mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
7b14027a45
> 2024/06/02 11:05:53 \[warn\] 30324#30324: the "listen ... http2" directive is deprecated, use the "http2" directive instead Fixes https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/589
74 lines
2.3 KiB
Django/Jinja
74 lines
2.3 KiB
Django/Jinja
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inactive=60m;
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
http2 on;
|
|
server_name {{ repos_domain }} {{repos_rsync_domain}};
|
|
root /srv/ftp;
|
|
|
|
include snippets/letsencrypt.conf;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
|
|
|
|
access_log /var/log/nginx/{{ repos_domain }}/access.log reduced;
|
|
access_log /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
|
|
|
|
location = /lastupdate {
|
|
allow all;
|
|
}
|
|
|
|
location ~ /git(/.*) {
|
|
fastcgi_pass unix:/run/fcgiwrap.sock;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
|
|
fastcgi_param GIT_PROJECT_ROOT /srv/repos;
|
|
fastcgi_param PATH_INFO $1;
|
|
}
|
|
|
|
location / {
|
|
satisfy any;
|
|
auth_request /devel/mirrorauth/;
|
|
|
|
{% for host in groups['buildservers'] | sort %}
|
|
# {{ host }}
|
|
{% for address in ['ipv4_address', 'ipv6_address'] if address in hostvars[host] %}
|
|
allow {{ hostvars[host][address] }};
|
|
{% else %}
|
|
# no addresses defined in hostvars
|
|
{% endfor %}
|
|
|
|
{% endfor %}
|
|
autoindex on;
|
|
}
|
|
|
|
location = /devel/mirrorauth/ {
|
|
internal;
|
|
|
|
# Do not pass the request body, only http authorisation header is required
|
|
proxy_pass_request_body off;
|
|
proxy_set_header Content-Length "";
|
|
|
|
# Proxy headers
|
|
proxy_set_header Host "archlinux.org";
|
|
proxy_set_header X-Sent-From "{{ vault_archweb_x_sent_from_secret }}";
|
|
|
|
# Cache responses from the auth proxy
|
|
proxy_cache auth_cache;
|
|
proxy_cache_key $scheme$proxy_host$uri$http_authorization;
|
|
|
|
# Minimize the number of requests to archweb
|
|
proxy_cache_lock on;
|
|
proxy_cache_use_stale updating;
|
|
|
|
# Authentication to archweb
|
|
proxy_pass https://archlinux.org;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
|
}
|
|
}
|