From 23e1ddab65e4312f2a3088e7eddedf1d38ed9ae5 Mon Sep 17 00:00:00 2001 
From: Ludovic CHEVALIER
Date: Thu, 19 Mar 2015 16:27:58 +0100
Subject: [PATCH] Ajout : site www.heureux-cyclage.org
---
sec | 2 +-
srv/ateliers/etc/etckeeper/... | 1 +
srv/ateliers/etc/nginx/... | 1 +
srv/ateliers/etc/nginx/.gitignore | 1 +
srv/ateliers/etc/nginx/conf.d/... | 1 +
srv/ateliers/etc/nginx/conf.d/fastcgi.conf | 35 +++++
srv/ateliers/etc/nginx/conf.d/ssl-pfs.conf | 19 +++
srv/ateliers/etc/nginx/conf.d/ssl.conf | 6 +
srv/ateliers/etc/nginx/nginx | 1 +
srv/ateliers/etc/nginx/nginx.conf | 133 ++++++++++++++++++
srv/ateliers/etc/nginx/org/... | 1 +
.../etc/nginx/org/heureux-cyclage/... | 1 +
.../etc/nginx/org/heureux-cyclage/crt.pem | 1 +
.../etc/nginx/org/heureux-cyclage/install | 16 +++
.../etc/nginx/org/heureux-cyclage/key.pem.gpg | 1 +
.../etc/nginx/org/heureux-cyclage/www/... | 1 +
.../org/heureux-cyclage/www/common.conf.m4 | 29 ++++
.../etc/nginx/org/heureux-cyclage/www/install | 1 +
.../org/heureux-cyclage/www/server.conf.m4 | 15 ++
srv/ateliers/gpg | 1 +
srv/ateliers/install | 1 +
srv/ateliers/sys/nginx/... | 1 +
srv/ateliers/sys/nginx/home | 1 +
srv/ateliers/sys/nginx/org/... | 1 +
.../sys/nginx/org/heureux-cyclage/... | 1 +
.../sys/nginx/org/heureux-cyclage/www/... | 1 +
.../sys/nginx/org/heureux-cyclage/www/home | 1 +
.../sys/nginx/org/heureux-cyclage/www/user | 1 +
srv/ateliers/sys/nginx/user | 1 +
29 files changed, 275 insertions(+), 1 deletion(-)
create mode 120000 srv/ateliers/etc/etckeeper/...
create mode 120000 srv/ateliers/etc/nginx/...
create mode 100644 srv/ateliers/etc/nginx/.gitignore
create mode 120000 srv/ateliers/etc/nginx/conf.d/...
create mode 100644 srv/ateliers/etc/nginx/conf.d/fastcgi.conf
create mode 100644 srv/ateliers/etc/nginx/conf.d/ssl-pfs.conf
create mode 100644 srv/ateliers/etc/nginx/conf.d/ssl.conf
create mode 120000 srv/ateliers/etc/nginx/nginx
create mode 100644 srv/ateliers/etc/nginx/nginx.conf
create mode 120000 srv/ateliers/etc/nginx/org/...
create mode 120000 srv/ateliers/etc/nginx/org/heureux-cyclage/...
create mode 120000 srv/ateliers/etc/nginx/org/heureux-cyclage/crt.pem
create mode 100644 srv/ateliers/etc/nginx/org/heureux-cyclage/install
create mode 120000 srv/ateliers/etc/nginx/org/heureux-cyclage/key.pem.gpg
create mode 120000 srv/ateliers/etc/nginx/org/heureux-cyclage/www/...
create mode 100644 srv/ateliers/etc/nginx/org/heureux-cyclage/www/common.conf.m4
create mode 120000 srv/ateliers/etc/nginx/org/heureux-cyclage/www/install
create mode 100644 srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4
create mode 120000 srv/ateliers/gpg
create mode 120000 srv/ateliers/install
create mode 120000 srv/ateliers/sys/nginx/...
create mode 100644 srv/ateliers/sys/nginx/home
create mode 120000 srv/ateliers/sys/nginx/org/...
create mode 120000 srv/ateliers/sys/nginx/org/heureux-cyclage/...
create mode 120000 srv/ateliers/sys/nginx/org/heureux-cyclage/www/...
create mode 100644 srv/ateliers/sys/nginx/org/heureux-cyclage/www/home
create mode 100644 srv/ateliers/sys/nginx/org/heureux-cyclage/www/user
create mode 100644 srv/ateliers/sys/nginx/user
diff --git a/sec b/sec
index 6ec1edd..8bee1fc 160000
--- a/sec
+++ b/sec
@@ -1 +1 @@
-Subproject commit 6ec1edd76fd359bbea6b14a602de741681c06bcf
+Subproject commit 8bee1fc23cc2030fe352c59024aba0c0f99873b0
diff --git a/srv/ateliers/etc/etckeeper/... b/srv/ateliers/etc/etckeeper/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/etc/etckeeper/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/... b/srv/ateliers/etc/nginx/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/etc/nginx/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/.gitignore b/srv/ateliers/etc/nginx/.gitignore
new file mode 100644
index 0000000..010b5cf
--- /dev/null
+++ b/srv/ateliers/etc/nginx/.gitignore
@@ -0,0 +1 @@
+**/key.pem
diff --git a/srv/ateliers/etc/nginx/conf.d/... b/srv/ateliers/etc/nginx/conf.d/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/etc/nginx/conf.d/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/conf.d/fastcgi.conf b/srv/ateliers/etc/nginx/conf.d/fastcgi.conf
new file mode 100644
index 0000000..c33cebc
--- /dev/null
+++ b/srv/ateliers/etc/nginx/conf.d/fastcgi.conf
@@ -0,0 +1,35 @@
+## DOC: http://wiki.nginx.org/HttpFastcgiModule
+fastcgi_buffer_size 128k;
+fastcgi_buffers 256 4k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_connect_timeout 60;
+fastcgi_ignore_client_abort off;
+fastcgi_intercept_errors on;
+fastcgi_max_temp_file_size 2M;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param HTTPS $https;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+#fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param REQUEST_URI $request_uri;
+#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_FILENAME $request_filename;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_NAME $server_name;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_read_timeout 180;
+fastcgi_send_timeout 180;
+fastcgi_temp_file_write_size 256k;
+
+# vim: ft=sh
diff --git a/srv/ateliers/etc/nginx/conf.d/ssl-pfs.conf b/srv/ateliers/etc/nginx/conf.d/ssl-pfs.conf
new file mode 100644
index 0000000..28a4499
--- /dev/null
+++ b/srv/ateliers/etc/nginx/conf.d/ssl-pfs.conf
@@ -0,0 +1,19 @@
+# DOC: http://wiki.nginx.org/HttpSslModule
+# DOC: https://wiki.mozilla.org/Security/Server_Side_TLS
+# DOC: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+# DOC: https://www.openssl.org/docs/apps/ciphers.html
+keepalive_timeout 70;
+add_header Strict-Transport-Security "max-age=31536000;";
+add_header X-Frame-Options DENY;
+ssl on;
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:kEDH+AESGCM:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
+ # NOTE: prioritizes algorithms that provide Perfect Forward Secrecy.
+ssl_dhparam /etc/nginx/dhparam.4096.pem;
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# vim: ft=sh
diff --git a/srv/ateliers/etc/nginx/conf.d/ssl.conf b/srv/ateliers/etc/nginx/conf.d/ssl.conf
new file mode 100644
index 0000000..aa0baa1
--- /dev/null
+++ b/srv/ateliers/etc/nginx/conf.d/ssl.conf
@@ -0,0 +1,6 @@
+# DOC: http://wiki.nginx.org/HttpSslModule
+keepalive_timeout 70;
+ssl on;
+ssl_ciphers HIGH:!ADH:!MD5;
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
diff --git a/srv/ateliers/etc/nginx/nginx b/srv/ateliers/etc/nginx/nginx
new file mode 120000
index 0000000..ed62c3a
--- /dev/null
+++ b/srv/ateliers/etc/nginx/nginx
@@ -0,0 +1 @@
+.../lib/tool/admin/etc/nginx/
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/nginx.conf b/srv/ateliers/etc/nginx/nginx.conf
new file mode 100644
index 0000000..94c1ffe
--- /dev/null
+++ b/srv/ateliers/etc/nginx/nginx.conf
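Review bot: Most of the `ssl_ciphers` string consists of suite names that do not exist in OpenSSL (`ECDHE-RSA-AES128-GCM-SHA384`, every `*-SHA128` entry, `AES128-GCM-SHA384`), and OpenSSL silently drops unknown names from a cipher list, so the effective list is only the handful of valid entries plus `HIGH` — not the PFS-first ordering the `# NOTE:` comment claims. Replacing the string with the intermediate list from the Mozilla page already cited in the DOC header would make the file say what it does. `ssl_stapling_verify on;` also needs `ssl_trusted_certificate` pointing at the issuer chain for OCSP response verification to succeed; unless that directive is set in a file outside this commit, nginx logs a verification failure and does not staple. Dropping `TLSv1 TLSv1.1` from `ssl_protocols` is worth considering where client compatibility allows.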
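Review bot: `ssl_ciphers HIGH:!ADH:!MD5;` excludes anonymous DH but not anonymous ECDH; with OpenSSL 1.0.x `HIGH` matches the `AECDH-*` suites, which provide no server authentication, so the exclusion should be `!aNULL` (and `!eNULL`), e.g. `ssl_ciphers HIGH:!aNULL:!eNULL:!MD5;`. This file is the profile nginx.conf applies to its `listen 443 default_server` block — the one any client that sends no SNI ends up on — so it carries the same weight as ssl-pfs.conf. Since both files are new in this commit, a single shared TLS profile included by both servers would avoid the two drifting apart.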
@@ -0,0 +1,133 @@
+# DOC: http://blog.martinfjordvald.com/2010/07/nginx-primer/
+events {
+ multi_accept on;
+ use epoll;
+ worker_connections 1024;
+ }
+http {
+ log_format main
+ '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ log_format piwik
+ '{"ip": "$remote_addr",'
+ '"host": "$host",'
+ '"path": "$request_uri",'
+ '"status": "$status",'
+ '"referrer": "$http_referer",'
+ '"user_agent": "$http_user_agent",'
+ '"length": $bytes_sent,'
+ '"generation_time_milli": $request_time,'
+ '"date": "$time_iso8601"}';
+ access_log /var/log/nginx/access.log main buffer=32k;
+ client_body_buffer_size 4K;
+ # NOTE: % getconf PAGESIZE
+ # 4096
+ client_body_temp_path /run/shm/cache/nginx/client_body 1 2;
+ client_body_timeout 60;
+ client_header_buffer_size 1k;
+ client_header_timeout 60;
+ client_max_body_size 20m;
+ default_type application/octet-stream;
+ error_log /var/log/nginx/error.log warn;
+ error_page 403 = 404;
+ fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
+ fastcgi_cache_path /run/shm/cache/nginx/fastcgi
+ inactive=10m
+ keys_zone=microcache:2M
+ levels=1:2
+ loader_files=100000
+ loader_sleep=1
+ loader_threshold=2592000000
+ max_size=64M;
+ fastcgi_temp_path /run/shm/tmp/nginx/ 1 2;
+ gzip on;
+ gzip_buffers 16 8k;
+ gzip_comp_level 6;
+ gzip_disable "MSIE [1-6]\.";
+ gzip_http_version 1.1;
+ gzip_min_length 1024;
+ gzip_proxied any;
+ gzip_static on;
+ gzip_vary on;
+ gzip_types
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-javascript
+ application/xml
+ application/xml+rss
+ font/opentype
+ font/truetype
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/x-component
+ text/xml;
+ include /etc/nginx/mime.types;
+ keepalive_timeout 20;
+ large_client_header_buffers 4 8k;
+ map_hash_bucket_size 128;
+ open_file_cache max=200000
inactive=20s;
+ open_file_cache_errors on;
+ open_file_cache_min_uses 2;
+ open_file_cache_valid 30s;
+ open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
+ proxy_cache_use_stale updating;
+ proxy_temp_path /run/shm/cache/nginx/proxy_temp 1 2;
+ reset_timedout_connection on;
+ send_timeout 60;
+ # NOTE: if the client stops reading data, free up the stale client connection after this much time.
+ sendfile on;
+ server_names_hash_bucket_size 128;
+ server_tokens off;
+ ssl_session_cache shared:SSL:10m;
+ tcp_nodelay on;
+ # NOTE: don't buffer data-sends (disable Nagle algorithm).
+ # Good for sending frequent small bursts of data in real time.
+ tcp_nopush on;
+ # NOTE: causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames.
+ # This is useful for prepending headers before calling sendfile,
+ # or for throughput optimization.
+ types_hash_max_size 2048;
+ map $http_user_agent $bad_bot {
+ # NOTE: user agents that are to be blocked.
+ default 0;
+ libwww-perl 1;
+ ~(?i)(httrack|htmlparser|libwww) 1;
+ }
+ #map $http_referer $bad_referer {
+ # # NOTE: referrers that are to be blocked.
+ # default 0;
+ # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
+ # }
+ geo $not_local {
+ default 1;
+ 127.0.0.1 0;
+ }
+ include /etc/nginx/site.d/*/http.conf;
+ include /etc/nginx/*/*/server.conf;
+ include /etc/nginx/*/*/*/server.conf;
+ server {
+ listen 80 default_server;
+ server_name _;
+ return 302 $scheme://heureux-cyclage.org$request_uri;
+ }
+ server {
+ listen 443 default_server;
+ server_name _;
+ include /etc/nginx/conf.d/ssl.conf;
+ ssl_certificate /etc/nginx/org/heureux-cyclage/crt.pem;
+ ssl_certificate_key /etc/nginx/org/heureux-cyclage/key.pem;
+ return 302 $scheme://heureux-cyclage.org$request_uri;
+ }
+ }
+pid /run/nginx.pid;
+user www-data;
+worker_processes 2;
+
+# vim: ft=sh
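Review bot: The `listen 443 default_server` block serves the heureux-cyclage certificate but includes `conf.d/ssl.conf` instead of `conf.d/ssl-pfs.conf`, so it has no `ssl_dhparam`, no HSTS header and the weaker cipher list; any client that sends no SNI (or an unknown name) negotiates with this block under that profile while seeing the same certificate, and on nginx releases before 1.11 DHE suites then fall back to the built-in 1024-bit parameters. Changing the include to `include /etc/nginx/conf.d/ssl-pfs.conf;` keeps it consistent with the site's own 443 server in server.conf.m4. Separately, the `$bad_bot` map and the `microcache` fastcgi cache zone are defined here but nothing in this commit references them; if they are consumed by the `site.d` or `server.conf` includes outside this commit, a one-line comment saying so would help the next reader.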
diff --git a/srv/ateliers/etc/nginx/org/... b/srv/ateliers/etc/nginx/org/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/... b/srv/ateliers/etc/nginx/org/heureux-cyclage/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/crt.pem b/srv/ateliers/etc/nginx/org/heureux-cyclage/crt.pem
new file mode 120000
index 0000000..39abec2
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/crt.pem
@@ -0,0 +1 @@
+.../var/x509/org/heureux-cyclage/crt+chain.pem
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/install b/srv/ateliers/etc/nginx/org/heureux-cyclage/install
new file mode 100644
index 0000000..2dd49b2
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/install
@@ -0,0 +1,16 @@
+#!/bin/sh -eu
+# SYNTAX: $path
+# DESCRIPTION: install
+
+# ACTION: initialize from ./
+ test -L "$0" && tool="$(readlink -e "$0")" || tool=$0
+ tool=$(readlink -e "${tool%/*}"/...)
+ . "$tool"/lib/install.sh
+# ACTION install ./etc/nginx/org/heureux-cyclage/
+ content=$("$tool"/cat etc/nginx/org/heureux-cyclage/key.pem)
+ "$tool"/ssh-sudo install -m 400 -o root -g root /dev/stdin \
+ /etc/nginx/org/heureux-cyclage/key.pem <<-EOF
+ $content
+ EOF
+ install_etc_nginx_org_heureux_cyclage_key_pem=ignore \
+ "$tool"/install etc/nginx/org/heureux-cyclage
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/key.pem.gpg b/srv/ateliers/etc/nginx/org/heureux-cyclage/key.pem.gpg
new file mode 120000
index 0000000..b7a9efe
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/key.pem.gpg
@@ -0,0 +1 @@
+.../var/x509/org/heureux-cyclage/key.pem.gpg
\ No newline at end of file
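Review bot: The decrypted private key is captured in the shell variable `content` and then fed to the installer through a here-document; depending on the shell behind `/bin/sh`, here-documents may be materialised as a temporary file (bash before 5.1 does this), so the plaintext key can briefly touch `$TMPDIR` on the admin host, and it stays in the shell's memory for the rest of the script either way. Piping the decrypted output straight into the installer avoids both: `"$tool"/cat etc/nginx/org/heureux-cyclage/key.pem | "$tool"/ssh-sudo install -m 400 -o root -g root /dev/stdin /etc/nginx/org/heureux-cyclage/key.pem` — this assumes ssh-sudo forwards its stdin, which the current here-document already relies on. The `install_etc_nginx_org_heureux_cyclage_key_pem=ignore` variable is presumably what stops the generic `"$tool"/install` from re-processing key.pem; a short comment naming that contract would spare the next reader a trip into lib/install.sh.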
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/www/... b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/www/common.conf.m4 b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/common.conf.m4
new file mode 100644
index 0000000..89f972e
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/common.conf.m4
@@ -0,0 +1,29 @@
+server_name
+ www.heureux-cyclage.org
+ heureux-cyclage.org;
+root /home/www/data/lhc-www/www;
+index index.php;
+
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+
+location ~^/(tmp|config)/{
+ return 403;
+}
+location ~ \.html$ {
+ log_not_found off;
+}
+location ~ \.php$ {
+ include /etc/nginx/conf.d/fastcgi.conf;
+ fastcgi_index index.php ;
+ fastcgi_param REDIRECT_STATUS 200;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_pass unix:/run/php5/fpm/lhc_www;
+}
+error_page 404 = @spip;
+
+location @spip {
+ rewrite ^/(.*)(\.html)?$ /spip.php?url_propre=$1&$args last;
+}
+# vim: ft=sh
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/www/install b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/install
new file mode 120000
index 0000000..135b97d
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/install
@@ -0,0 +1 @@
+.../lib/tool/admin/etc/nginx/$site/install
\ No newline at end of file
diff --git a/srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4 b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4
new file mode 100644
index 0000000..45f349c
--- /dev/null
+++ b/srv/ateliers/etc/nginx/org/heureux-cyclage/www/server.conf.m4
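Review bot: The `location ~ \.php$` block hands every matching URI to php-fpm without checking that the script exists, and because the included fastcgi.conf sets `SCRIPT_FILENAME $request_filename`, a request like `/uploads/file.jpg/x.php` is forwarded as-is; whether php-fpm then treats `file.jpg` as PHP depends on its `cgi.fix_pathinfo` and `security.limit_extensions` settings, which are outside this commit. Keeping the decision in nginx takes three lines after `fastcgi_split_path_info`: `set $path_info $fastcgi_path_info;`, `try_files $fastcgi_script_name =404;` and `fastcgi_param PATH_INFO $path_info;` (the nginx documentation's PHP example notes that `try_files` resets `$fastcgi_path_info`, hence the intermediate variable). In `location @spip`, the `(\.html)?` group of `rewrite ^/(.*)(\.html)?$` can never capture anything because the preceding `(.*)` is greedy, so `url_propre` keeps its `.html` suffix; if SPIP does not strip that itself, `^/(.*?)(\.html)?$` is the pattern the author appears to have wanted.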
@@ -0,0 +1,15 @@
+define(`DOMAIN',`org/heureux-cyclage')dnl
+define(`SITE',`DOMAIN/www')dnl
+server {
+ listen 80;
+ include /etc/nginx/SITE/common.conf;
+
+ return 301 http://www.heureux-cyclage.org$request_uri;
+ }
+server {
+ listen 443;
+ include /etc/nginx/SITE/common.conf;
+ include /etc/nginx/conf.d/ssl-pfs.conf;
+ ssl_certificate /etc/nginx/DOMAIN/crt.pem;
+ ssl_certificate_key /etc/nginx/DOMAIN/key.pem;
+}
diff --git a/srv/ateliers/gpg b/srv/ateliers/gpg
new file mode 120000
index 0000000..c65a17e
--- /dev/null
+++ b/srv/ateliers/gpg
@@ -0,0 +1 @@
+.../lib/tool/admin/gpg
\ No newline at end of file
diff --git a/srv/ateliers/install b/srv/ateliers/install
new file mode 120000
index 0000000..12017c7
--- /dev/null
+++ b/srv/ateliers/install
@@ -0,0 +1 @@
+.../lib/tool/admin/install
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/... b/srv/ateliers/sys/nginx/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/sys/nginx/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/home b/srv/ateliers/sys/nginx/home
new file mode 100644
index 0000000..728f03d
--- /dev/null
+++ b/srv/ateliers/sys/nginx/home
@@ -0,0 +1 @@
+/home/www/data
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/org/... b/srv/ateliers/sys/nginx/org/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/sys/nginx/org/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/org/heureux-cyclage/... b/srv/ateliers/sys/nginx/org/heureux-cyclage/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/sys/nginx/org/heureux-cyclage/...
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/org/heureux-cyclage/www/... b/srv/ateliers/sys/nginx/org/heureux-cyclage/www/...
new file mode 120000
index 0000000..951b30d
--- /dev/null
+++ b/srv/ateliers/sys/nginx/org/heureux-cyclage/www/...
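Review bot: The port-80 `server` block is a redirect loop for `www.heureux-cyclage.org`: common.conf gives it `server_name www.heureux-cyclage.org heureux-cyclage.org`, and a `return` at server level runs for every request before any location is considered, so `return 301 http://www.heureux-cyclage.org$request_uri;` sends requests for the www host straight back to this same block. Presumably the intent is to push traffic to TLS — which is also the only way the HSTS header in ssl-pfs.conf ever reaches a browser — and that reads `return 301 https://www.heureux-cyclage.org$request_uri;`. If plain HTTP is meant to keep serving the site, the redirect has to be confined to the bare domain in its own `server` block; in either case, including common.conf in a block that always returns pulls in `root`, `index` and the PHP locations that can never execute there.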
@@ -0,0 +1 @@
+../...
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/org/heureux-cyclage/www/home b/srv/ateliers/sys/nginx/org/heureux-cyclage/www/home
new file mode 100644
index 0000000..f27e275
--- /dev/null
+++ b/srv/ateliers/sys/nginx/org/heureux-cyclage/www/home
@@ -0,0 +1 @@
+/home/www/data/lhc-www
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/org/heureux-cyclage/www/user b/srv/ateliers/sys/nginx/org/heureux-cyclage/www/user
new file mode 100644
index 0000000..753f07e
--- /dev/null
+++ b/srv/ateliers/sys/nginx/org/heureux-cyclage/www/user
@@ -0,0 +1 @@
+www-lhc-www
\ No newline at end of file
diff --git a/srv/ateliers/sys/nginx/user b/srv/ateliers/sys/nginx/user
new file mode 100644
index 0000000..5a4fbef
--- /dev/null
+++ b/srv/ateliers/sys/nginx/user
@@ -0,0 +1 @@
+www-data
\ No newline at end of file
--
2.20.1