## nftables

```sh
sudo nft list ruleset
```

## Host reverse proxy

The reverse proxy on a host forwards to the designated LXC container with something like the following examples in `/etc/nginx/sites-available/example.com`, where A.B.C.D is the IP allocated to the LXC container running the web service. Then enable it with a symlink:

```sh
ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
```

The certificate is obtained once and automatically renewed with:

```sh
sudo apt-get install certbot python3-certbot-nginx
sudo certbot -n --agree-tos --email contact@forgejo.org -d example.com --nginx
```

When removing a configuration, the certificate can also be removed with:

```sh
sudo certbot delete --cert-name example.com
```

Forwarding TCP streams (useful for ssh) requires installing the module:

```sh
sudo apt-get install libnginx-mod-stream
```

Rate limiting crawlers is done by adding the following to `/etc/nginx/conf.d/limit.conf`:

```nginx
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# https://blog.nginx.org/blog/rate-limiting-nginx
map $http_user_agent $isbot_ua {
    default 0;
    ~*(GoogleBot|GoogleOther|bingbot|YandexBot) 1;
}
map $isbot_ua $limit_bot {
    0 "";
    1 $binary_remote_addr;
}
limit_req_zone $limit_bot zone=bots:10m rate=1r/m;
limit_req_status 429;
```

and the following in the location to be rate limited:

```nginx
location / {
    limit_req zone=bots burst=2 nodelay;
    ...
```

### Forgejo example

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    location / {
        proxy_pass http://A.B.C.D:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 2G;
    }
}
```

### GitLab example

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;

        client_body_timeout 60;
        client_max_body_size 200M;
        send_timeout 1200;
        lingering_timeout 5;

        proxy_buffering off;
        proxy_connect_timeout 90;
        proxy_send_timeout 300;
        proxy_read_timeout 600s;

        proxy_pass http://example.com;
        proxy_http_version 1.1;
    }
}
```

### Vanilla example

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    location / {
        proxy_pass http://A.B.C.D;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

### 302 redirection

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    return 302 https://other.example.com$request_uri;
}
```

## Host wakeup-on-logs

https://code.forgejo.org/infrastructure/wakeup-on-logs

### K8S wakeup-on-logs script

```
$ cat /etc/wakeup-on-logs/forgejo-v8
#!/bin/bash

set -x

self="${BASH_SOURCE[0]}"
name=$(basename $self)
# keep it lower than https://code.forgejo.org/infrastructure/wakeup-on-logs
# otherwise it will get killed by it
timeout=4m

function lxc_run() {
    lxc-attach $name -- sudo --user debian KUBECONFIG=/etc/rancher/k3s/k3s.yaml "$@" |& tee -a /var/log/$name.log
}

image=codeberg.org/forgejo-experimental/forgejo
major=${name##*v}
digest=$(skopeo inspect --format "{{.Digest}}" docker://$image:$major-rootless)
values=https://code.forgejo.org/infrastructure/k8s/raw/branch/main/forgejo-v$major/values.yml
lxc_run helm upgrade forgejo -f $values -f /home/debian/secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --timeout $timeout --install --set image.digest=$digest
```
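The crawler rate limit in the "Host reverse proxy" section is easy to misjudge: the two `map` blocks decide which requests are keyed at all (an empty key means `limit_req` is skipped), and `rate=1r/m burst=2 nodelay` admits a short burst before answering 429. The following is an added example, not part of the Forgejo infrastructure documentation, that models that `limit.conf` in plain Python: the user-agent regex from the `map`, the empty-key exemption, and nginx's "excess" leaky-bucket accounting (first request of a new key uncharged, rejected requests leave the bucket untouched). The `LimitReqZone` class, the `simulate` helper and the `SAMPLE` traffic are constructed for this example; the arithmetic is floating point, whereas nginx counts in integer milli-requests, so thresholds may differ by a fraction of a second.

```python
import re
from dataclasses import dataclass, field

# Added example (constructed), not code from the Forgejo infrastructure repo.
# Models /etc/nginx/conf.d/limit.conf:
#   map $http_user_agent $isbot_ua   -> BOT_UA regex, case-insensitive (~*)
#   map $isbot_ua $limit_bot         -> limit_key()
#   limit_req_zone ... rate=1r/m     -> LimitReqZone.rate_per_minute
#   limit_req zone=bots burst=2 nodelay -> LimitReqZone.burst, no queueing delay

BOT_UA = re.compile(r"GoogleBot|GoogleOther|bingbot|YandexBot", re.IGNORECASE)


def limit_key(user_agent: str, remote_addr: str) -> str:
    """Mirror the two map blocks: crawlers are keyed by client address,
    everything else maps to "" and is therefore never limited."""
    return remote_addr if BOT_UA.search(user_agent) else ""


@dataclass
class LimitReqZone:
    rate_per_minute: float = 1.0   # rate=1r/m
    burst: int = 2                 # burst=2
    # per key: (excess in requests, time of the last accepted request)
    state: dict = field(default_factory=dict)

    def check(self, key: str, now: float) -> int:
        """Return 200 if the request may proceed, 429 (limit_req_status) if not."""
        if key == "":
            # empty zone key: nginx does not apply the limit at all
            return 200
        if key not in self.state:
            # nginx charges nothing for the first request of a new key
            self.state[key] = (0.0, now)
            return 200
        excess, last = self.state[key]
        # leak what the rate allowed since the last accepted request,
        # then charge this request
        leaked = (now - last) * self.rate_per_minute / 60.0
        excess = max(0.0, excess - leaked) + 1.0
        if excess > self.burst:
            # rejected requests do not update the bucket
            return 429
        self.state[key] = (excess, now)
        return 200


def simulate(requests):
    """requests: iterable of (t_seconds, remote_addr, user_agent) in time order.
    Returns the status nginx would answer for each request."""
    zone = LimitReqZone()
    return [zone.check(limit_key(ua, addr), t) for t, addr, ua in requests]


# Constructed sample traffic: a crawler bursting, a browser bursting,
# then the same crawler coming back after 30 s and after 61 s.
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1)"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
SAMPLE = [
    (0.0, "203.0.113.7", GOOGLEBOT),
    (0.1, "203.0.113.7", GOOGLEBOT),
    (0.2, "203.0.113.7", GOOGLEBOT),
    (0.3, "203.0.113.7", GOOGLEBOT),   # 4th within the burst window -> 429
    (0.4, "198.51.100.9", FIREFOX),
    (0.5, "198.51.100.9", FIREFOX),
    (0.6, "198.51.100.9", FIREFOX),
    (0.7, "198.51.100.9", FIREFOX),    # browsers are never keyed -> always 200
    (30.0, "203.0.113.7", GOOGLEBOT),  # only half a request leaked -> 429
    (61.0, "203.0.113.7", GOOGLEBOT),  # a full minute leaked -> 200
]

if __name__ == "__main__":
    for (t, addr, ua), status in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={t:5.1f}s {addr:>13} key={limit_key(ua, addr) or '(none)':>13} -> {status}")
```

Running the block shows why `burst=2` lets three crawler requests through before the first 429, and that the exemption for non-matching user agents means the limit only ever protects against the named bots; anything else hitting the host is governed solely by whatever the upstream container enforces.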
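The "Host reverse proxy" section enables a site with a bare `ln -s`; a typo in the new file then takes down every site on the host at the next reload. The helper below is an added example, not a script from the Forgejo infrastructure repo: it creates the symlink idempotently, runs the configuration test over the whole enabled set, and removes the link again if the test fails, so the running nginx never sees the broken file. `NGINX_ETC`, `NGINX_TEST` and `NGINX_RELOAD` are assumed knobs introduced here (defaulting to `/etc/nginx`, `nginx -t` and `systemctl reload nginx`) so the function can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example, not part of the Forgejo infrastructure documentation.
# enable_site NAME: link sites-available/NAME into sites-enabled, gated on
# `nginx -t`, and roll the link back if the combined configuration is broken.
# The three variables are assumptions for this example so it can be run
# against a scratch tree with stub commands.
NGINX_ETC="${NGINX_ETC:-/etc/nginx}"
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

enable_site() {
    name="$1"
    avail="$NGINX_ETC/sites-available/$name"
    enabled="$NGINX_ETC/sites-enabled/$name"

    [ -f "$avail" ] || { echo "no such site: $avail" >&2; return 1; }

    # idempotent: a link that already points at the right file is fine
    if [ -L "$enabled" ] && [ "$(readlink "$enabled")" = "$avail" ]; then
        return 0
    fi

    ln -s "$avail" "$enabled" || return 1

    # $NGINX_TEST is deliberately unquoted so "nginx -t" splits into words
    if ! $NGINX_TEST >/dev/null 2>&1; then
        echo "configuration test failed, disabling $name again" >&2
        rm -f "$enabled"
        return 1
    fi

    $NGINX_RELOAD
}
```

On a real host `enable_site example.com` replaces the manual `ln -s` step; the same gate is worth keeping in front of `certbot --nginx`, which edits the site file in place.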