-Subproject commit 358ee61dbcf66af8c5f48fc9c3e5f2a97576926e
+Subproject commit 982cf378c7b8f9da0a0cb68a81842794e71fb8d0
+++ /dev/null
-listen 443;
-include /etc/nginx/conf.d/ssl.conf;
-ssl_certificate /etc/nginx/x509.d/lhc-stats-tls/crt.pem;
-ssl_certificate_key /etc/nginx/x509.d/lhc-stats-tls/key.pem;
-
-location = /index.php {
- ## Relay all index.php requests to fastcgi.
- include /etc/nginx/conf.d/fastcgi.conf;
- add_header X-Piwik-Cache $upstream_cache_status;
- expires epoch;
- fastcgi_cache microcache;
- fastcgi_cache_bypass $lhc_stats_no_cache;
- fastcgi_cache_use_stale error timeout invalid_header updating http_500;
- fastcgi_cache_valid 200 301 5m;
- fastcgi_cache_valid 302 3m;
- fastcgi_cache_valid 404 1m;
- fastcgi_ignore_headers Cache-Control Expires;
- fastcgi_index index.php;
- fastcgi_no_cache $lhc_stats_no_cache;
- fastcgi_param REDIRECT_STATUS 200;
-
- fastcgi_pass php_fpm_lhc_stats;
- }
-
-# vim: ft=sh
+++ /dev/null
-hint="run before: remote/runit-configure nginx -- $site"
-assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
-
-sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/stats.heureux-cyclage.org/crt+ca.pem \
- /etc/nginx/x509.d/"$site"/crt.pem
-
-sudo rmdir ~www-data/"$site" || true
-sudo ln -fns "${site%-tls}" ~www-data/"$site"
-
+++ /dev/null
-../lhc-stats/site.conf
\ No newline at end of file
+++ /dev/null
-stats.heureux-cyclage.org
+++ /dev/null
-upstream php_fpm_lhc_stats {
- server unix:/run/php5/fpm/lhc_stats;
- }
-
-map $request_method $lhc_stats_no_cache {
- # NOTE: if non GET/HEAD, don't cache.
- default 1;
- HEAD 0;
- GET 0;
- }
-map $arg_module $lhc_stats_no_cache {
- ## When we go through installation
- ## or when we're on the dashboard for specific tasks.
- Installation 1; # when invoking the installation module.
- ~[^\&]*(?:Dashboard|Live|Goals|Admin|Manager) 1; # some tasks
- }
-map $arg_action $lhc_stats_no_cache {
- ## The first installation steps don't invoke the installation module.
- systemCheck 1;
- databaseSetup 1;
- }
-map $http_cookie $lhc_stats_no_cache {
- ## Testing for the session cookie being present.
- ## If there is then no caching is to be done.
- ~PIWIK_SESSID 1; # Piwik session cookie
- }
-
-# vim: ft=sh
+++ /dev/null
-listen 80;
-
-location = /index.php {
- return 302 "https://$http_host/index.php";
- }
+++ /dev/null
-pool=lhc_stats
-sudo adduser php_"$pool" www-"$site"
-sudo adduser www-"$site"-tls www-"$site"
-"$tool"/local/mysql-user-create php_"$pool"
-"$tool"/local/mysql-database-create php_"$pool"
+++ /dev/null
-server_name stats.heureux-cyclage.org;
-
-client_body_buffer_size 8k;
-client_max_body_size 10m;
-
-if ($bad_bot) {
- return 444;
- }
-#if ($bad_referer) {
-# return 444;
-# }
-
-#location ~ /\. {
-# access_log off;
-# deny all;
-# log_not_found off;
-# }
-location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf)$ {
- ## Defining the valid referers.
- ## Disallow any usage of piwik assets if referer is non valid.
- valid_referers none blocked
- server_names
- .cyclocoop.org
- .heureux-cyclage.org
- .ptitvelo.net
- .velosenville.org
- .wiklou.org;
- if ($invalid_referer) {
- return 444;
- }
-
- expires max;
- # NOTE: Static files use the OS buffer cache.
- open_file_cache max=500 inactive=120s;
- open_file_cache_errors off;
- open_file_cache_min_uses 2;
- open_file_cache_valid 45s;
- tcp_nodelay off;
- }
-location = /favicon.ico {
- ## Support for favicon. Return a 204 (No Content) if the favicon doesn't exist.
