# this routing file is included in the hagrid http block # it is assumed that hagrid runs on localhost:8080 # To protect against DOS, we limit the size of possible uploads. client_max_body_size 1m; client_body_buffer_size 128k; # Change all HTTP 502 errors into 500, to avoid being "marked as dead" by GnuPG # if we ever get a spurious 502 (e.g. during a restart of hagrid). # See https://gitlab.com/sequoia-pgp/hagrid/issues/94 error_page 502 =500 /502; location /502 { return 500; } # for x-accel-redirect forwards location /keys { internal; add_header 'Access-Control-Allow-Origin' '*'; } location /vks/v1/upload { proxy_pass http://127.0.0.1:8080; } location /vks/v1/request-verify { proxy_pass http://127.0.0.1:8080; } location /vks/v1/ { location ~ ^/vks/v1/by-email/([^/][^/])([^/][^/])([^/]*)$ { add_header 'Access-Control-Allow-Origin' '*'; # we have some trouble with uri encoding here. just route through # hagrid, for now. proxy_pass http://127.0.0.1:8080; # error_page 404 /errors/404-by-email.htm; # default_type application/pgp-keys; # add_header Content-Disposition 'attachment; filename="$1$2$3.asc"'; # try_files /keys/links/by-email/$1/$2/$3 =404; } location ~ ^/vks/v1/by-fingerprint/(?:0x)?([^/][^/])([^/][^/])(..*)$ { error_page 404 /errors/404-by-fpr.htm; default_type application/pgp-keys; add_header Content-Disposition 'attachment; filename="$1$2$3.asc"'; add_header 'Access-Control-Allow-Origin' '*'; try_files /keys/links/by-fpr/$1/$2/$3 =404; } location ~ ^/vks/v1/by-keyid/(?:0x)?([^/][^/])([^/][^/])(.*)$ { error_page 404 /errors/404-by-keyid.htm; default_type application/pgp-keys; add_header Content-Disposition 'attachment; filename="$1$2$3.asc"'; add_header 'Access-Control-Allow-Origin' '*'; try_files /keys/links/by-keyid/$1/$2/$3 =404; } add_header 'Access-Control-Allow-Origin' '*'; error_page 400 /errors/400-vks-invalid.htm; return 400; } # Common HKP requests. location /pks/lookup { # sq keyserver get , gpg --receive-keys if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{16})$") { set_by_lua $keyid "return ngx.arg[1]:upper()" $1; set $args ""; rewrite . /vks/v1/by-keyid/$keyid last; } # gpg --receive-keys if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{40})$") { set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1; set $args ""; rewrite . /vks/v1/by-fingerprint/$fingerprint last; } # gpg --locate-key if ($request_uri ~ "^/pks/lookup\?op=get&options=mr&search=([^&]{3,}%40[^&]+)") { set_by_lua $email "return ngx.arg[1]:lower()" $1; set $args ""; rewrite . /vks/v1/by-email/$email last; } # gpg --search '' # strip angle brackets - we don't need them, but they cause issues # with the Rocket framework # see https://gitlab.com/sequoia-pgp/hagrid/issues/94 if ($request_uri ~ "^/pks/lookup\?(.*search=)[^&<>]*\<(.+)\>(.*)") { set $left $1; set $middle $2; set $right $3; set $args ""; rewrite . /pks/lookup?$left$middle$right? break; } # forward to backend, which will like serve via x-accel-redirect add_header 'Access-Control-Allow-Origin' '*'; proxy_pass http://127.0.0.1:8080; } location /pks { proxy_pass http://127.0.0.1:8080; } location /manage { proxy_pass http://127.0.0.1:8080; } location /verify { proxy_pass http://127.0.0.1:8080; } location /search { proxy_pass http://127.0.0.1:8080; } location /upload { proxy_pass http://127.0.0.1:8080; } location /debug { proxy_pass http://127.0.0.1:8080; } # explicitly cache the home directory location = / { proxy_cache static_cache; proxy_pass http://127.0.0.1:8080; } # cache "about" pages location /about { proxy_cache static_cache; proxy_pass http://127.0.0.1:8080; }