# Port-80 virtual host for hg.sr.ht. Everything except the host name comes
# from shared include files whose contents are not part of this file.
server {
    # Shared settings (file not shown here).
    include sourcehut.conf;

    # Presumably the plain-HTTP listener and whatever it does with requests
    # (e.g. redirect to HTTPS) -- confirm against port80.conf.
    include port80.conf;

    server_name hg.sr.ht;
}
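# Main virtual host for hg.sr.ht: proxies the web UI and the GraphQL API to
# local backends and serves repository data for http(s) cloning straight from
# disk. port443.conf and hg-ssl.conf presumably hold the TLS listener and
# certificate settings -- their contents are not part of this file.
server {
    include sourcehut.conf;
    include port443.conf;
    include hg-ssl.conf;
    server_name hg.sr.ht;

    # Upper bound on request bodies for every location in this server.
    client_max_body_size 100M;

    # Web UI, proxied to the backend on 127.0.0.1:5010.
    location / {
        proxy_pass http://127.0.0.1:5010;
        include headers.conf;
        # NOTE(review): 'unsafe-inline' in script-src lets any injected inline
        # script run, so this policy gives little protection against XSS.
        # Moving inline scripts to files (or to nonces/hashes) would allow
        # dropping it. img-src * also permits images from any origin.
        # nginx inherits add_header from the enclosing level only when the
        # current level defines none, so headers set at server level do not
        # apply here unless headers.conf / web.conf repeat them -- confirm.
        add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'" always;
        include web.conf;
    }

    # GraphQL API, proxied to a separate backend on 127.0.0.1:5110.
    location /query {
        proxy_pass http://127.0.0.1:5110;
        include graphql.conf;
    }

    # Static assets served from the installed hgsrht package.
    # $python is not set in this file; it must be defined by one of the
    # includes or this root resolves to a non-existent path -- confirm.
    location /static {
        root /usr/lib/$python/site-packages/hgsrht;
        expires 30d;
    }

    # Let clients reach pull bundles. We don't really need to lock this down even for
    # private repos because the bundles are named after the revision hashes... so someone
    # would need to guess a SHA value to download anything.
    #
    # NOTE(review): this location has no auth_request, so the only barrier for
    # a private repository is knowledge of a revision hash. Hashes are
    # identifiers, not credentials: they show up wherever a changeset is
    # referenced. If bundle contents of private repos must stay confidential,
    # add "auth_request /authorize;" here as in the .hg location below.
    # nginx picks the first matching regex location in file order, so this
    # block has to stay above the generic .hg location to take effect.
    location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg/bundles/.*$ {
        root /var/lib/mercurial;
    }

    # http(s) cloning auth: target of the auth_request subrequest used below.
    location = /authorize {
        # Reachable only through nginx-internal requests (auth_request
        # subrequests count as internal); a direct client request gets 404.
        # The endpoint has no purpose for external callers.
        internal;
        proxy_pass http://127.0.0.1:5010;
        # The request body is not forwarded, and Content-Length is blanked
        # to match.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Tells the backend which URI the client originally requested.
        # proxy_set_header replaces any client-supplied value on this path.
        # NOTE(review): confirm the backend ignores X-Original-URI on requests
        # that arrive through "location /", where it is not overwritten here.
        proxy_set_header X-Original-URI $request_uri;
    }

    # http(s) cloning download access: repository files under
    # /var/lib/mercurial are served only after /authorize approves the request.
    # The pattern has no slash after ".hg", so it also matches path components
    # that merely begin with ".hg".
    location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg.*$ {
        auth_request /authorize;
        root /var/lib/mercurial;
    }
}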