Gitea without SSH passthrough

2020-11-25 21:33:30 +00:00
parent 64b8830cbf
commit 8bf189c3d5
3 changed files with 107 additions and 8 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -26,14 +26,51 @@ http {
    set_real_ip_from  172.16.0.0/12;
    set_real_ip_from  192.168.0.0/16;
    real_ip_header    X-Real-IP;
+    
+    # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+    # scheme used to connect to this server
+    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+        default $http_x_forwarded_proto;
+        ''      $scheme;
+    }
+
+    # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+    # server port the client connected to
+    map $http_x_forwarded_port $proxy_x_forwarded_port {
+        default $http_x_forwarded_port;
+        ''      $server_port;
+    }
+
+    # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+    # Connection header that may have been passed to this server
+    map $http_upgrade $proxy_connection {
+        default upgrade;
+        '' close;
+    }
+
+    # Set appropriate X-Forwarded-Ssl header
+    map $scheme $proxy_x_forwarded_ssl {
+        default off;
+        https on;
+    }
+
+    # HTTP 1.1 support
+    proxy_http_version 1.1;
+    proxy_buffering off;
+    proxy_set_header Host $http_host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+    proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+    proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+    # Mitigate httpoxy attack (see README for details)
+    proxy_set_header Proxy "";

-    # Connect to service services
    upstream monica-handler {
        server monica:9000;
    }
-    upstream nextcloud-handler {
-        server nextcloud:9000;
-    }

    server {
        listen 443 ssl http2;
@@ -167,6 +204,9 @@ http {
        }
    }

+    upstream nextcloud-handler {
+        server nextcloud:9000;
+    }

    server {
        listen 443 ssl http2;
@@ -299,4 +339,24 @@ http {
            access_log off;
        }
    }
+
+    upstream gitea-handler {
+        server gitea:3000;
+    }
+
+    server {
+        listen 443 ssl http2;
+
+        ssl_certificate /etc/nginx/certs/labs.scarif.local.crt;
+        ssl_certificate_key /etc/nginx/certs/labs.scarif.local.key;
+
+        gzip_types text/plain text/css application/json application/x-javascript
+                   text/xml application/xml application/xml+rss text/javascript;
+
+        server_name labs.scarif.local;
+
+        location / {
+            proxy_pass http://gitea-handler;
+        }
+    }
 }