summaryrefslogtreecommitdiffstats
path: root/roles/git/files/etc/nginx
diff options
context:
space:
mode:
Diffstat (limited to 'roles/git/files/etc/nginx')
-rw-r--r--roles/git/files/etc/nginx/sites-available/git100
1 files changed, 43 insertions, 57 deletions
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 75c1512..9e9d16e 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -1,92 +1,78 @@
server {
listen 80;
listen [::]:80;
server_name git.fripost.org;
+ include /etc/lacme/nginx.conf;
+
access_log /var/log/nginx/git.access.log;
error_log /var/log/nginx/git.error.log info;
- location ^~ /static/ {
- alias /usr/share/cgit/;
- expires 30d;
- }
-
- # Bypass the CGI to return static files stored on disk. Try first repo with
- # a trailing '.git', then without.
- location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
- root /var/lib/gitolite/repositories;
- try_files /$1.git/objects/$2 /$1/objects/$2 =404;
- expires 30d;
- # TODO honor git-daemon-export-ok
- }
-
- # disallow push over HTTP/HTTPS
- location ~* "^/[^/]+/git-receive-pack$" { return 403; }
-
- location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" {
- gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
- uwsgi_pass unix:/run/uwsgi/app/git-http-backend/socket;
- }
-
-
- # send all other URLs to cgit
location / {
- gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_pass unix:/run/uwsgi/app/cgit/socket;
+ return 301 https://$host$request_uri;
}
}
server {
- listen 443;
- listen [::]:443;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
server_name git.fripost.org;
- include ssl/config;
- ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
-
access_log /var/log/nginx/git.access.log;
error_log /var/log/nginx/git.error.log info;
- location ^~ /static/ {
- alias /usr/share/cgit/;
- expires 30d;
- }
+ include snippets/headers.conf;
+ add_header Content-Security-Policy
+ "default-src 'none'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; frame-ancestors 'none'; form-action 'self'";
- # Bypass the CGI to return static files stored on disk. Try first repo with
- # a trailing '.git', then without.
- location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
- root /var/lib/gitolite/repositories;
- try_files /$1.git/objects/$2 /$1/objects/$2 =404;
+ include snippets/ssl.conf;
+ ssl_certificate ssl/git.fripost.org.pem;
+ ssl_certificate_key ssl/git.fripost.org.key;
+ include snippets/git.fripost.org.hpkp-hdr;
+
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 256;
+ gzip_types application/javascript application/json application/xml image/svg+xml image/x-icon text/css text/plain;
+
+ location ^~ /static/ {
expires 30d;
- # TODO honor git-daemon-export-ok
+ alias /usr/share/cgit/;
}
# disallow push over HTTP/HTTPS
- location ~* "^/[^/]+/git-receive-pack$" { return 403; }
+ location ~ "^/.+/git-receive-pack$" { return 403; }
- location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" {
+ location ~ "^/.+/(?:info/refs|git-upload-pack)$" {
+ limit_except GET POST { deny all; }
+ fastcgi_buffering off;
gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
- uwsgi_pass unix:/run/uwsgi/app/git-http-backend/socket;
+
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param NO_BUFFERING "";
+
+ # cf. git-http-backend(1)
+ fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_pass unix:/run/git-http-backend.socket;
}
+ location = /robots.txt { root /usr/share/cgit; }
+ location = /favicon.ico { root /usr/share/cgit; }
# send all other URLs to cgit
location / {
- gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_pass unix:/run/uwsgi/app/cgit/socket;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_pass unix:/run/cgit.socket;
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 15:47:28 +0000