From 952abb4a3f5d64236aeefb74dc11e31d963a6c3a Mon Sep 17 00:00:00 2001 From: Felix Ableitner Date: Thu, 21 Mar 2019 00:34:40 +0100 Subject: [PATCH] Add nginx as cache for images and other small, static files --- docker-compose.yaml | 28 +++++++++++++++++---------- nginx.conf | 47 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 nginx.conf diff --git a/docker-compose.yaml b/docker-compose.yaml index 05e1fa6..1af2deb 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -12,20 +12,32 @@ services: - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events - ./volumes/traefik/acme.json:/etc/acme.json - ./traefik.toml:/traefik.toml + depends_on: + - cache restart: "always" # If you want to use the Traefik dashboard, you should expose it on a # subdomain with HTTPS and authentification: # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f # https://github.com/containous/traefik/issues/880#issuecomment-310301168 + cache: + image: nginx:1.15-alpine + volumes: + - ./nginx.conf:/etc/nginx/nginx.conf + labels: + traefik.enable: "true" + traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" + traefik.port: "9000" + depends_on: + - peertube + restart: "always" + peertube: image: chocobozzz/peertube:v1.2.1-stretch env_file: - .env labels: - traefik.enable: "true" - traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" - traefik.port: "9000" + traefik.enable: "false" volumes: - ./volumes/data:/data - /mnt/external:/data-external 
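Review bot: The new `cache` service bind-mounts `./nginx.conf` read-write, so anything running inside the nginx container can alter the host's copy of its own configuration; the mount should be `- ./nginx.conf:/etc/nginx/nginx.conf:ro`. The service also declares no volume for `/var/cache/nginx`, although the nginx.conf added in this commit lets that cache grow to `max_size=15g`. As written, the cache sits in the container's writable layer and is discarded whenever the container is recreated. A mount in the style of the other services, for example `- ./volumes/cache:/var/cache/nginx`, would keep it on a path the operator controls and can size. The `services:` mapping starts and continues outside this hunk.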
@@ -38,23 +50,19 @@ services: postgres: image: postgres:10-alpine - environment: -# POSTGRES_USER: ${PEERTUBE_DB_USERNAME} -# POSTGRES_PASSWORD: ${PEERTUBE_DB_PASSWORD} - POSTGRES_DB: peertube volumes: - ./volumes/db:/var/lib/postgresql/data - restart: "always" labels: traefik.enable: "false" + restart: "always" redis: image: redis:5-alpine volumes: - ./volumes/redis:/data - restart: "always" labels: - - "traefik.enable=false" + traefik.enable: "false" + restart: "always" postfix: image: mwader/postfix-relay diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..13d04aa --- /dev/null +++ b/nginx.conf 
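Review bot: Removing the whole `environment:` block from `postgres` also drops `POSTGRES_DB: peertube`, which looks unrelated to the commit subject and leaves the service with no database name or credentials in the visible lines. Unless they are supplied outside this hunk, the image falls back to its defaults. `postgres:10-alpine` images of this period accept connections without a password when `POSTGRES_PASSWORD` is unset, so any container on the compose network could connect. I would keep the block and enable the variables already sketched in the removed comments: `POSTGRES_USER: ${PEERTUBE_DB_USERNAME}`, `POSTGRES_PASSWORD: ${PEERTUBE_DB_PASSWORD}`, `POSTGRES_DB: peertube`. The `postgres` and `redis` entries continue outside this hunk.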
@@ -0,0 +1,47 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size=15g inactive=7d use_temp_path=off;
+
+ server {
+ listen 9000;
+
+ # Hide nginx version
+ server_tokens off;
+
+ # Enable compression for JS/CSS/HTML bundle, for improved client load times.
+ # It might be nice to compress JSON, but leaving that out to protect against potential
+ # compression+encryption information leak attacks like BREACH.
+ gzip on;
+ gzip_types text/css application/javascript;
+ gzip_vary on;
+
+ # Enable HSTS
+ # Tells browsers to stick with HTTPS and never visit the insecure HTTP
+ # version. Once a browser sees this header, it will only visit the site over
+ # HTTPS for the next 2 years: (read more on hstspreload.org)
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass http://peertube:9000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ client_max_body_size 600M;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 600;
+ }
+ location ~ ^/(static/(thumbnails|previews|avatars)|client)/ {
+ proxy_cache peertube_cache;
+ proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_lock on;
+ add_header X-Cached $upstream_cache_status;
+ }
+ }
+}
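Review bot: The cached `location ~ ^/(static/(thumbnails|previews|avatars)|client)/` block has no `proxy_pass`, and nginx does not inherit that directive from the sibling `location /`. Requests for thumbnails, previews, avatars and the client bundle are therefore answered from nginx's local document root instead of PeerTube, and `proxy_cache` never sees an upstream response. The `proxy_set_header` lines are likewise set only in `location /` and must be repeated here or moved up to `server` level. Separately, the `add_header X-Cached` in this block stops inheritance of the server-level `add_header`, so these responses lose the `Strict-Transport-Security` header unless it is repeated inside the location.

```nginx
location ~ ^/(static/(thumbnails|previews|avatars)|client)/ {
    proxy_pass http://peertube:9000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # … unchanged: proxy_cache, proxy_cache_use_stale, revalidate, min_uses, lock …
    # An add_header at this level replaces the inherited ones, so HSTS is repeated.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Cached $upstream_cache_status;
}
```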