# look for "max clients:" when starting copyparty, as nginx should
# not accept more concurrent clients than copyparty is able to handle;
# nginx default is 512 (worker_processes 1, worker_connections 512)
#
# rarely, in some extreme usecases, it can be good to add -j0
# (40'000 requests per second, or 20gbps upload/download in parallel)
# but this is usually counterproductive and slightly buggy
#
# on fedora/rhel, remember to setsebool -P httpd_can_network_connect 1
#
# if you are behind cloudflare (or another protection service),
# remember to reject all connections which are not coming from your
# protection service -- for cloudflare in particular, you can
# generate the list of permitted IP ranges like so:
# (curl -s https://www.cloudflare.com/ips-v{4,6} | sed 's/^/allow /; s/$/;/'; echo; echo "deny all;") > /etc/nginx/cloudflare-only.conf
#
# and then enable it below by uncommenting the cloudflare-only.conf line
upstream cpp_tcp {
    # alternative 1: connect to copyparty over tcp on the loopback address;
    # cpp_uds (below) is slightly faster and more secure, but
    # cpp_tcp is easier to set up and "just works".
    # ...you should however restrict copyparty to only
    # accept connections from nginx, by adding this arg:
    #   -i 127.0.0.1
    # otherwise clients can connect to port 3923 directly and
    # bypass nginx (and any access rules configured in this file)

    # 3923 is copyparty's default listening port; fail_timeout=1s means
    # a failed attempt only marks the server unavailable for one second
    server 127.0.0.1:3923 fail_timeout=1s;

    # keep one idle connection per worker open to copyparty;
    # requires proxy_http_version 1.1 (set in the location block below)
    keepalive 1;
}
upstream cpp_uds {
    # alternative 2: unix-socket, aka. "unix domain socket";
    # 5-10% faster, and better isolation from other software,
    # since access is controlled by filesystem permissions
    # instead of the socket being reachable on a tcp port.
    # there must be at least one unix-group which both
    # nginx and copyparty are members of; if that group is
    # "www" then run copyparty with the following args:
    #   -i unix:770:www:/tmp/party.sock
    # (770 = socket permissions, www = group owner, so only members
    # of that group can connect; note that /tmp is world-writable --
    # a dedicated runtime directory is the usual hardening, if available)

    server unix:/tmp/party.sock fail_timeout=1s;

    # keep one idle connection per worker open to copyparty;
    # requires proxy_http_version 1.1 (set in the location block below)
    keepalive 1;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # NOTE: this snippet contains no ssl_certificate / ssl_certificate_key
    # directives; they must be provided by the surrounding nginx config

    server_name fs.example.com;

    # uncomment the following line to reject connections that do not come
    # from cloudflare's published ip ranges (see the header of this file for
    # how to generate it); this is what makes the cloudflare-provided client
    # ip trustworthy -- without it, anyone can connect directly and spoof it
    #include /etc/nginx/cloudflare-only.conf;

    location / {
        # recommendation: replace cpp_tcp with cpp_uds below
        proxy_pass http://cpp_tcp;

        # pass Location/Refresh headers from copyparty through unmodified
        proxy_redirect off;

        # stream requests and responses instead of buffering them (next 4 lines);
        # client_max_body_size 0 disables nginx's request-body size limit
        # for this location, so large uploads are not rejected by nginx
        proxy_http_version 1.1;
        client_max_body_size 0;
        proxy_buffering off;
        proxy_request_buffering off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # appends the connecting address to any X-Forwarded-For the client sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE: with cloudflare you want this instead, BUT only together with
        # the cloudflare-only.conf include above -- CF-Connecting-IP is just a
        # request header, and without the ip allowlist any client can set it
        #proxy_set_header X-Forwarded-For $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-Proto $scheme;
        # keeps the upstream connection open for the keepalive pool
        # (nginx's keepalive docs clear the header instead, `Connection "";`,
        # which with http/1.1 should have the same effect)
        proxy_set_header Connection "Keep-Alive";
    }
}
# default client_max_body_size (1M) blocks uploads larger than 256 MiB
# NOTE: these directives sit outside server {} and apply to the enclosing
# context; the location above already sets client_max_body_size 0 (no limit),
# which overrides this value there, so 1024M only affects contexts in this
# nginx config that do not set their own limit
client_max_body_size 1024M;

# very long timeouts so slow or huge transfers are not cut off by nginx
# (presumably sized for long-running copyparty uploads/downloads -- tune to
# need: generous header/body timeouts also keep slow or idle clients
# connected for longer)
client_header_timeout 610m;
client_body_timeout 610m;
send_timeout 610m;