From b3959d7c9c4f459b6d69b8f1e3b7af5a8ea439ac Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Mon, 22 Jul 2024 00:17:49 +0200
Subject: [PATCH] dbscripts: Unbreak mirrorauth

archlinux.org started rejecting connections without SNI because of
experiments with deploying HTTP/3.

See: https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/850
---
 roles/dbscripts/templates/nginx.d.conf.j2 | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index c629c1b92..2943dcc82 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -47,14 +47,16 @@ server {
     }
 
     location = /devel/mirrorauth/ {
+        # Authentication to archweb
         internal;
+        proxy_pass https://archlinux.org;
 
         # Do not pass the request body, only http authorisation header is required
         proxy_pass_request_body off;
         proxy_set_header        Content-Length "";
 
         # Proxy headers
-        proxy_set_header        Host                    "archlinux.org";
+        proxy_set_header        Host                    $proxy_host;
         proxy_set_header        X-Sent-From             "{{ vault_archweb_x_sent_from_secret }}";
 
         # Cache responses from the auth proxy
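Review bot: `proxy_set_header Host $proxy_host;` on the new side restates nginx's documented default for proxied requests, so the line carries no behaviour of its own; if it is kept for explicitness its comment should say why, e.g. `# Keep Host in step with proxy_ssl_name — both derive from proxy_pass`. Note that `$proxy_host` is derived from the `proxy_pass` target, so it is `archlinux.org` here but would silently become an upstream-block name if `proxy_pass` were later pointed at a named `upstream`, at which point the literal host would have to be restored. The `location = /devel/mirrorauth/` block continues past the end of this hunk.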
@@ -66,9 +68,12 @@ server {
         proxy_cache_use_stale         updating;
         proxy_cache_background_update on;
 
-        # Authentication to archweb
-        proxy_pass https://archlinux.org;
-        proxy_ssl_verify on;
+        # Verify destination TLS cert
+        proxy_ssl_verify              on;
         proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
+        # Send SNI with TLS handshake
+        proxy_ssl_server_name         on;
+        proxy_ssl_name                $proxy_host;
     }
 }
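Review bot: The comment on the `proxy_ssl_name` line understates what it controls: with `proxy_ssl_verify on`, nginx uses `proxy_ssl_name` both as the SNI value and as the hostname checked against the upstream certificate, and `$proxy_host` is already its documented default, so the line is an explicit restatement rather than new behaviour. I would replace the comment with `# Name used for SNI and for hostname verification of the upstream cert (default: $proxy_host)` so a later edit does not assume verification is independent of it. One caveat worth a line in the template: if `proxy_pass` is ever changed to a named `upstream` block, `$proxy_host` becomes that block name and both SNI and certificate verification would fail against archlinux.org's certificate, so `proxy_ssl_name` would then need the literal host. Since the trust anchor is the full system bundle, it is also worth adding `proxy_ssl_protocols TLSv1.2 TLSv1.3;` — older nginx builds default to allowing TLSv1.0/1.1 on proxied connections — though that is independent of this fix. The `location = /devel/mirrorauth/` block opens before this hunk.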
-- 
GitLab