This changes the site to run on Debian 10 instead of Ubuntu 16.04. It
also fully converts the previous Salt setup to use Ansible instead.

Most of this was a relatively straightforward conversion, and it should
be very close to equivalent. One notable difference is that I removed
the setup for the "monitoring" server, since I wasn't confident that the
way of setting up self-hosted Sentry and Grafana was working any more.
I'll look to re-add that at some point, but it's not urgent.

Apparently add_header inside a location block doesn't... you know,
actually work. This should be reasonable, but I'd still rather only
allow the Stripe JS on the single page where it's necessary.

This won't affect requests for static files or anything except ones that
get proxied to the app.

The current configuration is based on IP, and allows a rate of 4/sec,
with an additional burst of 5 above the limit permitted, and burst
requests allowed to go through immediately (nodelay). For more info:
https://www.nginx.com/blog/rate-limiting-nginx/
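
As an added illustration of the rate-limit settings described in the commit message above (4/sec per IP, burst of 5, nodelay), this Python model replays constructed traffic through a simplified version of nginx's leaky-bucket accounting. It is not code from the Tildes repository; the class and function names and the sample addresses are made up for the example.

```python
"""Simplified model of nginx limit_req accounting (added example)."""
from dataclasses import dataclass

RATE_PER_SEC = 4  # from the commit message: 4 requests/sec per IP
BURST = 5         # from the commit message: 5 requests above the rate


@dataclass
class Bucket:
    excess: int   # outstanding requests, in thousandths of a request
    last_ms: int  # time of the last accepted request


class LimitReqModel:
    """Hypothetical helper; models burst + nodelay, keyed by client IP."""

    def __init__(self, rate_per_sec=RATE_PER_SEC, burst=BURST):
        self.rate = rate_per_sec * 1000
        self.burst = burst * 1000
        self.buckets = {}

    def allow(self, ip, now_ms):
        bucket = self.buckets.get(ip)
        if bucket is None:  # first request seen from this IP
            self.buckets[ip] = Bucket(0, now_ms)
            return True
        elapsed = max(0, now_ms - bucket.last_ms)
        # Drain at the configured rate, then count this request.
        excess = max(0, bucket.excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return False  # rejected; bucket state is left unchanged
        bucket.excess, bucket.last_ms = excess, now_ms
        return True  # nodelay: forwarded immediately instead of queued


def replay(events):
    """Run (ip, time_ms) events through a fresh model."""
    model = LimitReqModel()
    return [model.allow(ip, t) for ip, t in events]


# Constructed traffic; addresses are from documentation ranges.
SAMPLE = ([("203.0.113.7", 0)] * 8 + [("203.0.113.7", 250)] * 2
          + [("198.51.100.9", 250), ("203.0.113.7", 3000)])

if __name__ == "__main__":
    for (ip, t), ok in zip(SAMPLE, replay(SAMPLE)):
        print(f"{t:>5} ms  {ip:<13} {'pass' if ok else 'reject'}")
```

With these settings an instantaneous burst from one IP gets six requests through (one plus the burst of 5) before rejections start, and one slot frees up every 250 ms; other IPs are unaffected.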

This redirect being first in the file meant that if someone tried to
access a dev version through any method except using "localhost" (such
as via the IP address), no server block would be matched, which causes
nginx to use the first one. That resulted in a 301 redirect to
tildes.net, which definitely shouldn't happen for a dev version.

This change both moves the redirect to the bottom, as well as only
adding it if it's the "prod" environment, since it's not needed in the
dev environment at all.

Previously, this was set as "same-origin" which will only send a
referrer to Tildes itself. This changes it so that it will continue sending
the full referrer to Tildes, but will send only the domain to external
sites if they use HTTPS (and no referer to HTTP ones).

This can be useful because there are often situations where an article
author sees traffic coming from a site and will come to check it out and
be able to participate in the discussion.

Some of these states were built entirely around a single-server approach
(Prometheus + monitoring being on the same server as the site), and the
files have needed modifications to work with a separate monitoring
server.

This updates the states so that it should all happen as expected in all
types of environments.