blob: fdd5f531b43220a084d43e46463ea903b0ea613d (
plain) (
tree)
|
|
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
$(if [ "$git_public_fqdn" != "$fqdn" ]; then
cat <<EOF
ssl_certificate ${acme_cert_dir}/nginx.crt;
ssl_certificate_key ${acme_cert_dir}/nginx.key;
ssl_trusted_certificate ${acme_cert_dir}/nginx.ca.crt;
EOF
else
cat <<EOF
ssl_certificate ${git_https_cert};
ssl_certificate_key ${git_https_key};
EOF
fi)
auth_gss_keytab ${git_keytab};
auth_gss_allow_basic_fallback ${git_basic_auth};
add_header Strict-Transport-Security "max-age=63072000" always;
root ${cgit_webroot};
try_files \$uri @cgit;
location ~ '^.+/(HEAD|info/refs|objects/(info/[^/]+|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))|git-(upload|receive)-pack)$' {
auth_gss on;
satisfy any;
$(printf ' deny %s;\n' $kerberized_cidrs)
allow all;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/local/libexec/gitolite/gitolite-shell;
fastcgi_param PATH_INFO \$uri;
fastcgi_param GIT_HTTP_EXPORT_ALL '';
fastcgi_param GIT_PROJECT_ROOT ${gitolite_home}/repositories;
fastcgi_param GITOLITE_HTTP_HOME ${gitolite_home};
fastcgi_param PATH /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin;
fastcgi_pass unix:${gitolite_fcgiwrap_socket};
}
location @cgit {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${cgit_webroot}/cgit.cgi;
fastcgi_param SCRIPT_NAME '';
fastcgi_param PATH_INFO \$uri;
fastcgi_pass unix:${cgit_fcgiwrap_socket};
}
}
|
