We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.
Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.
HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection are directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.
[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake
Ref #606
Fixes: 98f209484f7f4b28eaafda3b973bd824f6b72236 ("fluxbb: update the navbar url from bugs to gitlab")
Signed-off-by: Christian Heusel <christian@heusel.eu>
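The listen layout the message describes, written out as an added example (not the repository's own template): a default_server vhost that owns reuseport on the QUIC socket and uses ssl_reject_handshake instead of a certificate, beside the per-host snippet that is rendered with or without the QUIC lines. The snippet path, the `http2 on;` directive and the Alt-Svc header are assumptions not taken from the commit; Alt-Svc is how a client learns that h3 is available on the same port.

```nginx
# --- "inventory_hostname" vhost: the only server with reuseport ---------
# reuseport may appear once per address:port, so it lives here; no
# certificate is configured because ssl_reject_handshake closes any TLS
# handshake for a name that matched no real vhost.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    listen 443 quic reuseport default_server;
    listen [::]:443 quic reuseport default_server;

    ssl_reject_handshake on;
}

# --- snippets/listen-443.conf (assumed name), included by every vhost ----
# Rendered by the nginx role. A host with HTTP/3 disabled gets only the
# first three lines; enabling it per host adds the quic listeners and the
# Alt-Svc advertisement. No reuseport here: the default_server above
# already put the UDP socket into reuseport mode for this port.
listen 443 ssl;
listen [::]:443 ssl;
http2 on;                       # nginx 1.25.1+; older: "listen 443 ssl http2;"

listen 443 quic;
listen [::]:443 quic;
add_header Alt-Svc 'h3=":443"; ma=86400';
```

After a rollout, `nginx -t` validates the rendered config and `ss -ulnp | grep ':443'` confirms a single UDP 443 socket per worker is bound.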
These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.
yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
The gitdirs are just clones of public repos and don't seem to contain
anything sensitive but better safe than sorry.
Thanks to Christian Rebischke <chris@shibumi.dev>
Someone has made a conky script that hits the RSS feed every second, so nginx
now limits that to once per minute, returning 503 instead at other times. A
burst is also in place to prevent genuine users being blocked.