Merge branch 'nginx-http3' into 'master'
Enable HTTP/3 for {,aur.,wiki.}archlinux.org See merge request archlinux/infrastructure!850
This commit is contained in:
commit
7709a2f7e2
@ -12,3 +12,4 @@ fail2ban_jails:
|
||||
nginx_limit_req: true
|
||||
wireguard_address: 10.0.0.1
|
||||
wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
|
||||
nginx_enable_http3: true
|
||||
|
@ -7,3 +7,4 @@ fail2ban_jails:
|
||||
memcached_socket: "/run/memcached/aurweb.sock"
|
||||
wireguard_address: 10.0.0.2
|
||||
wireguard_public_key: TPLeGQ7qU6ZNtcgDbEV0SSYScvK+XS5igcPdGSXo6UA=
|
||||
nginx_enable_http3: true
|
||||
|
@ -4,3 +4,4 @@ wireguard_address: 10.0.0.22
|
||||
wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
|
||||
nginx_extra_modules:
|
||||
- name: geoip2
|
||||
nginx_enable_http3: true
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archive_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archive_domain }}/access.log reduced;
|
||||
|
@ -23,9 +23,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archmanweb_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain['domain_name'] }};
|
||||
|
||||
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;
|
||||
|
@ -21,9 +21,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -60,9 +58,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -98,9 +94,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ service_domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
|
@ -54,9 +54,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain['domain'] }};
|
||||
|
||||
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;
|
||||
@ -102,9 +100,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archweb_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;
|
||||
|
@ -59,9 +59,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archwiki_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archwiki_domain }}/access.log reduced;
|
||||
|
@ -35,9 +35,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ aurweb_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
|
||||
@ -142,7 +140,7 @@ server {
|
||||
location / {
|
||||
# Proxy over to aurweb's ASGI application.
|
||||
proxy_pass http://{{ aurweb_asgi_bind }};
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
|
@ -3,9 +3,7 @@ proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inacti
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ repos_domain }} {{repos_rsync_domain}};
|
||||
root /srv/ftp;
|
||||
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ debuginfod_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
|
||||
|
@ -23,9 +23,7 @@ limit_req_zone $binary_remote_addr zone=bbslimit:10m rate=10r/s;
|
||||
limit_req_status 429;
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ fluxbb_domain }};
|
||||
root {{ fluxbb_dir }};
|
||||
index index.php;
|
||||
|
@ -25,9 +25,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ grafana_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ grafana_domain }}/access.log main;
|
||||
|
@ -24,9 +24,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ hedgedoc_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ hedgedoc_domain }}/access.log main;
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ keycloak_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ keycloak_domain }}/access.log reduced;
|
||||
|
@ -35,9 +35,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ lists_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ lists_domain }}/access.log main;
|
||||
|
@ -17,9 +17,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -56,9 +54,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -94,9 +90,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ service_domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
|
@ -22,9 +22,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ matrix_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ matrix_domain }}/access.log reduced;
|
||||
|
@ -1,9 +1,7 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ item.value.mirror_domain }};
|
||||
root {{ item.value.target }};
|
||||
|
||||
|
@ -18,9 +18,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
|
||||
|
||||
access_log /var/log/nginx/{{ domain }}/access.log reduced;
|
||||
|
@ -1,3 +1,4 @@
|
||||
letsencrypt_validation_dir: "/var/lib/letsencrypt"
|
||||
nginx_firewall_zone:
|
||||
nginx_extra_modules: []
|
||||
nginx_enable_http3: false
|
||||
|
@ -19,11 +19,12 @@
|
||||
- snippets
|
||||
|
||||
- name: Copy snippets
|
||||
template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644
|
||||
template: src={{ item }} dest=/etc/nginx/snippets/{{ item | regex_replace('\\.j2$', '') }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- letsencrypt.conf
|
||||
- sslsettings.conf
|
||||
- headers.conf
|
||||
- listen-443.conf.j2
|
||||
notify:
|
||||
- Reload nginx
|
||||
|
||||
@ -66,6 +67,7 @@
|
||||
with_items:
|
||||
- http
|
||||
- https
|
||||
- "{{ 'http3' if nginx_enable_http3 else omit }}"
|
||||
when: configure_firewall
|
||||
tags:
|
||||
- firewall
|
||||
|
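Review bot: The `omit` in the last `with_items` entry does not skip that iteration; the loop still runs a third time on hosts where `nginx_enable_http3` is false, with the item set to the omit placeholder string, and what the module then does with that value depends on the module line, which is outside the hunk. Building the list instead avoids the extra iteration entirely: `with_items: "{{ ['http', 'https'] + (['http3'] if nginx_enable_http3 else []) }}"`. The enclosing task starts above the hunk.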
@ -1 +1,4 @@
|
||||
add_header Strict-Transport-Security $hsts_header always;
|
||||
{% if nginx_enable_http3 %}
|
||||
add_header Alt-Svc $alt_svc_header always;
|
||||
{% endif %}
|
||||
|
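Review bot: The new Alt-Svc line relies on `add_header`, which nginx replaces rather than merges: any `location` that declares its own `add_header` drops both this line and the HSTS line above it. That is pre-existing for HSTS, but HTTP/3 discovery now depends on this header, so a comment would help the next reader: `# add_header is replaced, not merged, in any location that sets its own add_header; re-include this snippet there.` Where this snippet is included is outside the hunk.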
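--- /dev/null
+++ b/roles/nginx/templates/listen-443.conf.j2
@@ -0,0 +1,7 @@
+listen 443 ssl;
+listen [::]:443 ssl;
+{% if nginx_enable_http3 %}
+listen 443 quic;
+listen [::]:443 quic;
+{% endif %}
+http2 on;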
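Review bot: The new snippet has no comment explaining why its `quic` listens carry no `reuseport` while the default server's do, and a reader extending it is likely to add one; it appears intended that the default server sets it once for the address:port. Suggested header comment: `# Shared 443 listen block; the quic listens deliberately omit reuseport, which the default server sets once per address:port.` It is also worth noting in the same comment that the snippets task strips the `.j2` suffix, so `include snippets/listen-443.conf;` is the correct name.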
@ -1,6 +1,14 @@
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
listen 443 default_server ssl;
|
||||
listen [::]:443 default_server ssl;
|
||||
{% if nginx_enable_http3 %}
|
||||
listen 443 default_server quic reuseport;
|
||||
listen [::]:443 default_server quic reuseport;
|
||||
{% endif %}
|
||||
http2 on;
|
||||
ssl_reject_handshake on;
|
||||
root /srv/http;
|
||||
|
||||
include snippets/letsencrypt.conf;
|
||||
|
@ -27,12 +27,13 @@ http {
|
||||
log_format main
|
||||
'$remote_addr $host $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for" $request_time';
|
||||
'"$http_user_agent" "$http_x_forwarded_for" $request_time'
|
||||
'$server_protocol';
|
||||
|
||||
log_format reduced
|
||||
'$host [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent"';
|
||||
'"$http_user_agent" $server_protocol';
|
||||
|
||||
log_format json_main escape=json
|
||||
'{'
|
||||
@ -48,6 +49,7 @@ http {
|
||||
'"http_user_agent":"$http_user_agent",'
|
||||
'"http_x_forwarded_for":"$http_x_forwarded_for",'
|
||||
'"request_time":"$request_time",'
|
||||
'"server_protocol":"$server_protocol",'
|
||||
# This was added to keep every log line unique as Loki drops
|
||||
# log line with the same timestamp and log text:
|
||||
# https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
|
||||
@ -65,6 +67,7 @@ http {
|
||||
'"body_bytes_sent":"$body_bytes_sent",'
|
||||
'"http_referrer":"$http_referer",'
|
||||
'"http_user_agent":"$http_user_agent",'
|
||||
'"server_protocol":"$server_protocol",'
|
||||
# This was added to keep every log line unique as Loki drops
|
||||
# log line with the same timestamp and log text:
|
||||
# https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
|
||||
|
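Review bot: In the `log_format main` hunk, `$request_time` and `$server_protocol` end up fused with no separator, because nginx concatenates adjacent string literals as-is and the new line `'$server_protocol';` has no leading space; the field would read like `0.004HTTP/2.0`. The `reduced` format below it does include the space. Change the last literal to `' $server_protocol';` or move the space to the end of the previous line; any whitespace-delimited parser of the main format would otherwise see one merged field.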
@ -18,4 +18,17 @@ map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubdomains; preload";
|
||||
}
|
||||
|
||||
{% if nginx_enable_http3 %}
|
||||
# Chrome, Firefox and curl only use the header from secure origins.
|
||||
# https://issues.chromium.org/issues/40471032
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1730935
|
||||
# https://everything.curl.dev/libcurl-http/alt-svc.html
|
||||
# See headers.conf for the Alt-Svc add_header line.
|
||||
map $scheme $alt_svc_header {
|
||||
# Keep a low max-age for HTTP/3 while testing.
|
||||
# Bump to 2592000 when we are done testing.
|
||||
https 'h3=":443"; ma=3600';
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
resolver 127.0.0.53;
|
||||
|
@ -2,9 +2,7 @@ server {
|
||||
# We don't redirect to HTTPS because a redirect is considered a captive portal.
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ ping_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ ping_domain }}/access.log reduced;
|
||||
|
@ -17,9 +17,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ public_domain }} www.{{ public_domain }};
|
||||
root /srv/public_html;
|
||||
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ rebuilderd_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
|
||||
|
@ -9,9 +9,7 @@ map $uri ${{ redirect.map | hash('md5') }} {
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ redirect.domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ redirect.domain }}/access.log reduced;
|
||||
|
@ -1,9 +1,7 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ repos_rsync_domain }};
|
||||
root /srv/ftp;
|
||||
|
||||
|
@ -29,9 +29,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ security_tracker_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ sources_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ sources_domain }}/access.log reduced;
|
||||
|
@ -2,9 +2,7 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
root /srv/ftp;
|
||||
|
||||
|