
nginx config for enforcing permissions

dwrensha committed Apr 8, 2015
1 parent f76db95 commit 7f510ec82a935a9f94ebcf9651983d0bbadcf82a
Showing with 40 additions and 7 deletions.
  1. +32 −6 etc/nginx/nginx.conf
  2. +8 −1 sandstorm-pkgdef.capnp
@@ -18,19 +18,45 @@ http {

keepalive_timeout 65;

map $http_x_sandstorm_permissions $write_permission {
default no;
~(.+,)*write(,.+)* yes;
}

map $http_x_sandstorm_permissions $read_permission {
default no;
~(.+,)*read(,.+)* yes;
}

map $request_filename,$arg_service $is_write_request {
default no;
~.*,git-receive-pack yes;
~/git-receive-pack.*,.* yes;
}

map $is_write_request,$write_permission $allow_git_request {
default $read_permission;
yes,yes yes;
yes,no no;
}

server {
listen 10000;

root /srv/http/gitweb;

location ~ /repo.git(/.*) {
client_max_body_size 1000M;
location ~ /repo.git(?<path_info>/.*) {

fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
if ($allow_git_request = no) {
return 403;
}

client_max_body_size 1000M;
include fastcgi_params;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /var/repo.git;
fastcgi_param PATH_INFO $1;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /var/repo.git;
fastcgi_param PATH_INFO $path_info;
fastcgi_pass 127.0.0.1:9000;
}
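Review bot: The two permission maps at the top of this section use unanchored regexes, and because both optional groups in `~(.+,)*write(,.+)*` can match nothing, the pattern is satisfied by any header value that merely contains `write` (likewise `read`), so a later permission named, say, `rewrite` would be treated as write access. Assuming the header is a plain comma-separated list, as the existing patterns do, matching whole entries closes that: `~(^|,)write(,|$) yes;` and `~(^|,)read(,|$) yes;`. `$is_write_request` also defaults to `no`, so any request its two patterns do not recognise is authorised on read permission alone; defaulting to the stricter case and listing the known read-only operations would fail closed instead. The 403 check sits only in the `/repo.git` location and the rest of the `server` block is outside the hunk, so whether the gitweb root is also gated on `$read_permission` cannot be seen from here.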

@@ -33,7 +33,14 @@ const pkgdef :Spk.PackageDefinition = (

fileList = "sandstorm-files.list",

alwaysInclude = []
alwaysInclude = [],

bridgeConfig = (
viewInfo = (
permissions = [(name = "read"), (name = "write")],
roles = []
)
)
);

const commandEnvironment : List(Util.KeyValue) =
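Review bot: The permission names declared in `bridgeConfig`, `read` and `write`, are the same strings the maps in etc/nginx/nginx.conf look for in the X-Sandstorm-Permissions header, and nothing in this section records that coupling. A comment above `permissions` such as `# Names must match the X-Sandstorm-Permissions maps in etc/nginx/nginx.conf.` would keep a later rename from silently changing what nginx allows or denies. With `roles = []` it is not visible from this hunk how a non-owner would be given either permission, so that is worth confirming. The `pkgdef` definition starts outside the hunk.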
