From 255de3fc3f9dcf133c1527f3b891e7fe4532ea37 Mon Sep 17 00:00:00 2001
From: Marco Kundt <mrckndt@riseup.net>
Date: Tue, 20 Apr 2021 19:26:34 +0200
Subject: [PATCH] move some settings around

---
 nginx/mattermost.conf | 31 +++++++++++++------------------
 1 file changed, 13 insertions(+), 18 deletions(-)

diff --git a/nginx/mattermost.conf b/nginx/mattermost.conf
index 2ae1231..d5a2ffd 100644
--- a/nginx/mattermost.conf
+++ b/nginx/mattermost.conf
@@ -28,10 +28,21 @@ server {
     listen 443 ssl http2 default_server;
     listen [::]:443 ssl http2 default_server;
 
+    # logging
+    access_log /var/log/nginx/mm.access.log;
+    error_log /var/log/nginx/mm.error.log warn;
+
+    # gzip for performance
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
     ## ssl
     ssl_dhparam /dhparams4096.pem;
     ssl_session_timeout 1d;
-    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_cache shared:MozSSL:10m;
     ssl_session_tickets off;
 
     # intermediate configuration
@@ -57,21 +68,7 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
-
-    # logging
-    access_log /var/log/nginx/mm.access.log;
-    error_log /var/log/nginx/mm.error.log warn;
-
-    # max allowed size of uploaded files
-    client_max_body_size 256M;
-
-    # gzip for performance
-    gzip on;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 6;
-    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
     ## locations
     # ACME-challenge
@@ -87,7 +84,6 @@ server {
         return 200 "User-agent: *\nDisallow: /\n";
     }
 
-    # API websocket location
     location ~ /api/v[0-9]+/(users/)?websocket$ {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
@@ -108,7 +104,6 @@ server {
         proxy_pass http://backend;
     }
 
-    # reverse proxy location
     location / {
         client_max_body_size 50M;
         proxy_set_header Connection "";