Commits · 989a8a4b7de5f4356a81cafd30b67c93b2bd8343 · Arch Linux / infrastructure

Oct 03, 2021
- Fix nginx "single path" location blocks · 453bff74
  Amin Vakil authored 3 years ago and Evangelos Foutras committed 3 years ago
  
  453bff74
Jun 16, 2021
- flyspray: Add support for bugs.al.org->GitLab redirect · 3b868260
  Kristian Klausen authored 3 years ago
  
  To be used as we begin migrating Flyspray tasks to GitLab. Fix #320
  3b868260
May 03, 2021
- Remove obsolete NGINX directives to use http2_max_field_size defaults. · b3e87b17
  Andrea Denisse Gómez Martínez authored 3 years ago and Jelle van der Waa committed 3 years ago
  
  Closes #317.
  b3e87b17
Apr 08, 2021

Kristian Klausen authored 4 years ago and

A extra access_log entry was added with the following commands:
$ cd roles
$ grep -lr access_log | xargs -P 1 -n 1 sed -i '/access_log/ s/\(.*\)\( \)\(\(reduced\|main\);$\)/\1 \3\n\1.json json_\3/'

Verified

b70d04fa

Oct 22, 2020
- nginx: Don't expose the nginx version · 9021a45e
  Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago
  
  9021a45e
Sep 23, 2020
- Fix for ansible 2.10 (fixes #149) · d68771ea
  Sven-Hendrik Haase authored 4 years ago
  
  Verified
  
  d68771ea
Sep 05, 2020

nginx: use reload instead of restart when nginx configuration changes · 24091c52
Jakub Klinkovský authored 4 years ago

Unverified

24091c52

nginx: move the fastcgi cache configuration to the archwiki role · fc23daf5

Jakub Klinkovský authored 4 years ago

This is much cleaner because the nginx role does not have to set the
fastcgi_cache variable to "false" by default, which was overridden by
host_vars/apollo.archlinux.org to "wiki", but the value was still
hardcoded in the config.

At first, I was wondering that the cache "zone" name should be
generalized to improve the configuration (from the original per-host to
per-service), but that would be an overkill since the fastcgi cache is
used only for the wiki...

Unverified

fc23daf5

Jun 17, 2020
- fix E303 'Using command rather than module' · a4a4f3e7
  Frederik Schwan authored 4 years ago and Sven-Hendrik Haase committed 4 years ago
  
  also use systemd instead of service module
  Verified
  
  a4a4f3e7
Jun 12, 2020
- fix E206 'Variables should have spaces before and after: {{ var_name }}' · 2b2bd065
  Frederik Schwan authored 4 years ago
  
  Verified
  
  2b2bd065
Oct 13, 2019

nginx: Add toplevel-snippets mechanism · 2b1ba2f3

Sven-Hendrik Haase authored 5 years ago

This allows you to add snippets for toplevel nginx configuration directives that can't go into the http level.
Use this for loading modules and such.

Verified

2b1ba2f3

Sep 05, 2019
- nginx: Modernize SSL settings · 9c57ddae
  Jan Alexander Steffens (heftig) authored 5 years ago
  
  Enables TLS 1.3.
  Verified
  
  9c57ddae
- nginx.conf: Increase types hash size to avoid warning · c14207d3
  Jan Alexander Steffens (heftig) authored 5 years ago
  
  Verified
  
  c14207d3
- nginx.conf: Consistent whitespace · cab6271c
  Jan Alexander Steffens (heftig) authored 5 years ago
  
  Verified
  
  cab6271c
Sep 01, 2019

archwiki: cache /load.php requests to offload php-fpm · 1aefa81d

Jelle van der Waa authored 5 years ago

These are static requests for JS/CSS assets which are the topmost
request for the wiki. Caching these in nginx helps a lot to turn down
the load.

1aefa81d

May 14, 2019

certbot/nginx: Reload nginx via hook instead of directly in the certbot · 28acf6db

Florian Pritz authored 5 years ago

service

Some machines use certbot, but don't have nginx so we shouldn't force
the reload here.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

28acf6db

Mar 24, 2019
- Refactor certbot into dedicated role · dacb47a7
  Florian Pritz authored 6 years ago
  
  Signed-off-by: Florian Pritz <bluewind@xinu.at>
  Verified
  
  dacb47a7
Feb 16, 2019

nginx: Increase http2_max_field_size for AUR · 552c5273

Florian Pritz authored 6 years ago


This is changed globally because it is probably fine for other services
too.

