dbscripts: Unbreak mirrorauth

archlinux.org started rejecting connections without SNI because of experiments with deploying HTTP/3. See: !850

dbscripts: Unbreak mirrorauth
b3959d7c · Jan Alexander Steffens (heftig) · a9f7038b · b3959d7c
Verified Commit b3959d7c authored 8 months ago by Jan Alexander Steffens (heftig)
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -47,14 +47,16 @@ server {
    }

    location = /devel/mirrorauth/ {
+        # Authentication to archweb
        internal;
+        proxy_pass https://archlinux.org;

        # Do not pass the request body, only http authorisation header is required
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";

        # Proxy headers
-        proxy_set_header        Host                    "archlinux.org";
+        proxy_set_header        Host                    $proxy_host;
        proxy_set_header        X-Sent-From             "{{ vault_archweb_x_sent_from_secret }}";

        # Cache responses from the auth proxy
@@ -66,9 +68,12 @@ server {
        proxy_cache_use_stale         updating;
        proxy_cache_background_update on;

-        # Authentication to archweb
-        proxy_pass https://archlinux.org;
-        proxy_ssl_verify on;
+        # Verify destination TLS cert
+        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
+        # Send SNI with TLS handshake
+        proxy_ssl_server_name         on;
+        proxy_ssl_name                $proxy_host;
    }
 }