Commit Graph

99 Commits

Author SHA1 Message Date
Nolan Lawson c4023ea8f5 sw.js should be served with max-age=0 (#355)
This is a new requirement for Mastodon v1.5+; it's mentioned here: https://github.com/tootsuite/mastodon/releases/tag/v1.5.0rc1
2017-09-21 04:21:18 +02:00
Jay Logan 3a7c9c3921 Don't include RCs in initial setup (#397)
Fixing the same issue as d9e523ec15 where the command is used in Production-guide.md
2017-09-17 00:19:02 +02:00
Sadiq Saif e1c01d42ea Add VAPID keys section to needed variables section (#385)
VAPID keys are necessary for Web Push notifications to work.

Also fix a small typo.
2017-08-26 18:53:14 +02:00
Sadiq Saif fcab2b3c97 "gcc-6" should just be "gcc" (#379)
* "gcc-6" should just be "gcc"

gcc-6 isn't a valid package name

* It was `adduser mastodon` for a reason

making it with `--system and --disabled-password` breaks the rest of the guide where `su - mastodon` is used.

I use this method as it makes maintaining the Mastodon instance easier.

* eval "$(rbenv init -)" should be in ~/.bashrc as well

otherwise the correct ruby version isn't used

* Use sudo su - instead
2017-08-20 22:50:51 +02:00
Mathias B 1e98a53c85 Move curl installation (#380)
Curl need to be installed before the first time we use it. It's now installed before setting up nodejs repository.
2017-08-19 18:58:57 +02:00
Mathias B 8b6eb84430 Reduce Git dependencies (#381)
Here we can use only git-core in place of git.
2017-08-19 18:58:31 +02:00
Mathias B b69b7fee1a Fix some mistakes (#373)
- Nginx duplication in packages installation
- Specify the user type for `mastodon` (--system and --disabled-password)
- Simplify services start-up
- Clearly write how to check services are running (or not) with `systemctl status`
2017-08-16 22:13:44 +02:00
Sadiq Saif d8b2b52690 Add libicu-dev to Mastodon apt package list (#366)
libicu-dev was added with v1.5.0, updating guide with this dependency.
2017-08-03 22:45:13 +02:00
Akira fa49976371 Add emoji files for nginx cache rules. (#360)
Some cases such as nginx uses reverse proxy, emoji will return 502 if not set.
+  sort by A-z.
2017-07-30 12:54:26 +02:00
Nolan Lawson b16afa2094 Add libidn11-dev to Ubuntu package dependencies (#356)
This is now required as of Mastodon v1.5.0+ due to idn-ruby.
2017-07-29 14:19:08 +02:00
Sadiq Saif 88b89e61d9 Complete rewrite of Mastodon Production Guide (#352)
* Complete re-write of Mastodon Production Guide

I re-wrote the Mastodon Production Guide so that it has a better structure.

Work on this re-write was done on my own repo:
https://github.com/staticsafe/mastodon-documentation

* Fix typo in a heading

* Change node.js Repository section to use curl|bash method.
For simplicity's sake

* Add an explanation of the dependencies
Added in the "Various Other Dependencies" section.

* Fix links to the Ruby project, was using the link to Rails previously.
2017-07-28 18:18:01 +02:00
Akira dd52795d7d replace g++ for build essential (#354)
g++ doesn't provide necessary package for gem.
2017-07-28 04:37:05 +02:00
Shin Kojima a2352b569f `rbenv install 2.4.1` requires readline-devel (#334)
Tested on Ubuntu Server 16.04.2 LTS

See: https://github.com/rbenv/ruby-build/wiki#trouble-with-irb-or-pry

> * Trouble with irb or pry
>
> Try installing readline and recompiling Ruby.
>
>     Ubuntu: apt-get install libreadline-dev
>     Fedora: yum install readline-devel
2017-07-25 19:16:58 +02:00
sdukhovni e65ed605d3 Update index after adding yarn repository (#343) 2017-07-23 11:10:20 +02:00
Francis 0ffa554fdb Use the Yarn APT/YUM repository instead of npm (#337)
Found this seemed to work better in my experience and also allows for easy updating like any other package.
2017-07-12 02:28:57 +02:00
Sadiq Saif cc3b0e393d Add Let's Encrypt section (#335)
* Add Let's Encrypt section with a short guide to certificate tool installation, certificate generation and automated renewal.

