#upstream rg-php-fpm {
# server unix:/run/php-fpm/rocketgit.sock;
#}
# HTTP server
server {
listen 80 backlog=128 rcvbuf=64k;
listen [::]:80 backlog=128 rcvbuf=64k;
server_name rg.domain.tld # add here, space separated, more names;
server_tokens off;
root /usr/share/rocketgit/root;
# TODO - is ok in this context?
client_max_body_size 1000m;
# more than that is written into a file first
client_body_buffer_size 128k;
# timeouts
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 10;
send_timeout 10;
# Security (ClickJacking)
add_header X-Frame-Options DENY;
access_log /var/log/nginx/rg-access.log;
error_log /var/log/nginx/rg-error.log;
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) { return 444; }
# Force the use of only one name even if we have more aliases.
# Before un-commenting it, change SERVERNAME and PORT to real values
#if ($host != SERVERNAME) {
# rewrite ^/?(.*)$ http://SERVERNAME:PORT/$1 permanent;
#}
location ~ ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ {
expires 1d;
}
location / {
gzip off;
# To be able to know that the client closed the connection
# TODO: equivalent for apache?
fastcgi_ignore_client_abort off;
# To allow streaming of the response data to client
fastcgi_buffering off;
# TODO
fastcgi_keep_conn on;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/index.php$fastcgi_script_name;
fastcgi_pass unix:/run/php-fpm/rocketgit.sock;
}
}
# HTTPS server
server {
listen 443 ssl backlog=128 rcvbuf=64k;
listen [::]:443 ssl backlog=128 rcvbuf=64k;
server_name rg.domain.tld # add here, space separated, more names;
server_tokens off;
root /usr/share/rocketgit/root;
# TODO - is ok in this context?
client_max_body_size 1000m;
# more than that is written into a file first
client_body_buffer_size 128k;
# timeouts
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 10;
send_timeout 10;
# Security (ClickJacking)
add_header X-Frame-Options DENY;
add_header Strict-Transport-Security "max-age=31536000";
access_log /var/log/nginx/rg-ssl-access.log;
error_log /var/log/nginx/rg-ssl-error.log;
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) { return 444; }
# Force the use of only one name even if we have more aliases.
# Before un-commenting it, change SERVERNAME and PORT to real values
#if ($host != SERVERNAME) {
# rewrite ^/?(.*)$ http://SERVERNAME:PORT/$1 permanent;
#}
location ~ ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ {
expires 1d;
}
location / {
gzip off;
# To be able to know that the client closed the connection
# TODO: equivalent for apache?
fastcgi_ignore_client_abort off;
# To allow streaming of the response data to client
fastcgi_buffering off;
# TODO
fastcgi_keep_conn on;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/index.php$fastcgi_script_name;
fastcgi_pass unix:/run/php-fpm/rocketgit.sock;
}
ssl_certificate /etc/pki/tls/certs/localhost.crt;
ssl_certificate_key /etc/pki/tls/private/localhost.key;
ssl_prefer_server_ciphers on;
# Specify the cyphers to get an A+ on Qualys (ssllabs.com); recommended
# https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_protocols TLSv1.2;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
# To generate pin-sha256 string: openssl s_client -servername <server> -connect <server>:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# add_header Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains; report-uri=\"https://www.example.org/hpkp-report\""
# add_header Public-Key-Pins-Report-Only ... # to not block users!
}
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://code.reversed.top/user/xaizek/rocketgit
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@code.reversed.top/user/xaizek/rocketgit
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a
pull request:
... clone the repository ...
... make some changes and some commits ...
git push origin master