* hydra/bayfront.scm (%hpc.guix.info-nginx-servers) (%guix-hpc.bordeaux.inria.fr-nginx-servers) (%logs.guix.gnu.org-nginx-servers) (%coordinator.bayfront.guix.gnu.org-nginx-servers) (%bayfront.guix.gnu.org-nginx-servers) (%bordeaux.guix.gnu.org-nginx-servers): Change 'ssl_protocols' nginx setting to "TLSv1.1 TLSv1.2 TLSv1.3". * hydra/lakeside.scm (%nginx-server-blocks): Likewise. * hydra/modules/sysadmin/nginx.scm (%tls-settings): Likewise. * hydra/nginx/hydra.gnu.org.conf: Likewise. * hydra/nginx/mirror.conf: Likewise.
# /etc/nginx/nginx.conf for hydra.gnu.org -- process-level settings.

# Account the worker processes run as.
user www-data;
worker_processes 1;

# Error log (errors only), pid file and lock file.
error_log /var/log/nginx/error.log error;
pid /var/run/nginx.pid;
lock_file /var/lock/nginx.lock;

# JIT-compile the PCRE patterns used by 'location' and 'if' below.
pcre_jit on;

events {
  worker_connections 1024;
}
http {
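include /etc/nginx/mime.types;
default_type application/octet-stream;

# Do not advertise the nginx version in the 'Server' header and on
# generated error pages; it only helps fingerprinting the front end.
server_tokens off;

client_body_temp_path /var/lib/nginx/body;
proxy_temp_path /var/lib/nginx/proxy;

access_log /var/log/nginx/access.log;

sendfile on;

# Maximum chunk size to send. Partly this is a workaround
# for <http://bugs.gnu.org/19939>, but also the nginx docs
# mention that "Without the limit, one fast connection may
# seize the worker process entirely."
# <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
sendfile_max_chunk 1m;

keepalive_timeout 65;

# Use HTTP 1.1 to talk to the backend so we benefit from
# keep-alive connections and chunked transfer encoding. The
# latter allows us to make sure we do not cache partial downloads.
proxy_http_version 1.1;

# The 'inactive' parameter for caching is not very useful in our
# case: all that matters is that LRU sweeping happens when
# 'max_size' is hit.

# Since 'guix publish' has its own cache, allocate little room for
# nginx's own cache.

# cache for nar files
proxy_cache_path /var/cache/nginx/nar
  levels=2
  inactive=8d          # inactive keys removed after 8d
  keys_zone=nar:4m     # nar cache meta data: ~32K keys
  max_size=50g;        # total cache data size max

# cache for static data
proxy_cache_path /var/cache/nginx/static
  levels=1
  inactive=10d         # inactive keys removed after 10d
  keys_zone=static:1m  # static cache meta data: ~8K keys
  max_size=200m;       # total cache data size max

# If Hydra cannot honor these delays, then something is wrong and
# we'd better drop the connection and return 504.
proxy_connect_timeout 7s;
proxy_read_timeout 10s;
proxy_send_timeout 10s;

# Cache timeouts for a little while to avoid increasing pressure.
proxy_cache_valid 504 30s;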
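# Plain-HTTP server.  Everything is served unencrypted here except the
# login, which is bounced to the HTTPS server below.
server {
  listen 80;
  server_name hydra.gnu.org;

  access_log /var/log/nginx/hydra.access.log;

  # Tell the backend how the client reached us.  Note that
  # $proxy_add_x_forwarded_for *appends* the peer address to whatever
  # X-Forwarded-For the client supplied, so the backend must only trust
  # the last (rightmost) entry -- the one nginx added -- and never the
  # first.
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # NOTE(review): lets the backend distinguish HTTP from HTTPS without
  # inferring it from the port -- confirm Hydra honours this header.
  proxy_set_header X-Forwarded-Proto $scheme;

  # XXX Block several bots that seem to disregard our robots.txt,
  # possibly because attempts to fetch robots.txt sometimes fail
  # due to gateway timeout :-(
  #
  # This is load shedding, not access control: User-Agent is chosen by
  # the client and trivially forged.  The match is case-sensitive,
  # hence both "GoogleBot" and "Googlebot".  'return' ends request
  # processing, so no 'break' is needed after it.
  if ($http_user_agent ~ "AhrefsBot|Baiduspider|bingbot|SeznamBot|BehloolBot|ltx71.com|GoogleBot|Googlebot|Companybook-Crawler|DotBot|YandexBot|SemrushBot|PaperLiBot|TwitterBot") {
    return 403;
  }

  location = /login {
    # Disallow unencrypted logins: redirect (302) to the HTTPS login
    # page.  This is equivalent to the former
    # 'error_page 403 = https://...; return 403;' pair, which also
    # produced a 302.  Hydra's client-side JS code is dumb and simply
    # says "Unknown server error" instead of following the
    # redirection, though.
    #
    # Caveat: this only prevents the login from *succeeding* over plain
    # HTTP.  A browser that loaded the login form over HTTP has already
    # sent the credentials in the clear by the time this redirect is
    # generated; only serving the form over HTTPS in the first place
    # (e.g. via HSTS on the HTTPS server) protects them.
    return 302 https://hydra.gnu.org/login;
  }

  include hydra.gnu.org-locations.conf;
}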
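# HTTPS server.
server {
  listen 443 ssl;
  server_name hydra.gnu.org;

  ssl_certificate /etc/letsencrypt/live/hydra.gnu.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/hydra.gnu.org/privkey.pem;

  # TLS 1.2 and 1.3 only.  SSLv2/v3 are never offered by nginx, and
  # TLS 1.0/1.1 are deprecated by RFC 8996: they have no AEAD suites
  # and only SHA-1 based MACs, so keeping TLS 1.1 enabled just lets a
  # downgrade land on a weaker handshake.  Mainstream TLS libraries
  # (OpenSSL, GnuTLS) have supported TLS 1.2 for a decade; check the
  # oldest 'guix substitute' client you still need to serve before
  # deploying.
  ssl_protocols TLSv1.2 TLSv1.3;

  # TLS 1.2 cipher suites: 'HIGH' excludes export/RC4/DES-grade suites,
  # '!aNULL' unauthenticated ones, '!MD5' MD5 MACs, and '!kRSA' static
  # RSA key exchange, so every remaining suite is (EC)DHE and gives
  # forward secrecy.  TLS 1.3 suites are not governed by this list; the
  # TLS library picks them (all are AEAD with forward secrecy).
  ssl_ciphers HIGH:!aNULL:!MD5:!kRSA;
  ssl_prefer_server_ciphers on;

  # Use our own DH parameters created with:
  #   openssl dhparam -out dhparams.pem 2048
  # as suggested at <https://weakdh.org/sysadmin.html>.
  ssl_dhparam /etc/dhparams.pem;

  # Not set here: 'Strict-Transport-Security'.  It would pin browsers
  # to HTTPS for every request to this host (it has no effect on
  # non-browser clients such as 'guix substitute').  Add
  #   add_header Strict-Transport-Security "max-age=31536000" always;
  # once all browser-facing content is meant to be served over HTTPS;
  # until then the plain-HTTP server remains reachable on purpose.

  access_log /var/log/nginx/hydra.https.access.log;

  # Forwarded headers; see the port-80 server for the X-Forwarded-For
  # trust caveat (only the rightmost entry is added by nginx).
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # NOTE(review): lets the backend distinguish HTTP from HTTPS without
  # inferring it from the port -- confirm Hydra honours this header.
  proxy_set_header X-Forwarded-Proto $scheme;

  # Same best-effort bot blocking as on port 80; not a security
  # control, the header is client-supplied.  'return' ends request
  # processing, so no 'break' is needed after it.
  if ($http_user_agent ~ "AhrefsBot|Baiduspider|bingbot|SeznamBot|BehloolBot|ltx71.com|GoogleBot|Googlebot|Companybook-Crawler|DotBot|YandexBot|SemrushBot|PaperLiBot|TwitterBot") {
    return 403;
  }

  include hydra.gnu.org-locations.conf;
}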
}