Nginx configuration

nginxをリバースプロキシとして活用し、Misskeyサーバーを直接インターネットに公開せず運用することをお勧めします。 これにより、以下のようなメリットが得られます。

• セキュリティ強化：リバースプロキシを通じてアクセスを制御することで、Misskeyサーバーに直接攻撃が及ぶリスクを軽減します。
• 柔軟な設定：nginxは柔軟な設定オプションを提供しており、リバースプロキシとしての機能だけでなく、キャッシュ¹やセキュリティポリシーの設定も行えます。

これらの利点を活かして、Misskeyサーバーをより安全かつ効率的に運用することが可能です。 また、CloudflareなどのCDNと併せて設定することで、さらなる効果を見込めます。

設定方法の一例

以下はサーバーマシン（VPSなど）に直接nginxをインストールし、認証局としてLet's Encryptを採用したケースでの設定例です。

1. Create /etc/nginx/conf.d/misskey.conf or /etc/nginx/sites-available/misskey.conf and copy the following example to the file.
   （The file name does not have to be "misskey".)
   （The file name does not have to be "misskey".)
2. Edit as follows:
   1. Replace example.tld with the domain you have prepared.Replace example.tld with the domain you have prepared.
      ssl_certificate and ssl_certificate_key should be the path to the certificate obtained from Let's Encrypt.
   2. If using a CDN such as Cloudflare, remove 4 lines from "If it's behind another reverse proxy or CDN, remove the following."
3. If you create /etc/nginx/sites-available/misskey.conf, create symlink as /etc/nginx/sites-enabled/misskey.conf.If you create /etc/nginx/sites-available/misskey.conf, create symlink as /etc/nginx/sites-enabled/misskey.conf.
   sudo ln -s /etc/nginx/sites-available/misskey.conf /etc/nginx/sites-enabled/misskey.conf
4. Run sudo nginx -t to verify that the configuration file will be loaded successfully.
5. Run sudo systemctl restart nginx to restart nginx.

Nginx config example

# For WebSocket
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache1:16m max_size=1g inactive=720m use_temp_path=off;

server {
    listen 80;
    listen [::]:80;
    server_name example.tld;

    # For SSL domain validation
    root /var/www/html;
    location /.well-known/acme-challenge/ { allow all; }
    location /.well-known/pki-validation/ { allow all; }
    location / { return 301 https://$server_name$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.tld;

    ssl_session_timeout 1d;
    ssl_session_cache shared:ssl_session_cache:10m;
    ssl_session_tickets off;

    # To use Let's Encrypt certificate
    ssl_certificate     /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;

    # To use Debian/Ubuntu's self-signed certificate (For testing or before issuing a certificate)
    #ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    #ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # SSL protocol settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Change to your upload limit
    client_max_body_size 80m;

    # Proxy to Node
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # For WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Cache settings
        proxy_cache cache1;
        proxy_cache_lock on;
        proxy_cache_use_stale updating;
        proxy_force_ranges on;
        add_header X-Cache $upstream_cache_status;
    }
}