forked from klaussilveira/gitlist
-
Notifications
You must be signed in to change notification settings - Fork 9
/
gitlist.patrikx3.com.conf
110 lines (86 loc) · 3 KB
/
gitlist.patrikx3.com.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
server {
listen 80 ;
listen [::]:80 ;
server_name gitlist.patrikx3.com;
error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
root /var/www/gitlist.patrikx3.com/public;
location ~ /.well-known {
auth_basic off;
auth_pam off;
allow all;
root /var/www/acme-challenge;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
return 301 https://$host$request_uri;
}
server {
ssl on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name gitlist.patrikx3.com;
error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
root /var/www/gitlist.patrikx3.com/public;
ssl_certificate /root/acme/ssl/patrikx3.com/fullchain.cer;
ssl_certificate_key /root/acme/ssl/patrikx3.com/patrikx3.com.key;
# it uses the built in Linux security called PAM,
# but you could use a
# auth_basic on;
# auth_basic_user_file /etc/nginx/.htpasswd;
auth_pam "Restricted";
auth_pam_service_name "nginx";
limit_req zone=default_limit burst=1000;
limit_conn default_limit_conn 100;
location ~ /.well-known {
auth_basic off;
auth_pam off;
allow all;
root /var/www/acme-challenge;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
set $x_frame_options_policy 'self';
add_header Strict-Transport-Security "max-age=31536000; " always;
add_header X-Frame-Options "ALLOW-FROM gitlist.patrikx3.com";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors $x_frame_options_policy";
index index.php;
location / {
autoindex on;
set $redirect_url $uri;
try_files $uri $uri/ /index.php$is_args$query_string;
}
location = /index.php {
include snippets/fastcgi-php.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/var/run/php/php8.0-fpm-git.sock;
}
# static repo files for cloning over https
location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {
root /my/git/repos;
}
# requests that need to go to git-http-backend
location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
proxy_read_timeout 900;
fastcgi_read_timeout 900;
uwsgi_read_timeout 900;
client_max_body_size 20G;
root /my/git/repos;
fastcgi_pass unix:/var/run/fcgiwrap-git.socket;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param PATH_INFO $uri;
fastcgi_param GIT_PROJECT_ROOT $document_root;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param REMOTE_USER $remote_user;
include fastcgi_params;
}
}