nginx: Add plumbing for enabling HTTP/3 conditionally
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing and makes it possible to enable it per host. Instead of adding the conditional logic to each nginx template, the 443 listen config is moved out into a snippet which is managed by the nginx role. HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and therefore reuseport[1][2] must be used to ensure that UDP packets for the same QUIC connection are directed to the same worker. reuseport can only be enabled once, so a default_server is added to the "inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for the latter). ssl_reject_handshake[3] is enabled as that allows enabling SSL/QUIC without specifying a certificate. [1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen [2] https://lwn.net/Articles/542629/ [3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake Ref #606
This commit is contained in:
parent
8a63759e8d
commit
8dfa7e8c3e
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archive_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archive_domain }}/access.log reduced;
|
||||
|
@ -23,9 +23,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archmanweb_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain['domain_name'] }};
|
||||
|
||||
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;
|
||||
|
@ -21,9 +21,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -60,9 +58,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -98,9 +94,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ service_domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
|
@ -54,9 +54,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain['domain'] }};
|
||||
|
||||
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;
|
||||
@ -102,9 +100,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archweb_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archweb_domain }}/access.log reduced;
|
||||
|
@ -59,9 +59,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ archwiki_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ archwiki_domain }}/access.log reduced;
|
||||
|
@ -35,9 +35,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ aurweb_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
|
||||
|
@ -3,9 +3,7 @@ proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inacti
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ repos_domain }} {{repos_rsync_domain}};
|
||||
root /srv/ftp;
|
||||
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ debuginfod_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
|
||||
|
@ -23,9 +23,7 @@ limit_req_zone $binary_remote_addr zone=bbslimit:10m rate=10r/s;
|
||||
limit_req_status 429;
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ fluxbb_domain }};
|
||||
root {{ fluxbb_dir }};
|
||||
index index.php;
|
||||
|
@ -25,9 +25,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ grafana_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ grafana_domain }}/access.log main;
|
||||
|
@ -24,9 +24,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ hedgedoc_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ hedgedoc_domain }}/access.log main;
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ keycloak_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ keycloak_domain }}/access.log reduced;
|
||||
|
@ -35,9 +35,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ lists_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ lists_domain }}/access.log main;
|
||||
|
@ -17,9 +17,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -56,9 +54,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
@ -94,9 +90,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ service_domain }};
|
||||
|
||||
access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
|
||||
|
@ -22,9 +22,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ matrix_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ matrix_domain }}/access.log reduced;
|
||||
|
@ -1,9 +1,7 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ item.value.mirror_domain }};
|
||||
root {{ item.value.target }};
|
||||
|
||||
|
@ -18,9 +18,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
|
||||
|
||||
access_log /var/log/nginx/{{ domain }}/access.log reduced;
|
||||
|
@ -1,3 +1,4 @@
|
||||
letsencrypt_validation_dir: "/var/lib/letsencrypt"
|
||||
nginx_firewall_zone:
|
||||
nginx_extra_modules: []
|
||||
nginx_enable_http3: false
|
||||
|
@ -19,11 +19,12 @@
|
||||
- snippets
|
||||
|
||||
- name: Copy snippets
|
||||
template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644
|
||||
template: src={{ item }} dest=/etc/nginx/snippets/{{ item | regex_replace('\\.j2$', '') }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- letsencrypt.conf
|
||||
- sslsettings.conf
|
||||
- headers.conf
|
||||
- listen-443.conf.j2
|
||||
notify:
|
||||
- Reload nginx
|
||||
|
||||
@ -66,6 +67,7 @@
|
||||
with_items:
|
||||
- http
|
||||
- https
|
||||
- "{{ 'http3' if nginx_enable_http3 else omit }}"
|
||||
when: configure_firewall
|
||||
tags:
|
||||
- firewall
|
||||
|
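Review bot: `"{{ 'http3' if nginx_enable_http3 else omit }}"` inside with_items does not remove the element when HTTP/3 is disabled; `omit` only takes effect when it is the value of a module parameter, so the loop still runs a third iteration whose item is the omit placeholder, and what the firewall module (its line is above this hunk, outside the visible change) does with an omitted service parameter is not visible here. Building the list explicitly makes the loop exact: `with_items: "{{ ['http', 'https'] + (['http3'] if nginx_enable_http3 else []) }}"`. Note also that setting nginx_enable_http3 back to false on a host where it was once true would presumably leave the already-opened http3 service in place, since this task only adds; if the slow rollout may be rolled back, a matching task guarded by `when: not nginx_enable_http3` that removes the service is worth adding.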
@ -1 +1,4 @@
|
||||
add_header Strict-Transport-Security $hsts_header always;
|
||||
{% if nginx_enable_http3 %}
|
||||
add_header Alt-Svc $alt_svc_header always;
|
||||
{% endif %}
|
||||
|
7
roles/nginx/templates/listen-443.conf.j2
Normal file
@ -0,0 +1,7 @@
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
{% if nginx_enable_http3 %}
|
||||
listen 443 quic;
|
||||
listen [::]:443 quic;
|
||||
{% endif %}
|
||||
http2 on;
|
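Review bot: The new `listen 443 quic;` / `listen [::]:443 quic;` lines expose a UDP listener to any source address, and nothing in this commit turns on QUIC address validation, which nginx leaves off by default. Consider adding `quic_retry on;` to the http block of nginx.conf (it is a directive, not a listen parameter, so it cannot live in this snippet) so that an unvalidated source receives a Retry before the server commits handshake state, which bounds what a spoofed-source flood can make a worker do. A conforming QUIC server still applies RFC 9000's 3x anti-amplification limit without it, so this is a hardening caveat rather than a breakage, but it is the check a reviewer would expect alongside the first QUIC listener.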
@ -1,6 +1,14 @@
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
listen 443 default_server ssl;
|
||||
listen [::]:443 default_server ssl;
|
||||
{% if nginx_enable_http3 %}
|
||||
listen 443 default_server quic reuseport;
|
||||
listen [::]:443 default_server quic reuseport;
|
||||
{% endif %}
|
||||
http2 on;
|
||||
ssl_reject_handshake on;
|
||||
root /srv/http;
|
||||
|
||||
include snippets/letsencrypt.conf;
|
||||
|
@ -27,12 +27,13 @@ http {
|
||||
log_format main
|
||||
'$remote_addr $host $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for" $request_time';
|
||||
'"$http_user_agent" "$http_x_forwarded_for" $request_time'
|
||||
'$server_protocol';
|
||||
|
||||
log_format reduced
|
||||
'$host [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent"';
|
||||
'"$http_user_agent" $server_protocol';
|
||||
|
||||
log_format json_main escape=json
|
||||
'{'
|
||||
@ -48,6 +49,7 @@ http {
|
||||
'"http_user_agent":"$http_user_agent",'
|
||||
'"http_x_forwarded_for":"$http_x_forwarded_for",'
|
||||
'"request_time":"$request_time",'
|
||||
'"server_protocol":"$server_protocol",'
|
||||
# This was added to keep every log line unique as Loki drops
|
||||
# log line with the same timestamp and log text:
|
||||
# https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
|
||||
@ -65,6 +67,7 @@ http {
|
||||
'"body_bytes_sent":"$body_bytes_sent",'
|
||||
'"http_referrer":"$http_referer",'
|
||||
'"http_user_agent":"$http_user_agent",'
|
||||
'"server_protocol":"$server_protocol",'
|
||||
# This was added to keep every log line unique as Loki drops
|
||||
# log line with the same timestamp and log text:
|
||||
# https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
|
||||
|
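Review bot: In the `main` log_format the new `'$server_protocol'` fragment is concatenated straight onto `$request_time'` with no separator, so the logged fields run together as e.g. `0.004HTTP/2.0`; the `reduced` format below gets it right with `'"$http_user_agent" $server_protocol'`. Change the last two fragments to `'"$http_user_agent" "$http_x_forwarded_for" $request_time '` followed by `'$server_protocol';`, or put the space in front of `$server_protocol`. Anything that splits the main access log on whitespace — presumably the Loki ingestion the json_main comment refers to — would otherwise read a corrupted request_time field.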
@ -18,4 +18,17 @@ map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubdomains; preload";
|
||||
}
|
||||
|
||||
{% if nginx_enable_http3 %}
|
||||
# Chrome, Firefox and curl only use the header from secure origins.
|
||||
# https://issues.chromium.org/issues/40471032
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1730935
|
||||
# https://everything.curl.dev/libcurl-http/alt-svc.html
|
||||
# See headers.conf for the Alt-Svc add_header line.
|
||||
map $scheme $alt_svc_header {
|
||||
# Keep a low max-age for HTTP/3 while testing.
|
||||
# Bump to 2592000 when we are done testing.
|
||||
https 'h3=":443"; ma=3600';
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
resolver 127.0.0.53;
|
||||
|
@ -2,9 +2,7 @@ server {
|
||||
# We don't redirect to HTTPS because a redirect is considered a captive portal.
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ ping_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ ping_domain }}/access.log reduced;
|
||||
|
@ -17,9 +17,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ public_domain }} www.{{ public_domain }};
|
||||
root /srv/public_html;
|
||||
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ rebuilderd_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
|
||||
|
@ -9,9 +9,7 @@ map $uri ${{ redirect.map | hash('md5') }} {
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ redirect.domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ redirect.domain }}/access.log reduced;
|
||||
|
@ -1,9 +1,7 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ repos_rsync_domain }};
|
||||
root /srv/ftp;
|
||||
|
||||
|
@ -29,9 +29,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ security_tracker_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
|
||||
|
@ -16,9 +16,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ sources_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ sources_domain }}/access.log reduced;
|
||||
|
@ -2,9 +2,7 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
include snippets/listen-443.conf;
|
||||
server_name {{ domain }};
|
||||
root /srv/ftp;
|
||||
|
||||
|