NGINX Reverse Proxy with Cache

Hi. I’m not new to installing Mastodon, but this is my first time that I have tried to use Mastodon with Wasabi using NGINX reverse proxy with cache.
I have been using the following guide as recommended by some users in this forum:

My instance is relatively new. I installed it using the standard installation instructions and haven’t made in significant configurations beyond the stock installation. There are only two users (root and a regular user) and a few posts to test. So, I skipped the part in the guide about migrating the data using AWS-CLI. Was that correct?

My main problem is with the NGINX configuration file. I posted it below. It contains the original stock configuration. I added the piece that the guide mentioned above said. However, my Mastodon broke and now I only see the elephant pounding the keyboard.

To be honest, I’m not really sure how this file should be written. I don’t know what needs to be deleted from the original stock file.

Can anyone take a look at my file below (I obscured some information for privacy) and help me. I also enclosed the .env.production file below the NGINX file.

Thank you. I appreciate it very much.

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream backend {
    server 127.0.0.1:3000 fail_timeout=0;
}

upstream streaming {
    server 127.0.0.1:4000 fail_timeout=0;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mastodon_media:10m inactive=7d max_size=1g;

server {
    if ($host = social(dot)bunny(dot)com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name social(dot)bunny(dot)com;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }


}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name social(dot)bunny(dot)com;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  # Uncomment these lines once you acquire a certificate:
   ssl_certificate     /etc/letsencrypt/live/social(dot)bunny(dot)com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/social(dot)bunny(dot)com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;

  root /home/mastodon/live/public;

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    try_files $uri @proxy;
  }

  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

#//  location @proxy {
#    proxy_set_header Host $host;
#    proxy_set_header X-Real-IP $remote_addr;
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header X-Forwarded-Proto $scheme;
#    proxy_set_header Proxy "";
#    proxy_pass_header Server;

#    proxy_pass http(colon)//backend; 
#    proxy_buffering on;
#    proxy_redirect off;
#    proxy_http_version 1.1;
#    proxy_set_header Upgrade $http_upgrade;
#    proxy_set_header Connection $connection_upgrade;

#    proxy_cache CACHE;
#    proxy_cache_valid 200 7d;
#    proxy_cache_valid 410 24h;
#    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
#    add_header X-Cached $upstream_cache_status;
#    add_header Strict-Transport-Security "max-age=31536000";

#    tcp_nodelay on;
#  }

  location /bunny-social/ {
                proxy_cache mastodon_media;
                proxy_cache_revalidate on;
                proxy_buffering on;
                proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
                proxy_cache_background_update on;
                proxy_cache_lock on;
                proxy_cache_valid 1d;
                proxy_cache_valid 404 1h;
                proxy_ignore_headers Cache-Control;
                add_header X-Cached $upstream_cache_status;
                proxy_pass https(colon)//s3(dot)eu-central-1(dot)wasabisys(dot)com/bunny-social/;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Proxy "";
    proxy_pass https(colon)//s3(dot)eu-central-1(dot)wasabisys(dot)com/bunny-social/;
#    proxy_pass http(colon)//streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 500 501 502 503 504 /500.html;

    ssl_certificate /etc/letsencrypt/live/social(dot)bunny(dot)com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/social(dot)bunny(dot)com/privkey.pem; # managed by Certbot
}
LOCAL_DOMAIN=social(dot)bunny(dot)com
SINGLE_USER_MODE=false
SECRET_KEY_BASE=e**
OTP_SECRET=f1***
VAPID_PRIVATE_KEY=yK***
VAPID_PUBLIC_KEY=BGGJ**yY0=
DB_HOST=/var/run/postgresql
DB_PORT=5432
DB_NAME=mastodon_production
DB_USER=mastodon
DB_PASS=
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=
SMTP_SERVER=smtp(dot)mailgun(dot)org
SMTP_PORT=587
SMTP_LOGIN=postmaster@social(dot)bunny(dot)com
SMTP_PASSWORD=d4931b7***
SMTP_AUTH_METHOD=plain
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_FROM_ADDRESS='Mastodon <notifications@social(dot)bunny(dot)com>'

S3_ENABLED=true
S3_BUCKET=bunny-social
AWS_ACCESS_KEY_ID=18WV38LW8GXGY5CMRH3R
AWS_SECRET_ACCESS_KEY=ZZeR******
S3_PROTOCOL=https
S3_HOSTNAME=social(dot)bunny(dot)com
S3_ENDPOINT=https://s3.eu-central-1.wasabisys.com/

This is the hostname which will be used to access your images. But this is the same domain as your LOCAL_DOMAIN - I don’t think it will work. In the Stan’s story the name media.mstdn.io is used which is used extra for media only and it should be redirected to the content delivery network, in this case Wasabi, via DNS.

To be more specific: mstdn.io admin profile is using the following address:

https://mstdn.io/@admin

However the avatar is available via media.mstdn.io

https://media.mstdn.io/mstdn-media/accounts/avatars/000/005/363/original/f53bdb7553721f0c.png

which currently points to CloudFlare because they no longer use Wasabi.