mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
b3959d7c9c
archlinux.org started rejecting connections without SNI because of experiments with deploying HTTP/3. See: https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/850
80 lines
2.6 KiB
Django/Jinja
80 lines
2.6 KiB
Django/Jinja
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inactive=60m;
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
http2 on;
|
|
server_name {{ repos_domain }} {{repos_rsync_domain}};
|
|
root /srv/ftp;
|
|
|
|
include snippets/letsencrypt.conf;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
|
|
|
|
access_log /var/log/nginx/{{ repos_domain }}/access.log reduced;
|
|
access_log /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
|
|
|
|
location = /lastupdate {
|
|
allow all;
|
|
}
|
|
|
|
location ~ /git(/.*) {
|
|
fastcgi_pass unix:/run/fcgiwrap.sock;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
|
|
fastcgi_param GIT_PROJECT_ROOT /srv/repos;
|
|
fastcgi_param PATH_INFO $1;
|
|
}
|
|
|
|
location / {
|
|
satisfy any;
|
|
auth_request /devel/mirrorauth/;
|
|
|
|
{% for host in groups['buildservers'] | sort %}
|
|
# {{ host }}
|
|
{% for address in ['ipv4_address', 'ipv6_address'] if address in hostvars[host] %}
|
|
allow {{ hostvars[host][address] }};
|
|
{% else %}
|
|
# no addresses defined in hostvars
|
|
{% endfor %}
|
|
|
|
{% endfor %}
|
|
autoindex on;
|
|
}
|
|
|
|
location = /devel/mirrorauth/ {
|
|
# Authentication to archweb
|
|
internal;
|
|
proxy_pass https://archlinux.org;
|
|
|
|
# Do not pass the request body, only http authorisation header is required
|
|
proxy_pass_request_body off;
|
|
proxy_set_header Content-Length "";
|
|
|
|
# Proxy headers
|
|
proxy_set_header Host $proxy_host;
|
|
proxy_set_header X-Sent-From "{{ vault_archweb_x_sent_from_secret }}";
|
|
|
|
# Cache responses from the auth proxy
|
|
proxy_cache auth_cache;
|
|
proxy_cache_key $scheme$proxy_host$uri$http_authorization;
|
|
|
|
# Minimize the number of requests to archweb
|
|
proxy_cache_lock on;
|
|
proxy_cache_use_stale updating;
|
|
proxy_cache_background_update on;
|
|
|
|
# Verify destination TLS cert
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
|
|
|
# Send SNI with TLS handshake
|
|
proxy_ssl_server_name on;
|
|
proxy_ssl_name $proxy_host;
|
|
}
|
|
}
|