mirror of
https://gitlab.com/hagrid-keyserver/hagrid.git
synced 2023-02-13 20:55:02 -05:00
276 lines
9.1 KiB
Text
276 lines
9.1 KiB
Text
# this routing file is included in the hagrid http block
|
|
# it is assumed that hagrid runs on localhost:8080
|
|
|
|
# To protect against DOS, we limit the size of possible uploads.
|
|
client_max_body_size 1m;
|
|
client_body_buffer_size 128k;
|
|
|
|
limit_req_status 429;
|
|
|
|
# Change all HTTP 502 errors into 500, to avoid being "marked as dead" by GnuPG
|
|
# if we ever get a spurious 502 (e.g. during a restart of hagrid).
|
|
# See https://gitlab.com/sequoia-pgp/hagrid/issues/94
|
|
error_page 502 =500 /502;
|
|
location /502 {
|
|
return 500;
|
|
}
|
|
|
|
# for x-accel-redirect forwards
|
|
location /keys {
|
|
internal;
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
}
|
|
|
|
location /vks/v1/upload {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location /vks/v1/request-verify {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location /vks {
|
|
location ~ ^/vks/v1/by-fingerprint/(?:0x)?([^/][^/])([^/][^/])(..*)$ {
|
|
limit_req zone=search_fpr_keyid burst=30;
|
|
|
|
error_page 404 /errors-static/404-by-fpr.htm;
|
|
default_type application/pgp-keys;
|
|
add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
try_files /keys/links/by-fpr/$1/$2/$3 =404;
|
|
}
|
|
|
|
location ~ ^/vks/v1/by-keyid/(?:0x)?([^/][^/])([^/][^/])(.*)$ {
|
|
limit_req zone=search_fpr_keyid burst=30;
|
|
error_page 429 /errors-static/429-rate-limit-vks-fpr.htm;
|
|
|
|
error_page 404 /errors-static/404-by-keyid.htm;
|
|
default_type application/pgp-keys;
|
|
add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
try_files /keys/links/by-keyid/$1/$2/$3 =404;
|
|
}
|
|
|
|
location /vks/v1/by-email/ {
|
|
limit_req zone=search_email burst=50 nodelay;
|
|
error_page 429 /errors-static/429-rate-limit-vks-email.htm;
|
|
|
|
set $args "";
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
|
|
# we have some trouble with uri encoding here. just route through
|
|
# hagrid, for now.
|
|
# error_page 404 /errors-static/404-by-email.htm;
|
|
# default_type application/pgp-keys;
|
|
# add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
|
|
# try_files /keys/links/by-email/$1/$2/$3 =404;
|
|
}
|
|
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
error_page 400 /errors-static/400-vks-invalid.htm;
|
|
return 400;
|
|
}
|
|
|
|
# Common HKP requests.
|
|
location /pks/lookup {
|
|
if ($arg_op !~ "^index|get$") {
|
|
error_page 400 /errors-static/400-pks-invalid.htm;
|
|
return 400;
|
|
}
|
|
if ($arg_search = '') {
|
|
error_page 400 /errors-static/400-pks-invalid.htm;
|
|
return 400;
|
|
}
|
|
|
|
# rewrite this to a path we can match on (right below)
|
|
# urldecode the search parameter
|
|
set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"%%(%x%x)\", function(x) return string.char(tonumber(x, 16)) end)" $arg_search;
|
|
# if the search argument contains angle brackets, strip everything around them
|
|
set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"^.*<([^>]-)>.*$\", \"%1\")" $arg_search_decoded;
|
|
rewrite . /pks/internal/$arg_op/$arg_search_decoded last;
|
|
}
|
|
|
|
# WKD requests
|
|
location /.well-known/openpgpkey {
|
|
location ~ "^/.well-known/openpgpkey/([^/]+)/hu/([^/][^/])([^/][^/])(.*)" {
|
|
limit_req zone=search_email burst=50 nodelay;
|
|
error_page 429 /errors-static/429-rate-limit-vks-email.htm;
|
|
|
|
error_page 404 /errors-static/404-wkd.htm;
|
|
default_type application/pgp-keys;
|
|
add_header Content-Disposition 'attachment; filename="$2$3$4.asc"';
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
try_files /keys/links/wkd/$1/$2/$3/$4 =404;
|
|
}
|
|
|
|
location ~ "^/.well-known/openpgpkey/([^/]+)/policy$" {
|
|
default_type text/plain;
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
return 200 '';
|
|
}
|
|
