mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
disable-oom-alert-on-build-machines
infrastructure/roles/ping/templates/nginx.d.conf.j2
Kristian Klausen 8dfa7e8c3e
nginx: Add plumbing for enabling HTTP/3 conditionally 
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
2024-08-17 21:53:32 +02:00

37 lines
1.2 KiB
Django/Jinja
Raw Permalink Blame History

server {
# We don't redirect to HTTPS because a redirect is considered a captive portal.
listen 80;
listen [::]:80;
include snippets/listen-443.conf;
server_name {{ ping_domain }};
access_log /var/log/nginx/{{ ping_domain }}/access.log reduced;
access_log /var/log/nginx/{{ ping_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ ping_domain }}/error.log;
include snippets/letsencrypt.conf;
ssl_certificate /etc/letsencrypt/live/{{ ping_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ping_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ping_domain }}/chain.pem;
default_type text/plain;
location = / {
return 200 'This domain is used for connectivity checking (captive portal detection).\n';
}
# https://man.archlinux.org/man/NetworkManager.conf.5#CONNECTIVITY_SECTION
location = /nm-check.txt {
access_log off;
include snippets/headers.conf;
add_header Cache-Control "max-age=0, must-revalidate";
return 200 'NetworkManager is online\n';
}
location / {
access_log off;
return 404;
}
}
View Git Blame Copy Permalink