-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhagrid-routes.conf
137 lines (115 loc) · 4.01 KB
/
hagrid-routes.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# this routing file is included in the hagrid http block
# it is assumed that hagrid runs on localhost:8080
# To protect against DOS, we limit the size of possible uploads.
client_max_body_size 1m;
client_body_buffer_size 128k;
# Change all HTTP 502 errors into 500, to avoid being "marked as dead" by GnuPG
# if we ever get a spurious 502 (e.g. during a restart of hagrid).
# See https://gitlab.com/sequoia-pgp/hagrid/issues/94
error_page 502 =500 /502;
location /502 {
return 500;
}
# for x-accel-redirect forwards
location /keys {
internal;
add_header 'Access-Control-Allow-Origin' '*';
}
location /vks/v1/upload {
proxy_pass http://127.0.0.1:8080;
}
location /vks/v1/request-verify {
proxy_pass http://127.0.0.1:8080;
}
location /vks/v1/ {
location ~ ^/vks/v1/by-email/([^/][^/])([^/][^/])([^/]*)$ {
add_header 'Access-Control-Allow-Origin' '*';
# we have some trouble with uri encoding here. just route through
# hagrid, for now.
proxy_pass http://127.0.0.1:8080;
# error_page 404 /errors/404-by-email.htm;
# default_type application/pgp-keys;
# add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
# try_files /keys/links/by-email/$1/$2/$3 =404;
}
location ~ ^/vks/v1/by-fingerprint/(?:0x)?([^/][^/])([^/][^/])(..*)$ {
error_page 404 /errors/404-by-fpr.htm;
default_type application/pgp-keys;
add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
add_header 'Access-Control-Allow-Origin' '*';
try_files /keys/links/by-fpr/$1/$2/$3 =404;
}
location ~ ^/vks/v1/by-keyid/(?:0x)?([^/][^/])([^/][^/])(.*)$ {
error_page 404 /errors/404-by-keyid.htm;
default_type application/pgp-keys;
add_header Content-Disposition 'attachment; filename="$1$2$3.asc"';
add_header 'Access-Control-Allow-Origin' '*';
try_files /keys/links/by-keyid/$1/$2/$3 =404;
}
add_header 'Access-Control-Allow-Origin' '*';
error_page 400 /errors/400-vks-invalid.htm;
return 400;
}
# Common HKP requests.
location /pks/lookup {
# sq keyserver get <KEYID>, gpg --receive-keys <KEYID>
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{16})$") {
set_by_lua $keyid "return ngx.arg[1]:upper()" $1;
set $args "";
rewrite . /vks/v1/by-keyid/$keyid last;
}
# gpg --receive-keys <FINGERPRINT>
if ($args ~ "^op=get&options=mr&search=(?:0x)?([a-fA-F0-9]{40})$") {
set_by_lua $fingerprint "return ngx.arg[1]:upper()" $1;
set $args "";
rewrite . /vks/v1/by-fingerprint/$fingerprint last;
}
# gpg --locate-key <EMAIL>
if ($request_uri ~ "^/pks/lookup\?op=get&options=mr&search=([^&]{3,}%40[^&]+)") {
set_by_lua $email "return ngx.arg[1]:lower()" $1;
set $args "";
rewrite . /vks/v1/by-email/$email last;
}
# gpg --search '<[email protected]>'
# strip angle brackets - we don't need them, but they cause issues
# with the Rocket framework
# see https://gitlab.com/sequoia-pgp/hagrid/issues/94
if ($request_uri ~ "^/pks/lookup\?(.*search=)[^&<>]*\<(.+)\>(.*)") {
set $left $1;
set $middle $2;
set $right $3;
set $args "";
rewrite . /pks/lookup?$left$middle$right? break;
}
# forward to backend, which will like serve via x-accel-redirect
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://127.0.0.1:8080;
}
location /pks {
proxy_pass http://127.0.0.1:8080;
}
location /manage {
proxy_pass http://127.0.0.1:8080;
}
location /verify {
proxy_pass http://127.0.0.1:8080;
}
location /search {
proxy_pass http://127.0.0.1:8080;
}
location /upload {
proxy_pass http://127.0.0.1:8080;
}
location /debug {
proxy_pass http://127.0.0.1:8080;
}
# explicitly cache the home directory
location = / {
proxy_cache static_cache;
proxy_pass http://127.0.0.1:8080;
}
# cache "about" pages
location /about {
proxy_cache static_cache;
proxy_pass http://127.0.0.1:8080;
}