Serveurs NGINX

2021-11-16 20:06:50 +00:00 · 2021-11-16 20:06:50 +00:00 · 59dd1ddf02
parent 4aa05cb9b2
commit 59dd1ddf02
7 changed files with 311 additions and 9 deletions
--- a/virtuelles/dns.md
+++ b/virtuelles/dns.md
@ -52,4 +52,4 @@ Adresse ipv6 publique : 2001:910:1360::11c
 #### /etc/postfix/virtual

    @localhost admin@a-lec.org
-    @dns.libre-en-communs.org admin@a-lec.org
+    @dns.libre-en-communs.org admin@a-lec.org
--- a/virtuelles/gestion.md
+++ b/virtuelles/gestion.md
@ -1,4 +1,4 @@
-## Machine virtuelle Gestion
+## Machine virtuelle GESTION

 Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.

@ -53,3 +53,94 @@ Adresse ipv6 publique : 2001:910:1360::1ab

    @localhost admin@a-lec.org
    @gestion.a-lec.org admin@a-lec.org
+
+### Configuration serveur web (nginx)
+
+    server {
+      server_name coffre.a-lec.org;
+
+      set_real_ip_from  192.169.1.1;
+      real_ip_header proxy_protocol;
+
+      # Allow large attachments
+      client_max_body_size 128M;
+
+      location / {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+      }
+
+      location /notifications/hub {
+        proxy_pass http://127.0.0.1:3012;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      }
+
+      location /notifications/hub/negotiate {
+        proxy_pass http://127.0.0.1:8000;
+      }
+
+       listen 443 ssl http2 proxy_protocol; # managed by Certbot
+       listen [::]:443 ssl http2; # managed by Certbot
+       ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
+       ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
+       include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    }
+
+    server {
+        if ($host = coffre.a-lec.org) {
+            return 302 https://$host$request_uri;
+        } # managed by Certbot
+
+       server_name coffre.a-lec.org;
+
+        listen 80;
+        return 404; # managed by Certbot
+    }
+
+    server {
+
+        root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)
+
+        server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
+        
+        set_real_ip_from  192.169.1.1;
+        real_ip_header proxy_protocol;
+
+        location / {
+            try_files $uri $uri/ /_route.php?$query_string;
+            index index.php /_route.php;
+        }
+
+        location ~ \.php {
+            try_files $uri $uri/ /_route.php?$query_string;
+            include fastcgi.conf;
+            #fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
+            fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket        
+        }
+
+        listen 443 ssl proxy_protocol; # managed by Certbot
+        listen [::]:443 ssl;
+        ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    }
+
+    server {
+        if ($host = gestion.a-lec.org) {
+            return 302 https://$host$request_uri;
+        } # managed by Certbot
+
+        listen 80;
+        listen [::]:80;
+
+        server_name gestion.a-lec.org;
+        return 404; # managed by Certbot
+    }
--- a/virtuelles/git.md
+++ b/virtuelles/git.md
@ -1,4 +1,4 @@
-## Machine virtuelle Git
+## Machine virtuelle GIT

 Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.

