Unify configs, enhance SSL security

triton.fet.at/git.conf

@@ -2,21 +2,25 @@
 server {
     listen 80;
     server_name www.git.triton.fet.at git.triton.fet.at;
+
+    location /.well-known {
+        root /srv/welcome;
+        allow all;
+    }
     location /{
         return 301 https://$host$request_uri;
     }
-    location /.well-known {
-        root /srv/welcome;
-	allow all;
-    }
-
 }
+
 server {
-    listen  443 ssl;
-    #    listen 80;
+    listen 443 ssl http2;
     server_name www.git.triton.fet.at git.triton.fet.at;
+
     ssl_certificate /etc/letsencrypt/live/triton.fet.at/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/triton.fet.at/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/triton.fet.at/chain.pem;
+
+    include snippets/ssl.conf;
 
 #    satisfy any;
 #    allow 192.168.95.0/24;
@@ -25,54 +29,66 @@ server {
 #    
 #    auth_ldap "FET Login";
 #    auth_ldap_servers fet;   
+    access_log  logs/git.triton.access.log;
 
-    location /.well-known {
-        root /srv/welcome;
-	allow all;
-    }
     location = / {
-        return 302 https://$host/http/;
-        }
-    
+        return 302 https://$host/git/;
+    }
     location /http {
-        auth_ldap "FET Login";
-        auth_ldap_servers fet;   
-        root /srv/git/;
+        include snippets/ldap.conf;
+        root /mnt/git_repo/;
         index index.html;
     }
+    location /static {
+        alias /srv/gitweb/static;
+    allow all;
+    }
+    location /git/static {
+        alias /srv/gitweb/static;
+    allow all;
+    }
+    location /git {
+        include snippets/ldap.conf;
+
+    fastcgi_pass unix:/var/run/fcgiwrap.socket;
+    fastcgi_param SCRIPT_FILENAME /srv/gitweb/gitweb.cgi;
+#   fastcgi_param GIT_HTTP_EXPORT_ALL "";
+    fastcgi_param GIT_PROJECT_ROOT /mnt/git_repo;
+    fastcgi_param PATH_INFO $uri;
+    fastcgi_param REMOTE_USER $remote_user;
+    include fastcgi_params;
+    }
     location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {
-            satisfy any;
-            allow 192.168.95.0/24;
-            allow 127.0.0.1;
-            deny all;
+        satisfy any;
+        allow 192.168.95.0/24;
+        allow 127.0.0.1;
+        deny all;
             
-        auth_ldap "FET Login";
-       auth_ldap_servers fet;   
-       root /srv/git/git/;
+        include snippets/ldap.conf;
+        root /mnt/git_repo/;
     }
     location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
 #            satisfy any;
 #            allow 192.168.95.0/24;
 #            allow 127.0.0.1;
 #            deny all;
-        auth_ldap "FET Login";
-        auth_ldap_servers fet;   
+        include snippets/ldap.conf;
 
-        root /srv/git/git/;
+        root /mnt/git_repo/git/;
         #        if ($remote_user = '') {
-        #            set $my_remote_user "nobody";
+        #            set $remote_user "nobody";
         #        }
         #       if ($remote_user ~* '')
         #        {  set $my_remote_user $remote_user;
         #        }
-	client_max_body_size 0;
-	fastcgi_pass unix:/var/run/fcgiwrap.socket;
-	fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
-	fastcgi_param GIT_HTTP_EXPORT_ALL "";
-	fastcgi_param GIT_PROJECT_ROOT /srv/git;
-	fastcgi_param PATH_INFO $uri;
-	fastcgi_param REMOTE_USER $remote_user;
-	include fastcgi_params;
-
+    client_max_body_size 0;
+    fastcgi_pass unix:/var/run/fcgiwrap.socket;
+    fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+    fastcgi_param GIT_HTTP_EXPORT_ALL "";
+    fastcgi_param GIT_PROJECT_ROOT /mnt/git_repo;
+    fastcgi_param PATH_INFO $uri;
+    fastcgi_param REMOTE_USER $remote_user;
+    include fastcgi_params;
     }
 }
+