mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
increase-debuginfod
infrastructure/roles/matrix/templates/nginx.d.conf.j2
Kristian Klausen 8dfa7e8c3e
nginx: Add plumbing for enabling HTTP/3 conditionally 
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
2024-08-17 21:53:32 +02:00

88 lines
2.9 KiB
Django/Jinja
Raw Permalink Blame History

{% for config in matrix_nginx_config %}
upstream matrix_{{ config.name }} {
server 127.0.0.1:{{ config.port }};
}
{% endfor %}
server {
listen 80;
listen [::]:80;
server_name {{ matrix_domain }};
access_log /var/log/nginx/{{ matrix_domain }}/access.log reduced;
access_log /var/log/nginx/{{ matrix_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ matrix_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
access_log off;
return 301 https://$server_name$request_uri;
}
}
server {
include snippets/listen-443.conf;
server_name {{ matrix_domain }};
access_log /var/log/nginx/{{ matrix_domain }}/access.log reduced;
access_log /var/log/nginx/{{ matrix_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ matrix_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ matrix_domain }}/chain.pem;
{% for config in matrix_nginx_config %}
# {{ config.name }}
{% for location in config.locations %}
{% if location is string %}
{% set location = { 'path': location } %}
{% endif %}
location {{ location.path }} {
access_log /var/log/nginx/{{ matrix_domain }}/access.log main;
access_log /var/log/nginx/{{ matrix_domain }}/access.log.json json_main;
{% if location.add_cors | default(false) %}
include snippets/headers.conf;
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, HEAD, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization, Date";
{% endif %}
proxy_pass http://matrix_{{ config.name }}{{ location.pass | default('') }};
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_read_timeout 900s;
client_max_body_size {{ matrix_max_upload_size }};
}
{% endfor %}
{% endfor %}
{% for ep in matrix_metrics_endpoints %}
location = /metrics/{{ ep.name }} {
if ($http_authorization != "Bearer {{ vault_matrix_metrics_token }}") {
return 403;
}
proxy_pass http://127.0.0.1:{{ ep.port }}/{{ ep.path | default('') }};
}
{% endfor %}
location = /metrics {
if ($http_authorization != "Bearer {{ vault_matrix_metrics_token }}") {
return 403;
}
default_type text/plain;
return 200 "Available endpoints:\n{% for ep in matrix_metrics_endpoints %} /metrics/{{ ep.name }}\n{% endfor %}";
}
location = / {
default_type text/plain;
return 200 "Nothing to see here.";
}
location / {
return 404;
}
}
View Git Blame Copy Permalink