server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name pixelfed.example; # change this to your fqdn root /home/pixelfed/public; # path to repo/public ssl_certificate /etc/nginx/ssl/server.crt; # generate your own ssl_certificate_key /etc/nginx/ssl/server.key; # or use letsencrypt ssl_protocols TLSv1.2; ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES; ssl_prefer_server_ciphers on; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options "nosniff"; index index.php; charset utf-8; client_max_body_size 15M; location / { try_files $uri $uri/ /index.php?$query_string; } location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { access_log off; log_not_found off; } error_page 404 /index.php; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; fastcgi_index index.php; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; fastcgi_param HTTPS $https if_not_empty; fastcgi_param REDIRECT_STATUS 200; fastcgi_param HTTP_PROXY ""; } location ~ /\.(?!well-known).* { deny all; } } server { # Redirect http to https server_name pixelfed.example; # change this to your fqdn listen 80; listen [::]:80; return 301 https://$host$request_uri; }