-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathgithub.com.conf.template
89 lines (76 loc) · 3.17 KB
/
github.com.conf.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# Proxy git's smart http protocol to only certain organisations on github.com.
#
# https://git-scm.com/docs/http-protocol
server {
server_name github-proxy.opensafely.org;
root /var/www/html/;
listen ${PORT};
# We `git fetch` commits from a persistant bare repo, which over time can
# mean sending a lot of local state up to github as part of fetching. So
# this needs to be larger than you'd think
client_max_body_size 256K;
# no buffering
proxy_buffering off;
proxy_request_buffering off;
chunked_transfer_encoding on;
# github returns some large CSP headers
# we suspect that headers are *always* buffered, regardless of above
proxy_buffer_size 16k;
proxy_busy_buffers_size 16k; # must be >= to proxy_buffer_size
# We need a resolver configured so we can dynamically look up domains when
# redirecting. We make it an env var so that we can switch it out in prod
# for the Digital Ocean resolver
resolver ${RESOLVER};
# only the allowed orgs (currently opensafely, opensafely-core, and
# opensafely-actions) can be accessed
# basic git metadata operations
# location regex cannot match on query parameters
location ~ ^/(${ORGS})/[^/]+/info/refs {
limit_except GET { deny all; }
if ($args !~ "service=git-upload-pack") { return 403; }
proxy_pass https://github.com;
proxy_redirect default;
}
# git clone requires a POST, sadly so we allow it to the specific url
# we are protected somewhat by the client_max_body_size limit
location ~ ^/(${ORGS})/[^/]+/git-upload-pack {
limit_except POST { deny all; }
proxy_pass https://github.com;
proxy_redirect default;
# ensure Host header and SNI domain match
proxy_ssl_server_name on;
}
# allow ssh keys to be retreived for a user
location ~ ^/[^/]+\.keys {
limit_except GET { deny all; }
proxy_pass https://github.com;
proxy_redirect default;
# ensure Host header and SNI domain match
proxy_ssl_server_name on;
}
# allow release artifacts to be downloaded from specified repo only
location ~ ^/opensafely-core/backend-server/releases/download {
limit_except GET { deny all; }
proxy_pass https://github.com;
proxy_redirect default;
# ensure Host header and SNI domain match
proxy_ssl_server_name on;
# `releases/download` redirects to an S3 bucket, which is not accessible from
# backends. So handle redirects to S3 here in the proxy rather than
# passing back to the client
proxy_intercept_errors on;
error_page 301 302 307 = @handle_redirect;
}
location @handle_redirect {
# set saves the initial response's Location: header
set $redirect '$upstream_http_location';
# proxy the AWS location back to the client
proxy_pass $redirect;
# ensure Host header and SNI domain match
proxy_ssl_server_name on;
}
location / {
add_header 'Content-Type' 'text/plain; charset=UTF-8' always;
return 403 'This proxy only supports fetching commits from specific github organisations.';
}
}