
Merge branch 'nginx-http3' into 'master'

Enable HTTP/3 for {,aur.,wiki.}archlinux.org

See merge request archlinux/infrastructure!850
Kristian Klausen 2024-08-18 14:50:23 +02:00
commit 7709a2f7e2
No known key found for this signature in database
GPG Key ID: E2BE346E410366C3
36 changed files with 75 additions and 97 deletions


@ -12,3 +12,4 @@ fail2ban_jails:
nginx_limit_req: true
wireguard_address: 10.0.0.1
wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
nginx_enable_http3: true


@ -7,3 +7,4 @@ fail2ban_jails:
memcached_socket: "/run/memcached/aurweb.sock"
wireguard_address: 10.0.0.2
wireguard_public_key: TPLeGQ7qU6ZNtcgDbEV0SSYScvK+XS5igcPdGSXo6UA=
nginx_enable_http3: true


@ -4,3 +4,4 @@ wireguard_address: 10.0.0.22
wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
nginx_extra_modules:
- name: geoip2
nginx_enable_http3: true


@ -16,9 +16,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ archive_domain }};
access_log /var/log/nginx/{{ archive_domain }}/access.log reduced;


@ -23,9 +23,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ archmanweb_domain }};
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;


@ -16,9 +16,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ domain['domain_name'] }};
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;


@ -21,9 +21,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ domain }};
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@ -60,9 +58,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ domain }};
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@ -98,9 +94,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ service_domain }};
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;


@ -54,9 +54,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ domain['domain'] }};
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;
@ -102,9 +100,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ archweb_domain }};
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;


@ -59,9 +59,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ archwiki_domain }};
access_log /var/log/nginx/{{ archwiki_domain }}/access.log reduced;


@ -35,9 +35,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ aurweb_domain }};
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
@ -142,7 +140,7 @@ server {
location / {
# Proxy over to aurweb's ASGI application.
proxy_pass http://{{ aurweb_asgi_bind }};
proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
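Review bot: The switch from `$http_host` to `$host` in the `proxy_set_header Host` line deserves a comment, because the two differ in ways the upstream may care about: `$host` is lower-cased, has any port stripped, and falls back to the server_name when the request carries no host, whereas `$http_host` is the raw client header. Presumably the change is needed because HTTP/3 requests deliver the authority via `:authority` rather than a literal Host header — confirm; if that is the reason, `# $host rather than $http_host: HTTP/3 requests carry :authority, not a Host header` above the line records it for the next maintainer. The enclosing server block starts outside the hunk.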


@ -3,9 +3,7 @@ proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inacti
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ repos_domain }} {{repos_rsync_domain}};
root /srv/ftp;


@ -16,9 +16,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ debuginfod_domain }};
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;


@ -23,9 +23,7 @@ limit_req_zone $binary_remote_addr zone=bbslimit:10m rate=10r/s;
limit_req_status 429;
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ fluxbb_domain }};
root {{ fluxbb_dir }};
index index.php;


@ -25,9 +25,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ grafana_domain }};
access_log /var/log/nginx/{{ grafana_domain }}/access.log main;


@ -24,9 +24,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ hedgedoc_domain }};
access_log /var/log/nginx/{{ hedgedoc_domain }}/access.log main;


@ -16,9 +16,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ keycloak_domain }};
access_log /var/log/nginx/{{ keycloak_domain }}/access.log reduced;


@ -35,9 +35,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ lists_domain }};
access_log /var/log/nginx/{{ lists_domain }}/access.log main;


@ -17,9 +17,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ domain }};
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@ -56,9 +54,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ domain }};
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@ -94,9 +90,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ service_domain }};
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;


@ -22,9 +22,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ matrix_domain }};
access_log /var/log/nginx/{{ matrix_domain }}/access.log reduced;


@ -1,9 +1,7 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ item.value.mirror_domain }};
root {{ item.value.target }};


@ -18,9 +18,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
access_log /var/log/nginx/{{ domain }}/access.log reduced;


@ -1,3 +1,4 @@
letsencrypt_validation_dir: "/var/lib/letsencrypt"
nginx_firewall_zone:
nginx_extra_modules: []
nginx_enable_http3: false


@ -19,11 +19,12 @@
- snippets
- name: Copy snippets
template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644
template: src={{ item }} dest=/etc/nginx/snippets/{{ item | regex_replace('\\.j2$', '') }} owner=root group=root mode=0644
with_items:
- letsencrypt.conf
- sslsettings.conf
- headers.conf
- listen-443.conf.j2
notify:
- Reload nginx
@ -66,6 +67,7 @@
with_items:
- http
- https
- "{{ 'http3' if nginx_enable_http3 else omit }}"
when: configure_firewall
tags:
- firewall
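Review bot: The `omit` placeholder used as a `with_items` element in the second hunk does not drop the element from the list; the loop still iterates over the placeholder, and whether the task then does the right thing on hosts with `nginx_enable_http3: false` (the default) depends on how the loop variable is consumed by the module arguments, which lie outside the hunk. Building the list explicitly removes that dependency, e.g. `with_items: "{{ ['http', 'https'] + (['http3'] if nginx_enable_http3 else []) }}"`. Separately, `http3` is only a valid service name if the firewalld on the hosts ships that service definition — worth confirming on the oldest supported host. In the first hunk, the `template:` task keeps the `key=value` argument string; spelling it out as block YAML (`src`, `dest`, `owner`, `group`, `mode: "0644"`) would make the new `regex_replace` expression easier to read.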


@ -1 +1,4 @@
add_header Strict-Transport-Security $hsts_header always;
{% if nginx_enable_http3 %}
add_header Alt-Svc $alt_svc_header always;
{% endif %}


@ -0,0 +1,7 @@
listen 443 ssl;
listen [::]:443 ssl;
{% if nginx_enable_http3 %}
listen 443 quic;
listen [::]:443 quic;
{% endif %}
http2 on;
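Review bot: The new snippet should carry a short header comment explaining why its `quic` listeners have no `reuseport` while the default_server listeners in the default vhost hunk do (`listen 443 default_server quic reuseport;`): nginx accepts `reuseport` only once per address:port, so a well-meaning copy of that option into this shared snippet would fail the config test on every host that includes it. Something like `# No reuseport here: it is set once, on the default_server quic listeners in the default vhost.` at the top of the file is enough. The same comment is a good place to note that HTTP/3 requires TLSv1.3, which the shared ssl settings snippet (not in this diff) presumably already enables — confirm.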


@ -1,6 +1,14 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
{% if nginx_enable_http3 %}
listen 443 default_server quic reuseport;
listen [::]:443 default_server quic reuseport;
{% endif %}
http2 on;
ssl_reject_handshake on;
root /srv/http;
include snippets/letsencrypt.conf;


@ -27,12 +27,13 @@ http {
log_format main
'$remote_addr $host $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $request_time';
'"$http_user_agent" "$http_x_forwarded_for" $request_time'
'$server_protocol';
log_format reduced
'$host [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent"';
'"$http_user_agent" $server_protocol';
log_format json_main escape=json
'{'
@ -48,6 +49,7 @@ http {
'"http_user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for",'
'"request_time":"$request_time",'
'"server_protocol":"$server_protocol",'
# This was added to keep every log line unique as Loki drops
# log line with the same timestamp and log text:
# https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
@ -65,6 +67,7 @@ http {
'"body_bytes_sent":"$body_bytes_sent",'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"server_protocol":"$server_protocol",'
# This was added to keep every log line unique as Loki drops
# log line with the same timestamp and log text:
# https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
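Review bot: In the `main` log_format (first hunk of this file) the new `'$server_protocol'` fragment is concatenated directly after `$request_time'` with no separator, so a logged line ends in something like `0.004HTTP/2.0` (constructed example) and any parser splitting on whitespace mis-reads the last two fields; the `reduced` format a few lines below gets this right with `'"$http_user_agent" $server_protocol'`. Change the preceding line to `'"$http_user_agent" "$http_x_forwarded_for" $request_time '` (trailing space) or write the new fragment as `' $server_protocol'`. The two JSON formats in the other hunks are unaffected, since each field is its own key.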


@ -18,4 +18,17 @@ map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
{% if nginx_enable_http3 %}
# Chrome, Firefox and curl only use the header from secure origins.
# https://issues.chromium.org/issues/40471032
# https://bugzilla.mozilla.org/show_bug.cgi?id=1730935
# https://everything.curl.dev/libcurl-http/alt-svc.html
# See headers.conf for the Alt-Svc add_header line.
map $scheme $alt_svc_header {
# Keep a low max-age for HTTP/3 while testing.
# Bump to 2592000 when we are done testing.
https 'h3=":443"; ma=3600';
}
{% endif %}
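Review bot: The `map $scheme $alt_svc_header` block has no `default`, so on plain-HTTP requests the variable is empty and the `add_header Alt-Svc` line in headers.conf emits nothing; that is the behaviour the comment above the map asks for (secure origins only), but the missing default reads like an oversight next to the equally shaped `$hsts_header` map. A one-line comment inside the map would settle it: `# No default on purpose: an empty value makes add_header skip Alt-Svc on plain HTTP.`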
resolver 127.0.0.53;


@ -2,9 +2,7 @@ server {
# We don't redirect to HTTPS because a redirect is considered a captive portal.
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ ping_domain }};
access_log /var/log/nginx/{{ ping_domain }}/access.log reduced;


@ -17,9 +17,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ public_domain }} www.{{ public_domain }};
root /srv/public_html;


@ -16,9 +16,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ rebuilderd_domain }};
access_log /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;


@ -9,9 +9,7 @@ map $uri ${{ redirect.map | hash('md5') }} {
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ redirect.domain }};
access_log /var/log/nginx/{{ redirect.domain }}/access.log reduced;


@ -1,9 +1,7 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ repos_rsync_domain }};
root /srv/ftp;


@ -29,9 +29,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ security_tracker_domain }};
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;


@ -16,9 +16,7 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ sources_domain }};
access_log /var/log/nginx/{{ sources_domain }}/access.log reduced;


@ -2,9 +2,7 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/listen-443.conf;
server_name {{ domain }};
root /srv/ftp;