albert/fahrengit-451
1
0
Fork 0
mirror of https://github.com/aarmea/fahrengit-451.git synced 2026-03-22 08:58:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
fahrengit-451/nginx/templates/git.conf.template
Albert Armea c515981236 Fix nginx template substitution
2026-03-21 20:06:57 +00:00

57 lines
2.5 KiB
Text
Raw Blame History

# HTTP → HTTPS redirect + ACME challenge
server {
listen 80;
listen [::]:80;
server_name ${DOMAIN};
# Let's Encrypt webroot challenge
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS — main entry point
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name ${DOMAIN};
# ── TLS ───────────────────────────────────────────────────────────────────
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# ── Security headers ──────────────────────────────────────────────────────
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
# ── Geo-block check ───────────────────────────────────────────────────────
# The watcher renders a location block per repo that checks the per-repo
# variable and returns the configured status + body when blocked.
include /etc/nginx/geoblock/repo_locations.conf;
# ── Proxy to Forgejo ──────────────────────────────────────────────────────
location / {
proxy_pass http://forgejo:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Git push/pull can involve large objects
client_max_body_size 512m;
proxy_request_buffering off;
proxy_buffering off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
Reference in a new issue View git blame Copy permalink