Merge branch 'nginx-http3' into 'master'

Enable HTTP/3 for {,aur.,wiki.}archlinux.org See merge request !850

Merge branch 'nginx-http3' into 'master'
7709a2f7 · Kristian Klausen · 8a63759e · 28e0f03c · 7709a2f7 · 7709a2f7
Verified Commit 7709a2f7 authored 7 months ago by Kristian Klausen
--- a/host_vars/archlinux.org/misc
+++ b/host_vars/archlinux.org/misc
@@ -12,3 +12,4 @@ fail2ban_jails:
  nginx_limit_req: true
 wireguard_address: 10.0.0.1
 wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
+nginx_enable_http3: true
--- a/host_vars/aur.archlinux.org/misc
+++ b/host_vars/aur.archlinux.org/misc
@@ -7,3 +7,4 @@ fail2ban_jails:
 memcached_socket: "/run/memcached/aurweb.sock"
 wireguard_address: 10.0.0.2
 wireguard_public_key: TPLeGQ7qU6ZNtcgDbEV0SSYScvK+XS5igcPdGSXo6UA=
+nginx_enable_http3: true
--- a/host_vars/wiki.archlinux.org/misc
+++ b/host_vars/wiki.archlinux.org/misc
@@ -4,3 +4,4 @@ wireguard_address: 10.0.0.22
 wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
 nginx_extra_modules:
  - name: geoip2
+nginx_enable_http3: true
--- a/roles/archive_web/templates/nginx.d.conf.j2
+++ b/roles/archive_web/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ archive_domain }};

    access_log   /var/log/nginx/{{ archive_domain }}/access.log reduced;

--- a/roles/archmanweb/templates/nginx.d.conf.j2
+++ b/roles/archmanweb/templates/nginx.d.conf.j2
@@ -23,9 +23,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ archmanweb_domain }};

    access_log   /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;

--- a/roles/archweb/templates/ipxe.archlinux.org.j2
+++ b/roles/archweb/templates/ipxe.archlinux.org.j2
@@ -16,9 +16,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ domain['domain_name'] }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;

--- a/roles/archweb/templates/maintenance-nginx.d.conf.j2
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -21,9 +21,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -60,9 +58,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -98,9 +94,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ service_domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;

--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -54,9 +54,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ domain['domain'] }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
@@ -102,9 +100,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ archweb_domain }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;

--- a/roles/archwiki/templates/nginx.d.conf.j2
+++ b/roles/archwiki/templates/nginx.d.conf.j2
@@ -59,9 +59,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ archwiki_domain }};

    access_log   /var/log/nginx/{{ archwiki_domain }}/access.log reduced;

--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
@@ -35,9 +35,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ aurweb_domain }};

    access_log   /var/log/nginx/{{ aurweb_domain }}/access.log main;
@@ -142,7 +140,7 @@ server {
    location / {
        # Proxy over to aurweb's ASGI application.
        proxy_pass http://{{ aurweb_asgi_bind }};
-        proxy_set_header Host $http_host;
+        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;

--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -3,9 +3,7 @@ proxy_cache_path  /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inacti
 server {
    listen       80;
    listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ repos_domain }} {{repos_rsync_domain}};
    root         /srv/ftp;


--- a/roles/debuginfod/templates/nginx.d.conf.j2
+++ b/roles/debuginfod/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ debuginfod_domain }};

    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;

--- a/roles/fluxbb/templates/nginx.conf.j2
+++ b/roles/fluxbb/templates/nginx.conf.j2
@@ -23,9 +23,7 @@ limit_req_zone $binary_remote_addr zone=bbslimit:10m rate=10r/s;
 limit_req_status 429;

 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2  on;
+    include snippets/listen-443.conf;
    server_name {{ fluxbb_domain }};
    root {{ fluxbb_dir }};
    index index.php;

--- a/roles/grafana/templates/nginx.d.conf.j2
+++ b/roles/grafana/templates/nginx.d.conf.j2
@@ -25,9 +25,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ grafana_domain }};

    access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;

--- a/roles/hedgedoc/templates/nginx.d.conf.j2
+++ b/roles/hedgedoc/templates/nginx.d.conf.j2
@@ -24,9 +24,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ hedgedoc_domain }};

    access_log   /var/log/nginx/{{ hedgedoc_domain }}/access.log main;

--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ keycloak_domain }};

    access_log   /var/log/nginx/{{ keycloak_domain }}/access.log reduced;

--- a/roles/mailman/templates/nginx.d.conf.j2
+++ b/roles/mailman/templates/nginx.d.conf.j2
@@ -35,9 +35,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ lists_domain }};

    access_log   /var/log/nginx/{{ lists_domain }}/access.log main;

--- a/roles/maintenance/templates/nginx-maintenance.conf.j2
+++ b/roles/maintenance/templates/nginx-maintenance.conf.j2
@@ -17,9 +17,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -56,9 +54,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -94,9 +90,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ service_domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;

--- a/roles/matrix/templates/nginx.d.conf.j2
+++ b/roles/matrix/templates/nginx.d.conf.j2
@@ -22,9 +22,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ matrix_domain }};

    access_log   /var/log/nginx/{{ matrix_domain }}/access.log reduced;

--- a/roles/mirrorsync/templates/nginx.d.conf.j2
+++ b/roles/mirrorsync/templates/nginx.d.conf.j2
 server {
    listen       80;
    listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ item.value.mirror_domain }};
    root         {{ item.value.target }};