mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
161 lines
5.1 KiB
Django/Jinja
161 lines
5.1 KiB
Django/Jinja
upstream cgit {
|
|
server unix://{{ cgit_socket }};
|
|
}
|
|
|
|
upstream smartgit {
|
|
server unix://{{ smartgit_socket }};
|
|
}
|
|
|
|
# limit Git requests to block Git DoS attempts.
|
|
# # grep aurwebgitlimit /var/log/nginx/aur.archlinux.org/error.log | awk '{ print $14 }' | sort | uniq | sort
|
|
limit_req_zone $binary_remote_addr zone=aurwebgitlimit:10m rate=30r/m;
|
|
|
|
# limit general requests to 20 r/s to block DoS attempts.
|
|
limit_req_zone $binary_remote_addr zone=aurweblimit:10m rate=20r/s;
|
|
|
|
limit_req_status 429;
|
|
|
|
# needed for long server names (dev box)
|
|
server_names_hash_bucket_size 128;
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ aurweb_domain }};
|
|
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log.json json_main;
|
|
error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
|
|
|
|
include snippets/letsencrypt.conf;
|
|
|
|
location / {
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
include snippets/listen-443.conf;
|
|
server_name {{ aurweb_domain }};
|
|
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
|
|
access_log /var/log/nginx/{{ aurweb_domain }}/access.log.json json_main;
|
|
error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ aurweb_domain }}/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/chain.pem;
|
|
|
|
root {{ aurweb_dir }}/static;
|
|
index index.php;
|
|
|
|
location = /robots.txt {
|
|
alias {{ aurweb_dir }}/robots.txt;
|
|
}
|
|
|
|
# redirect /tu to /package-maintainer for external links
|
|
location ~ ^/tu($|/.*) {
|
|
return 301 https://aur.archlinux.org/package-maintainer$1;
|
|
}
|
|
|
|
#
|
|
# smartgit location for Git Archive repositories
|
|
# Should be shallow-cloned:
|
|
# `git clone --depth=1 https://aur_location/archives/metadata.git`
|
|
#
|
|
# Routes:
|
|
# - /archives/metadata.git
|
|
# - /archives/users.git
|
|
# - /archives/pkgbases.git
|
|
# - /archives/pkgnames.git
|
|
#
|
|
location ~ "^/archives/(metadata|users|pkgbases|pkgnames)(\.git)/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))" {
|
|
include uwsgi_params;
|
|
uwsgi_pass smartgit;
|
|
uwsgi_modifier1 9;
|
|
uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
|
|
uwsgi_param PATH_INFO /$1.git/$3;
|
|
uwsgi_param GIT_HTTP_EXPORT_ALL "";
|
|
uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }};
|
|
}
|
|
|
|
#
|
|
# smartgit location for AUR package git repository
|
|
# Clone packages:
|
|
# `git clone https://aur_location/pkgname.git`
|
|
#
|
|
location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
|
|
limit_req zone=aurwebgitlimit burst=900 nodelay;
|
|
include uwsgi_params;
|
|
uwsgi_pass smartgit;
|
|
uwsgi_modifier1 9;
|
|
uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
|
|
uwsgi_param PATH_INFO /aur.git/$3;
|
|
uwsgi_param GIT_HTTP_EXPORT_ALL "";
|
|
uwsgi_param GIT_NAMESPACE $1;
|
|
uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }};
|
|
}
|
|
|
|
location ~ ^/cgit {
|
|
limit_req zone=aurwebgitlimit burst=300 nodelay;
|
|
include uwsgi_params;
|
|
rewrite ^/cgit/([^?/]+/[^?]*)?(?:\?(.*))?$ /cgit.cgi?url=$1&$2 last;
|
|
uwsgi_modifier1 9;
|
|
uwsgi_param CGIT_CONFIG {{ aurweb_conf_dir }}/cgitrc;
|
|
uwsgi_pass cgit;
|
|
}
|
|
|
|
location ~ \.gz$ {
|
|
root {{ aurweb_dir }}/archives;
|
|
default_type text/plain;
|
|
include snippets/headers.conf;
|
|
add_header Content-Encoding gzip;
|
|
expires 5m;
|
|
}
|
|
|
|
location ~ ^/static/(?:css|js|images)/ {
|
|
rewrite ^/static(/.*)$ $1 break;
|
|
|
|
expires 7d;
|
|
include snippets/headers.conf;
|
|
add_header Pragma public;
|
|
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
|
|
}
|
|
|
|
location /rpc {
|
|
rewrite ^/rpc.php /rpc last;
|
|
proxy_pass http://127.0.0.1:10666/rpc;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
}
|
|
|
|
location = /rpc/metrics {
|
|
if ($http_authorization != "Bearer {{ vault_goaurrpc_metrics_token }}") {
|
|
return 403;
|
|
}
|
|
|
|
proxy_pass http://127.0.0.1:10666/metrics;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
}
|
|
|
|
location / {
|
|
{% block asgi_proxy %}
|
|
# Proxy over to aurweb's ASGI application.
|
|
proxy_pass http://{{ aurweb_asgi_bind }};
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Ssl on;
|
|
{% endblock %}
|
|
|
|
limit_req zone=aurweblimit burst=10 nodelay;
|
|
}
|
|
|
|
location = /metrics {
|
|
if ($http_authorization != "Bearer {{ vault_aurweb_metrics_token }}") {
|
|
return 403;
|
|
}
|
|
|
|
{{ self.asgi_proxy() }}
|
|
}
|
|
}
|