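# Plain-HTTP virtual host: answers /.well-known/ and /robots.txt directly
# and redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name gitlist.patrikx3.com;

    error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
    access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;

    root /var/www/gitlist.patrikx3.com/public;

    # Anchored prefix match. The previous unanchored regex (`~ /.well-known`)
    # matched the string anywhere in the URI, and its unescaped dot matched
    # any character. `^~` also stops later regex locations from taking over.
    location ^~ /.well-known/ {
        auth_basic off;
        auth_pam off;
        allow all;
        root /var/www/acme-challenge;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The redirect lives in a location on purpose: a server-level `return`
    # runs before location matching, which made the two locations above
    # unreachable.
    # NOTE(review): $host follows the client's Host header; if this block can
    # be the default server for port 80, consider a fixed host name here.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS virtual host: GitList (PHP) plus git smart/dumb HTTP, all behind PAM
# authentication except /.well-known/.
server {
    # TLS is enabled by the `ssl` parameter of `listen`; the separate
    # `ssl on;` directive is deprecated and was dropped.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name gitlist.patrikx3.com;

    error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
    access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;

    root /var/www/gitlist.patrikx3.com/public;

    ssl_certificate /root/acme/ssl/patrikx3.com/fullchain.cer;
    ssl_certificate_key /root/acme/ssl/patrikx3.com/patrikx3.com.key;

    # Authentication uses PAM (the built-in Linux authentication stack).
    # A password file is the alternative:
    #   auth_basic on;
    #   auth_basic_user_file /etc/nginx/.htpasswd;
    # The credentials travel as HTTP Basic auth on every request, so this must
    # stay on the TLS server only. The PAM service "nginx" decides which
    # accounts may log in; review that PAM service definition so it admits
    # only the intended users.
    auth_pam "Restricted";
    auth_pam_service_name "nginx";

    # Both zones are expected to be declared in the http context, outside this
    # file section. A burst of 1000 leaves a lot of room for password
    # guessing against PAM accounts; NOTE(review): confirm the zone rate.
    limit_req zone=default_limit burst=1000;
    limit_conn default_limit_conn 100;

    # The only unauthenticated path. Anchored prefix match, see the port-80
    # server for why the unanchored regex was replaced.
    location ^~ /.well-known/ {
        auth_basic off;
        auth_pam off;
        allow all;
        root /var/www/acme-challenge;
    }

    # `allow all` only affects the access module; the server-level auth_pam
    # is inherited here, so this file still requires credentials over HTTPS.
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # nginx strips the outer quotes of a string, so the CSP keyword needs its
    # own single quotes inside the value: 'self' (keyword), not self (a host).
    set $x_frame_options_policy "'self'";

    add_header Strict-Transport-Security "max-age=31536000; " always;
    # ALLOW-FROM is obsolete and ignored by current browsers; SAMEORIGIN
    # matches the frame-ancestors policy below.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "frame-ancestors $x_frame_options_policy" always;

    index index.php;

    location / {
        # Directory listings are generated for directories under the public
        # root; keep only files meant to be browsable there.
        autoindex on;
        set $redirect_url $uri;
        try_files $uri $uri/ /index.php$is_args$query_string;
    }

    # Only the front controller is handed to PHP-FPM.
    location = /index.php {
        include snippets/fastcgi-php.conf;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-git.sock;
    }

    # Static repo files for cloning over https (loose objects and packs).
    # The dot before (pack|idx) is escaped so it matches a literal dot only.
    location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+\.(pack|idx))$ {
        root /my/git/repos;
    }

    # Requests that need to go to git-http-backend.
    location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
        proxy_read_timeout 900;
        fastcgi_read_timeout 900;
        uwsgi_read_timeout 900;
        # Large pushes are accepted; a request body may reach 20G.
        client_max_body_size 20G;

        root /my/git/repos;

        fastcgi_pass unix:/var/run/fcgiwrap-git.socket;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param GIT_PROJECT_ROOT $document_root;
        # Setting GIT_HTTP_EXPORT_ALL (even to an empty value) exports every
        # repository under GIT_PROJECT_ROOT without a git-daemon-export-ok
        # marker file.
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        # git-http-backend treats a request with REMOTE_USER set as
        # authenticated, which by default also permits git-receive-pack
        # (push): every account PAM accepts can push to every repository here.
        fastcgi_param REMOTE_USER $remote_user;
        include fastcgi_params;
    }
}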