- Aug 17, 2024
-
-
Kristian Klausen authored
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing and makes it possible to enable it per host. Instead of adding the conditional logic to each nginx template, the 443 listen config is moved out into a snippet which is managed by the nginx role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and therefore reuseport[1][2] must be used to ensure that UDP packets for the same QUIC connection are directed to the same worker.

reuseport can only be enabled once, so a default_server is added to the "inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for the latter). ssl_reject_handshake[3] is enabled as that allows enabling SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
-
Kristian Klausen authored
F5/nginx has blogged about this[1] and it is also mentioned in nginx's documentation[2]: "There could be several add_header directives. These directives are inherited from the previous configuration level if and only if there are no add_header directives defined on the current level."

The problem occurs when add_header is used in a child context like a server{} or location{} block. It is solved by moving the HSTS header into a snippet, which is now included before all add_header lines.

For now the HSTS header is the only global header, but in the future we may need to add more global headers, like the Alt-Svc header[3] for HTTP/3.

[1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance
[2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

Fix #608
-
- Jun 02, 2024
-
-
> 2024/06/02 11:05:53 [warn] 30324#30324: the "listen ... http2" directive is deprecated, use the "http2" directive instead

Fixes #589
-
- Jul 12, 2021
-
-
Jelle van der Waa authored
-
- Apr 27, 2021
-
-
Stop uncontrolled requests before they reach the PHP backend

Closes: #276
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
-
- Apr 12, 2021
-
-
Leonidas Spyropoulos authored
Closes: #278
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
-
- Apr 11, 2021
-
-
Jelle van der Waa authored
-
- Feb 18, 2021
-
-
Jelle van der Waa authored
Update fluxbb to the latest commit with PHP 8 compatibility, fix permissions being too strict so http can't access it, and rate limit searching.
-
- Feb 28, 2020
-
-
Jan Alexander Steffens (heftig) authored
The gitdirs are just clones of public repos and don't seem to contain anything sensitive but better safe than sorry. Thanks to Christian Rebischke <chris@shibumi.dev>
-
- Nov 04, 2019
-
-
Jelle van der Waa authored
The location block should also execute PHP, otherwise we will just reply with PHP files.
-
Phillip Smith (fukawi2) authored
-
Phillip Smith (fukawi2) authored
Someone has made a conky script that hits the RSS feed every second, so nginx now limits that to once per minute, returning 503 instead at other times. A burst is also in place to prevent genuine users being blocked.
-
Phillip Smith (fukawi2) authored
-
Phillip Smith (fukawi2) authored
-
- Oct 17, 2019
-
-