mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
8dfa7e8c3e
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing and makes it possible to enable it per host. Instead of adding the conditional logic to each nginx template, the 443 listen config is moved out into a snippet which is managed by the nginx role. HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and therefore reuseport[1][2] must be used to ensure that UDP packets for the same QUIC connection is directed to the same worker. reuseport can only be enabled once, so a default_server is added to the "inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for the latter). ssl_reject_handshake[3] is enabled as that allows enabling SSL/QUIC without specifying a certificate. [1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen [2] https://lwn.net/Articles/542629/ [3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake Ref #606
63 lines
2.0 KiB
Django/Jinja
63 lines
2.0 KiB
Django/Jinja
upstream archmanweb {
|
|
server unix:///run/uwsgi/archmanweb.sock;
|
|
}
|
|
|
|
limit_req_zone $binary_remote_addr zone=archmanweb_limit:10m rate=2r/s;
|
|
limit_req_status 429;
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ archmanweb_domain }};
|
|
|
|
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
|
|
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log.json json_reduced;
|
|
error_log /var/log/nginx/{{ archmanweb_domain }}/error.log;
|
|
|
|
include snippets/letsencrypt.conf;
|
|
|
|
location / {
|
|
access_log off;
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
include snippets/listen-443.conf;
|
|
server_name {{ archmanweb_domain }};
|
|
|
|
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
|
|
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log.json json_reduced;
|
|
error_log /var/log/nginx/{{ archmanweb_domain }}/error.log;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ archmanweb_domain }}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ archmanweb_domain }}/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ archmanweb_domain }}/chain.pem;
|
|
|
|
limit_req zone=archmanweb_limit burst=10 delay=8;
|
|
|
|
location = /favicon.ico {
|
|
alias {{ archmanweb_dir }}/repo/collected_static/archlinux-common/favicon.ico;
|
|
}
|
|
|
|
location = /robots.txt {
|
|
alias {{ archmanweb_dir }}/repo/robots.txt;
|
|
}
|
|
|
|
# Client-cache for Django's static assets
|
|
location /static/ {
|
|
expires 30d;
|
|
include snippets/headers.conf;
|
|
add_header Pragma public;
|
|
add_header Cache-Control "public";
|
|
alias {{ archmanweb_dir }}/repo/collected_static/;
|
|
}
|
|
|
|
location / {
|
|
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log main;
|
|
access_log /var/log/nginx/{{ archmanweb_domain }}/access.log.json json_main;
|
|
include uwsgi_params;
|
|
uwsgi_pass archmanweb;
|
|
}
|
|
}
|