infrastructure-documentation/drbd-nginx-lxc.md

## nftables

```sh
sudo nft list ruleset
```

## Host reverse proxy

The reverse proxy on a host forwards to the designated LXC container with
something like the following examples in
`/etc/nginx/sites-available/example.com`, where A.B.C.D is the
IP allocated to the LXC container running the web service.

And symlink:

```sh
ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
```

The certificate is obtained once and automatically renewed with:

```
sudo apt-get install certbot python3-certbot-nginx
sudo certbot -n --agree-tos --email contact@forgejo.org -d example.com --nginx
```

When removing a configuration, the certificate can also be removed with:

```
sudo certbot delete --cert-name example.com
```

Forwarding TCP streams (useful for ssh) requires installing the module:

```sh
sudo apt-get install libnginx-mod-stream
```

Rate limiting crawlers is done by adding the following to `/etc/nginx/conf.d/limit.conf`:

```
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# https://blog.nginx.org/blog/rate-limiting-nginx
map $http_user_agent $isbot_ua {
        default 0;
        ~*(GoogleBot|GoogleOther|bingbot|YandexBot) 1;
}
map $isbot_ua $limit_bot {
        0       "";
        1       $binary_remote_addr;
}
limit_req_zone $limit_bot zone=bots:10m rate=1r/m;
limit_req_status 429;
```

and the following in the location to be rate limited:

```
    location / {
        limit_req zone=bots burst=2 nodelay;
		...
```

## Host wakeup-on-logs

https://code.forgejo.org/infrastructure/wakeup-on-logs

### K8S wakeup-on-logs script

```
$ cat /etc/wakeup-on-logs/forgejo-v8
#!/bin/bash

set -x

self="${BASH_SOURCE[0]}"
name=$(basename $self)
# keep it lower than https://code.forgejo.org/infrastructure/wakeup-on-logs
# otherwise it will get killed by it
timeout=4m

function lxc_run() {
    lxc-attach $name -- sudo --user debian KUBECONFIG=/etc/rancher/k3s/k3s.yaml "$@" |& tee -a /var/log/$name.log
}

image=codeberg.org/forgejo-experimental/forgejo
major=${name##*v}
digest=$(skopeo inspect --format "{{.Digest}}" docker://$image:$major-rootless)
values=https://code.forgejo.org/infrastructure/k8s/raw/branch/main/forgejo-v$major/values.yml
lxc_run helm upgrade forgejo -f $values -f /home/debian/secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --timeout $timeout --install --set image.digest=$digest
```

### Forgejo example

```
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    location / {
        proxy_pass http://A.B.C.D:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 2G;
    }
}
```

### GitLab example

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    location / {
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Frame-Options SAMEORIGIN;

       client_body_timeout 60;
       client_max_body_size 200M;
       send_timeout 1200;
       lingering_timeout 5;

       proxy_buffering off;
       proxy_connect_timeout 90;
       proxy_send_timeout 300;
       proxy_read_timeout 600s;

       proxy_pass http://example.com;
       proxy_http_version 1.1;
    }
}
```

### Vanila example

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    location / {
        proxy_pass http://A.B.C.D;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

### 302 redirection

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;
    return 302 https://other.example.com$request_uri;
}
```
split the README into separate files for clarity 2024-10-20 09:24:52 +00:00			`## nftables`

			```sh
			`sudo nft list ruleset`
			```

			`## Host reverse proxy`

			`The reverse proxy on a host forwards to the designated LXC container with`
			`something like the following examples in`
			`/etc/nginx/sites-available/example.com`, where A.B.C.D is the
			`IP allocated to the LXC container running the web service.`

			`And symlink:`

			```sh
			`ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com`
			```

			`The certificate is obtained once and automatically renewed with:`

			```
			`sudo apt-get install certbot python3-certbot-nginx`
			`sudo certbot -n --agree-tos --email contact@forgejo.org -d example.com --nginx`
			```

			`When removing a configuration, the certificate can also be removed with:`

			```
			`sudo certbot delete --cert-name example.com`
			```

			`Forwarding TCP streams (useful for ssh) requires installing the module:`

			```sh
			`sudo apt-get install libnginx-mod-stream`
			```

			Rate limiting crawlers is done by adding the following to `/etc/nginx/conf.d/limit.conf`:

			```
			`# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html`
			`# https://blog.nginx.org/blog/rate-limiting-nginx`
			`map $http_user_agent $isbot_ua {`
			`default 0;`
			`~*(GoogleBot\|GoogleOther\|bingbot\|YandexBot) 1;`
			`}`
			`map $isbot_ua $limit_bot {`
			`0 "";`
			`1 $binary_remote_addr;`
			`}`
			`limit_req_zone $limit_bot zone=bots:10m rate=1r/m;`
			`limit_req_status 429;`
			```

			`and the following in the location to be rate limited:`

			```
			`location / {`
			`limit_req zone=bots burst=2 nodelay;`
			`...`
			```

			`## Host wakeup-on-logs`

			`https://code.forgejo.org/infrastructure/wakeup-on-logs`

			`### K8S wakeup-on-logs script`

			```
			`$ cat /etc/wakeup-on-logs/forgejo-v8`
			`#!/bin/bash`

			`set -x`

			`self="${BASH_SOURCE[0]}"`
			`name=$(basename $self)`
			`# keep it lower than https://code.forgejo.org/infrastructure/wakeup-on-logs`
			`# otherwise it will get killed by it`
			`timeout=4m`

			`function lxc_run() {`
			`lxc-attach $name -- sudo --user debian KUBECONFIG=/etc/rancher/k3s/k3s.yaml "$@" \|& tee -a /var/log/$name.log`
			`}`

			`image=codeberg.org/forgejo-experimental/forgejo`
			`major=${name##*v}`
			`digest=$(skopeo inspect --format "{{.Digest}}" docker://$image:$major-rootless)`
			`values=https://code.forgejo.org/infrastructure/k8s/raw/branch/main/forgejo-v$major/values.yml`
			`lxc_run helm upgrade forgejo -f $values -f /home/debian/secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --timeout $timeout --install --set image.digest=$digest`
			```

			`### Forgejo example`

			```
			`server {`
			`listen 80;`
			`listen [::]:80;`

			`server_name example.com;`

			`location / {`
			`proxy_pass http://A.B.C.D:8080;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`client_max_body_size 2G;`
			`}`
			`}`
			```

			`### GitLab example`

			```nginx
			`server {`
			`listen 80;`
			`listen [::]:80;`

			`server_name example.com;`

			`location / {`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Frame-Options SAMEORIGIN;`

			`client_body_timeout 60;`
			`client_max_body_size 200M;`
			`send_timeout 1200;`
			`lingering_timeout 5;`

			`proxy_buffering off;`
			`proxy_connect_timeout 90;`
			`proxy_send_timeout 300;`
			`proxy_read_timeout 600s;`

			`proxy_pass http://example.com;`
			`proxy_http_version 1.1;`
			`}`
			`}`
			```

			`### Vanila example`

			```nginx
			`server {`
			`listen 80;`
			`listen [::]:80;`

			`server_name example.com;`

			`location / {`
			`proxy_pass http://A.B.C.D;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`}`
			`}`
			```

			`### 302 redirection`

			```nginx
			`server {`
			`listen 80;`
			`listen [::]:80;`

			`server_name example.com;`
			`return 302 https://other.example.com$request_uri;`
			`}`
			```