ulysia/szurubooru
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: add nginx reverse proxy documentation

Browse source
This commit is contained in:
Alec Armbruster 2019-03-07 16:13:04 -08:00 committed by rr-
parent a4215e35dc
commit 2ec6b978ac
4 changed files with 62 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
INSTALL.md
View file

@ -102,3 +102,13 @@ and Docker Compose (version 1.6.0 or greater) already installed.
proxy_set_header X-Script-Name /szuru; proxy_set_header X-Script-Name /szuru;
} }
``` ```
3. **Preparing for production**
If you plan on using szurubooru in a production setting, you may opt to
use a reverse proxy for added security and caching capabilities. Start
by having the client docker listen only on localhost by changing `PORT`
in your `.env` file to `127.0.0.1:8080` instead of simply `:8080`. Then
configure NGINX (or your caching/reverse proxy server of your choice)
to proxy_pass `http://127.0.0.1:8080`. We've included an example config
located in the `nginx-vhost.production` file.

2
client/nginx.conf.docker
View file

@ -15,7 +15,7 @@ http {
log_format main '$remote_addr -> $request [$status] - ' log_format main '$remote_addr -> $request [$status] - '
'referer: $http_referer $http_x_forwarded_for'; 'referer: $http_referer $http_x_forwarded_for';
access_log /dev/stdout main; access_log /dev/stdout main;
server_tokens off;
sendfile on; sendfile on;
keepalive_timeout 65; keepalive_timeout 65;
client_max_body_size 100M; client_max_body_size 100M;

2
example.env
View file

@ -6,6 +6,8 @@ POSTGRES_PASSWORD=changeme
BUILD_INFO=latest BUILD_INFO=latest
# Port to expose HTTP service # Port to expose HTTP service
# Set to 127.0.0.1:8080 if you wish to reverse-proxy the docker's port,
# otherwise the port specified here will be publicly accessible
PORT=8080 PORT=8080
# Directory to store image data # Directory to store image data

49
nginx.vhost.production Normal file
View file

@ -0,0 +1,49 @@
# example for a production vhost for szurubooru.
# ideally, use ssl termination + cdn with a provider such as cloudflare.
# modify as needed!
# rate limiting zone
# poor man's ddos protection, essentially
limit_req_zone $binary_remote_addr zone=throttle:10m rate=25r/s;
# www -> non-www
server {
listen 80;
listen [::]:80;
server_tokens off;
server_name www.example.com
return 301 http://example.com$request_uri;
}
server {
server_name example.com;
client_max_body_size 100M;
client_body_timeout 30s;
server_tokens off;
location / {
limit_req zone=throttle burst=5 delay=3;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Script-Name /szuru;
error_page 500 501 502 504 505 506 507 508 509 510 511 @err;
error_page 503 @throttle;
}
location @err {
return 500 "server error. please try again later.";
default_type text/plain;
}
location @throttle {
return 503 "we've detected abuse on your ip. please wait and try again later.";
default_type text/plain;
}
listen 80;
listen [::]:80;
}