Kristian Klausen authored
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing and makes it possible to enable it per host. Instead of adding the conditional logic to each nginx template, the 443 listen config is moved out into a snippet which is managed by the nginx role. HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and therefore reuseport[1][2] must be used to ensure that UDP packets for the same QUIC connection are directed to the same worker. reuseport can only be enabled once, so a default_server is added to the "inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for the latter). ssl_reject_handshake[3] is enabled as that allows enabling SSL/QUIC without specifying a certificate. [1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen [2] https://lwn.net/Articles/542629/ [3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake Ref #606
nginx.conf.j2 3.47 KiB
server {
listen 80;
listen [::]:80;
server_name {{ fluxbb_domain }};
access_log /var/log/nginx/{{ fluxbb_domain }}/access.log;
access_log /var/log/nginx/{{ fluxbb_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ fluxbb_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
return 301 https://$server_name$request_uri;
}
}
# a limiter to stop abuse of the rss feed.
# limit to 1 requests per minute, with a burst defined when we use this
# limiter in the location directive below
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
limit_req_zone $binary_remote_addr zone=searchlimit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=bbslimit:10m rate=10r/s;
limit_req_status 429;
server {
include snippets/listen-443.conf;
server_name {{ fluxbb_domain }};
root {{ fluxbb_dir }};
index index.php;
access_log /var/log/nginx/{{ fluxbb_domain }}/access.log;
access_log /var/log/nginx/{{ fluxbb_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ fluxbb_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ fluxbb_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ fluxbb_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ fluxbb_domain }}/chain.pem;
location /.git {
deny all;
}
location = /search.php {
limit_req zone=searchlimit burst=10;
fastcgi_pass unix:/run/php-fpm/fluxbb.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
fastcgi_param HTTPS on;
include fastcgi_params;
}
location ~ /extern\.php {
limit_req zone=rsslimit burst=10 nodelay;
fastcgi_pass unix:/run/php-fpm/fluxbb.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
fastcgi_param HTTPS on;
include fastcgi_params;
}
location ~ ^/(?:config|header|footer)\.php {
log_not_found off;
deny all;
return 403;
}
location ~ /(cache|include|lang|plugins) {
log_not_found off;
deny all;
return 403;
}
location ^~ /style/ {
expires 7d;
include snippets/headers.conf;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ^~ /img/ {
expires 7d;
include snippets/headers.conf;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ~ ^/(?:db_update|install)\.php {
auth_basic "Administration";
auth_basic_user_file auth/{{ fluxbb_domain }};
fastcgi_pass unix:/run/php-fpm/fluxbb.socket;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
fastcgi_param HTTPS on;
include fastcgi_params;
}
location ~ ^/[^/]+\.php$ {
fastcgi_pass unix:/run/php-fpm/fluxbb.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
fastcgi_param HTTPS on;
include fastcgi_params;
limit_req zone=bbslimit burst=10 nodelay;
}
}
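Review bot: The template no longer states which protocols its 443 server block listens on, since `include snippets/listen-443.conf;` now pulls the listen directives (and presumably the ssl/http2/http3 flags) from the nginx role; a one-line comment above it, `# 443 listen directives (ssl/http2, optionally http3) are managed by the nginx role`, would keep that dependency explicit for readers of this template. If HTTP/3 advertisement (Alt-Svc) is added with `add_header` at server level, note that the `/style/` and `/img/` locations declare their own `add_header` directives, which in nginx suppresses inherited server-level headers, so the header would have to travel through the `snippets/headers.conf` those locations already include — confirm where Alt-Svc is set. The `fastcgi_param HTTPS on;` lines and the port-80 `return 301 https://...` redirect assume the snippet always enables TLS on 443; it would be worth recording that assumption in the snippet or next to the include.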