# this routing file is included in the hagrid http block # it is assumed that hagrid runs on localhost:8080 # To protect against DOS, we limit the size of possible uploads. client_max_body_size 1m; client_body_buffer_size 128k; limit_req_status 429; # Change all HTTP 502 errors into 500, to avoid being "marked as dead" by GnuPG # if we ever get a spurious 502 (e.g. during a restart of hagrid). # See https://gitlab.com/sequoia-pgp/hagrid/issues/94 error_page 502 =500 /502; location /502 { return 500; } # for x-accel-redirect forwards location /keys { internal; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; } location /vks/v1/upload { proxy_pass http://127.0.0.1:8080; } location /vks/v1/request-verify { proxy_pass http://127.0.0.1:8080; } location /vks { location ~ ^/vks/v1/by-fingerprint/(?:0x)?([^/][^/])([^/][^/])(..*)$ { limit_req zone=search_fpr_keyid burst=1000 nodelay; error_page 404 /errors-static/404-by-fpr.htm; default_type application/pgp-keys; add_header Content-Disposition 'attachment; filename="$1$2$3.asc"'; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; try_files /keys/links/by-fpr/$1/$2/$3 =404; } location ~ ^/vks/v1/by-keyid/(?:0x)?([^/][^/])([^/][^/])(.*)$ { limit_req zone=search_fpr_keyid burst=1000 nodelay; error_page 429 /errors-static/429-rate-limit-vks-fpr.htm; error_page 404 /errors-static/404-by-keyid.htm; default_type application/pgp-keys; add_header Content-Disposition 'attachment; filename="$1$2$3.asc"'; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; try_files /keys/links/by-keyid/$1/$2/$3 =404; } location /vks/v1/by-email/ { limit_req zone=search_email burst=50 nodelay; limit_req zone=search_email_loose burst=200 nodelay; error_page 429 /errors-static/429-rate-limit-vks-email.htm; set $args ""; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; proxy_pass http://127.0.0.1:8080; # we have some trouble with uri encoding here. just route through # hagrid, for now. # error_page 404 /errors-static/404-by-email.htm; # default_type application/pgp-keys; # add_header Content-Disposition 'attachment; filename="$1$2$3.asc"'; # try_files /keys/links/by-email/$1/$2/$3 =404; } add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; error_page 400 /errors-static/400-vks-invalid.htm; return 400; } # Common HKP requests. location /pks/lookup { if ($arg_op !~ "^index|get$") { error_page 400 /errors-static/400-pks-invalid.htm; return 400; } if ($arg_search = '') { error_page 400 /errors-static/400-pks-invalid.htm; return 400; } # rewrite this to a path we can match on (right below) # urldecode the search parameter set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"%%(%x%x)\", function(x) return string.char(tonumber(x, 16)) end)" $arg_search; # if the search argument contains angle brackets, strip everything around them set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"^.*<([^>]-)>.*$\", \"%1\")" $arg_search_decoded; rewrite . /pks/internal/$arg_op/$arg_search_decoded last; } # WKD requests location /.well-known/openpgpkey { location ~ "^/.well-known/openpgpkey/([^/]+)/hu/([^/][^/])([^/][^/])(.*)" { limit_req zone=search_email burst=50 nodelay; limit_req zone=search_email_loose burst=200 nodelay; error_page 429 /errors-static/429-rate-limit-vks-email.htm; error_page 404 /errors-static/404-wkd.htm; default_type application/octet-stream; add_header Content-Disposition 'attachment; filename="$2$3$4.asc"'; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; try_files /keys/links/wkd/$1/$2/$3/$4 =404; } location ~ "^/.well-known/openpgpkey/([^/]+)/policy$" { default_type text/plain; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; return 200 ''; } add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; error_page 400 /errors-static/400-wkd-invalid.htm; return 400; } location /pks/internal { internal; # search by key id # sq keyserver get , gpg --receive-keys location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{16})$" { set_by_lua $keyid "return ngx.arg[1]:upper()" $1; rewrite . /vks/v1/by-keyid/$keyid last; } # search by fpr # gpg --receive-keys location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{40})$" { set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1; rewrite . /vks/v1/by-fingerprint/$fingerprint last; } # search by email # gpg --locate-key location ~ "^/pks/internal/get/(.+(?:%40|@).+)$" { set_by_lua $email "return ngx.arg[1]:lower()" $1; rewrite . /vks/v1/by-email/$email last; } # index by fingerprint # gpg --search-keys location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{40})$" { limit_req zone=search_fpr_keyid burst=1000 nodelay; limit_req_status 429; error_page 429 /errors-static/429-rate-limit-pks-index.htm; set $args ""; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; proxy_pass http://127.0.0.1:8080; } # index by keyid # gpg --search-keys location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{16})$" { limit_req zone=search_fpr_keyid burst=1000 nodelay; limit_req_status 429; error_page 429 /errors-static/429-rate-limit-pks-index.htm; set $args ""; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; proxy_pass http://127.0.0.1:8080; } # index by email # gpg --search-keys location ~ ^/pks/internal/index/(.+(?:%40|@).+)$ { limit_req zone=search_email burst=50 nodelay; limit_req zone=search_email_loose burst=200 nodelay; limit_req_status 429; error_page 429 /errors-static/429-rate-limit-pks-index.htm; set $args ""; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; proxy_pass http://127.0.0.1:8080; } add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; error_page 400 /errors-static/400-pks-invalid.htm; return 400; } location /errors-static { internal; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Cache-Control' 'no-cache' always; etag off; } location /errors { internal; proxy_pass http://127.0.0.1:8080; proxy_cache static_cache; } location /search { limit_req zone=search_email burst=50 nodelay; limit_req zone=search_email_loose burst=200 nodelay; error_page 429 /errors/429/rate-limit-web; proxy_pass http://127.0.0.1:8080; } location /pks { proxy_pass http://127.0.0.1:8080; } location /manage { proxy_pass http://127.0.0.1:8080; } location /verify { proxy_pass http://127.0.0.1:8080; } location /upload { proxy_pass http://127.0.0.1:8080; } location /debug { proxy_pass http://127.0.0.1:8080; } # explicitly cache the home directory location = / { proxy_cache static_cache; proxy_pass http://127.0.0.1:8080; } # cache "about" pages location = /atom.xml { proxy_cache static_cache; proxy_pass http://127.0.0.1:8080; } # cache "about" pages location /about { proxy_cache static_cache; proxy_pass http://127.0.0.1:8080; }