commit:5e38dfd4a6a42cd5b57d935528c27f62fa7af45f
author:Chip Black
committer:Chip Black
date:Wed Dec 28 01:24:22 2022 -0600
parents:dd5867f580c801725bf3cbd141cb3780f53c8e97
Move SSL out of the mastodon jail
diff --git a/build-mastodon.sh b/build-mastodon.sh
line changes: +3/-3
index 5315c83..32a86a7
--- a/build-mastodon.sh
+++ b/build-mastodon.sh
@@ -39,6 +39,7 @@ SCRIPT
 sed -e "s/\$DB_HOST/$POSTGRES_ADDR/" \
     -e "s/\$REDIS_HOST/$REDIS_ADDR/" \
     -e "s/\$HOSTNAME/$HOSTNAME/" \
+    -e "s/\$MASTODON_ADDR/$MASTODON_ADDR/" \
     mastodon/env.production.tmpl > env.production
 bastille cp $JAILNAME env.production /home/mastodon/live/.env.production
 rm env.production
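Review bot: The added `s/\$MASTODON_ADDR/$MASTODON_ADDR/` expression substitutes an unchecked shell variable using `/` as the sed delimiter, so an unset MASTODON_ADDR silently produces `TRUSTED_PROXY_IP=` in the jail's .env.production, and a value containing a slash (a CIDR range, which Mastodon accepts in that setting) breaks the sed command rather than the build. Where MASTODON_ADDR is assigned lies outside this hunk, so it may already be validated; if not, fail fast before the sed with `: "${MASTODON_ADDR:?MASTODON_ADDR must be set}"` and use a delimiter that cannot occur in an address, e.g. `-e "s|\$MASTODON_ADDR|$MASTODON_ADDR|"`. The same delimiter concern applies to the neighbouring `$HOSTNAME` substitutions, but those are pre-existing.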
@@ -50,10 +51,9 @@ bastille service $JAILNAME mastodon-streaming start
 bastille service $JAILNAME mastodon-sidekiq start
 bastille service $JAILNAME mastodon-web start
 
-sed -e "s/\$HOSTNAME/$HOSTNAME/" mastodon/nginx.conf.tmpl > nginx.conf
+sed -e "s/\$HOSTNAME/$HOSTNAME/" \
+    mastodon/nginx.conf.tmpl > nginx.conf
 bastille cp $JAILNAME nginx.conf /usr/local/etc/nginx/
 rm nginx.conf
-bastille cp $JAILNAME mastodon/mastodon.crt /usr/local/etc/nginx/
-bastille cp $JAILNAME mastodon/mastodon.key /usr/local/etc/nginx/
 bastille sysrc $JAILNAME nginx_enable=YES
 bastille service $JAILNAME nginx start
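Review bot: Removing the two `bastille cp` lines for mastodon.crt and mastodon.key takes the files out of the tree but not out of git history, where the RSA private key remains recoverable from every earlier revision. If that key ever protected anything beyond a local test setup it should be treated as disclosed and the new TLS terminator given freshly generated key material rather than a copy of this pair; the removed certificate's DER fields look like a self-signed, one-month test certificate, which limits the exposure, but that is worth confirming. A `.gitignore` entry for `*.key` and `*.crt` would keep the next generated pair out of the repository. The nginx template is still copied in unconditionally two lines above and nothing checks that it no longer references the now-absent cert paths before `nginx start`, so a `bastille cmd $JAILNAME nginx -t` between the copy and the service start would make a stale template fail loudly instead of leaving the jail without a listener.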

diff --git a/mastodon/env.production.tmpl b/mastodon/env.production.tmpl
line changes: +1/-0
index 94c02d1..fe92164
--- a/mastodon/env.production.tmpl
+++ b/mastodon/env.production.tmpl
@@ -20,3 +20,4 @@ SMTP_AUTH_METHOD=plain
 SMTP_OPENSSL_VERIFY_MODE=none
 SMTP_FROM_ADDRESS='Mastodon <notifications@$HOSTNAME>'
 MAX_TOOT_CHARS=65536
+TRUSTED_PROXY_IP=$MASTODON_ADDR
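Review bot: `TRUSTED_PROXY_IP=$MASTODON_ADDR` names what appears to be the jail's own address, but Rails' remote-IP handling has to trust every hop that appends to X-Forwarded-For, and after this commit that includes the TLS terminator in front of the jail, whose address the in-jail nginx appends via `$proxy_add_x_forwarded_for`. Rails trusts loopback and RFC 1918 ranges by default (whether Mastodon's initializer extends or replaces that list should be checked against the deployed version); if the terminator connects from any other address, Mastodon will report the terminator rather than the client for rate limiting, logging and IP blocks, and the value should become a comma-separated list such as `TRUSTED_PROXY_IP=$MASTODON_ADDR,$PROXY_ADDR` with a matching sed line in build-mastodon.sh. Conversely, each address listed here may assert any client IP, so the list should be no wider than the proxies that actually exist.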

diff --git a/mastodon/mastodon.crt b/mastodon/mastodon.crt
line changes: +0/-21
index 2f10c0d..0000000
--- a/mastodon/mastodon.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIUZUK4CzUipMn3EQ0uqL4VbZSrrZAwDQYJKoZIhvcNAQEL
-BQAwQjELMAkGA1UEBhMCREExIDAeBgNVBAoMF1RoZSBEb21pbmlvbiBvZiBBd2Vz
-b21lMREwDwYDVQQDDAhtYXN0b2RvbjAeFw0yMjA4MTAwMDA3MTVaFw0yMjA5MDkw
-MDA3MTVaMEIxCzAJBgNVBAYTAkRBMSAwHgYDVQQKDBdUaGUgRG9taW5pb24gb2Yg
-QXdlc29tZTERMA8GA1UEAwwIbWFzdG9kb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDC/9mq1N9aknisUjkqFHMjHRHIZhicCWwkadwqNHmF2V7Yw4/U
-maHdF62hdLE6gx56OITKWtwmxP+zoebfCjdVRCK7W5Ua7+e3PAd1ixFetu3bhEXQ
-BpRkRtPhXTZj1VPD0+6e72w+esSbIonll7rWxmOA8E/7C8R3WFB9f7CYuTCW05+a
-VEzXyFIju7b0JX9UUib+gtbusCn/m1NV76tZUIg7qprQY8/nsKNcGIQXg2p78OND
-XId+X3HIPoCgErQaV6pkLOu2E4Ulllou0vEHTrOhXM0kVibQDqJKQnHTiiH5WfNk
-qd/E57Nct1TDe+Km9molaTUzA8gn4VxEVgBbAgMBAAGjUzBRMB0GA1UdDgQWBBT0
-7vTzIyf5MJ7vuS9drzdEAeRVdTAfBgNVHSMEGDAWgBT07vTzIyf5MJ7vuS9drzdE
-AeRVdTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCbPWbKPWYt
-vgZfG4D+e222OAbrpi9Co2/jHq780nqo1VYS6E6/leTagg4EdqZuHgaTudkWarCb
-8mj0owonOGC0sWkItEpzQ4b5q1+2e2s1STiDyHrI8SKJhkKqnYl2AUXkw8uPaTdX
-pt6aMCxCUSwEUw8RmhP4HHwUIHMlvyF+7azBVqB4j2GskPqwnqej6+4tiIq/fjv0
-ipEdSjiHpoPqrxOy58k9l/Al/gKimpk0dq9gLAAUfoqtUsw29QLH+pgBvihfVUfO
-ZmjDEYDj6/JZ/J2OJpCUeORVUbaKubrF5BBMpq0XIdoWDL3FoxgCJ+D9ElA+5kBH
-5WCUf/drcQVW
------END CERTIFICATE-----

diff --git a/mastodon/mastodon.key b/mastodon/mastodon.key
line changes: +0/-27
index 42fb60f..0000000
--- a/mastodon/mastodon.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAwv/ZqtTfWpJ4rFI5KhRzIx0RyGYYnAlsJGncKjR5hdle2MOP
-1Jmh3RetoXSxOoMeejiEylrcJsT/s6Hm3wo3VUQiu1uVGu/ntzwHdYsRXrbt24RF
-0AaUZEbT4V02Y9VTw9Punu9sPnrEmyKJ5Ze61sZjgPBP+wvEd1hQfX+wmLkwltOf
-mlRM18hSI7u29CV/VFIm/oLW7rAp/5tTVe+rWVCIO6qa0GPP57CjXBiEF4Nqe/Dj
-Q1yHfl9xyD6AoBK0GleqZCzrthOFJZZaLtLxB06zoVzNJFYm0A6iSkJx04oh+Vnz
-ZKnfxOezXLdUw3vipvZqJWk1MwPIJ+FcRFYAWwIDAQABAoIBAQC+ysyznELJgMS3
-fl/WL1oUQi4TEOoFSibYXgd/+AXrE6r8liPVlVhNVgyaC+4YXRBl74Tl5Q7AlEHI
-BaI6GunW8Kq2/L2gNJlYrFB0DtS5Am0qOnqANt/cWXyYZbaA6cpisaspMQONAlv5
-mkqoLNQvrr7O+tKWxIW/a9adZGFqmxi0iAxj0tYDlSpOdxjbFcKHImI5/S/L6MdW
-4E/TPNQQBKeE1ug3LHno+rcyQO6CEbOqGXv4E3humkTOkfOssKYViCU8ihIFcioZ
-X+oDayV1eozi1EYG4ZqKYu2Gfr4G71iB1WUUKBqEaA63pf9i1qTJ9TCgMN5ow3p0
-MffTo83RAoGBAPU7ECvxPHZe4XkYlhsC9yPiBBgq5cs9w/xPdLm1cGHEYB9Fe2Qf
-YhM0ZMaH9f3l1HOYnU4bTVHde6h0EsmIibqdqlj40y6dZzcO087gLLWC+s0IjkSP
-W3lS8T2+53d0Ex46bhAB7WjZw1QDk8bqapWIM3RFpsUw7Mr2UjImQ4P5AoGBAMuQ
-E3A6RfAV2vqk+kd1silUzEgptdjL6ZMRDtS7LOJ048vNPc0naJEwr1KgWpbi0G7i
-29o7xZKubMsiS6s3WDmjldgV9h+1c3XJVSs388vA0ccDGAdiuKWboFVdJKPurRnV
-qYEQf1z+iuEDHgphmNmo30mkvzin8IOc0L8TplPzAoGANmkVbHqI7MaehmzTGUku
-JpMGT4ptFAwvSPMkNfQw7DBTF30mJI/mBdbRKU+PX/c3jTJmbKcYH7rhrf2bEYYu
-8O38luMWkDgyZ3/ttO/+W4OlPArS7hlUtXWWuxl5aAKkH0fdlcWntGTktuZYSoFG
-hskCiaDOoN/7GglPMXtV7ZkCgYACyUEK2zFT3Oi3X4Sxb7H1kNyO7Es54WicA7LB
-RKKToufvRSrgYPa0bgcoSVuUDxytN9use/7zSAHjMd/5QvOpLk0BvSM2QeSHqy7I
-PabPlh8I60jr6PUAB0ZFhNXYjI6/+MWuJ4ymuDEsbT9/AuD1sbMErgWT//BxzLaq
-ttki8wKBgGIz2/YQ5/3fzEwr43iu+/Bv2MohD+Vz3eeTVw+nEEC0qSXjboDzzpDd
-pYG5XvlFFk72ITfCLWa12PY+i1Rsqqzeoad/qeBa3RZwkVSXfPqzziu2n85THefS
-YrYqtWpcMpbZibQB69xUaZcLZfzWpsjUf0uUoJrgSujtiXVMpw9T
------END RSA PRIVATE KEY-----

diff --git a/mastodon/nginx.conf.tmpl b/mastodon/nginx.conf.tmpl
line changes: +4/-24
index 5fe7dc6..243e87a
--- a/mastodon/nginx.conf.tmpl
+++ b/mastodon/nginx.conf.tmpl
@@ -53,27 +53,7 @@ http {
 
     server {
       listen 80;
-    #  listen [::]:80;
       server_name $HOSTNAME;
-      root /home/mastodon/live/public;
-      location /.well-known/acme-challenge/ { allow all; }
-      location / { return 301 https://$host$request_uri; }
-    }
-
-    server {
-      listen 443 ssl http2;
-    #  listen [::]:443 ssl http2;
-      server_name $HOSTNAME;
-
-      ssl_protocols TLSv1.2 TLSv1.3;
-      ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
-      ssl_prefer_server_ciphers on;
-      ssl_session_cache shared:SSL:10m;
-      ssl_session_tickets off;
-
-      # Uncomment these lines once you acquire a certificate:
-      ssl_certificate     /usr/local/etc/nginx/mastodon.crt;
-      ssl_certificate_key /usr/local/etc/nginx/mastodon.key;
 
       keepalive_timeout    70;
       sendfile             on;
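Review bot: With the TLS server block gone, the remaining `listen 80;` block is the jail's only entry point and its safety now rests entirely on being reachable solely from the TLS terminator, yet nothing in the config enforces that. Any other host or jail that can reach port 80 gets an unencrypted path to Mastodon that bypasses the terminator, so an `allow <terminator address>; deny all;` pair in this server block, or binding the listener to the internal interface only, would close that gap. The `ssl_protocols`/`ssl_ciphers` policy and the `/.well-known/acme-challenge/` location that lived here must now be reproduced on the terminator, which this commit does not show; it is worth confirming it still restricts itself to TLSv1.2+ and sets a `Strict-Transport-Security` header for the public hostname, since the jail can no longer do so. The server block continues beyond the end of this hunk.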
@@ -110,9 +90,9 @@ http {
 
       location @proxy {
         proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Real-IP $http_x_real_ip;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
         proxy_set_header Proxy "";
         proxy_pass_header Server;
 
@@ -135,9 +115,9 @@ http {
 
       location /api/v1/streaming {
         proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Real-IP $http_x_real_ip;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
         proxy_set_header Proxy "";
 
         proxy_pass http://streaming;
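Review bot: The streaming location has the same exposure as the web location: `X-Real-IP $http_x_real_ip` and `X-Forwarded-Proto $http_x_forwarded_proto` relay client-controlled values from whoever connects to the port-80 listener, and nginx omits them entirely when the terminator does not send them, since an empty `proxy_set_header` value is not forwarded. If the terminator is made the only trusted source via `set_real_ip_from`/`real_ip_header X-Forwarded-For` in the http context, this block can return to `proxy_set_header X-Real-IP $remote_addr;` and take `X-Forwarded-Proto` from a `map` that defaults to `$scheme`, so both locations derive the client address the same way. How the streaming server itself consumes these headers is not visible here, so which one it reads for rate limiting should be checked against the running version.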