Commit graph

157 commits

Author SHA1 Message Date
Norm
51f09531c4 Disable gzip compression in Caddyfile
Currently Akkoma doesn't have any proper mitigations against BREACH,
which exploits the use of HTTP compression to exfiltrate sensitive data.
(see: https://akkoma.dev/AkkomaGang/akkoma/pulls/721#issuecomment-11487)

To err on the side of caution, disable gzip compression for now until we
can confirm that there's some sort of mitigation in place (whether that
would be Heal-The-Breach on the Caddy side or any Akkoma-side
mitigations).
2024-06-17 23:13:55 -04:00
Norm
962847fdc3 Uncomment media subdomain settings in Caddyfile
Now that a media subdomain is strongly recommended for security reasons,
there is no reason for them to be commented out by default.
2024-06-17 23:12:55 -04:00
Norm
7e709768c3 Use /var/tmp for media cache path in apache/nginx configs
The /var/tmp directory is not mounted as tmpfs unlike /tmp which is
mounted as such on some distros like Fedora or Arch. Since there isn't
really a benefit to having the cache on tmpfs, this change should allow
for a larger cache if needed without worrying about running out of RAM.
2024-05-15 20:42:48 -04:00
Norm
72c2d9f009 Change nginx cache size to 1 GiB
The current 10 GiB cache size is too large to fit into tmpfs for VMs and
other machines with smaller RAM sizes. Most non-Debian distros mount
/tmp on tmpfs.
2024-04-26 01:43:44 -04:00
Norm
3e9643b172 Update nginx config for Certbot's nginx plugin 2024-04-21 18:19:01 -04:00
Oneric
fb54c47f0b Update example nginx config
To account for our subdomain recommendations
2024-03-18 22:33:10 -01:00
Norm
a86b010e10
Add NoNewPrivileges to systemd service file for source installs
This setting already exists in the OTP installation directory, but
doesn't for the one used by source installs.
2023-07-22 02:40:25 -04:00
Haelwenn (lanodan) Monnier
166ddebdbc
Add no_new_privs to OpenRC service files 2023-07-22 02:40:17 -04:00
floatingghost
2aac70d690 Merge pull request 'Add config for media subdomain for Caddy' (#555) from norm/akkoma:media-subdomain-caddyfile into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/555
2023-07-17 16:30:42 +00:00
Francis Dinh
d956dc2f09
Add asdf install guide for debian/ubuntu
Closes #557
2023-05-30 21:17:26 -04:00
Francis Dinh
40627a94d4
Add config for media subdomain for Caddy
A recent group of vulnerabilities have been found in Pleroma (and
inherited by Akkoma) that involve media files either uploaded by local
users or proxied from remote instances (if media proxy is enabled).

It is recommended that media files are served on a separate subdomain
in order to mitigate this class of vulnerabilities.

Based on https://meta.akkoma.dev/t/another-vector-for-the-injection-vulnerability-found/483/2
2023-05-29 14:04:00 -04:00
quad
f1e836b183 Fix typo in installation/akkoma.service 2023-03-10 15:51:56 +00:00
Francis Dinh
03a00d005a
remove comment about old openssl versions in nginx config
I doubt many people are actually still using OpenSSL 1.0.2 or older,
since that version was first released in 2015, and last updated in 2019.
2022-12-22 19:27:16 -05:00
r3g_5z
77174acc7b
Don't listen Erlang Port Mapper Daemon (4369/tcp) on 0.0.0.0
Signed-off-by: r3g_5z <june@girlboss.ceo>
2022-12-09 21:36:21 -05:00
r3g_5z
90fce918b2
Remove unnecessary KillMode=process
It's unclear why this is the default as this is highly not recommended.
KillMode=process ends up leaving leftover orphaned processes that
escape resource management and process lifecycles, wasting resources
on servers.

Signed-off-by: r3g_5z <june@girlboss.ceo>
2022-12-09 19:10:20 -05:00
floatingghost
c62e1e3ad5 varnish config/docs (#342)
Co-authored-by: Mark Felder <feld@feld.me>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/342
2022-12-05 13:39:27 +00:00
r3g_5z
04b5c711be
Manually define PATH for Arch Linux users in systemd unit
Signed-off-by: r3g_5z <june@girlboss.ceo>
2022-12-03 14:17:54 -05:00
Norm
8557188ced
Delete 'installation/download-mastofe-build.sh'
AFAIK, this isn't being used anymore, and it's outdated anyways.
2022-11-26 19:32:09 -05:00
floatingghost
d2a185c013 Documentation updates for stable release (#73)
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/73
2022-07-15 12:27:16 +00:00
norm
c0e6f30e4d Update sample config files (#48)
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/48
Co-authored-by: norm <normandy@biribiri.dev>
Co-committed-by: norm <normandy@biribiri.dev>
2022-07-06 18:50:01 +00:00
FloatingGhost
0d012ebea1 Revert "Merge branch 'remove/mastofe' into 'develop'"
This reverts commit 6b3842cf50, reversing
changes made to 6b1282a829.
2022-01-08 21:44:37 +00:00
Sean King
08694599ae
Remove bash script for downloading new MastoFE build 2021-04-15 23:41:34 -06:00
Mark Felder
1d8f1fe077 Add a default rule to not attempt to cache any files larger than 50MB
This fixes connection failures when trying to retrieve large files.
It is less common in typical Pleroma usage, but it's possible to encounter
this on a cloud instance with lower memory.
2021-02-05 13:35:51 -06:00
Mark Felder
c6ef87d585 Note the requirement for the url_format parameter 2021-01-25 18:20:07 -06:00
Mark Felder
8373cb645b Add sudo rule, remove quoting that breaks the for loop 2021-01-25 18:15:04 -06:00
Mark Felder
003402df40 Add ability to invalidate cache entries for Apache 2021-01-21 14:20:13 -06:00
Mark Felder
3078e62488 Update Apache configuration. This has been tested. 2021-01-21 12:25:18 -06:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Haelwenn (lanodan) Monnier
5c75bfc586
download-mastofe-build.sh: Proper exit when artifact is missing 2020-12-15 16:31:23 +01:00
rinpatch
2c55f7d7cb Remove FedSockets
Current FedSocket implementation has a bunch of problems. It doesn't
have proper error handling (in case of an error the server just doesn't
respond until the connection is closed, while the client doesn't match
any error messages and just assumes there has been an error after 15s)
and the code is full of bad descisions (see: fetch registry which uses
uuids for no reason and waits for a response by recursively querying a
 ets table until the value changes, or double JSON encoding).

