Commit graph

11 commits

Author SHA1 Message Date
Peter Dave Hello
e03dc3956f
Disable nginx ssl_session_tickets for better security (#16632)
It's default turned on, but it's better to turn it off for security reason.

Reference:
- https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
- https://github.com/mozilla/server-side-tls/issues/135
2021-08-20 08:15:07 +01:00
Akihiko Odaki
8af7f3b063
Preload libjemalloc.so for long-running Ruby (#16462)
Always mark jemalloc needed if jemalloc is enabled by akihikodaki · Pull Request #4627 · ruby/ruby
https://github.com/ruby/ruby/pull/4627
> Symbols exported by jemalloc is referred by the shared library but not
> by the executables when building Ruby as a shared library with
> jemalloc. It causes shared libraries such as the GNU C++ library
> occasionally rely on the memory allocator provided by the standard C
> library. Worse, the resolved symbols can later be replaced with
> jemalloc, and jemalloc may see pointers from the standard C library,
> which results in various failures.
> e.g. https://github.com/tootsuite/mastodon/issues/15751

As a workaround, do not rely on jemalloc enablement of Ruby, and
preload libjemalloc.so instead.
2021-07-05 19:16:35 +02:00
Yurii Izorkin
7da104eb11
templates/systemd/mastodon: optimize SystemCallFilters (#16127) 2021-04-27 20:34:53 +02:00
Yurii Izorkin
863ae47b51
templates/systemd/mastodon: update sandbox mode (#16103) 2021-04-24 13:41:03 +02:00
Yurii Izorkin
297a3cf904
templates/systemd/mastodon: enable sandbox mode (#15937) 2021-03-24 10:46:13 +01:00
Cecylia Bocovich
38bc4b9562
Set X-Forwarded-Proto to request scheme (#15310) (#15498)
This fixes a bug that prevents logins to mastodon onion services. The
nginx directive assumed all requests were made over https, causing a
domain mismatch for onion services that have https redirects disabled.
The fix more correctly sets X-Forwarded-Proto to the actual scheme used
in the request.
2021-01-05 22:25:07 +01:00
Shlee
514cd874a7
Update nginx.conf (#13066) 2020-03-08 16:04:25 +01:00
ichi_i
49f57b5534 Add TLS v1.3 support (#11603)
Maintain TLS v1.2 compatibility (might want to drop this later) and add support for TLS v1.3
2019-08-30 07:42:50 +02:00
Eugen Rochko
b7379da6cc
Cache error 410 responses in recommended nginx configuration (#10425) 2019-03-30 03:14:31 +01:00
Nolan Lawson
658b4621a6 perf: run node directly when streaming (#10032) 2019-02-13 18:52:36 +01:00
Eugen Rochko
6465972caf
Add nginx and systemd templates (#8770)
So they can be copied during installation instead of looking
them up in the documentation

Make default sidekiq configuration use weighted queues

Remove deprecated docs directory
2018-09-24 16:46:05 +02:00