infrastructure/roles/mailman/templates/nginx.d.conf.j2

# limit general requests to 2 r/s to block DoS attempts.
limit_req_zone $binary_remote_addr zone=mailmanlimit:10m rate=2r/s;

limit_req_status 429;

# This is for POSTORIUS_TEMPLATE_BASE_URL and mailman_hyperkitty.Archiver's base_url.
server {
    listen       8000;
    listen       [::]:8000;
    server_name  localhost;

    access_log off;

    location / {
      include /etc/nginx/uwsgi_params;
      uwsgi_pass unix:/run/mailman-web/mailman-web.sock;
    }
}

server {
    listen       80;
    listen       [::]:80;
    server_name  {{ lists_domain }};

    access_log   /var/log/nginx/{{ lists_domain }}/access.log main;
    access_log   /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
    error_log    /var/log/nginx/{{ lists_domain }}/error.log;

    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  {{ lists_domain }};

    access_log   /var/log/nginx/{{ lists_domain }}/access.log main;
    access_log   /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
    error_log    /var/log/nginx/{{ lists_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ lists_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;

    location /static/ {
      alias /var/lib/mailman-web/static/;
    }

    location /pipermail/ {
        alias /var/lib/mailman2/archives/public/;
    }

    location / {
      limit_req zone=mailmanlimit burst=5 nodelay;
      include /etc/nginx/uwsgi_params;
      uwsgi_pass unix:/run/mailman-web/mailman-web.sock;
    }
}