Sometime ago I almost completed rewriting fedsockets from scrach to
adress these issues. However, while doing so, I realized that fedsockets
 are just too overkill for what they were trying to accomplish, which is
 reduce the overhead of federation by not signing every message.
This could be done without reimplementing failure states and endpoint
 logic we already have with HTTP by, for example, using TLS cert auth,
or switching to a more performant signature algorithm. I opened
https://git.pleroma.social/pleroma/pleroma/-/issues/2262 for further
discussion on alternatives to fedsockets.

From discussions I had with other Pleroma developers it seems like they
 would approve the descision to remove them as well,
therefore I am submitting this patch.
2020-11-17 17:28:30 +03:00
rinpatch
cc45c69fff Remove release_env
While taking a final look at instance.gen before releasing I noticed
that the release_env task outputs messages in broken english. Upon
further inspection it seems to have even more severe issues which, in
my opinion, warrant it's at least temporary removal:
- We do not explain what it actually does, anywhere. Neither the task
 docs nor instance.gen, nor installation instructions.
- It does not respect FHS on OTP releases (uses /opt/pleroma/config even
 though we store the config in /etc/pleroma/config.exs).
- It doesn't work on OTP releases, which is the main reason it exists.
Neither systemd nor openrc service files for OTP include it.
- It is not mentioned in install guides other than the ones for Debian
and OTP releases.
2020-11-08 11:56:09 +03:00
Mark Felder
e7b0840b88 NoNewPrivileges breaks ability to send email via sendmail because it restricts ability to run setuid/setgid binaries 2020-10-23 15:32:32 -05:00
Maksim Pechnikov
14054cd004 update task messages 2020-10-15 22:28:49 +03:00
Maksim Pechnikov
20e68b30f0 added generated pleroma.env 2020-10-15 22:28:26 +03:00
Mark Felder
b3015db841 Syntax error 2020-09-30 12:49:51 -05:00
Mark Felder
49229107e8 Make it possible for Varnish logs to contain the true scheme used by clients
instead of always reporting http://
2020-09-30 12:32:54 -05:00
Mark Felder
8906f30ba1 Use an upstream for reverse proxy so future modifications are simplified 2020-09-21 16:19:08 -05:00
Mark Felder
ade7fede71 Most proxy settings can be global 2020-09-21 16:13:45 -05:00
Mark Felder
2b553b8f8e Remove duplicate setting 2020-09-21 16:11:01 -05:00
Mark Felder
75f6e5e8b7 Add FedSockets config 2020-09-21 16:10:31 -05:00
Mark Felder
dfcb1401c7 Improve FreeBSD rc script
Passes rclint now, $HOME is dynamic, and properly matches process name for signalling shutdown.
2020-08-18 10:24:34 -05:00
Farhan Khan
07376bd21a Adding installation documentation for FreeBSD + rc.d script 2020-08-13 18:59:13 -04:00
lain
5c4548d5e7 Revert "Merge branch 'issue/1023' into 'develop'"
This reverts merge request !2763
2020-08-10 13:05:13 +00:00
Maksim Pechnikov
4e0e19a706 update task messages 2020-07-16 08:52:14 +03:00
Maksim Pechnikov
3062f86613 added generated pleroma.env 2020-07-14 09:05:34 +03:00
Maksim Pechnikov
579763126f Merge branch 'develop' into issue/1855 2020-06-15 15:24:55 +03:00
Maksim Pechnikov
2e8a236cef fix invalidates media url's 2020-06-14 21:02:57 +03:00
normandy
122328b93a Update pleroma.nginx to support TLSv1.3
Based on SSL config from https://ssl-config.mozilla.org/
2020-06-12 02:05:49 -04:00
Maksim
376147fb82 Apply suggestion to installation/nginx-cache-purge.sh.example 2020-05-20 04:12:21 +00:00
Maksim Pechnikov
b5b9d161cd update purge script 2020-05-20 06:56:04 +03:00