diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
| commit | ef430522256013665205cdda05636846cc622251 (patch) | |
| tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/git/files/etc | |
| parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) | |
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/git/files/etc')
| -rw-r--r-- | roles/git/files/etc/nginx/sites-available/git | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index ca71e0d..0ec65e2 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -10,43 +10,43 @@ server { error_log /var/log/nginx/git.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name git.fripost.org; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; include snippets/headers.conf; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="HOoiXgC7tolzZ31b65UzbAKhpCCA7I0iNdO7NEuL0lU="; pin-sha256="7F+6dSG3D3X3SSLXmb4GWWqUViztamLmmCBlYCi4a10="; max-age=15778800'; + ssl_certificate ssl/git.fripost.org.pem; + ssl_certificate_key ssl/git.fripost.org.key; + include snippets/git.fripost.org.hpkp-hdr; location ^~ /static/ { alias /usr/share/cgit/; expires 30d; } # Bypass the CGI to return static files stored on disk. Try first repo with # a trailing '.git', then without. location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { root /var/lib/gitolite/repositories; try_files /$1.git/objects/$2 /$1/objects/$2 =404; expires 30d; gzip off; # TODO honor git-daemon-export-ok } # disallow push over HTTP/HTTPS location ~* "^/[^/]+/git-receive-pack$" { return 403; } location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" { |