbPWbKPWYt
-vgZfG4D+e222OAbrpi9Co2/jHq780nqo1VYS6E6/leTagg4EdqZuHgaTudkWarCb
-8mj0owonOGC0sWkItEpzQ4b5q1+2e2s1STiDyHrI8SKJhkKqnYl2AUXkw8uPaTdX
-pt6aMCxCUSwEUw8RmhP4HHwUIHMlvyF+7azBVqB4j2GskPqwnqej6+4tiIq/fjv0
-ipEdSjiHpoPqrxOy58k9l/Al/gKimpk0dq9gLAAUfoqtUsw29QLH+pgBvihfVUfO
-ZmjDEYDj6/JZ/J2OJpCUeORVUbaKubrF5BBMpq0XIdoWDL3FoxgCJ+D9ElA+5kBH
-5WCUf/drcQVW
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAwv/ZqtTfWpJ4rFI5KhRzIx0RyGYYnAlsJGncKjR5hdle2MOP
-1Jmh3RetoXSxOoMeejiEylrcJsT/s6Hm3wo3VUQiu1uVGu/ntzwHdYsRXrbt24RF
-0AaUZEbT4V02Y9VTw9Punu9sPnrEmyKJ5Ze61sZjgPBP+wvEd1hQfX+wmLkwltOf
-mlRM18hSI7u29CV/VFIm/oLW7rAp/5tTVe+rWVCIO6qa0GPP57CjXBiEF4Nqe/Dj
-Q1yHfl9xyD6AoBK0GleqZCzrthOFJZZaLtLxB06zoVzNJFYm0A6iSkJx04oh+Vnz
-ZKnfxOezXLdUw3vipvZqJWk1MwPIJ+FcRFYAWwIDAQABAoIBAQC+ysyznELJgMS3
-fl/WL1oUQi4TEOoFSibYXgd/+AXrE6r8liPVlVhNVgyaC+4YXRBl74Tl5Q7AlEHI
-BaI6GunW8Kq2/L2gNJlYrFB0DtS5Am0qOnqANt/cWXyYZbaA6cpisaspMQONAlv5
-mkqoLNQvrr7O+tKWxIW/a9adZGFqmxi0iAxj0tYDlSpOdxjbFcKHImI5/S/L6MdW
-4E/TPNQQBKeE1ug3LHno+rcyQO6CEbOqGXv4E3humkTOkfOssKYViCU8ihIFcioZ
-X+oDayV1eozi1EYG4ZqKYu2Gfr4G71iB1WUUKBqEaA63pf9i1qTJ9TCgMN5ow3p0
-MffTo83RAoGBAPU7ECvxPHZe4XkYlhsC9yPiBBgq5cs9w/xPdLm1cGHEYB9Fe2Qf
-YhM0ZMaH9f3l1HOYnU4bTVHde6h0EsmIibqdqlj40y6dZzcO087gLLWC+s0IjkSP
-W3lS8T2+53d0Ex46bhAB7WjZw1QDk8bqapWIM3RFpsUw7Mr2UjImQ4P5AoGBAMuQ
-E3A6RfAV2vqk+kd1silUzEgptdjL6ZMRDtS7LOJ048vNPc0naJEwr1KgWpbi0G7i
-29o7xZKubMsiS6s3WDmjldgV9h+1c3XJVSs388vA0ccDGAdiuKWboFVdJKPurRnV
-qYEQf1z+iuEDHgphmNmo30mkvzin8IOc0L8TplPzAoGANmkVbHqI7MaehmzTGUku
-JpMGT4ptFAwvSPMkNfQw7DBTF30mJI/mBdbRKU+PX/c3jTJmbKcYH7rhrf2bEYYu
-8O38luMWkDgyZ3/ttO/+W4OlPArS7hlUtXWWuxl5aAKkH0fdlcWntGTktuZYSoFG
-hskCiaDOoN/7GglPMXtV7ZkCgYACyUEK2zFT3Oi3X4Sxb7H1kNyO7Es54WicA7LB
-RKKToufvRSrgYPa0bgcoSVuUDxytN9use/7zSAHjMd/5QvOpLk0BvSM2QeSHqy7I
-PabPlh8I60jr6PUAB0ZFhNXYjI6/+MWuJ4ymuDEsbT9/AuD1sbMErgWT//BxzLaq
-ttki8wKBgGIz2/YQ5/3fzEwr43iu+/Bv2MohD+Vz3eeTVw+nEEC0qSXjboDzzpDd
-pYG5XvlFFk72ITfCLWa12PY+i1Rsqqzeoad/qeBa3RZwkVSXfPqzziu2n85THefS
-YrYqtWpcMpbZibQB69xUaZcLZfzWpsjUf0uUoJrgSujtiXVMpw9T
------END RSA PRIVATE KEY-----
server {
listen 80;
- # listen [::]:80;
server_name $HOSTNAME;
- root /home/mastodon/live/public;
- location /.well-known/acme-challenge/ { allow all; }
- location / { return 301 https://$host$request_uri; }
- }
-
- server {
- listen 443 ssl http2;
- # listen [::]:443 ssl http2;
- server_name $HOSTNAME;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- # Uncomment these lines once you acquire a certificate:
- ssl_certificate /usr/local/etc/nginx/mastodon.crt;
- ssl_certificate_key /usr/local/etc/nginx/mastodon.key;
keepalive_timeout 70;
sendfile on;
location @proxy {
proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-IP $http_x_real_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Proxy "";
proxy_pass_header Server;
location /api/v1/streaming {
proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-IP $http_x_real_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Proxy "";
proxy_pass http://streaming;