petamoriken · February 25, 2022 06:52
diff --git a/h2o.conf.yaml b/h2o.conf.yaml
 http2-casper: ON
 compress: ON

 header.setifempty: "X-XSS-Protection: 1; mode=block"
 header.setifempty: "Expect-CT: max-age=2592000, enforce"
 header.setifempty: "Expect-Staple: max-age=31536000; includeSubDomains; preload"

 listen:
  port: 80

 listen:
  port: 443
  ssl: 
    certificate-file: /etc/letsencrypt/live/kimamass.com/fullchain.pem
    key-file: /etc/letsencrypt/live/kimamass.com/privkey.pem
    minimum-version: TLSv1.2
    # see: https://wiki.mozilla.org/Security/Server_Side_TLS
    cipher-suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

 stash:
  secure: &secure
    header.setifempty: "X-Frame-Options: DENY"
    header.setifempty: "X-Content-Type-Options: nosniff"
    header.setifempty: "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload"

 hosts:
  "social.kimamass.com:80":
    paths:
      "/":
        redirect:
          url: https://social.kimamass.com
          status: 301

  "social.kimamass.com:443":
    paths:
      "/":
        header.set: "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload"
        mruby.handler-file: /usr/local/etc/h2o/maintenance.rb
        mruby.handler: |
          lambda do |env|
            headers = {}
            if File.exists?("/home/mastodon/live/public/#{env['PATH_INFO']}")
              headers['X-Frame-Options'] = 'DENY'
              headers['X-Content-Type-Options'] = 'nosniff'
              # headers['Referrer-Policy'] = 'no-referrer-when-downgrade'
              headers['Cache-Control'] = 'public, max-age=31536000, immutable'
            end
            [399, headers, []]
          end
        file.dir: /home/mastodon/live/public

        proxy.reverse.url: http://127.0.0.1:3000
        proxy.preserve-host: ON
        proxy.timeout.io: 300000
        proxy.timeout.keepalive: 0

      "/sw.js":
        <<: *secure
        mruby.handler-file: /usr/local/etc/h2o/maintenance.rb
        header.set: "Cache-Control: no-cache"
        file.file: /home/mastodon/live/public/sw.js

      "/api/v1/streaming":
        <<: *secure
        mruby.handler-file: /usr/local/etc/h2o/maintenance.rb
        proxy.reverse.url: http://127.0.0.1:4000
        proxy.preserve-host: ON
        proxy.websocket: ON

 access-log: /var/log/h2o/access.log
 error-log: /var/log/h2o/error.log
 pid-file: /var/run/h2o/h2o.pid
diff --git a/maintenance.rb b/maintenance.rb
 class Maintenance
  def call(env)
    headers = {}
    if File.exists?('/home/mastodon/.maintenance')
      headers['Content-Type'] = 'text/plain; charset=UTF-8'
      headers['Retry-After'] = '600'
      return [503, headers, ["メンテナンス中です\n"]]
    end
    [399, headers, []]
  end
 end

 Maintenance.new
	http2-casper: ON
	compress: ON

	header.setifempty: "X-XSS-Protection: 1; mode=block"
	header.setifempty: "Expect-CT: max-age=2592000, enforce"
	header.setifempty: "Expect-Staple: max-age=31536000; includeSubDomains; preload"

	listen:
	port: 80

	listen:
	port: 443
	ssl:
	certificate-file: /etc/letsencrypt/live/kimamass.com/fullchain.pem
	key-file: /etc/letsencrypt/live/kimamass.com/privkey.pem
	minimum-version: TLSv1.2
	# see: https://wiki.mozilla.org/Security/Server_Side_TLS
	cipher-suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

	stash:
	secure: &secure
	header.setifempty: "X-Frame-Options: DENY"
	header.setifempty: "X-Content-Type-Options: nosniff"
	header.setifempty: "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload"

	hosts:
	"social.kimamass.com:80":
	paths:
	"/":
	redirect:
	url: https://social.kimamass.com
	status: 301

	"social.kimamass.com:443":
	paths:
	"/":
	header.set: "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload"
	mruby.handler-file: /usr/local/etc/h2o/maintenance.rb
	mruby.handler: \|
	lambda do \|env\|
	headers = {}
	if File.exists?("/home/mastodon/live/public/#{env['PATH_INFO']}")
	headers['X-Frame-Options'] = 'DENY'
	headers['X-Content-Type-Options'] = 'nosniff'
	# headers['Referrer-Policy'] = 'no-referrer-when-downgrade'
	headers['Cache-Control'] = 'public, max-age=31536000, immutable'
	end
	[399, headers, []]
	end
	file.dir: /home/mastodon/live/public

	proxy.reverse.url: http://127.0.0.1:3000
	proxy.preserve-host: ON
	proxy.timeout.io: 300000
	proxy.timeout.keepalive: 0

	"/sw.js":
	<<: *secure
	mruby.handler-file: /usr/local/etc/h2o/maintenance.rb
	header.set: "Cache-Control: no-cache"
	file.file: /home/mastodon/live/public/sw.js

	"/api/v1/streaming":
	<<: *secure
	mruby.handler-file: /usr/local/etc/h2o/maintenance.rb
	proxy.reverse.url: http://127.0.0.1:4000
	proxy.preserve-host: ON
	proxy.websocket: ON

	access-log: /var/log/h2o/access.log
	error-log: /var/log/h2o/error.log
	pid-file: /var/run/h2o/h2o.pid
	class Maintenance
	def call(env)
	headers = {}
	if File.exists?('/home/mastodon/.maintenance')
	headers['Content-Type'] = 'text/plain; charset=UTF-8'
	headers['Retry-After'] = '600'
	return [503, headers, ["メンテナンス中です\n"]]
	end
	[399, headers, []]
	end
	end

	Maintenance.new