* Use systemctl instead of service in LE section
This is for consistency reasons.
2017-07-11 00:06:03 +02:00
bovarysme e191aaa7a3 Remove the cronjobs section from the production guide 2017-06-25 07:52:20 +02:00
wxcafé 39fe30df48 Update Production-guide.md
Fixes the problem where the `mastodon` user has /bin/false as a shell and so `sudo -iu` won't do anything
2017-06-20 13:39:20 +02:00
Hayato IZUMI 06fc3e68c5 Remove unavailable package from General dependencies for CentOS / RHEL 2017-06-18 13:52:27 +09:00
Charlotte Fields eb317b35bb added some missing info to prod. (#306)
* added some missing info

* changed login and user creation

* corrected user creation and login

hopefully
2017-06-17 15:16:48 +02:00
Aral Balkan 61d6d17904 Update command to checkout latest release.
The git tag command was incorrectly checking out release candidates instead of the latest release. Fixes #309
2017-06-15 17:22:04 +02:00
Benoît S 445dc18cd9 Missing RAILS_ENV=production and bundle exec
If you're omitting RAILS_ENV and `bundle exec` you'll have:

~~~
rake aborted!                             
NameError: uninitialized constant Annotate
[…]
~~~
2017-06-14 17:40:01 +02:00
Myles Braithwaite 2da7d4fc0a Needed pkg-config to install cld3.
In Debian the package `pkg-config` is required to install the rubygem `cld3`.
2017-05-29 14:36:32 -04:00
Eugen Rochko 8b5d2ba471 Fix API docs by adding missing attributes and methods, fix example
nginx config by removing overly specific configuration options
that confuse more than they help
2017-05-26 17:29:47 +02:00
Nolan Lawson 6b29d736ec s/assets/packs/
`assets` are now at `packs`. Unfortunately this change will permanently cache `stats.json` and `report.html`, but these aren't super critical since they're just for debugging. I confirmed that `manifest.json` is not affected and no other non-fingerprinted assets are affected.
2017-05-22 20:07:40 -07:00
Myles Braithwaite 9f752db5e0 Added note about adding backports on Debian. (#249)
Added a note about having to add Debian Backports repository to properly install `ffmpeg`.
2017-05-15 16:24:12 -07:00
Akihiko Odaki 124598b206 Add dependencies for CLD3 (#235)
This reflects commit d5cabfe5c65ac29d2f9c151b46c01a9fd885a9e0 in mastodon
repository.
2017-05-10 15:46:17 +02:00
Isao Sugimoto e97ec8f8ff more better instructions of debian jessie-backports (#232)
* more better instructions of debian jessie-backports

* minor fix
2017-05-09 09:10:10 -07:00
Ash Furrow 3ad0c4ab19 Updates for Docker documentation. See discussion in #136. (#214) 2017-05-09 10:12:02 +02:00
Darius Kazemi 03ee8bedfa Add a Debian 8 installation note (#223)
* Add a Debian 8 installation note

According to the conversation in f0a863feec, Debian 8 installs
an older version of nginx by default. This adds a note telling people
how to install a newer one.

* updating wording
2017-05-09 08:10:16 +02:00
Darius Kazemi 5b91212370 Merge pull request #204 from nolanlawson/fwenzel-patch-1
Add default CSP (take 2)
2017-05-08 11:16:49 -07:00
Nolan Lawson 8a57435b88 remove referrer-policy: strict-origin-when-cross-origin 2017-05-07 19:42:46 -07:00
Nolan Lawson 444beff404 remove unsafe-inline from script-src 2017-05-07 19:34:52 -07:00
Darius Kazemi 234175e30a Merge pull request #210 from tootsuite/Gargron-patch-1
Fix Node.js installation recommendation, also use 6.x
2017-05-07 10:15:22 -07:00
Eugen Rochko 50edeb67e2 Merge pull request #196 from kagucho/master
Use "sudo -u" instead of "sudo su"
2017-05-07 14:45:59 +02:00
Eugen Rochko 5d9994a4c2 Fix Node.js installation recommendation, also use 6.x 2017-05-06 04:38:01 +02:00
Isao Sugimoto a3097c94e5 Instructions for installing on CentOS
related: #13
2017-05-05 04:33:04 +09:00
Nolan Lawson 5bd6d4de27 update image-src/media-src to be more lax 2017-05-03 22:39:33 -07:00
Akihiko Odaki cab815878c Use "sudo -u" instead of "sudo su"
"sudo su" limits the capability of sudo to log the operations. -u option is
more straightforward and has better logging.
2017-05-03 11:02:55 +09:00
Nolan Lawson 718daad4a8 Add photos and avatars to static/immutable cache (#184) 2017-05-01 16:57:16 +02:00
Nolan Lawson f0a863feec Recommend HTTP/2 in the nginx config (#178) 2017-05-01 16:35:16 +02:00
Bjarni Rúnar Einarsson 72ed10378f Avoid hard-coding ciphers into configuration (#171)
* Avoid hard-coding ciphers into configuration

