server {
listen 80 ;
listen [::]:80 ;
server_name gitlist.patrikx3.com;
error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
root /var/www/gitlist.patrikx3.com/public;
location ~ /.well-known {
auth_basic off;
auth_pam off;
allow all;
root /var/www/acme-challenge;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
return 301 https://$host$request_uri;
}
server {
ssl on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name gitlist.patrikx3.com;
error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
root /var/www/gitlist.patrikx3.com/public;
ssl_certificate /root/acme/ssl/patrikx3.com/fullchain.cer;
ssl_certificate_key /root/acme/ssl/patrikx3.com/patrikx3.com.key;
auth_pam "Restricted";
auth_pam_service_name "nginx";
limit_req zone=default_limit burst=1000;
limit_conn default_limit_conn 100;
location = /config.ini {
deny all;
return 404;
}
location ~ /.well-known {
auth_basic off;
auth_pam off;
allow all;
root /var/www/acme-challenge;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
set $x_frame_options_policy 'self';
add_header Strict-Transport-Security "max-age=31536000; " always;
add_header X-Frame-Options "ALLOW-FROM gitlist.patrikx3.com";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors $x_frame_options_policy";
index index.php;
location / {
autoindex on;
set $redirect_url $uri;
try_files $uri $uri/ /index.php$is_args$query_string;
}
location = /index.php {
include snippets/fastcgi-php.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/var/run/php/php7.3-fpm-git.sock;
}
# static repo files for cloning over https
location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {
root /my/git/repos;
}
# requests that need to go to git-http-backend
location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
proxy_read_timeout 900;
fastcgi_read_timeout 900;
uwsgi_read_timeout 900;
client_max_body_size 20G;
root /my/git/repos;
fastcgi_pass unix:/var/run/fcgiwrap-git.socket;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param PATH_INFO $uri;
fastcgi_param GIT_PROJECT_ROOT $document_root;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param REMOTE_USER $remote_user;
include fastcgi_params;
}
}