/nginx/server.conf
# Derive the Connection header value sent upstream from the client's Upgrade
# header: an empty or absent Upgrade maps to "close", anything else maps to
# "upgrade". $connection_upgrade is consumed by the proxied location below.
map $http_upgrade $connection_upgrade {
	''      close;
	default upgrade;
}

# Plain-HTTP listener: serves no content itself, it only redirects to HTTPS.
server {
	listen 80;
	# NOTE(review): $HOSTNAME looks like a template placeholder that is
	# substituted before nginx loads this file -- confirm against the deploy step.
	server_name $HOSTNAME;

	location / {
		# $host is taken from the request, so the redirect target echoes the
		# name the client sent. NOTE(review): if this is the default server
		# for port 80, any Host value is reflected into the Location header;
		# consider redirecting to the configured name instead.
		return 301 https://$host$request_uri;
	}
}

# HTTPS virtual host: terminates TLS and reverse-proxies every request to the
# backend named by $MASTODON_ADDR.
server {
	listen 443 ssl http2;
	# NOTE(review): $HOSTNAME looks like a template placeholder that is
	# substituted before nginx loads this file -- confirm against the deploy step.
	server_name $HOSTNAME;

	# Certificate and private key. These two directives are active (not
	# commented out), so both files must exist before nginx is started or the
	# configuration will fail to load. The key file should be readable only
	# by the account that starts nginx.
	ssl_certificate     /usr/local/etc/nginx/mastodon.crt;
	ssl_certificate_key /usr/local/etc/nginx/mastodon.key;

	# Only TLS 1.3 is offered; clients limited to TLS 1.2 or older cannot connect.
	ssl_protocols TLSv1.3;
	# NOTE(review): ssl_ciphers is an OpenSSL cipher list for TLS 1.2 and
	# older; with TLS 1.3 as the only protocol it probably selects nothing.
	# TLS 1.3 suites are configured separately -- confirm this line is intended.
	ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
	ssl_prefer_server_ciphers on;

	# Resumption uses a 10 MB server-side cache shared between workers;
	# session tickets are disabled.
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# NOTE(review): no Strict-Transport-Security header is added in this
	# block; confirm the backend sends one.

	location / {
		# NOTE(review): $MASTODON_ADDR is presumably a template placeholder
		# for the backend host:port. The upstream hop is plain HTTP, so it
		# should stay on loopback or a trusted network.
		proxy_pass http://$MASTODON_ADDR;

		# HTTP/1.1 plus the Upgrade/Connection pair lets WebSocket handshakes
		# pass through; Connection comes from the $connection_upgrade map.
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;

		# Request metadata for the backend. X-Real-IP is the peer address seen
		# by nginx. X-Forwarded-For keeps whatever the client supplied and
		# appends that address, so only its last entry is set by this proxy
		# and earlier entries must not be trusted by the application.
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		# Responses are buffered; Location/Refresh headers from the backend
		# are passed through without rewriting.
		proxy_buffering on;
		proxy_redirect off;

		tcp_nodelay on;
	}
}