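# Plain-HTTP virtual host: answers ACME challenge and robots.txt requests
# directly and redirects everything else to the HTTPS virtual host.
server {

    listen 80;
    listen [::]:80;

    server_name gitlist.patrikx3.com;

    error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
    access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
    root /var/www/gitlist.patrikx3.com/public;

    # Challenge files live outside the application root. A prefix match (^~)
    # replaces the former unanchored regex, which matched "/.well-known"
    # (with "." as a wildcard) anywhere inside a URI.
    location ^~ /.well-known/ {
        auth_basic off;
        auth_pam off;
        allow all;
        root /var/www/acme-challenge;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The redirect sits in a location on purpose: a server-level `return`
    # is evaluated before location selection, which made the two locations
    # above unreachable (challenge requests were redirected as well).
    # $server_name is used instead of $host so the redirect target cannot be
    # steered by a client-supplied Host header.
    location / {
        return 301 https://$server_name$request_uri;
    }
}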


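# HTTPS virtual host: GitList web UI (PHP-FPM) plus git clone/push over HTTP
# (static object files and git-http-backend), behind PAM authentication.
server {

    # The standalone `ssl on;` directive was dropped: the `ssl` flag on the
    # listen directives already enables TLS, and `ssl on;` is deprecated
    # since nginx 1.15.0 and rejected from 1.25.1 on.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name gitlist.patrikx3.com;

    error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
    access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
    root /var/www/gitlist.patrikx3.com/public;

    ssl_certificate /root/acme/ssl/patrikx3.com/fullchain.cer;
    ssl_certificate_key /root/acme/ssl/patrikx3.com/patrikx3.com.key;

    # PAM authentication applies to every location below unless a location
    # switches it off explicitly.
    auth_pam "Restricted";
    auth_pam_service_name "nginx";

    # Zones are referenced by name only; their definitions are not in this
    # file (presumably in the http context -- confirm rate and size there).
    limit_req zone=default_limit burst=1000;
    limit_conn default_limit_conn 100;

    # Never serve the application config. `return` answers during the
    # rewrite phase, so clients always see a 404 here.
    location = /config.ini {
        deny all;
        return 404;
    }

    # Unauthenticated on purpose (ACME challenges). A prefix match (^~)
    # replaces the former unanchored regex, which switched PAM off for any
    # URI that merely contained "/.well-known" ("." matched any character).
    location ^~ /.well-known/ {
        auth_basic off;
        auth_pam off;
        allow all;
        root /var/www/acme-challenge;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # nginx strips one level of quotes from a `set` value, so 'self' alone
    # ended up in the header as the bare host name `self` rather than the CSP
    # keyword. The inner single quotes must be protected by double quotes.
    set $x_frame_options_policy "'self'";

    # `always` makes nginx send the headers on error responses too (401, 404,
    # 5xx), not only on 2xx/3xx. Any location that declares its own
    # add_header stops inheriting this whole set.
    add_header Strict-Transport-Security "max-age=31536000; " always;
    # ALLOW-FROM is obsolete and ignored by current browsers; SAMEORIGIN
    # expresses the same intent and agrees with frame-ancestors below.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "frame-ancestors $x_frame_options_policy" always;


    index index.php;

    location / {
        # NOTE(review): autoindex produces a directory listing for any
        # directory under root that has no index file; confirm it is wanted.
        autoindex on;
        set $redirect_url $uri;
        try_files $uri $uri/ /index.php$is_args$query_string;
    }

    # Only the front controller is handed to PHP-FPM.
    location = /index.php {
        include snippets/fastcgi-php.conf;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        # NOTE(review): the socket name points at PHP 7.3, which is past
        # upstream end-of-life; plan an upgrade of the FPM pool.
        fastcgi_pass unix:/var/run/php/php7.3-fpm-git.sock;
    }

    # static repo files for cloning over https
    # (the dot before pack|idx is now escaped so it matches a literal ".")
    location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+\.(pack|idx))$ {
        root /my/git/repos;
    }

    # requests that need to go to git-http-backend
    location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
        # Only fastcgi_read_timeout takes effect with fastcgi_pass; the proxy
        # and uwsgi timeouts are kept as found but are inert in this location.
        proxy_read_timeout 900;
        fastcgi_read_timeout 900;
        uwsgi_read_timeout 900;

        # Large request bodies are accepted so that pushes fit; the PAM login
        # and the limits above are the only controls in front of this.
        client_max_body_size 20G;
        root /my/git/repos;
        fastcgi_pass unix:/var/run/fcgiwrap-git.socket;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param GIT_PROJECT_ROOT $document_root;
        # Exports every repository under GIT_PROJECT_ROOT, with or without a
        # git-daemon-export-ok marker file.
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        # git-http-backend enables receive-pack (push) for requests carrying
        # REMOTE_USER, so every account that passes PAM can push unless the
        # repositories set http.receivepack themselves.
        fastcgi_param REMOTE_USER $remote_user;
        include fastcgi_params;
    }
}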