Configuring the reverse proxy
1. Generate an SSL certificate
If you use a domain name that you control directly, you can also request the SSL certificate with a DNS-based ACME challenge, using either acme.sh or Certbot. Both tools can also integrate with Nginx to complete the HTTP ACME challenge; look up the configuration for that yourself.
2. Import Mastodon's Nginx configuration
Assume the Mastodon installation directory is /var/lib/mastodon.
Enter the Mastodon installation directory:
```bash
cd /var/lib/mastodon
```
Import the Nginx configuration shipped with the source code:
```bash
# Container install: the Nginx configuration has to be downloaded from the repository
wget https://git.univ.town/univtown/mastodon/raw/branch/main/dist/nginx.conf
sudo mv nginx.conf /etc/nginx/sites-available/mastodon.conf
sudo ln -s /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
```
```bash
# Source install: copy it from the checked-out source tree
sudo cp dist/nginx.conf /etc/nginx/sites-available/mastodon.conf
sudo ln -s /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
```
3. Edit the Nginx configuration
Open the imported Nginx configuration file with your preferred editor; here we use nano:
```bash
sudo nano /etc/nginx/sites-available/mastodon.conf
```
- If you changed the listening port of the Web or Streaming service (in particular, if you changed the port mapped to the host in a container install), the corresponding upstream in the Nginx file must be changed as well. The upstream for the web service is backend; the upstream for the streaming service is streaming.
For example, if in the docker compose configuration we changed the host port mapped to the web service to 13000:
```yaml
web:
  # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
  # build: .
  image: git.univ.town/univtown/mastodon:latest
  restart: always
  env_file: .env.production
  command: bundle exec puma -C config/puma.rb
  networks:
    - external_network
    - internal_network
  healthcheck:
    # prettier-ignore
    test: ['CMD-SHELL',"curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || exit 1"]
  ports:
    # host port changed to 13000; the container port stays 3000
    - '127.0.0.1:13000:3000'
  depends_on:
    - db
    - redis
    # - es
  volumes:
    - ./public/system:/mastodon/public/system
```
In Nginx, we then change the upstream that points to the Web service accordingly:
```diff
upstream backend {
-  server 127.0.0.1:3000 fail_timeout=0;
+  server 127.0.0.1:13000 fail_timeout=0;
}
```
- Change server_name to the site's domain name:
Assume our domain is xxu.social:
```diff
server {
  listen 80;
  listen [::]:80;
-  server_name example.com;
+  server_name xxu.social;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  server_name example.com;
+  server_name xxu.social;
```
- Change root to the actual installation location:
Assume the actual installation location is /var/lib/mastodon, so the public directory is /var/lib/mastodon/public:
```diff
server {
  listen 80;
  listen [::]:80;
  server_name xxu.social;
-  root /home/mastodon/live/public;
+  root /var/lib/mastodon/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name xxu.social;
  # ...
-  root /home/mastodon/live/public;
+  root /var/lib/mastodon/public;
```
- Set up the SSL certificate
Assume that in step 1 we configured an ACME service named letsencrypt:
```diff
server {
  listen 80;
  listen [::]:80;
  server_name xxu.social;
  root /var/lib/mastodon/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name xxu.social;
  ssl_protocols TLSv1.2 TLSv1.3;
  # ...
  # Uncomment these lines once you acquire a certificate:
  # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+  acme_certificate letsencrypt;
+  ssl_certificate $acme_certificate;
+  ssl_certificate_key $acme_certificate_key;
+  ssl_certificate_cache max=2;
```
If the SSL certificate is managed by an external program such as acme.sh, follow the section "Using an external certificate manager such as acme.sh" below instead.
Using an external certificate manager such as acme.sh
Assume we installed the SSL certificate under /var/lib/site-certificates/xxu.social, with the full chain and the private key named fullchain.pem and privkey.pem respectively:
```diff
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name xxu.social;
  # ...
  # Uncomment these lines once you acquire a certificate:
  # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+  ssl_certificate /var/lib/site-certificates/xxu.social/fullchain.pem;
+  ssl_certificate_key /var/lib/site-certificates/xxu.social/privkey.pem;
```
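As an added check before reloading Nginx (example script written for this page, not code from the Mastodon project or the univtown fork), the following shell functions verify an edited mastodon.conf against the steps above: the backend upstream port matches the host port mapped in docker-compose.yml, no template placeholder (example.com, /home/mastodon/live) survived, and every literal certificate path exists with the private key readable by its owner only. The function names are hypothetical; it assumes the upstream is named backend, the compose service is named web, paths contain no spaces, and it builds constructed sample files to run against.

```shell
# Sanity checks for an edited mastodon.conf (added example, not code from the Mastodon
# project or the fork). Assumes upstream "backend", compose service "web", no spaces in paths.
# Host port that "upstream backend" forwards to.
backend_port() {
  awk '/^upstream backend/ { inblk = 1 }
       inblk && $1 == "server" { split($2, a, ":"); sub(/;/, "", a[2]); print a[2]; exit }' "$1"
}
# Host port mapped to the "web" service in docker-compose.yml (its first ports: entry).
compose_web_port() {
  awk '/^[[:space:]]*web:/ { inweb = 1 }
       inweb && /ports:/ { inports = 1; next }
       inports { gsub(/[^0-9.:]/, "", $2); n = split($2, a, ":"); print a[n - 1]; exit }' "$1"
}
# Succeeds when no template placeholder survived the edits.
no_placeholders() {
  ! grep -Eq 'server_name[[:space:]]+example\.com;|/home/mastodon/live/public' "$1"
}
# Succeeds when every active, literal ssl_certificate(_key) path exists and each private
# key is readable by its owner only; commented lines and $acme_* variables are skipped.
cert_files_ok() {
  local f
  for f in $(sed -nE 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+([^$;]+);.*/\2/p' "$1"); do
    [ -r "$f" ] || { echo "missing certificate file: $f" >&2; return 1; }
    case "$f" in *privkey*) [ "$(ls -l "$f" | cut -c5-10)" = "------" ] ||
      { echo "private key readable by group/others: $f" >&2; return 1; } ;; esac
  done
}
check_all() {  # $1 = mastodon.conf, $2 = docker-compose.yml
  local want have
  want=$(compose_web_port "$2"); have=$(backend_port "$1")
  [ "$want" = "$have" ] || { echo "upstream backend uses port $have, compose maps $want" >&2; return 1; }
  no_placeholders "$1" || { echo "template placeholder left in $1" >&2; return 1; }
  cert_files_ok "$1"
}
# Constructed sample inputs mirroring the edits above (port 13000, xxu.social).
TMP=$(mktemp -d)
printf '%s\n' 'services:' '  web:' '    ports:' "      - '127.0.0.1:13000:3000'" > "$TMP/docker-compose.yml"
touch "$TMP/fullchain.pem" "$TMP/privkey.pem" && chmod 600 "$TMP/privkey.pem"
cat > "$TMP/mastodon.conf" <<EOF
upstream backend {
  server 127.0.0.1:13000 fail_timeout=0;
}
server {
  server_name xxu.social;
  # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate $TMP/fullchain.pem;
  ssl_certificate_key $TMP/privkey.pem;
}
EOF
check_all "$TMP/mastodon.conf" "$TMP/docker-compose.yml" && echo "mastodon.conf is consistent"
```

Run it against the real files with check_all /etc/nginx/sites-available/mastodon.conf /path/to/docker-compose.yml and follow up with sudo nginx -t before reloading.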