mirror of
https://github.com/aarmea/fahrengit-451.git
synced 2026-03-22 08:58:15 +00:00
cf99cd50f2
Change written by Claude Sonnet 4.6: I need to set up a Git hosting service for personal projects where certain repositories need to be blocked using the locale corresponding to the user’s IP address. Here are my constraints: * The entire system will be running on a single VPS instance. I should be able to `docker compose up -d` the whole thing. * For each repository that this feature is enabled, I need to be able to set the blocked locales down to the state level, along with a custom HTTP status code and response body. * You may assume that the IP address of the request is where it actually came from — for this exercise, if the user uses a VPN to bypass the restriction, that is on them. * To simplify a reverse proxy setup, you may assume that all Git operations will happen over HTTPS. I will firewall off SSH access. * I will be using Let's Encrypt for HTTPS. Some suggestions from prior research: * nginx seems like a reasonable reverse proxy that supports all of the requirements, but you may use a different one if it is simpler to implement or maintain. * I can obtain a MaxMind API key to get a geo-IP lookup table. If you use this, you will need to add a service that automatically retrieves the table at a reasonable frequency. * Forgejo seems like a reasonable, lightweight Git service, but you may use a different one if you’re aware of one that actually supports these requirements out of the box. Write me a production-ready `docker-compose.yml` and supporting scripts or configuration scaffolding for me to implement this.
54 lines
2.5 KiB
Nginx Configuration File
54 lines
2.5 KiB
Nginx Configuration File
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
|
|
|
|
user nginx;
|
|
worker_processes auto;
|
|
|
|
error_log /var/log/nginx/error.log notice;
|
|
pid /var/run/nginx.pid;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
# ── Logging ───────────────────────────────────────────────────────────────
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" country=$geoip2_country iso=$geoip2_subdivision';
|
|
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
keepalive_timeout 65;
|
|
|
|
# ── GeoIP2 database ───────────────────────────────────────────────────────
|
|
# The GeoLite2-City database gives us country + subdivision (state/province)
|
|
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
|
|
# ISO 3166-1 alpha-2 country code (e.g. "US")
|
|
$geoip2_country country iso_code;
|
|
# ISO 3166-2 subdivision code — country prefix stripped below
|
|
# Full value looks like "US-CA"; we expose just the subdivision part
|
|
$geoip2_subdivision subdivisions 0 iso_code;
|
|
}
|
|
|
|
# Compound key used in per-repo map blocks: "CC-SUBDIV" e.g. "US-CA"
|
|
# When the DB has no subdivision the variable is empty; the key becomes "CC-"
|
|
# which will not match any rule unless you explicitly add it.
|
|
map "$geoip2_country-$geoip2_subdivision" $geoip2_region_key {
|
|
default "";
|
|
include /etc/nginx/geoblock/repo_maps.conf;
|
|
}
|
|
|
|
# ── Per-repo block decision variables ─────────────────────────────────────
|
|
# Loaded from the rendered snippet produced by geoblock_watcher.
|
|
# Each repo gets a variable like $geoblock_<sanitised_repo_path>
|
|
# with value "" (allow) or "<status_code>:<body>" (block).
|
|
include /etc/nginx/geoblock/repo_vars.conf;
|
|
|
|
# ── Virtual hosts ─────────────────────────────────────────────────────────
|
|
include /etc/nginx/conf.d/*.conf;
|
|
}
|