May 1, 2025 update

2025-05-01 21:19:17 -07:00
parent a2cdf26594
commit b33d54d723
261 changed files with 2451 additions and 12859 deletions
--- a/jails/config/pkgp/nginx.conf
+++ b/jails/config/pkgp/nginx.conf
@ -42,9 +42,20 @@ http {
        }
    }

+# https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=modern&openssl=3.1.0&guideline=5.7
+
    server {
-        listen          *:443 ssl http2;
-        listen          [::]:443 ssl http2;
+        listen          *:443 quic reuseport;
+        listen          [::]:443 quic reuseport;
+        listen          *:443 ssl;
+        listen          [::]:443 ssl;
+
+        ssl_early_data on;
+        quic_retry on;
+
+        http3           on;
+        http3_hq        on;
+        http2           on;
        server_name     pkgp.ahlawat.com;
        root            /usr/local/share/poudriere/html;

@ -67,14 +78,20 @@ http {
        ssl_stapling_verify on;

        # verify chain of trust of OCSP response using Root CA and Intermediate certs
-        ssl_trusted_certificate /mnt/certs/fullchain.pem;
+        ssl_trusted_certificate /mnt/certs/cacert.pem;
+
+        # async 'resolver' is important for proper operation of OCSP stapling
+        resolver 192.168.0.5;
+

        location /data {
+            add_header Alt-Svc 'h3=":443"; ma=86400';
            alias       /mnt/poudriere/data/logs/bulk;
            autoindex   on;
        }

        location /packages {
+            add_header Alt-Svc 'h3=":443"; ma=86400';
            root        /mnt/poudriere/data;
            autoindex   on;
        }
@ -130,7 +147,7 @@ http {
            listen      [::]:8001;
            server_name localhost;
            location / {
-                proxy_pass       http://pkg0.tuk.FreeBSD.org;
+                proxy_pass       http://pkg0.pao.FreeBSD.org;
            }
        }

@ -187,7 +204,6 @@ http {
            server localhost:8011;
            server localhost:8012;
            server localhost:8013;
-            server localhost:8014;
        }

        server {
@ -216,13 +232,5 @@ http {
                proxy_pass       http://update5.FreeBSD.org;
            }
        }
-        server {
-            listen      *:8014;
-            listen      [::]:8014;
-            server_name localhost;
-            location / {
-                proxy_pass       http://update4.FreeBSD.org;
-            }
-        }

 }