# Plain-HTTP virtual host for git.fripost.org: everything not handled by the
# included lacme snippet is redirected to HTTPS.
server {
    listen      80;
    listen      [::]:80;

    server_name git.fripost.org;

    # Contents not shown here; presumably the ACME challenge handling for
    # lacme -- confirm against the snippet.
    include /etc/lacme/nginx.conf;

    access_log /var/log/nginx/git.access.log;
    error_log  /var/log/nginx/git.error.log info;

    location / {
        # NOTE(review): $host is taken from the request (request line or Host
        # header) before falling back to server_name.  If this block can ever
        # act as the default server for port 80, the redirect target is
        # client-controlled; a literal host name would avoid that.
        return 301 https://$host$request_uri;
    }
}


# HTTPS virtual host: static cgit assets, read-only Git smart HTTP through
# git-http-backend, and cgit for every other URL.
server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;

    server_name git.fripost.org;

    access_log /var/log/nginx/git.access.log;
    error_log  /var/log/nginx/git.error.log info;

    # nginx inherits add_header directives from this level only into locations
    # that define no add_header of their own.  None of the locations below do,
    # so the headers set here apply everywhere; adding an add_header inside a
    # location would silently drop them for that location.
    include snippets/headers.conf;
    # NOTE(review): 'unsafe-inline' in script-src permits inline scripts, which
    # removes most of the XSS protection the policy would otherwise give.
    # Confirm that the served pages still need it.
    add_header Content-Security-Policy
               "default-src 'none'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'";

    include             snippets/ssl.conf;
    ssl_certificate     ssl/git.fripost.org.pem;
    ssl_certificate_key ssl/git.fripost.org.key;
    # NOTE(review): the file name suggests an HTTP Public Key Pinning header
    # (contents not shown).  Current major browsers no longer honour HPKP, so
    # confirm whether this include is still wanted.
    include             snippets/git.fripost.org.hpkp-hdr;

    # "^~" stops the regex locations below from being tried for /static/ URLs.
    location ^~ /static/ {
        alias /usr/share/cgit/;
        expires 30d;
    }

    # disallow push over HTTP/HTTPS
    # Location matching ignores the query string, so a request for
    # info/refs?service=git-receive-pack is handled by the next location, not
    # this one.  No REMOTE_USER is passed to git-http-backend below, and per
    # git-http-backend(1) receive-pack is then refused unless a repository sets
    # http.receivepack -- verify that none does.
    location ~ "^/.+/git-receive-pack$" {
        return 403;
    }

    # Read-only smart HTTP (ref advertisement and fetch) via git-http-backend.
    location ~ "^/.+/(?:info/refs|git-upload-pack)$" {
        # Only GET (which implies HEAD) and POST are accepted.
        limit_except GET POST { deny all; }

        # Responses are passed through unbuffered and uncompressed.
        fastcgi_buffering off;
        gzip off;

        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        # Set to the empty string; the consumer is not shown here, presumably
        # the FastCGI wrapper behind the socket -- confirm.
        fastcgi_param NO_BUFFERING    "";

        # cf. git-http-backend(1)
        # GIT_HTTP_EXPORT_ALL is not set, so per git-http-backend(1) only
        # repositories containing a git-daemon-export-ok file are served.
        # Keep it unset unless every repository under GIT_PROJECT_ROOT is
        # meant to be public.
        fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
        fastcgi_param PATH_INFO        $uri;
        fastcgi_param CONTENT_TYPE     $content_type;
        fastcgi_param QUERY_STRING     $query_string;
        fastcgi_param REQUEST_METHOD   $request_method;
        fastcgi_pass  unix:/run/git-http-backend.socket;
    }

    # send all other URLs to cgit
    # Which repositories cgit exposes is decided by cgit's own configuration,
    # which is not visible in this file.
    location / {
        gzip off;

        fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
        fastcgi_param PATH_INFO       $uri;
        fastcgi_param CONTENT_TYPE    $content_type;
        fastcgi_param QUERY_STRING    $query_string;
        fastcgi_param REQUEST_METHOD  $request_method;
        fastcgi_pass  unix:/run/cgit.socket;
    }
}