Kristian Klausen 8dfa7e8c3e
nginx: Add plumbing for enabling HTTP/3 conditionally
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC, which is built on UDP. UDP is connectionless, so
reuseport[1][2] must be used to ensure that all UDP packets belonging to
the same QUIC connection are directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
2024-08-17 21:53:32 +02:00

71 lines
3.1 KiB
Django/Jinja

# Plain-HTTP vhost for the archive: only serves the ACME challenge path
# (via the shared letsencrypt snippet) and redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name {{ archive_domain }};
    access_log /var/log/nginx/{{ archive_domain }}/access.log reduced;
    access_log /var/log/nginx/{{ archive_domain }}/access.log.json json_reduced;
    error_log /var/log/nginx/{{ archive_domain }}/error.log;
    # ACME HTTP-01 challenge handling; must stay reachable over plain HTTP.
    include snippets/letsencrypt.conf;
    location / {
        # Redirects are noise in the access log; they are logged on the 443 vhost.
        access_log off;
        # Redirect target is built from $server_name (the configured name), not
        # from the client-supplied Host header, so a forged Host cannot turn
        # this into a redirect to an attacker-chosen domain.
        return 301 https://$server_name$request_uri;
    }
}
# HTTPS vhost serving the package archive from archive_dir. Lookups fall
# through three tiers: /.all/ -> /packages/<first-char>/<pkg>/ -> archive.org.
server {
    # The 443 listen directives (and HTTP/3, where enabled per host) live in
    # the shared snippet so they can be toggled by the nginx role.
    include snippets/listen-443.conf;
    server_name {{ archive_domain }};
    access_log /var/log/nginx/{{ archive_domain }}/access.log reduced;
    access_log /var/log/nginx/{{ archive_domain }}/access.log.json json_reduced;
    error_log /var/log/nginx/{{ archive_domain }}/error.log;
    ssl_certificate /etc/letsencrypt/live/{{ archive_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ archive_domain }}/privkey.pem;
    # NOTE(review): presumably used for OCSP stapling configured in a shared
    # snippet; nothing in this file enables stapling itself - verify.
    ssl_trusted_certificate /etc/letsencrypt/live/{{ archive_domain }}/chain.pem;
    root {{ archive_dir }};
    # Tier 1: flat /.all/ directory. The nested regex pulls the package name,
    # version, release, arch and optional .sig out of the filename into named
    # captures that the @archive1 fallback below reuses.
    location /.all/ {
        # XXX: This regex is reused for /repos/ below! Change both if you change this!
        # NOTE(review): the "." in "^/.all/" is an unescaped regex dot. It is
        # harmless here because the enclosing prefix location already requires a
        # literal "/.all/", but "^/\.all/" would be the strict form.
        location ~ ^/.all/(?<filename>(?<pkgname>(?<pkgname_first_char>[^/])[^/]*)-(?<pkgver>[^-/]+)-(?<pkgrel>[0-9.]+)-(?<arch>[^-/]+)\.pkg\.tar(|\.(gz|bz2|xz|zst|lrz|lzo|Z|lz4|lz))(?<sig>\.sig)?)$ {
            # https://stackoverflow.com/questions/22512112/nginx-rewrite-proxy-if-file-not-exists
            # Serve the file if present, otherwise fall back to the per-package tree.
            try_files $uri @archive1;
        }
    }
    # Tier 2: /repos/<id>/... and /packages/... trees. Same filename regex as
    # above; a miss falls back to archive.org via @archive2.
    # XXX: This regex is the same as for .all above. Change both if you change this!
    location ~ ^/(?:repos/\d+/.*|packages/.*)/(?<filename>(?<pkgname>(?<pkgname_first_char>[^/])[^/]*)-(?<pkgver>[^-/]+)-(?<pkgrel>[0-9.]+)-(?<arch>[^-/]+)\.pkg\.tar(|\.(gz|bz2|xz|zst|lrz|lzo|Z|lz4|lz))(?<sig>\.sig)?)$ {
        # https://stackoverflow.com/questions/22512112/nginx-rewrite-proxy-if-file-not-exists
        try_files $uri @archive2;
    }
    # Tier 3: archive.org download URLs look like:
    # https://archive.org/download/archlinux_pkg_lucene__/lucene++-1.4.2-3-i686.pkg.tar.xz
    # We need to remove @.+ in the identifier (archlinux_pkg_*) but keep it in the filename at the end.
    location /archive.org/ {
        # Rewrite @, + and . into _
        # This is recursive so it will work even for multiple replacement,
        # with up to 10 replacements for each character (nginx recursion limit).
        # Idea from https://stackoverflow.com/a/15934256
        # Each rewrite below only touches the identifier segment (everything
        # before the last "/"); the trailing filename capture is kept verbatim.
        # Beyond nginx's 10-cycle limit the request is aborted rather than looping.
        rewrite ^/archive\.org/([^@]*)@(.*)/(.*)$ /archive.org/$1_$2/$3;
        rewrite ^/archive\.org/([^\.]*)\.(.*)/(.*)$ /archive.org/$1_$2/$3;
        rewrite ^/archive\.org/([^\+]*)\+(.*)/(.*)$ /archive.org/$1_$2/$3;
        # Once there are no more @.+ in the identifier part, redirect to archive.org
        # The host is fixed and only the path is client-derived, so this is not
        # an open redirect. "redirect" issues a temporary (302) redirect.
        rewrite ^/archive\.org/([^@\+\.]*/.*)$ https://archive.org/download/$1 redirect;
    }
    # Fallback from /.all/: retry under /packages/<first-char>/<pkgname>/.
    # No rewrite flag, so nginx re-runs location matching on the new URI, which
    # lands in the /repos|/packages regex location above (and thus can still
    # fall through to @archive2).
    location @archive1 {
        rewrite ^ /packages/$pkgname_first_char/$pkgname/$filename;
    }
    # Fallback from /repos|/packages: hand off to the /archive.org/ location.
    # "last" stops rewrite processing and starts a fresh location search.
    location @archive2 {
        rewrite ^ /archive.org/archlinux_pkg_$pkgname/$filename last;
    }
    # Directory listings are intentionally public: this is a package archive and
    # browsing the tree is part of the service. Do not place anything under
    # archive_dir that must not be enumerable.
    autoindex on;
    autoindex_exact_size off;
}