nginx.d.conf.j2 5.9 KB
# limit rss requests to 1 r/m
# State is kept per client address ($binary_remote_addr) in an 8m shared zone, so clients
# that share one address (NAT, proxies) also share one bucket.
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;

# limit general requests to 20 r/s to block DoS attempts.
# Keyed per client address like the RSS zone; it bounds a single source only and does
# nothing against load spread over many addresses.
limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=20r/s;

# Answer rate-limited requests with 429 Too Many Requests instead of nginx's default 503,
# so throttling can be told apart from real backend failures in logs and monitoring.
limit_req_status 429;

# On-disk cache for uwsgi responses: two-level directory layout, 10m of key metadata in the
# "archwebcache" zone, entries not requested for 60 minutes are dropped.
uwsgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=archwebcache:10m inactive=60m;
# Default cache key for every location that does not set its own. It contains neither cookies
# nor the Authorization header, so a response stored under it can be served to any client.
# NOTE(review): no uwsgi_cache_valid is visible in this file, so what gets stored presumably
# depends on the caching headers the application sends; confirm per-user pages are marked
# non-cacheable upstream.
uwsgi_cache_key "$scheme$host$request_uri";

# Per-URI cache key, referenced by uwsgi_cache_key in "location /". The /devel/mirrorauth/
# entry is compared against the whole $uri (not as a prefix), so only that path gets the
# Authorization header appended; every other URI keeps scheme + host + request URI.
# NOTE(review): nginx stores the cache key inside each cache file, so the raw Authorization
# value for this path is written under the uwsgi_cache_path directory; that directory should
# be readable by the nginx user only.
map $uri $cache_key {
    default            $scheme$host$request_uri;
    /devel/mirrorauth/ $scheme$host$request_uri$http_authorization;
}

# The application server is reached over a local unix socket rather than a TCP port.
# NOTE(review): who may talk to the backend is then decided by the socket file's owner and
# mode, which are set outside this file; confirm in the uwsgi configuration.
upstream archweb {
    server unix:///run/uwsgi/archweb.sock;
}

{# Pull in one extra template per entry of archweb_domains_templates; the dict value names the template file to include. #}
{% if archweb_domains_templates -%}
{% for domain in archweb_domains_templates | dict2items(key_name='domain_name', value_name='template_name') %}
{% include domain['template_name'] %}
{% endfor %}
{%- endif %}

{% if archweb_domains_redirects %}
{% for domain in archweb_domains_redirects | dict2items(key_name='domain', value_name='redirect') %}

# Plain-HTTP listener, rendered once per redirect domain; both locations in it answer with a
# 301 to the HTTPS URL of the same server name.
server {
    listen       80;
    listen       [::]:80;
    server_name  {{ domain['domain'] }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    include snippets/letsencrypt.conf;

    location /.well-known/ {
        add_header Access-Control-Allow-Origin *;
        # The target uses the configured server_name rather than the client-supplied Host
        # header, so the Location value does not depend on request headers.
        return 301 https://$server_name$request_uri;
    }

    location / {
        access_log off;
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  {{ domain['domain'] }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;

    location /.well-known/ {
        add_header Access-Control-Allow-Origin *;
        # The redirect host is fixed to the primary domain by the template; only the path
        # varies: the per-domain redirect path if one is configured, otherwise the original
        # request URI.
        return 301 https://{{ archweb_domain }}{{ domain['redirect']|default('$request_uri') }};
    }

    location / {
        access_log off;
        return 301 https://{{ archweb_domain }}{{ domain['redirect']|default('$request_uri') }};
    }
}
{% endfor %}

server {
{% else %}

server {
{% endif %}
    listen       80;
    listen       [::]:80;
    server_name  {{ archweb_domain }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  {{ archweb_domain }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    # Certificate, private key and issuer chain are read from the Let's Encrypt "live"
    # directory of the primary domain.
    # NOTE(review): ssl_trusted_certificate is what nginx uses to verify stapled OCSP
    # responses; ssl_stapling and the protocol/cipher settings are not set in this file and
    # are presumably inherited from the http-level configuration. Confirm there.
    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;

    location = /.well-known/matrix/server {
        default_type application/json;
        return 200 '{"m.server": "{{ matrix_domain }}:443"}';
    }

