Fix nginx "single path" location blocks

453bff74 · Amin Vakil · Evangelos Foutras · d7f69d80 · 453bff74 · 453bff74
Commit 453bff74 authored 3 years ago by Amin Vakil Committed by Evangelos Foutras 3 years ago
--- a/roles/archweb/templates/ipxe.archlinux.org.j2
+++ b/roles/archweb/templates/ipxe.archlinux.org.j2
@@ -30,7 +30,7 @@ server {
    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;

-    location /releng/netboot {
+    location /releng/netboot/ {
        access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
        access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_main;
        include uwsgi_params;
@@ -38,11 +38,11 @@ server {
    }

    # Cache django's css, js and png files.
-    location /static {
+    location /static/ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
-        alias /srv/http/archweb/collected_static;
+        alias /srv/http/archweb/collected_static/;
    }

    location / {

--- a/roles/archweb/templates/maintenance-nginx.d.conf.j2
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -78,12 +78,12 @@ server {

    error_page 503 /503.html;

-    location /.well-known/matrix/server {
+    location = /.well-known/matrix/server {
        default_type application/json;
        return 200 '{"m.server": "{{ matrix_domain }}:443"}';
    }

-    location /.well-known/matrix/client {
+    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';

--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -38,7 +38,7 @@ server {

    include snippets/letsencrypt.conf;

-    location /.well-known {
+    location /.well-known/ {
        add_header Access-Control-Allow-Origin *;
        return 301 https://$server_name$request_uri;
    }
@@ -62,7 +62,7 @@ server {
    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;

-    location /.well-known {
+    location /.well-known/ {
        add_header Access-Control-Allow-Origin *;
        return 301 https://{{ archweb_domain }}{{ domain['redirect']|default('$request_uri') }};
    }
@@ -108,12 +108,12 @@ server {
    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;

-    location /.well-known/matrix/server {
+    location = /.well-known/matrix/server {
        default_type application/json;
        return 200 '{"m.server": "{{ matrix_domain }}:443"}';
    }

-    location /.well-known/matrix/client {
+    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';

--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -19,7 +19,7 @@ server {
    access_log   /var/log/nginx/{{ repos_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;

-    location /lastupdate {
+    location = /lastupdate {
        allow all;
    }


--- a/roles/flyspray/templates/nginx.d.conf.j2
+++ b/roles/flyspray/templates/nginx.d.conf.j2
@@ -43,15 +43,15 @@ server {
        deny all;
    }

-    location /setup {
+    location /setup/ {
        deny all;
    }

-    location /attachments {
+    location /attachments/ {
        location ~ \.php$ {return 403;}
    }

-    location /cache {
+    location /cache/ {
        location ~ \.php$ {return 403;}
    }


--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -31,7 +31,7 @@ server {
    root {{ keycloak_domain }};

    # https://w3c.github.io/webappsec-change-password-url/
-    location /.well-known/change-password {
+    location = /.well-known/change-password {
        return 302 https://$server_name/auth/realms/archlinux/account/#/security/signingin;
    }


--- a/roles/mailman/templates/nginx.d.conf.j2
+++ b/roles/mailman/templates/nginx.d.conf.j2
@@ -29,16 +29,16 @@ server {
    ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;

    # redirect old urls
-    location /mailman {
+    location /mailman/ {
        rewrite ^/mailman/(.*) /$1 permanent;
    }

-    location /icons {
-        alias /usr/lib/mailman/icons;
+    location /icons/ {
+        alias /usr/lib/mailman/icons/;
    }

-    location /pipermail {
-        alias /var/lib/mailman/archives/public;
+    location ~ ^/pipermail(?:/(.*))?$ {
+        alias /var/lib/mailman/archives/public/$1;
        add_header Cache-Control "public, no-cache";
        autoindex on;
    }

--- a/roles/mta_sts/templates/nginx.d.conf.j2
+++ b/roles/mta_sts/templates/nginx.d.conf.j2
@@ -30,7 +30,7 @@ server {
    ssl_certificate_key  /etc/letsencrypt/live/{{ domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;

-    location /.well-known/mta-sts.txt {
+    location = /.well-known/mta-sts.txt {
        default_type text/plain;
        return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: {{ config.mx | join('\\nmx: ')}}\n';
    }

--- a/roles/nginx/templates/letsencrypt.conf
+++ b/roles/nginx/templates/letsencrypt.conf
-location /.well-known/acme-challenge {
+location /.well-known/acme-challenge/ {
    root {{ letsencrypt_validation_dir }};
    default_type "text/plain";
    try_files $uri =404;

--- a/roles/ping/templates/nginx.d.conf.j2
+++ b/roles/ping/templates/nginx.d.conf.j2
@@ -23,7 +23,7 @@ server {
    }

    # https://man.archlinux.org/man/NetworkManager.conf.5#CONNECTIVITY_SECTION
-    location /nm-check.txt {
+    location = /nm-check.txt {
        access_log off;
        add_header Cache-Control "max-age=0, must-revalidate";
        return 200 'NetworkManager is online\n';

--- a/roles/rebuilderd/templates/nginx.d.conf.j2
+++ b/roles/rebuilderd/templates/nginx.d.conf.j2
@@ -47,12 +47,12 @@ server {
           add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

-    location /api {
+    location /api/ {
            proxy_set_header    X-Real-IP          $remote_addr;
 	    proxy_pass http://127.0.0.1:8484;
    }

-    location /api/v0/build/report {
+    location = /api/v0/build/report {
 	    client_max_body_size 25M;
            proxy_set_header    X-Real-IP          $remote_addr;
 	    proxy_pass http://127.0.0.1:8484;