mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
f562b4e927
This should i.e. forbid crawlers to index all of the git diffs which put's unneccessary load on the server and is not really of benefit to be indexed anyways. Link: https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/610 Reviewed-by: Sven-Hendrik Haase <svenstaro@gmail.com> Reviewed-by: Levente Polyak <anthraxx@archlinux.org> Signed-off-by: Christian Heusel <christian@heusel.eu>
151 lines
4.9 KiB
Django/Jinja
151 lines
4.9 KiB
Django/Jinja
upstream cgit {
|
|
server unix://{{ cgit_socket }};
|
|
}
|
|
|
|
upstream smartgit {
|
|
server unix://{{ smartgit_socket }};
|
|
}
|
|
|
|
# limit Git requests to block Git DoS attempts.
|
|
# # grep aurwebgitlimit /var/log/nginx/aur.archlinux.org/error.log | awk '{ print $14 }' | sort | uniq | sort
|
|
limit_req_zone $binary_remote_addr zone=aurwebgitlimit:10m rate=30r/m;
|
|
|
|
# limit general requests to 20 r/s to block DoS attempts.
|
|
limit_req_zone $binary_remote_addr zone=aurweblimit:10m rate=20r/s;
|
|
|
|
limit_req_status 429;
|
|
|
|
# needed for long server names (dev box)
|
|
server_names_hash_bucket_size 128;
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ aurweb_domain }};
|
|
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log.json json_main;
|
|
error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
|
|
|
|
include snippets/letsencrypt.conf;
|
|
|
|
location / {
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
http2 on;
|
|
server_name {{ aurweb_domain }};
|
|
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log.json json_main;
|
|
error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ aurweb_domain }}/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/chain.pem;
|
|
|
|
root {{ aurweb_dir }}/static;
|
|
index index.php;
|
|
|
|
location = /robots.txt {
|
|
alias {{ aurweb_dir }}/robots.txt;
|
|
}
|
|
|
|
# redirect /tu to /package-maintainer for external links
|
|
location ~ ^/tu($|/.*) {
|
|
return 301 https://aur.archlinux.org/package-maintainer$1;
|
|
}
|
|
|
|
#
|
|
# smartgit location for Git Archive repositories
|
|
# Should be shallow-cloned:
|
|
# `git clone --depth=1 https://aur_location/archives/metadata.git`
|
|
#
|
|
# Routes:
|
|
# - /archives/metadata.git
|
|
# - /archives/users.git
|
|
# - /archives/pkgbases.git
|
|
# - /archives/pkgnames.git
|
|
#
|
|
location ~ "^/archives/(metadata|users|pkgbases|pkgnames)(\.git)/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))" {
|
|
include uwsgi_params;
|
|
uwsgi_pass smartgit;
|
|
uwsgi_modifier1 9;
|
|
uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
|
|
uwsgi_param PATH_INFO /$1.git/$3;
|
|
uwsgi_param GIT_HTTP_EXPORT_ALL "";
|
|
uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }};
|
|
}
|
|
|
|
#
|
|
# smartgit location for AUR package git repository
|
|
# Clone packages:
|
|
# `git clone https://aur_location/pkgname.git`
|
|
#
|
|
location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
|
|
limit_req zone=aurwebgitlimit burst=900 nodelay;
|
|
include uwsgi_params;
|
|
uwsgi_pass smartgit;
|
|
uwsgi_modifier1 9;
|
|
uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
|
|
uwsgi_param PATH_INFO /aur.git/$3;
|
|
uwsgi_param GIT_HTTP_EXPORT_ALL "";
|
|
uwsgi_param GIT_NAMESPACE $1;
|
|
uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }};
|
|
}
|
|
|
|
location ~ ^/cgit {
|
|
limit_req zone=aurwebgitlimit burst=300 nodelay;
|
|
include uwsgi_params;
|
|
rewrite ^/cgit/([^?/]+/[^?]*)?(?:\?(.*))?$ /cgit.cgi?url=$1&$2 last;
|
|
uwsgi_modifier1 9;
|
|
uwsgi_param CGIT_CONFIG {{ aurweb_conf_dir }}/cgitrc;
|
|
uwsgi_pass cgit;
|
|
}
|
|
|
|
location ~ \.gz$ {
|
|
root {{ aurweb_dir }}/archives;
|
|
default_type text/plain;
|
|
add_header Content-Encoding gzip;
|
|
expires 5m;
|
|
}
|
|
|
|
location ~ ^/static/(?:css|js|images)/ {
|
|
rewrite ^/static(/.*)$ $1 break;
|
|
|
|
expires 7d;
|
|
add_header Pragma public;
|
|
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
|
|
}
|
|
|
|
location /rpc {
|
|
rewrite ^/rpc.php /rpc last;
|
|
proxy_pass http://127.0.0.1:10666/rpc;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
}
|
|
|
|
location /rpc/metrics {
|
|
if ($http_authorization != "Bearer {{ vault_goaurrpc_metrics_token }}") {
|
|
return 403;
|
|
}
|
|
|
|
proxy_pass http://127.0.0.1:10666/metrics;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
}
|
|
|
|
location / {
|
|
# Proxy over to aurweb's ASGI application.
|
|
proxy_pass http://{{ aurweb_asgi_bind }};
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Ssl on;
|
|
|
|
limit_req zone=aurweblimit burst=10 nodelay;
|
|
}
|
|
}
|