diff --git a/docker-compose.yml b/docker-compose.yml
index 54255f3..53acfae 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -87,6 +87,7 @@ services:
 - 443:443
 - 80:80
 - 8448:8448
+ - 127.0.0.1:10080:10080
 networks:
 - matrix
 - registration
@@ -438,7 +439,7 @@ services:
 - "com.centurylinklabs.watchtower.enable=false"
 
 lemmy:
- image: dessalines/lemmy:0.19.3
+ image: dessalines/lemmy:0.19.4
 container_name: lemmy
 restart: unless-stopped
 environment:
@@ -452,7 +453,7 @@ services:
 - lemmy
 
 lemmy-ui:
- image: dessalines/lemmy-ui:0.19.3
+ image: dessalines/lemmy-ui:0.19.4
 container_name: lemmy-ui
 restart: unless-stopped
 environment:
@@ -465,7 +466,7 @@ services:
 - lemmy
 
 pictrs:
- image: asonix/pictrs:0.3.1
+ image: asonix/pictrs:0.5.16
 hostname: pictrs
 container_name: pictrs
 ports:
diff --git a/swag/nginx/site-confs/links.conf b/swag/nginx/site-confs/links.conf
index 7d8252c..4204acd 100644
--- a/swag/nginx/site-confs/links.conf
+++ b/swag/nginx/site-confs/links.conf
@@ -41,6 +41,9 @@ server {
 gzip_types text/css application/javascript image/svg+xml;
 gzip_vary on;
 
+ # Handle Tor Browser's ".onion" link detection
+ add_header Onion-Location "http://snb3ufnp67uudsu25epj43schrerbk7o5qlisr7ph6a3wiez7vxfjxqd.onion$request_uri" always;
+ + # Only connect to this site via HTTPS for the two years
 add_header Strict-Transport-Security "max-age=63072000";
 
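Review bot: The new mapping is worth quoting as `- "127.0.0.1:10080:10080"`, which is what Compose documents for port strings; the neighbouring unquoted entries such as `80:80` avoid the YAML 1.1 sexagesimal trap only because each component is above 59. Binding to the loopback address is the right choice for a plaintext listener that only the local tor daemon should reach; removing the `127.0.0.1:` prefix would publish port 10080 on every host interface. The service that owns this `ports:` list starts before the hunk, so which container answers on 10080 is not visible here.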
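Review bot: nginx does not inherit `add_header` into any `location` that sets its own `add_header`, so on paths where this server's locations add headers — the Tor copy added later in this commit has `/pictrs` adding `Pragma` and `Cache-Control`, and the clearnet block is presumably the template for it — neither `Onion-Location` nor the existing `Strict-Transport-Security` will be sent. Repeat the site-wide headers in those locations or move them into a snippet that each location `include`s. The `.onion` hostname is also hard-coded here and again in the new server block's `server_name` and rate-limit zone; one `set`/`map` variable or an included file would keep the copies in step. This `server` block begins before and ends after the hunk.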
@@ -120,3 +123,115 @@ server {
 return 301 /pictrs/image/$1;
 }
 }
+
+
+# Establish a rate limit for the hidden service address
+ limit_req_zone $binary_remote_addr zone=snb3ufnp67uudsu25epj43schrerbk7o5qlisr7ph6a3wiez7vxfjxqd.onion_ratelimit:10m rate=1r/s;
+
+ # Add tor-specific upstream aliases as a visual aid to
+ # avoid editing the incorrect server block in the future
+ upstream lemmy-tor {
+ server "lemmy:8536";
+ }
+ upstream lemmy-ui-tor {
+ server "lemmy-ui:1234";
+ }
+
+ # Add a copy of your current internet-facing configuration with
+ # "listen" and "server_listen" modified to send all traffic
+ # over the Tor network, incorporating the visual upstream aliases
+ # above.
+ server {
+ # Tell nginx to listen on the hidden service port
+ listen 10080;
+
+ # Set server_name to the contents of the file:
+ # /var/lib/tor/hidden_lemmy_service/hostname
+ server_name snb3ufnp67uudsu25epj43schrerbk7o5qlisr7ph6a3wiez7vxfjxqd.onion;
+
+ # Hide nginx version
+ server_tokens off;
+
+ # Enable compression for JS/CSS/HTML bundle, for improved client load times.
+ # It might be nice to compress JSON, but leaving that out to protect against potential
+ # compression+encryption information leak attacks like BREACH.
+ gzip on;
+ gzip_types text/css application/javascript image/svg+xml;
+ gzip_vary on;
+
+ # Various content security headers
+ add_header Referrer-Policy "same-origin";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options "DENY";
+ add_header X-XSS-Protection "1; mode=block";
+
+ # Upload limit for pictrs
+ client_max_body_size 20M;
+
+ # frontend
+ location / {
+ # distinguish between ui requests and backend
+ # don't change lemmy-ui or lemmy here, they refer to the upstream definitions on top
+ set $proxpass "http://lemmy-ui-tor";
+
+ if ($http_accept = "application/activity+json") {
+ set $proxpass "http://lemmy-tor";
+ }
+ if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+ set $proxpass "http://lemmy-tor";
+ }
+ if ($request_method = POST) {
+ set $proxpass "http://lemmy-tor";
+ }
+ proxy_pass $proxpass;
+
+ rewrite ^(.+)/+$ $1 permanent;
+
+ # Send actual client IP upstream
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ # backend
+ location ~ ^/(api|feeds|nodeinfo|.well-known) {
+ proxy_pass "http://lemmy-tor";
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Rate limit
+ limit_req zone=snb3ufnp67uudsu25epj43schrerbk7o5qlisr7ph6a3wiez7vxfjxqd.onion_ratelimit burst=30 nodelay;
+
+ # Add IP forwarding headers
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ # pictrs only - for adding browser cache control.
+ location ~ ^/(pictrs) {
+ # allow browser cache, images never update, we can apply long term cache
+ expires 120d;
+ add_header Pragma "public";
+ add_header Cache-Control "public";
+
+ proxy_pass "http://lemmy-tor";
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Rate limit
+ limit_req zone=snb3ufnp67uudsu25epj43schrerbk7o5qlisr7ph6a3wiez7vxfjxqd.onion_ratelimit burst=30 nodelay;
+
+ # Add IP forwarding headers
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ # Redirect pictshare images to pictrs
+ location ~ /pictshare/(.*)$ {
+ return 301 /pictrs/image/$1;
+ }
+ }
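Review bot: The `limit_req_zone` keyed on `$binary_remote_addr` becomes a single shared bucket for the whole hidden service: with the onion listener reached through the `127.0.0.1:10080` mapping, every Tor request arrives from the local tor daemon and, inside the container, from one NAT address, so `rate=1r/s` with `burst=30` is divided among all visitors and one busy client pushes everyone else into 503s. Either size the rate for aggregate traffic and say so, or leave request limiting to the Tor side for this block; in any case the `# Send actual client IP upstream` and `# Add IP forwarding headers` comments do not hold here, and a line such as `# Over Tor, $remote_addr is the local tor daemon, not the visitor` above the `X-Real-IP` lines would stop the next reader trusting those headers. The onion hostname is repeated in the zone name, `server_name` and both `limit_req` lines; a short zone name like `zone=onion_ratelimit:10m` avoids drift when the service key is rotated. `listen 10080;` also binds every interface of the container, so other containers on the shared Compose networks can reach this plaintext block directly, not only tor — worth confirming whether that is intended. The `# Establish a rate limit` comment appears to sit at column 0 while the directive it describes is indented; keep the two aligned.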