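# nginx front end for aurweb (Jinja-templated; {{ ... }} values are filled in
# by the deployment tooling).
#
# Three uWSGI upstreams are declared here: the aurweb CGI shim, cgit and
# git-http-backend ("smartgit").  The aurweb ASGI application itself is
# reached over plain HTTP via the catch-all `location /` at the bottom.
# Note that `upstream aurweb` is declared but not referenced anywhere in
# this file.
upstream aurweb {
    server unix://{{ aurweb_socket }};
}

upstream cgit {
    server unix://{{ cgit_socket }};
}

upstream smartgit {
    server unix://{{ smartgit_socket }};
}

# limit Git requests to block Git DoS attempts.
#
# The zone is keyed on the TCP peer address.  That is only the real client
# address if nginx is the network edge; the proxy block below builds
# X-Forwarded-For from $remote_addr rather than from any inbound header,
# which suggests that assumption holds here -- re-check if a CDN or load
# balancer is ever placed in front.
#
# grep aurwebgitlimit /var/log/nginx/aur.archlinux.org/error.log | awk '{ print $14 }' | sort | uniq | sort
limit_req_zone $binary_remote_addr zone=aurwebgitlimit:10m rate=30r/m;
limit_req_status 429;

# Plain-HTTP listener.  snippets/letsencrypt.conf (not shown here)
# presumably serves the ACME challenge path; everything else is redirected
# to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name {{ aurweb_domain }};

    access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
    access_log /var/log/nginx/{{ aurweb_domain }}/access.log.json json_main;
    error_log /var/log/nginx/{{ aurweb_domain }}/error.log;

    include snippets/letsencrypt.conf;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS listener: git-over-HTTP, cgit, static files and the ASGI proxy.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ aurweb_domain }};

    access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
    access_log /var/log/nginx/{{ aurweb_domain }}/access.log.json json_main;
    error_log /var/log/nginx/{{ aurweb_domain }}/error.log;

    ssl_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ aurweb_domain }}/privkey.pem;
    # chain.pem is only consulted for OCSP stapling / peer verification.
    # ssl_protocols, ssl_ciphers and ssl_stapling are not set in this file,
    # so they must come from the global http{} context -- verify there.
    ssl_trusted_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/chain.pem;

    # NOTE(review): no HSTS or other response security headers are emitted
    # in this file.  If they are added at server level, remember that nginx
    # does NOT inherit add_header into a location that has its own
    # add_header (the .gz and /static/ locations below), so they have to be
    # repeated there.

    # The document root only backs the .gz and /static/ locations; every
    # other path is proxied or handed to uWSGI.  `index index.php` is a
    # leftover from the PHP front end and has no effect on proxied paths.
    root {{ aurweb_dir }}/web/html;
    index index.php;

    location = /trusted-user/TUbylaws.html {
        return 301 https://tu-bylaws.aur.archlinux.org;
    }

    #
    # smartgit location for Git Archive repositories
    # Should be shallow-cloned:
    #   `git clone --depth=1 https://aur_location/archives/metadata.git`
    #
    # Routes:
    #   - /archives/metadata.git
    #   - /archives/users.git
    #   - /archives/pkgbases.git
    #   - /archives/pkgnames.git
    #
    # These repositories are read-only mirrors, so only the upload-pack
    # (fetch) service is routed.  git-http-backend is documented to refuse
    # anonymous receive-pack unless http.receivepack is enabled, but there
    # is no reason to expose the push endpoint for an archive at all.
    # The pattern is anchored with `$`, matching the package location
    # below, so trailing junk after a valid path no longer matches.
    #
    location ~ "^/archives/(metadata|users|pkgbases|pkgnames)(\.git)/(git-upload-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
        # NOTE(review): unlike the package and cgit locations this one is
        # not rate limited; presumably intentional for bulk fetchers --
        # confirm.
        include uwsgi_params;
        uwsgi_pass smartgit;
        uwsgi_modifier1 9;
        uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        # PATH_INFO is rebuilt from the regex captures rather than from
        # $uri, so only the whitelisted path shapes ever reach
        # git-http-backend.
        uwsgi_param PATH_INFO /$1.git/$3;
        uwsgi_param GIT_HTTP_EXPORT_ALL "";
        uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }};
    }

    #
    # smartgit location for AUR package git repository
    # Clone packages:
    #   `git clone https://aur_location/pkgname.git`
    #
    # All packages live in one repository (aur.git); the package is selected
    # by GIT_NAMESPACE from the first path component.  The first character
    # class forbids a leading `.` and `/` is excluded from the name, so the
    # namespace can never be `..` or carry a path separator.
    # git-receive-pack is routed here as well; with no REMOTE_USER passed,
    # git-http-backend is documented to reject it unless http.receivepack
    # is enabled.  Pushes presumably go through the authenticated SSH
    # interface instead -- confirm that http.receivepack stays unset.
    #
    location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
        limit_req zone=aurwebgitlimit burst=900 nodelay;
        include uwsgi_params;
        uwsgi_pass smartgit;
        uwsgi_modifier1 9;
        uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        uwsgi_param PATH_INFO /aur.git/$3;
        uwsgi_param GIT_HTTP_EXPORT_ALL "";
        uwsgi_param GIT_NAMESPACE $1;
        uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }};
    }

    location ~ ^/cgit {
        limit_req zone=aurwebgitlimit burst=300 nodelay;
        include uwsgi_params;
        # `rewrite` matches $uri, which never contains the query string, so
        # the `(?:\?(.*))?` capture is always empty; nginx appends the
        # original arguments itself because the replacement contains `?`.
        # The rewritten /cgit.cgi URI re-enters this same location (the
        # `^/cgit` prefix matches it) and is then handed to cgit below.
        rewrite ^/cgit/([^?/]+/[^?]*)?(?:\?(.*))?$ /cgit.cgi?url=$1&$2 last;
        uwsgi_modifier1 9;
        uwsgi_param CGIT_CONFIG {{ aurweb_conf_dir }}/cgitrc;
        uwsgi_pass cgit;
    }

    # Pre-compressed files served straight from the document root.  Regex
    # locations are tried in order, so a *.gz under /static/ is served from
    # here (relative to root, without the /static prefix rewrite).
    location ~ \.gz$ {
        default_type text/plain;
        add_header Content-Encoding gzip;
        expires 5m;
    }

    # Static assets: /static/<css|js|images>/... maps to <root>/<css|js|images>/...
    location ~ ^/static/(?:css|js|images)/ {
        rewrite ^/static(/.*)$ $1 break;
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location / {
        # Proxy over to aurweb's ASGI application.
        proxy_pass http://{{ aurweb_asgi_bind }};
        proxy_set_header Host $http_host;
        # Deliberately $remote_addr rather than $proxy_add_x_forwarded_for:
        # a client-supplied X-Forwarded-For is discarded, not forwarded.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
    }
}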