
# gofer configuration file

# Address for the control/debug server.
# DO NOT EXPOSE THIS TO THE INTERNET, it is dangerous and will leak a lot of
# information.
# Keep it bound to a loopback address, as in the value below. The listener
# examples further down use an empty host part (like ":80") to listen on
# every interface; do not use that form here.
# NOTE(review): this file shows no authentication option for this endpoint,
# so treat network reachability as its only access control - confirm.
control_addr: "127.0.0.1:8081"

# Request logging.
# Map of log name: configuration. A log is only written for the paths that
# reference it by name from a server's "reqlog" entry.
reqlog:
  # Name of the log; just an id used to refer to it on the server entries
  # below.
  "requests.log":
    # Path to the log file.
    # Request logs usually contain client addresses and requested URLs, so
    # keep the file readable only by the gofer user and by whoever reviews
    # the logs.
    file: "/var/log/gofer/requests.log"

    # How many entries to hold in memory. Defaults to 0 (synchronous logging).
    # NOTE(review): with a non-zero value, entries still in memory are
    # presumably lost if the process dies before they are written; use 0 if
    # the log must be complete for incident investigation - confirm.
    bufsize: 16

    # Log format.
    # Known formats: <common>, <combined>, <combinedvh>, <lighttpd>, <gofer>
    # (that is the default).
    #format: "<gofer>"


# IP rate limiting.
# Map of arena name: configuration. An arena only takes effect on the paths
# that reference it by name from a server's "ratelimit" entry.
# NOTE(review): limits are keyed on the client IP. If gofer runs behind
# another proxy or load balancer, every request may appear to come from that
# proxy's address - confirm how the client IP is determined.
ratelimit:
  # Name of the IP rate limit arena; just an id used to refer to it on the
  # server entries below.
  "rl-arena1":
    # Rate to enforce.
    # Format is "requests/period". For example, "50/1s" will allow 50
    # requests every second.
    rate: "50/1s"

    # How many IPs to hold in memory, to keep the memory usage bounded.
    # Setting this to 1000 will increase memory usage by ~128 KiB.
    # Default: 1000.
    # NOTE(review): what happens to tracked IPs once the arena is full is not
    # stated here; size it for the number of distinct clients you expect.
    #size: 1000

    # By default, IPv6 addresses get limited at /64, /56 and /48
    # simultaneously; and the rate for /64 is the one given above, for /56 is
    # 4x the /64 rate, and /48 is 8x the /64 rate.
    # This is an imperfect heuristic to account for the fact that IPv6 is
    # allocated to end users in different block sizes, and it is not possible
    # to tell them apart.
    # You can configure custom rates for each one as follows (the values
    # below are examples of the syntax, not the default multiples):
    #rate64: "50/1s"
    #rate56: "200/500ms"
    #rate48: "400/250ms"


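# HTTP servers.
# Map of address: configuration.
# These listeners are plain HTTP: everything sent through them, including
# credentials checked by "auth" below, travels unencrypted.
http:
  # Address to listen on.
  # systemd socket passing is supported, use "&name" to indicate that you've
  # set up a systemd socket unit with "FileDescriptorName=name".
  # Examples: ":80", "127.0.0.1:8080", "&http".
  # An address with an empty host part (like ":80") listens on every
  # interface; give an explicit IP to restrict it.
  ":80":
    # Routes indicate how to handle each request based on its path.
    # The paths have the semantics of Go's http.ServeMux patterns.
    routes:
      # Path: action.
      "/":
        # Serve the directory at the given path.
        # Everything below this directory is reachable unless it is matched
        # by "exclude" (see diropts), so keep credentials, backups and
        # configuration files out of it.
        dir: "/srv/www/"

        # Other possible actions follow. Only one per path.

        # Serve a single file.
        #file: "/srv/files/file"

        # Proxy requests.
        # The backend becomes reachable by every client that can reach this
        # listener. Do not point this at the control/debug server or at any
        # other endpoint that relies on being local-only.
        #proxy: "http://localhost:8080/api/"

        # Redirect to a different URL.
        #redirect: "https://wikipedia.org"

        # Redirect with a regexp-based rewrite.
        # Regexps are matched in order, and the first match is used.
        # They are matched against the full path, and the replacement is a URL
        # template that can refer to submatches as $1, $2, etc.
        # By default, a 307 (temporary redirect) is used. You can change it by
        # setting the "status" field.
        # Anything that does not match will return a 404.
        # Keep the scheme and host of "to" fixed and use submatches only in
        # the path part, so that a request cannot choose the destination.
        #redirect_re:
        #  - from: "^/foo/(.*)"
        #    to: "https://bar.com/$1"
        #  - from: "^/baz/(.*)"
        #    to: "https://qux.com/$1"
        #    status: 301

        # Execute a CGI.
        # NOTE(review): the program presumably runs as the same user as gofer
        # and handles request-controlled input; run gofer as an unprivileged
        # user and confirm.
        #cgi: ["/usr/share/gitweb/gitweb.cgi"]

        # Return a specific status.
        #status: 404

        # Options for the "dir" type.
        diropts:
          # Enable listing when index.html is not present?
          # Map of path: bool. A listing reveals the name of every file in
          # the directory, so enable it only on paths meant to be browsed.
          listing:
            "/": false
            "/pub/": true

          # Exclude files matching these regular expressions. They won't appear
          # in listings, and won't be served to users (404 will be returned
          # instead).
          # NOTE(review): whether the expressions are anchored is not stated
          # here; after changing them, request an excluded file and check
          # that it returns 404.
          #exclude: [".*\\.secret", ".*/config"]

    # Enforce authentication on these paths. The target is the file containing
    # the user and passwords.
    # Keep that file outside of any directory served by "dir" and readable
    # only by the gofer user. On this plain HTTP listener the credentials are
    # sent unencrypted; prefer enabling auth on an https listener.
    #auth:
    #  "/private": "/srv/auth/web-users.yaml"

    # Set a header on replies.
    # Map of path: header name: value.
    #setheader:
    #  "/":
    #    "My-Header": "my header value"

    # Enable IP rate limiting. The target is a rate limit arena name, which
    # should match an entry in the top-level ratelimit configuration (see
    # above).
    ratelimit:
      "/": "rl-arena1"

    # Enable request logging. The target is a log name, which should match an
    # entry in the top-level reqlog configuration (see above).
    reqlog:
      "/": "requests.log"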


# HTTPS servers.
# Map of address: configuration. Certificates come either from "autocerts"
# or from "certs"; the remaining fields are the same as for http.
https:
  ":443":
    # Automatically get TLS certificates.
    # Using this implies acceptance of LetsEncrypt's terms of service (or the
    # selected CA).
    autocerts:
      # Hosts to get certificates for.
      # NOTE(review): presumably certificates are requested only for the
      # names listed here - confirm.
      hosts: ["mysite.com", "www.mysite.com"]

      # Where to cache the certificates.
      # Default: $HOME/.cache/golang-autocert.
      # The cache holds the private keys that belong to the certificates;
      # keep the directory readable only by the gofer user.
      #cachedir: "/var/cache/gofer/autocerts"

      # Contact email address. The CA can use this to notify about problems.
      # Optional.
      #email: "me@myhost.com"

      # ACME directory URL to use.
      # Default: LetsEncrypt's.
      #acmeurl: "https://acme-v02.api.letsencrypt.org/directory"

    # Location of the certificates, for TLS.
    # Use this instead of `autocerts` if you get the certificates externally.
    # If you set this, `autocerts` is ignored.
    # The directory also contains the private keys: gofer needs read access
    # to it, other unprivileged users should not have it.
    #certs: "/etc/letsencrypt/live/"

    # The rest of the fields are the same as for http above.
    routes:
      "/":
        dir: "/srv/www/"
      # The proxied backend is reachable by every client that can reach this
      # listener unless "auth" is configured for the path.
      "/local/":
        proxy: "http://localhost:8099/"
      # A pattern may start with a host name (http.ServeMux semantics); this
      # one only applies to requests for www.mysite.com.
      "www.mysite.com/":
        redirect: "https://mysite.com/"


# Raw socket proxying.
# Map of address: configuration. Connections accepted on the address are
# forwarded to the "to" backend.
# NOTE(review): the backend presumably sees gofer's address as the peer, not
# the client's, so address-based access rules on the backend would not see
# the real client - confirm.
raw:
  ":995":
    # If this is present, we will listen on a TLS socket; otherwise it will be
    # a plain socket.
    # The directory also contains the private keys; keep it readable only by
    # the gofer user.
    certs: "/etc/letsencrypt/live/"

    # Address to proxy to.
    to: "127.0.0.1:1995"

    # If this is true, then we will use TLS to connect to the backend.
    # NOTE(review): whether the backend certificate is verified is not stated
    # here; confirm before pointing "to" at a non-loopback address.
    to_tls: true