Diffstat (limited to 'files/usr/local/etc/nginx')
-rw-r--r-- | files/usr/local/etc/nginx/fastcgi_params.git_server | 32 | ||||
-rw-r--r-- | files/usr/local/etc/nginx/vhosts.conf.git_server | 49 |
2 files changed, 81 insertions, 0 deletions
diff --git a/files/usr/local/etc/nginx/fastcgi_params.git_server b/files/usr/local/etc/nginx/fastcgi_params.git_server
new file mode 100644
index 0000000..49201e8
--- /dev/null
+++ b/files/usr/local/etc/nginx/fastcgi_params.git_server
@@ -0,0 +1,32 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+# Intentionally omitted here for cgit:
+# SCRIPT_FILENAM0E
+# SCRIPT_NAME
+# PATH_INFO
+# PATH_TRANSLATED
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $host;
+fastcgi_param REMOTE_USER $remote_user if_not_empty;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# Protect against HTTPoxy vuln
+fastcgi_param HTTP_PROXY "";
diff --git a/files/usr/local/etc/nginx/vhosts.conf.git_server b/files/usr/local/etc/nginx/vhosts.conf.git_server
new file mode 100644
index 0000000..fdd5f53
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.git_server 
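Review bot: The comment listing the deliberately omitted parameters has a typo, `# SCRIPT_FILENAM0E` should read `# SCRIPT_FILENAME`, and its stated reason is narrower than the actual use: both the gitolite and the cgit locations in vhosts.conf.git_server set SCRIPT_FILENAME and PATH_INFO themselves, so `# Intentionally omitted here; each location in vhosts.conf.git_server sets these per backend:` describes why they are left out. The vhost includes `fastcgi_params` rather than `fastcgi_params.git_server`, so presumably the deployment installs this file under the stock name; if so, any other vhost on the host that includes fastcgi_params also loses SCRIPT_NAME, which the stock file provides, and that is worth a line in the comment. Keeping `fastcgi_param REMOTE_USER $remote_user if_not_empty;` here means REMOTE_USER reaches gitolite-shell whenever nginx parsed an Authorization header, so its trustworthiness depends entirely on the vhost's auth and `satisfy` settings rather than on this file.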
@@ -0,0 +1,49 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+$(if [ "$git_public_fqdn" != "$fqdn" ]; then
+ cat <<EOF
+ ssl_certificate ${acme_cert_dir}/nginx.crt;
+ ssl_certificate_key ${acme_cert_dir}/nginx.key;
+ ssl_trusted_certificate ${acme_cert_dir}/nginx.ca.crt;
+EOF
+ else
+ cat <<EOF
+ ssl_certificate ${git_https_cert};
+ ssl_certificate_key ${git_https_key};
+EOF
+fi)
+
+ auth_gss_keytab ${git_keytab};
+ auth_gss_allow_basic_fallback ${git_basic_auth};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ root ${cgit_webroot};
+ try_files \$uri @cgit;
+
+ location ~ '^.+/(HEAD|info/refs|objects/(info/[^/]+|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))|git-(upload|receive)-pack)$' {
+ auth_gss on;
+ satisfy any;
+$(printf ' deny %s;\n' $kerberized_cidrs)
+ allow all;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/local/libexec/gitolite/gitolite-shell;
+ fastcgi_param PATH_INFO \$uri;
+ fastcgi_param GIT_HTTP_EXPORT_ALL '';
+ fastcgi_param GIT_PROJECT_ROOT ${gitolite_home}/repositories;
+ fastcgi_param GITOLITE_HTTP_HOME ${gitolite_home};
+ fastcgi_param PATH /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin;
+ fastcgi_pass unix:${gitolite_fcgiwrap_socket};
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${cgit_webroot}/cgit.cgi;
+ fastcgi_param SCRIPT_NAME '';
+ fastcgi_param PATH_INFO \$uri;
+ fastcgi_pass unix:${cgit_fcgiwrap_socket};
+ }
+}
|
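Review bot: The `deny` list in the git location is rendered by `$(printf ' deny %s;\n' $kerberized_cidrs)`, and when `kerberized_cidrs` is empty printf still emits its format once, so the generated config contains ` deny ;` and nginx refuses to load it; a loop produces nothing in that case: `$(for cidr in $kerberized_cidrs; do printf ' deny %s;\n' "$cidr"; done)`. Separately, `satisfy any` together with `allow all` means a request from outside those CIDRs is admitted without the GSS handler having succeeded, while the included fastcgi_params.git_server still forwards `REMOTE_USER $remote_user`, so whatever username such a client places in a Basic Authorization header would presumably reach gitolite-shell unverified unless the auth module blanks `$remote_user` on bypassed requests — worth confirming in a test by checking which user gitolite logs for an unauthenticated request from an allowed address. If it is not cleared, derive REMOTE_USER from a `geo` block over the same CIDRs so the value is only forwarded where authentication was actually enforced, and document that intent next to `satisfy any`. Also note that `try_files \$uri @cgit;` with `root ${cgit_webroot}` serves any existing file under the webroot statically, including cgit.cgi itself, which may be intended but deserves a comment.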