OCI無料枠から自宅鯖に移したついでに少し構成を変えました。

NginxをDockerにしてCloudflare Tunnelを使うように変えただけなんですけどね。

んで、Nginx周りがなんだかよく分からなくなったのでメモ程度で残しておきます。

Docker Compose は Lemmy 公式の docker-compose.yml を参考に、以下の2サービス（nginx と cloudflared）を追加

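  # Reverse proxy in front of lemmy / lemmy-ui / pictrs.
  # Deliberately has no `ports:`: it is only reachable on the compose network,
  # i.e. through the tunnel container below. Keep it that way — nginx.conf
  # trusts the CF-Connecting-IP header, which only holds while nothing but
  # cloudflared can reach port 80.
  proxy:
    image: nginx:1-alpine
    volumes:
      # :ro so the container cannot rewrite its own config; :Z relabels for SELinux hosts
      - ./nginx.conf:/etc/nginx/nginx.conf:ro,Z
    restart: always
    depends_on:
      - lemmy
      - pictrs
      - lemmy-ui
    logging: *default-logging

  # Cloudflare Tunnel connector; the tunnel's public hostname is pointed at
  # http://proxy:80 in the Cloudflare dashboard. Traffic from here to nginx is
  # plain HTTP on the compose network (TLS ends at the Cloudflare edge).
  tunnel:
    restart: always
    # `latest` is unpinned: a pull can silently change the connector version.
    # Pin to a specific tag once you have one you have tested.
    image: cloudflare/cloudflared:latest
    command: tunnel run
    environment:
      # Read from the shell environment or a .env file next to this compose
      # file — the token grants control of the tunnel, so never write it here
      # and keep .env out of version control.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    depends_on:
      - proxy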

nginx.conf

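# nginx.conf for the "proxy" container.
# TLS is terminated at the Cloudflare edge; the cloudflared container forwards
# plain HTTP to this listener over the compose network, so nothing in this file
# deals with certificates. Everything that needs the visitor's address
# (rate limiting, X-Real-IP, the anonymised log map) depends on the real_ip
# settings in the server block — see the comment there.
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    upstream lemmy {
        # must match the lemmy (server) docker service hostname
        server "lemmy:8536";
    }
    upstream lemmy-ui {
        # must match the lemmy-ui docker service hostname
        server "lemmy-ui:1234";
    }

    # Per-client rate limit used by the backend location below.
    # The key is the client address, which is only meaningful because of
    # real_ip_header below: without it every request arrives from the
    # cloudflared container's address and all visitors share this one bucket.
    limit_req_zone $binary_remote_addr zone=lemmy_ratelimit:10m rate=1r/s;

    server {
        # port inside the container; the tunnel is pointed at proxy:80
        listen 80;
        # only server block, so it is the default regardless of Host
        server_name localhost;
        server_tokens off;

        # Recover the visitor's address from the header cloudflared adds.
        # set_real_ip_from must cover the address the tunnel container connects
        # from (check with `docker network inspect <compose network>`); the
        # range below is Docker's default address pool — adjust if yours differs.
        # This is only safe while port 80 of this container is NOT published on
        # the host: anyone able to reach nginx directly could forge the header.
        set_real_ip_from 172.16.0.0/12;
        real_ip_header CF-Connecting-IP;

        # Only static asset types are compressed; HTML/JSON responses stay uncompressed.
        gzip on;
        gzip_types text/css application/javascript image/svg+xml;
        gzip_vary on;

        # Upload limit, relevant for pictrs
        client_max_body_size 20M;

        # Inherited by both locations below because neither sets add_header itself.
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        # Legacy header (the XSS auditor it controlled has been removed from
        # current browsers); harmless to keep for older clients.
        add_header X-XSS-Protection "1; mode=block";

        # frontend general requests
        location / {
            # distinguish between ui requests and backend
            # don't change lemmy-ui or lemmy here, they refer to the upstream definitions on top
            set $proxpass "http://lemmy-ui";

            # API clients announce themselves with an application/* Accept header;
            # POSTs always go to the backend. Note that requests routed to lemmy
            # from here bypass lemmy_ratelimit, which only covers the location below.
            if ($http_accept ~ "^application/.*$") {
              set $proxpass "http://lemmy";
            }
            if ($request_method = POST) {
              set $proxpass "http://lemmy";
            }
            proxy_pass $proxpass;

            # strip trailing slashes with a 301 (rewrite phase runs before proxy_pass)
            rewrite ^(.+)/+$ $1 permanent;
            # Send actual client IP upstream ($remote_addr is already the real_ip result)
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host lm.korako.me;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # backend (the dot in .well-known is escaped so it only matches literally)
        location ~ ^/(api|pictrs|feeds|nodeinfo|\.well-known) {
            proxy_pass "http://lemmy";
            # proxy common stuff
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Rate limit: 1r/s per client, up to 30 queued requests served immediately
            limit_req zone=lemmy_ratelimit burst=30 nodelay;

            # Send actual client IP upstream ($remote_addr is already the real_ip result)
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host lm.korako.me;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    # Anonymised client address (last IPv4 octet / IPv6 tail dropped) meant for
    # a log_format. Nothing in this file references $remote_addr_anon, so it has
    # no effect until an access_log / log_format uses it.
    # The named capture `ip` must be declared as (?P<ip>...) for $ip to resolve.
    map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
        ~(?P<ip>[^:]+:[^:]+):       $ip::;
        127.0.0.1                   $remote_addr;
        ::1                         $remote_addr;
        default                     0.0.0.0;
    }
}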

何が正解かもうよく分からない nginx.conf ですが、とりあえずこれで動いています。ひとつ注意点として、Cloudflare Tunnel 経由だと nginx から見た接続元は cloudflared コンテナになるので、`$remote_addr` をそのまま使う rate limit や X-Real-IP は訪問者ごとにならず、`CF-Connecting-IP` ヘッダから実 IP を取る設定（real_ip_header）が必要です。

あとは Cloudflare Tunnel の Public Hostname を proxy:80 に向ければ OK! proxy には `ports:` を書いていないので、ホストや LAN 側には開放されず、Tunnel 経由でしか届きません（TUNNEL_TOKEN は compose ファイルに直書きせず .env などから渡しましょう）。

ちなみにこの構成だと鯖移すときに止めてまるごと圧縮して移すだけというめちゃくちゃ簡単な感じになってよきです。