Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

X-Forwarded-For is defined as X-Forwarded-For: <client>, <proxy1>,
<proxy2>, and it was set to $proxy_add_x_forwarded_for which is
basically $http_x_forwarded_for,$remote_addr and headers from the client
can't be trusted!

Fix #292

Without hostname the role does not run.

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

zram-generator defaults to 50% of the ram where systemd-swap defaults to
25% of the ram.

[1] https://lists.archlinux.org/pipermail/arch-dev-public/2021-May/030429.html

This make it much easier to compare it to upstream's version:
diff -u standalone.xml.j2 /opt/keycloak/standalone/configuration/standalone.xml

Leonidas Spyropoulos authored 3 years ago and Kristian Klausen committed 3 years ago

Update standalone.xml configuration based on documentation

https://www.keycloak.org/docs/latest/upgrading/#_install_new_version



Closes: #347

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

The arch-iso project uses QEMU for building and it uses a lot of memory
(they have crashed runner2 twice), so let's see if we can avoid that by
capping Docker's memory.

We did the revert to help a small business, but they had some time to
fix their setup, so we can revert the revert.

This reverts commit a842fbe7.

- Set "proxy_cache_lock on" to avoid sending more than one auth request
  to archweb when a cache entry doesn't exist for the credentials.
- Set "proxy_cache_use_stale updating" to prevent nginx sending multiple
  auth requests to archweb while the cache is being refreshed. [1]

[1] http://mailman.nginx.org/pipermail/nginx/2016-January/049734.html

Use $uri instead of $request_uri in proxy_cache_key to avoid caching
based on the original URI which is different for each pacman request.

The cache keys are now in the following format:

  httpsarchlinux.org/devel/mirrorauth/Basic <credentials>

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

[1] https://archlinux.org/news/move-of-official-irc-channels-to-liberachat/

This implements authentication to our repos.archlinux.org tier 0 mirror
via archweb.

Fixes: 316b8517 ("Add missing "create ssl cert" tasks")

Ex: in case the user has multiple smartcards.

Give more memory to the apps and less to postgres.

The certificate won't be valid, anyway. Synapse actually fails to send
if the server allows STARTTLS but presents an invalid certificate.

The latter can cause duplicate Content-Type headers. Thanks to strcat
for notifying me of the issue.

Leonidas Spyropoulos authored 3 years ago and Jelle van der Waa committed 3 years ago

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Leonidas Spyropoulos authored 3 years ago and Jelle van der Waa committed 3 years ago

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Leonidas Spyropoulos authored 3 years ago and Jelle van der Waa committed 3 years ago

Closes: #332

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>