Some AUR RPC requests apparently manage to hit the 4k default limit and
if they do, they get an empty response. This is an easier fix to the
problam than  changing the maximum request length in each AUR helper.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

552c5273

Nov 18, 2018

nginx: Raise worker NOFILE limits · d724f8cd

Florian Pritz authored 6 years ago


This is mostly to resolve issues on luna where nginx is hitting the
limit, but the higher limit won't hurt other machines so I'm not putting
it in a variable for now.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

d724f8cd

Nov 08, 2018

nginx: Randomize delay for certbot · fff3c2b8

Florian Pritz authored 6 years ago


Running it too close to 00:00 UTC just leads to errors all the time.
Running it at other times work fine so let's randomize things.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

fff3c2b8

Aug 17, 2018
- add "firewall" tag to all relevant tasks · 8d681f00
  Phillip Smith (fukawi2) authored 6 years ago
  
  8d681f00
- make all firewalld changes take effect immediately · 1258e6b7
  Phillip Smith (fukawi2) authored 6 years ago
  
  1258e6b7
Aug 15, 2018
- make all firewalld changes take effect immediately · d1092308
  Phillip Smith (fukawi2) authored 6 years ago
  
  d1092308
Aug 14, 2018
- make all firewalld changes take effect immediately · efcc7619
  Phillip Smith (fukawi2) authored 6 years ago
  
  efcc7619
Jun 25, 2018

Enable cpu/memory accounting by default · 13078f86

Florian Pritz authored 6 years ago


The discovery script now uses a regex and no longer cares where exactly
accounting is enabled. Follow systemd upstream by enabling it by
default.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

13078f86

May 30, 2018

nginx: Add json log format · 702be3ee
Florian Pritz authored 6 years ago
```
Signed-off-by: Florian Pritz <bluewind@xinu.at>
```
Verified

702be3ee

nginx: Reduce access log content for static data · f5ee7a08

Florian Pritz authored 6 years ago

For proxy/fastcgi/uwsgi blocks, logging is still set to the old format,
but for everything else (= static data) a reduced format is used that
excludes items that no longer make sense (request_time, remote_user) and
those that are personal information all the time (remote_addr, http_x_forwarded_for).

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

f5ee7a08

Apr 23, 2018

nginx: compress application/javascript · 04e1f8ea

Jelle van der Waa authored 6 years ago

Chrome reports that our JavaScript is not compressed with gzip/brotli,
this is due to chrome receiving javascript as application type:
application/javascript.

04e1f8ea

Mar 21, 2018

Disable firewalld tasks · b847916c

Florian Pritz authored 7 years ago

Disable firewall because python2 module is not avaible and the tasks
fail which makes the playbooks fail and leads to handlers not being run.

https://github.com/ansible/ansible/issues/24855



Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

b847916c

Mar 05, 2018
- initial commit of firewalld role and tasks · 59807399
  Phillip Smith (fukawi2) authored 7 years ago
  
  59807399
Feb 28, 2018
- Add cpu/memory accounting to many roles · b59d6b99
  Florian Pritz authored 7 years ago
  
  Signed-off-by: Florian Pritz <bluewind@xinu.at>
  Verified
  
  b59d6b99
Feb 19, 2018
- Tag nginx configs in roles as nginx · 7411e9a2
  Florian Pritz authored 7 years ago
  
  Signed-off-by: Florian Pritz <bluewind@xinu.at>
  Verified
  
  7411e9a2
- Define and use our own log format for nginx · 6bf14014
  Florian Pritz authored 7 years ago
  
  This is the same as used on luna and as expected by the zabbix nginx monitoring service. Signed-off-by: Florian Pritz <bluewind@xinu.at>
  Verified
  
  6bf14014
Oct 20, 2017
- nginx: set default letsencrypt_validation_dir value · efeeff75
  Bartłomiej Piotrowski authored 7 years ago
  
  efeeff75
Jul 05, 2017
- nginx: enable gzip and brotli compression · 0d3fe3d5
  Bartłomiej Piotrowski authored 7 years ago
  
  0d3fe3d5
Feb 10, 2017

roles/*: Fix nginx log dir permissions · ff27e416

Giancarlo Razzolini authored 8 years ago

To correctly be safe for CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since nginx childs
runs as http user, the directories permissions must be 0755, so the
http user can descent into it. Since the logrotate will create the
log files as http:log, the nginx childs will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.

Verified

ff27e416

Feb 05, 2017

Fix permissions of nginx log dirs, CVE-2016-1247 · 57d62ca8

Florian Pritz authored 8 years ago

CVE-2016-1247 is a symlink attack on the log dir of nginx since a
reopening of the logs (triggered by logrotate) opens the logs as nginx
instead of root. logrotate creates the proper log files already so
nginx doesn't need write permissions to those directories.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Verified

57d62ca8

nginx: Add logrotate config · f511f29e
Florian Pritz authored 8 years ago
```
Signed-off-by: Florian Pritz <bluewind@xinu.at>
```
Verified

f511f29e

Jan 29, 2017

roles/nginx: Use a map to only include the STS header on https · bc1cffbd

Giancarlo Razzolini authored 8 years ago

One of the things missing from the preload submission was that we
included the STS header on http connections also. Using this:
https://trac.nginx.org/nginx/ticket/289#comment:3 we are able to
only include the STS header on https connections.

Verified

bc1cffbd

Jan 26, 2017

roles/nginx: Add preload to the STS header · 9beccb72

Giancarlo Razzolini authored 8 years ago

After some weeks since it was proposed the addition of archlinux.org
to the HSTS Preload list, since there were no objections, we are
introducing this change and in the coming hours will add archlinux.org
domain to the list.

Verified

9beccb72

Admin message