mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
master
infrastructure/roles/dbscripts/templates/nginx.d.conf.j2
Kristian Klausen 8dfa7e8c3e
nginx: Add plumbing for enabling HTTP/3 conditionally 
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
2024-08-17 21:53:32 +02:00

78 lines
2.5 KiB
Django/Jinja
Raw Permalink Blame History

proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inactive=60m;
server {
listen 80;
listen [::]:80;
include snippets/listen-443.conf;
server_name {{ repos_domain }} {{repos_rsync_domain}};
root /srv/ftp;
include snippets/letsencrypt.conf;
ssl_certificate /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
access_log /var/log/nginx/{{ repos_domain }}/access.log reduced;
access_log /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
location = /lastupdate {
allow all;
}
location ~ /git(/.*) {
fastcgi_pass unix:/run/fcgiwrap.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param GIT_PROJECT_ROOT /srv/repos;
fastcgi_param PATH_INFO $1;
}
location / {
satisfy any;
auth_request /devel/mirrorauth/;
{% for host in groups['buildservers'] | sort %}
# {{ host }}
{% for address in ['ipv4_address', 'ipv6_address'] if address in hostvars[host] %}
allow {{ hostvars[host][address] }};
{% else %}
# no addresses defined in hostvars
{% endfor %}
{% endfor %}
autoindex on;
}
location = /devel/mirrorauth/ {
# Authentication to archweb
internal;
proxy_pass https://archlinux.org;
# Do not pass the request body, only http authorisation header is required
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# Proxy headers
proxy_set_header Host $proxy_host;
proxy_set_header X-Sent-From "{{ vault_archweb_x_sent_from_secret }}";
# Cache responses from the auth proxy
proxy_cache auth_cache;
proxy_cache_key $scheme$proxy_host$uri$http_authorization;
# Minimize the number of requests to archweb
proxy_cache_lock on;
proxy_cache_use_stale updating;
proxy_cache_background_update on;
# Verify destination TLS cert
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# Send SNI with TLS handshake
proxy_ssl_server_name on;
proxy_ssl_name $proxy_host;
}
}
View Git Blame Copy Permalink