mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
fail2ban-incremental-ban
infrastructure/roles/dbscripts/templates/nginx.d.conf.j2
Jelle van der Waa 05d8933ebd dbscripts: export state repository over https using nginx 
Nginx does not directly support cgi scripts so we rely on fcgiwrap. All
git repositories under /srv/repos are exported if they have a special
git-daemon-export-ok file in their .git directory.
2023-05-22 13:04:27 +00:00

73 lines
2.3 KiB
Django/Jinja
Raw Permalink Blame History

proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inactive=60m;
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ repos_domain }} {{repos_rsync_domain}};
root /srv/ftp;
include snippets/letsencrypt.conf;
ssl_certificate /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
access_log /var/log/nginx/{{ repos_domain }}/access.log reduced;
access_log /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
location = /lastupdate {
allow all;
}
location ~ /git(/.*) {
fastcgi_pass unix:/run/fcgiwrap.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param GIT_PROJECT_ROOT /srv/repos;
fastcgi_param PATH_INFO $1;
}
location / {
satisfy any;
auth_request /devel/mirrorauth/;
{% for host in groups['buildservers'] | sort %}
# {{ host }}
{% for address in ['ipv4_address', 'ipv6_address'] if address in hostvars[host] %}
allow {{ hostvars[host][address] }};
{% else %}
# no addresses defined in hostvars
{% endfor %}
{% endfor %}
autoindex on;
}
location = /devel/mirrorauth/ {
internal;
# Do not pass the request body, only http authorisation header is required
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# Proxy headers
proxy_set_header Host "archlinux.org";
proxy_set_header X-Sent-From "{{ vault_archweb_x_sent_from_secret }}";
# Cache responses from the auth proxy
proxy_cache auth_cache;
proxy_cache_key $scheme$proxy_host$uri$http_authorization;
# Minimize the number of requests to archweb
proxy_cache_lock on;
proxy_cache_use_stale updating;
# Authentication to archweb
proxy_pass https://archlinux.org;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
}
}
View Git Blame Copy Permalink