From: "pelzflorian (Florian Pelz)"
To: Simon Streit
Cc: help-guix@gnu.org
Subject: Re: Set up cgit with git-http-backend properly
Date: Sat, 02 Jul 2022 11:35:37 +0200
Message-ID: <87wncvdfh2.fsf@pelzflorian.de>

Hi Simon,

what did you base your setup on?

Simon Streit writes:
> (locations
>  (list
>   (git-http-nginx-location-configuration
>    (git-http-configuration (uri-path "/")))

The guix repo has in file gnu/tests/version-control.scm the setting

(locations
 (list
  (git-http-nginx-location-configuration
   (git-http-configuration
    (export-all? #t)
    (uri-path "/git")))))

with uri-path "/git".  I think you want "/" though because you have
its own domain.  Or maybe you want "".

When I still had a server, I had been using:

(nginx-configuration
 ;; Do not use gzip compression to avoid the BREACH attack on
 ;; TLSv1.2.  It could frustrate HTTPS.
 (server-blocks
  (let ((server-names '("mailbaby.de" "www.mailbaby.de")))
    (list
     (nginx-server-configuration
      (server-name server-names)
      (listen '("443 ssl http2" "[::]:443 ssl http2"))
      (root "/var/www")
      (ssl-certificate "\
/etc/letsencrypt/live/mailbaby.de/fullchain.pem")
      (ssl-certificate-key "\
/etc/letsencrypt/live/mailbaby.de/privkey.pem")
      (locations
       (list
        (nginx-location-configuration
         (uri "/cgit/") ;for cgit css
         (body `(("root " ,#~#$(file-append cgit "/share") ";"))))
        (nginx-location-configuration
         (uri "/git/")
         (body `(("include "
                  ,#~#$(file-append nginx "/share/nginx/conf/fastcgi_params")
                  ";")
                 ("fastcgi_param SCRIPT_FILENAME "
                  ,#~#$(file-append cgit "/lib/cgit/cgit.cgi")
                  ";")
                 "fastcgi_param PATH_INFO $uri;"
                 "fastcgi_param QUERY_STRING $args;"
                 "fastcgi_param HTTP_HOST $server_name;"
                 "fastcgi_param HTTPS on;"
                 "fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;")))))
      ;; Rewriting of old URLs to new URLs is not yet necessary.
      (raw-content
       (list
        ;; TLS settings; remember to keep them up to date
        ;; with https://geekflare.com/ssl-test-certificate/
        "ssl_prefer_server_ciphers on;"
        "ssl_protocols TLSv1.2 TLSv1.3;"
        "ssl_dhparam /etc/dhparam;"
        "resolver ns01.domainssaubillig.de ipv6=off;"
        "ssl_stapling on;"
        "ssl_stapling_verify on;"
        "ssl_trusted_certificate \
/etc/letsencrypt/live/mailbaby.de/chain.pem;"
        "add_header Strict-Transport-Security \
\"max-age=31536000; includeSubDomains\" always;"
        "ssl_buffer_size 4k;"
        "ssl_session_tickets on;"
        "ssl_session_timeout 4h;"
        ;; Ciphers according to:
        ;; https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
        "ssl_ciphers \
TLS_CHACHA20_POLY1305_SHA256:\
TLS_AES_256_GCM_SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES256-SHA384:\
ECDHE-RSA-CHACHA20-POLY1305:\
DHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384;"
        ;; Adjust anti-DoS settings when HTTP errors occur.
        ;; See documentation for ngx_http_core_module.
        "client_body_timeout 15s;"
        "client_header_timeout 15s;"
        "client_max_body_size 4096k;"
        "keepalive_timeout 65;"))))))
 (extra-content "ssl_session_cache shared:SSL:40m;"))

[…]

;; Create the directory that holds the fcgiwrap socket, owned by nginx.
(define fcgiwrap-home-activation
  #~(let ((out "/var/run/fcgiwrap")
          (user (getpwnam "nginx"))
          (group (getgrnam "nginx")))
      (mkdir-p out)
      (chown out (passwd:uid user) (group:gid group))
      (chmod out #o775)))

(define fcgiwrap-home-service
  (simple-service 'make-fcgiwrap-home activation-service-type
                  fcgiwrap-home-activation))

;; Make the gitolite home directory readable so cgit can reach the
;; repositories.
(define git-group-permissions-activation
  #~(let ((dir "/var/lib/gitolite"))
      (if (file-exists? dir)
          (chmod dir #o755)
          (format #t "WARNING: ~a does not exist yet; reconfigure again!"
                  dir))))

(define git-services
  (list
   (service cgit-service-type
            (cgit-configuration
             (repository-directory "/var/lib/gitolite/repositories")
             (repositories
              (list
               (repository-cgit-configuration
                (url "git/gitolite-admin")
                (desc "Git configuration.")
                (path "/var/lib/gitolite/repositories/gitolite-admin.git"))
               (repository-cgit-configuration
                (url "git/machine-mailbaby-de")
                (desc "Guix System config.")
                (path "/var/lib/gitolite/repositories/machine-mailbaby-de.git"))
               (repository-cgit-configuration
                (url "git/mirror-of-gene-network")
                (desc "Mirror of Efraim Flashner's Guix channel.")
                (path "/var/lib/gitolite/repositories/mirror-of-gene-network.git"))))
             (enable-git-config? #t)
             (enable-index-owner? #f)
             (css "/cgit/cgit.css")
             (logo "/cgit/cgit.png")))
   (simple-service 'git-group-permissions activation-service-type
                   git-group-permissions-activation)))

Particularly note the (locations).  I think I had copied it and adapted
it from many places.  Can’t remember.

Regards,
Florian