#upstream rg-php-fpm {
#        server unix:/run/php-fpm/rocketgit.sock;
#}

# HTTP server
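server {
	listen 80 backlog=128 rcvbuf=64k;
	listen [::]:80 backlog=128 rcvbuf=64k;
	# Add more names here, space separated. Keep the comment on its own
	# line: nginx reads a directive up to the first ';', and a '#' placed
	# before the ';' comments it out, so the tokens of the next directive
	# (server_tokens off) would be parsed as extra server names and that
	# directive would silently not be applied.
	server_name rg.domain.tld;
	# Do not advertise the nginx version in the Server header / error pages.
	server_tokens off;
	root /usr/share/rocketgit/root;

	# If the HTTPS server is set up, prefer sending plain-HTTP clients there;
	# the HSTS header of the HTTPS server only takes effect once clients reach
	# it. With the return in place everything below it in this server is
	# never reached and can be removed.
	#return 301 https://$host$request_uri;

	# "git push" sends the packfile as the request body, so this must be large
	# enough for the biggest push expected; it is also the upper bound on what
	# any client can make nginx accept before the application sees the request.
	client_max_body_size 1000m;
	# Bodies larger than this are spooled to a temporary file first.
	client_body_buffer_size 128k;

	# Timeouts (seconds); kept short to limit slow-client connection hogging.
	client_body_timeout 10;
	client_header_timeout 10;
	keepalive_timeout 10;
	send_timeout 10;

	# Security headers. add_header is inherited by a location only when that
	# location defines no add_header of its own - keep that in mind when
	# adding headers inside the locations below.
	add_header X-Frame-Options DENY;			# clickjacking
	add_header X-Content-Type-Options nosniff;	# no MIME sniffing of responses

	access_log /var/log/nginx/rg-access.log;
	error_log /var/log/nginx/rg-error.log;

	# Only the methods the application needs (git smart HTTP uses GET and
	# POST); anything else gets the connection closed without a response.
	if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) { return 444; }

	# Force the use of only one name even if we have more aliases.
	# Before un-commenting it, change SERVERNAME (and PORT - only needed when
	# it is not 80) to real values. $request_uri keeps path and query string.
	#if ($host != SERVERNAME) {
	#	return 301 http://SERVERNAME:PORT$request_uri;
	#}

	# Static files served directly by nginx (a matching regex location wins
	# over the "/" prefix location below). A missing file gives nginx's 404.
	location ~ ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ {
		expires 1d;
	}

	# Everything else goes to the PHP front controller.
	location / {
		gzip off;

		# To be able to know that the client closed the connection
		# TODO: equivalent for apache?
		fastcgi_ignore_client_abort off;

		# To allow streaming of the response data to client
		fastcgi_buffering off;

		# TODO
		fastcgi_keep_conn	on;

		include /etc/nginx/fastcgi_params;
		# The script handed to PHP-FPM is always index.php; the request path
		# is appended so PHP sees it as path info. NOTE(review): this relies on
		# PHP's path-info resolution (cgi.fix_pathinfo) - verify on the target
		# PHP build. No other .php file under root is reachable this way.
		fastcgi_param SCRIPT_FILENAME	$document_root/index.php$fastcgi_script_name;

		fastcgi_pass unix:/run/php-fpm/rocketgit.sock;
	}
}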

# HTTPS server
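server {
	listen 443 ssl backlog=128 rcvbuf=64k;
	listen [::]:443 ssl backlog=128 rcvbuf=64k;
	# Add more names here, space separated. Keep the comment on its own
	# line: nginx reads a directive up to the first ';', and a '#' placed
	# before the ';' comments it out, so the tokens of the next directive
	# (server_tokens off) would be parsed as extra server names and that
	# directive would silently not be applied.
	server_name rg.domain.tld;
	# Do not advertise the nginx version in the Server header / error pages.
	server_tokens off;
	root /usr/share/rocketgit/root;

	# "git push" sends the packfile as the request body, so this must be large
	# enough for the biggest push expected; it is also the upper bound on what
	# any client can make nginx accept before the application sees the request.
	client_max_body_size 1000m;
	# Bodies larger than this are spooled to a temporary file first.
	client_body_buffer_size 128k;

	# Timeouts (seconds); kept short to limit slow-client connection hogging.
	client_body_timeout 10;
	client_header_timeout 10;
	keepalive_timeout 10;
	send_timeout 10;

	# Security headers. add_header is inherited by a location only when that
	# location defines no add_header of its own - keep that in mind when
	# adding headers inside the locations below.
	add_header X-Frame-Options DENY;			# clickjacking
	add_header X-Content-Type-Options nosniff;	# no MIME sniffing of responses
	# HSTS for one year. includeSubDomains / preload are deliberately not set:
	# they bind every subdomain of the host, add them only if all of them
	# serve HTTPS. The header only helps once clients reach this server, so
	# redirect port 80 here. Append "always" (nginx 1.7.5+) to also send it
	# on error responses.
	add_header Strict-Transport-Security "max-age=31536000";

	access_log /var/log/nginx/rg-ssl-access.log;
	error_log /var/log/nginx/rg-ssl-error.log;

	# Only the methods the application needs (git smart HTTP uses GET and
	# POST); anything else gets the connection closed without a response.
	if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) { return 444; }

	# Force the use of only one name even if we have more aliases.
	# Before un-commenting it, change SERVERNAME (and PORT - only needed when
	# it is not 443) to real values. Redirect to https, never to http: a
	# plain-http target would downgrade clients that already reached TLS.
	# $request_uri keeps path and query string.
	#if ($host != SERVERNAME) {
	#	return 301 https://SERVERNAME:PORT$request_uri;
	#}

	# Static files served directly by nginx (a matching regex location wins
	# over the "/" prefix location below). A missing file gives nginx's 404.
	location ~ ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ {
		expires 1d;
	}

	# Everything else goes to the PHP front controller.
	location / {
		gzip off;

		# To be able to know that the client closed the connection
		# TODO: equivalent for apache?
		fastcgi_ignore_client_abort off;

		# To allow streaming of the response data to client
		fastcgi_buffering off;

		# TODO
		fastcgi_keep_conn	on;

		include /etc/nginx/fastcgi_params;
		# The script handed to PHP-FPM is always index.php; the request path
		# is appended so PHP sees it as path info. NOTE(review): this relies on
		# PHP's path-info resolution (cgi.fix_pathinfo) - verify on the target
		# PHP build. No other .php file under root is reachable this way.
		fastcgi_param SCRIPT_FILENAME	$document_root/index.php$fastcgi_script_name;

		fastcgi_pass unix:/run/php-fpm/rocketgit.sock;
	}

	# TLS. The two paths below are placeholders: point them at the real
	# certificate chain and private key (key readable by nginx only).
	ssl_certificate /etc/pki/tls/certs/localhost.crt;
	ssl_certificate_key /etc/pki/tls/private/localhost.key;
	ssl_prefer_server_ciphers on;
	# Forward-secret (ECDHE/DHE) suites only, AEAD (GCM) first. The RC4
	# entries of the earlier list were dead - RC4 was excluded again at the
	# end - so they are dropped; the result is the same suite set. The bare
	# "EECDH" and "EDH+aRSA" entries still admit CBC/SHA1 suites for older
	# clients; remove them for AEAD-only. Reference for the A+ rating:
	# https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
	# DHE suites (EDH+aRSA) need DH parameters: generate at least 2048-bit
	# ones (openssl dhparam -out /etc/nginx/dhparam.pem 2048) and set
	# ssl_dhparam, or drop EDH+aRSA above. Do not rely on a built-in default -
	# older nginx releases shipped weak 1024-bit parameters.
	#ssl_dhparam /etc/nginx/dhparam.pem;
	# Add TLSv1.3 once nginx (1.13.0+) runs against OpenSSL 1.1.1 or newer.
	ssl_protocols TLSv1.2;
	ssl_session_cache shared:SSL:1m;
	ssl_session_timeout 5m;
	# Unless ssl_session_ticket_key files are rotated, the ticket key stays the
	# same until nginx is reloaded, which weakens forward secrecy for resumed
	# sessions; disable tickets and let the session cache above do resumption.
	ssl_session_tickets off;

	# HTTP Public Key Pinning is deprecated and current browsers have removed
	# support for it; a wrong pin locks users out for the whole max-age.
	# Kept commented, for reference only.
	# https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
	# To generate the pin-sha256 string ("pkey" works for RSA and EC keys alike):
	# openssl s_client -servername <server> -connect <server>:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
	# add_header Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains; report-uri=\"https://www.example.org/hpkp-report\"";
	# add_header Public-Key-Pins-Report-Only ... # to not block users!

}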