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
error_page 400 /errors-static/400-wkd-invalid.htm;
|
|
return 400;
|
|
}
|
|
|
|
location /pks/internal {
|
|
internal;
|
|
|
|
# search by key id
|
|
# sq keyserver get <KEYID>, gpg --receive-keys <KEYID>
|
|
location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{16})$" {
|
|
set_by_lua $keyid "return ngx.arg[1]:upper()" $1;
|
|
rewrite . /vks/v1/by-keyid/$keyid last;
|
|
}
|
|
|
|
# search by fpr
|
|
# gpg --receive-keys <FINGERPRINT>
|
|
location ~ "^/pks/internal/get/(?:0x)?([a-fA-F0-9]{40})$" {
|
|
set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1;
|
|
rewrite . /vks/v1/by-fingerprint/$fingerprint last;
|
|
}
|
|
|
|
# search by email
|
|
# gpg --locate-key <EMAIL>
|
|
location ~ "^/pks/internal/get/(.+(?:%40|@).+)$" {
|
|
set_by_lua $email "return ngx.arg[1]:lower()" $1;
|
|
rewrite . /vks/v1/by-email/$email last;
|
|
}
|
|
|
|
# index by fingerprint
|
|
# gpg --search-keys <FINGEPRINT>
|
|
location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{40})$" {
|
|
limit_req zone=search_fpr_keyid burst=30;
|
|
limit_req_status 429;
|
|
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
|
|
|
|
set $args "";
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
# index by keyid
|
|
# gpg --search-keys <KEYID>
|
|
location ~ "^/pks/internal/index/(?:0x)?([a-fA-F0-9]{16})$" {
|
|
limit_req zone=search_fpr_keyid burst=30;
|
|
limit_req_status 429;
|
|
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
|
|
|
|
set $args "";
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
# index by email
|
|
# gpg --search-keys <QUERY>
|
|
location ~ ^/pks/internal/index/(.+(?:%40|@).+)$ {
|
|
limit_req zone=search_email burst=50 nodelay;
|
|
limit_req_status 429;
|
|
error_page 429 /errors-static/429-rate-limit-pks-index.htm;
|
|
|
|
set $args "";
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
error_page 400 /errors-static/400-pks-invalid.htm;
|
|
return 400;
|
|
}
|
|
|
|
location /errors-static {
|
|
internal;
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Cache-Control' 'no-cache' always;
|
|
etag off;
|
|
}
|
|
|
|
location /errors {
|
|
internal;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
proxy_cache static_cache;
|
|
}
|
|
|
|
location /search {
|
|
limit_req zone=search_email burst=50 nodelay;
|
|
error_page 429 /errors/429/rate-limit-web;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location ~ "^/([A-Za-z0-9._-]+)@([A-Za-z0-9._-]+)$" {
|
|
limit_req zone=search_email burst=50 nodelay;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; report-uri https://keysopenpgporg.report-uri.com/r/d/csp/enforce" always;
|
|
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src https:; img-src 'self' https://www.gravatar.com; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; report-uri https://keysopenpgporg.report-uri.com/r/d/csp/enforce" always;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header Expect-CT 'max-age=31536000, report-uri="https://keysopenpgporg.report-uri.com/r/d/ct/reportOnly"' always;
|
|
error_page 429 /errors/429/rate-limit-web;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location /pks {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location /manage {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location /verify {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location /upload {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
location /debug {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
# explicitly cache the home directory
|
|
location = / {
|
|
proxy_cache static_cache;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
# cache "about" pages
|
|
location = /atom.xml {
|
|
proxy_cache static_cache;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
|
|
# cache "about" pages
|
|
location /about {
|
|
proxy_cache static_cache;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|