This change allows OpenSSL to choose the most appropriate available cipher(s) from the HIGH cipher suite. This is sufficient to get an A on the SSLLabs.com tests suite. If MEDIUM is allowed as well, the grade drops to a B which is still more than adequate for most deployments.

This type of configuration would prevent problems such as the current inability of Tusky on Android 7 devices to connect to some Mastodon instances.

The main benefit though, is this delegates the decisions about which ciphers are "good" and which ciphers are "bad" to the experts; the distribution security teams and the OpenSSL developers. If a weakness is found in a particular cipher it will get moved from HIGH to one of the lower classes (or removed entirely) and this will get deployed just like any other security update. Similarly, if new stronger ciphers are standardized (such as Curve 25519) - these will immediately become available without needing to change the configuration.

Hope this helps!

Note: I have not been able to test this change with Mastodon myself. I am using these settings in production elsewhere though, and they work quite well. Alternately, if people don't want to trust the OpenSSL definitions, please consider taking a look at https://wiki.mozilla.org/Security/Server_Side_TLS and implementing the recommendations from there.

* Also avoid SHA1

As requested during review. :)

* Fix a typo in the ssl_ciphers line

I wrote !SHA1, should have written just !SHA. Very sorry about the noise.
2017-04-27 22:25:39 +02:00
wxcafé 938575a679 Revert "Avoid hard-coding ciphers into configuration (#122)" (#170)
This reverts commit fc79d23ad0.
2017-04-27 22:15:37 +02:00
Bjarni Rúnar Einarsson fc79d23ad0 Avoid hard-coding ciphers into configuration (#122)
* Avoid hard-coding ciphers into configuration

This change allows OpenSSL to choose the most appropriate available cipher(s) from the HIGH cipher suite. This is sufficient to get an A on the SSLLabs.com tests suite. If MEDIUM is allowed as well, the grade drops to a B which is still more than adequate for most deployments.

This type of configuration would prevent problems such as the current inability of Tusky on Android 7 devices to connect to some Mastodon instances.

The main benefit though, is this delegates the decisions about which ciphers are "good" and which ciphers are "bad" to the experts; the distribution security teams and the OpenSSL developers. If a weakness is found in a particular cipher it will get moved from HIGH to one of the lower classes (or removed entirely) and this will get deployed just like any other security update. Similarly, if new stronger ciphers are standardized (such as Curve 25519) - these will immediately become available without needing to change the configuration.

Hope this helps!

Note: I have not been able to test this change with Mastodon myself. I am using these settings in production elsewhere though, and they work quite well. Alternately, if people don't want to trust the OpenSSL definitions, please consider taking a look at https://wiki.mozilla.org/Security/Server_Side_TLS and implementing the recommendations from there.

* Also avoid SHA1

As requested during review. :)
2017-04-27 22:13:27 +02:00
178inaba fbb0f346c3 Add yarn install option 2017-04-24 22:21:23 +09:00
Eugen 645fd80eff Merge pull request #134 from zorun/letsencrypt
Production guide: add support for let's encrypt in the nginx config
2017-04-23 06:00:14 +02:00
Nolan Lawson 8bc1fd2194 only add cache-control, remove comment 2017-04-22 17:09:39 -07:00
Nolan Lawson 32f4c5319f add nginx config for static assets 2017-04-22 16:19:53 -07:00
Baptiste Jonglez a8d244ad42 Production guide: add support for let's encrypt in the nginx config
This notably fixes potential issues like this one https://github.com/tootsuite/mastodon/issues/1665
2017-04-22 18:44:22 +02:00
Fred Wenzel b98af5e96d Add default CSP
Add a default CSP that allows anything from the local domain, plus inline styles, data: URIs, and no framing.
2017-04-21 21:57:48 -07:00