- try_files /favicon.ico =204;
- }
-location / {
- ## Try all locations and relay to index.php as a fallback.
- try_files $uri /index.php?$query_string;
- }
-location = /piwik.php {
- ## Relay all piwik.php requests to fastcgi.
- include /etc/nginx/conf.d/fastcgi.conf;
- add_header X-Piwik-Long-Cache $upstream_cache_status;
- expires epoch;
- fastcgi_cache microcache;
- fastcgi_cache_bypass $lhc_stats_no_cache;
- fastcgi_cache_use_stale error timeout invalid_header updating http_500;
- fastcgi_cache_valid 200 301 2h;
- fastcgi_cache_valid 302 30m;
- fastcgi_cache_valid 404 10m;
- fastcgi_ignore_headers Cache-Control Expires;
- fastcgi_no_cache $lhc_stats_no_cache;
- fastcgi_param REDIRECT_STATUS 200;
-
- fastcgi_pass php_fpm_lhc_stats;
- }
-location ~* ^.+\.php$ {
- ## Any other attempt to access PHP files redirects to the root.
- return 302 /;
- }
-location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
- ## Redirect to the root if attempting to access a txt file.
- return 302 /;
- }
-location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
- ## Disallow access to several helper files.
- return 404;
- }
-location = /robots.txt {
- ## No crawling of this site for bots that obey robots.txt.
- return 200 "User-agent: *\nDisallow: /\n";
- }
-
-# vim: ft=sh
+++ /dev/null
-../heureux-cyclage.org
\ No newline at end of file
+++ /dev/null
- SERVICE = stats
- RANDFILE = var/sec/x509/openssl.rand
- oid_section = extra_oids
-[ extra_oids ]
- # NOTE: pour une éventuelle validation étendue (Extended Validation (EV))
- jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
- jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
- jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
-[ req ]
- prompt = no
- distinguished_name = distinguished_name
- string_mask = pkix
- #x509_extensions = root_extensions
- #req_extensions = extension
- #attributes = req_attributes
-[ distinguished_name ]
- countryName = $ENV::x509_country
- stateOrProvinceName = $ENV::x509_state_or_province
- localityName = $ENV::x509_state_or_province
- 0.organizationName = $ENV::x509_organization
- organizationalUnitName = Service de statistiques
- commonName = $SERVICE.$ENV::x509_host
- businessCategory = $ENV::x509_business_category
- jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province
- jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
- jurisdictionOfIncorporationCountryName = $ENV::x509_country
-[ extensions ]
- basicConstraints = critical,CA:FALSE,pathlen:0
- keyUsage = keyEncipherment
- subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
- certificatePolicies = @certificate_policies
-[ self_signed_extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:0
- keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
- subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
-[ user_extensions ]
- basicConstraints = critical,CA:FALSE,pathlen:0
- keyUsage = digitalSignature,keyEncipherment
- subjectAltName = email:$ENV::user@$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
-[ certificate_policies ]
- policyIdentifier = 1.2.250.1.42
- CPS.1 = https://www.$ENV::x509_host/x509/cps
-[ ca ]
- private_key = var/sec/x509/$ENV::x509/key.pem
- dir = var/pub/x509/$ENV::x509
- crl_dir = $dir
- crlnumber = $dir/crl.num
- crl = $dir/crl.pem
- database = $dir/idx.txt
-[ self_signed_ca ]
- private_key = var/sec/x509/$ENV::x509/key.pem
- dir = var/pub/x509/$ENV::x509
- crl_dir = $dir
- crlnumber = $dir/crl.self-signed.num
- crl = $dir/crl.self-signed.pem
- database = $dir/idx.self-signed.txt
+++ /dev/null
- SERVICE = stats
- HOME = .
- RANDFILE = var/sec/x509/openssl.rand
-[ req ]
- prompt = no
- distinguished_name = user_distinguished_name
- string_mask = pkix
-[ user_distinguished_name ]
- countryName = $ENV::x509_country
- stateOrProvinceName = $ENV::x509_state_or_province
- #localityName =
- 0.organizationName = $ENV::x509_organization
- organizationalUnitName = Certificat utilisateurice du service de statistiques
- commonName = $ENV::user