    location = /.well-known/matrix/client {
        default_type application/json;
        # Wildcard CORS header so browser-based Matrix clients on other origins can read this
        # discovery document; the body is a fixed string built from the template variable.
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';
    }

    location = /robots.txt {
        alias {{ archweb_dir }}/archlinux.org/robots.txt;
    }

    location = /humans.txt {
        alias {{ archweb_dir }}/archlinux.org/humans.txt;
    }

    location = /google7827eadf026b4a87.html {
        alias {{ archweb_dir }}/archlinux.org/google7827eadf026b4a87.html;
    }

    location = /BingSiteAuth.xml {
        alias {{ archweb_dir }}/archlinux.org/BingSiteAuth.xml;
    }

    location = /favicon.ico {
        alias {{ archweb_dir }}/collected_static/favicon.ico;
    }

    location /pacman/ {
        alias {{ archweb_dir }}/archlinux.org/pacman/;
    }

    location /netcfg/ {
        alias {{ archweb_dir }}/archlinux.org/netcfg/;
    }

    location /logos/ {
        alias {{ archweb_dir }}/archlinux.org/logos/;
    }

    # Refuses direct download of image files (.iso, .img, .tar.gz, .sfs) under /iso/. As a
    # regex location it takes precedence over the plain /iso/ prefix location, which serves
    # the remaining files; the match is case-sensitive (~).
    location ~ ^/iso/(.*\.(iso|img|tar\.gz|sfs)$) {
        deny all;
    }

    location /iso/ {
        # NOTE(review): alias substitutes this value for the /iso/ prefix as-is, so the
        # variable should end with a slash to keep paths inside the intended directory;
        # confirm in the role variables.
        alias {{ archweb_rsync_iso_dir }};
    }

    # Cache django's css, js and png files.
    location /static/ {
        expires 30d;
        # NOTE(review): add_header directives are inherited from the server/http level only
        # when a location declares none of its own. Headers set at a higher level (none are
        # visible in this file) would therefore not be sent with /static/ responses.
        add_header Pragma public;
        add_header Cache-Control "public";
        alias {{ archweb_dir }}/collected_static/;
    }

    location /img/ {
        alias {{ archweb_dir }}/media/img/;
    }

    location /retro/ {
        # NOTE(review): alias substitutes this value for the /retro/ prefix as-is, so the
        # variable should end with a slash; confirm in the role variables.
        alias {{ archweb_retro_dir }};
    }

    # Rate limit all RSS feeds
    # Matches every URI under /feeds/ and every URI ending in .xml. Regex locations are
    # checked before non-exact prefix locations (none in this file uses ^~), so .xml requests
    # under the alias locations above are also handled here and passed to uwsgi; only the
    # exact "=" locations win over it.
    # No uwsgi_cache_key is set in this location, so the http-level key (scheme, host,
    # request URI) applies.
    location ~ (^/feeds/|\.xml$) {
        include uwsgi_params;
        uwsgi_pass archweb;

        uwsgi_cache archwebcache;
        # Refresh expired entries with conditional requests instead of fetching them in full.
        uwsgi_cache_revalidate on;
        # Exposes the cache result (HIT, MISS, ...) to clients in a response header.
        add_header X-Cache-Status $upstream_cache_status;

        # Up to 10 requests beyond the 1 r/m rate of the rsslimit zone are served immediately
        # (nodelay); anything past that burst is rejected with the status set by
        # limit_req_status.
        limit_req zone=rsslimit burst=10 nodelay;
    }

    location / {
        access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
        access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_main;
        include uwsgi_params;
        uwsgi_pass archweb;

        uwsgi_cache archwebcache;
        uwsgi_cache_revalidate on;
        # Overrides the http-level key with the value of the $cache_key map, which appends the
        # Authorization header for /devel/mirrorauth/ so that responses to different
        # credentials are stored under different keys.
        uwsgi_cache_key $cache_key;
        add_header X-Cache-Status $upstream_cache_status;

        # Per-address limit from the archweblimit zone (20 r/s); a burst of 10 extra requests
        # is served without delay, the rest are rejected with the limit_req_status code.
        limit_req zone=archweblimit burst=10 nodelay;
    }
}