@ -53,3 +53,72 @@ Adresse ipv6 publique : 2001:910:1360::42

    @localhost admin@a-lec.org
    @git.a-lec.org admin@a-lec.org
+
+### Configuration serveur web (nginx)
+
+    # GITLAB
+
+    upstream gitlab-workhorse {
+      # On GitLab versions before 13.5, the location is
+      # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
+      # accordingly.
+      server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
+    }
+
+    ## Redirects all HTTP traffic to the HTTPS host
+    server {
+      ## Either remove "default_server" from the listen line below,
+      ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+      ## to be served if you visit any address that your server responds to, eg.
+      ## the ip address of the server (http://x.x.x.x/)
+      listen 0.0.0.0:80;
+      listen [::]:80 ipv6only=on default_server;
+      server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
+      server_tokens off; ## Don't show the nginx version number, a security best practice
+      return 302 https://git.a-lec.org$request_uri;
+      access_log  /var/log/nginx/gitlab_access.log;
+      error_log   /var/log/nginx/gitlab_error.log;
+    }
+
+    ## HTTPS host
+    server {
+      set_real_ip_from  192.169.1.1;
+      real_ip_header proxy_protocol;
+      listen 0.0.0.0:443 ssl proxy_protocol;
+      listen [::]:443 ipv6only=on ssl default_server;
+      server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
+      server_tokens off; ## Don't show the nginx version number, a security best practice
+      root /opt/gitlab/embedded/service/gitlab-rails/public;
+
+      ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
+      ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;
+
+      ## [Optional] Enable HTTP Strict Transport Security
+      ## HSTS is a feature improving protection against MITM attacks
+      ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+      ## Individual nginx logs for this GitLab vhost
+      access_log  /var/log/nginx/gitlab_access.log;
+      error_log   /var/log/nginx/gitlab_error.log;
+
+      location / {
+        client_max_body_size 0;
+        gzip off;
+
+        ## https://github.com/gitlabhq/gitlabhq/issues/694
+        ## Some requests take more than 30 seconds.
+        proxy_read_timeout      300;
+        proxy_connect_timeout   300;
+        proxy_redirect          off;
+
+        proxy_http_version 1.1;
+
+        proxy_set_header    Host                $http_host;
+        proxy_set_header    X-Real-IP           $remote_addr;
+        proxy_set_header    X-Forwarded-Ssl     on;
+        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-Proto   $scheme;
+        proxy_pass http://gitlab-workhorse;
+      }
+    }
--- a/virtuelles/mail.md
+++ b/virtuelles/mail.md
@ -1,4 +1,4 @@
-## Machine virtuelle Mail
+## Machine virtuelle MAIL

 Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association.

@ -46,3 +46,52 @@ Adresse ipv6 publique : 2001:910:1360::148

 ### Configuration MTA

+*(à compléter)*
+
+### Configuration serveur web (nginx)
+
+    server {
+            set_real_ip_from  192.169.1.1;
+            real_ip_header proxy_protocol;
+
+        listen 443 ssl proxy_protocol;
+        listen [::]:443 ssl;
+
+        ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+        # Add index.php to the list if you are using PHP
+        root /var/www/html/roundcube;
+
+        server_name mail.a-lec.org;
+
+        client_max_body_size 100M;
+
+        # Add index.php to the list if you are using PHP
+            index index.html index.htm index.php;
+
+
+        location / {
+            # First attempt to serve request as file, then
+            # as directory, then fall back to displaying a 404.
+            try_files $uri $uri/ /index.php?q=$uri&$args;
+        }
+
+        # pass PHP scripts to FastCGI server
+        #
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+        #    # With php-fpm (or other unix sockets):
+            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+        #    # With php-cgi (or other tcp sockets):
+        #    fastcgi_pass 127.0.0.1:9000;
+                 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+             include fastcgi_params;
+        }
+
+        location ^~ /data {
+            deny all;
+        }
+    }
--- a/virtuelles/toot.md
+++ b/virtuelles/toot.md
@ -1,4 +1,4 @@
-## Machine virtuelle Toot
+## Machine virtuelle TOOT

 Cette machine est destinée à accueillir l'instance Mastodon de l'association.

@ -67,4 +67,97 @@ Instance publique
 #### /etc/postfix/virtual

    @localhost admin@a-lec.org
-    @toot.a-lec.org admin@a-lec.org
+    @toot.a-lec.org admin@a-lec.org
+
+### Configuration serveur web (nginx)
+
+    map $http_upgrade $connection_upgrade {
+      default upgrade;
+      ''      close;
+    }
+
+    server {
+      listen 80;
+      listen [::]:80;
+      server_name toot.a-lec.org;
+      return 302 https://$host$request_uri;
+    }
+
+    server {
+      listen 443 ssl proxy_protocol default_server;
+      listen [::]:443 ssl http2 default_server;
+      server_name toot.a-lec.org;
+
+      set_real_ip_from  192.169.1.1;
+      real_ip_header proxy_protocol;
+
+      ssl_certificate /etc/letsencrypt/live/toot.a-lec.org/fullchain.pem;
+      ssl_certificate_key /etc/letsencrypt/live/toot.a-lec.org/privkey.pem;
+      ssl_protocols TLSv1.2;
+      ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+      ssl_prefer_server_ciphers on;
+      ssl_session_cache shared:SSL:10m;
+
+      keepalive_timeout    70;
+      sendfile             on;
+      client_max_body_size 0;
+
+      root /home/mastodon/live/public;
+
+      gzip on;
+      gzip_disable "msie6";
+      gzip_vary on;
+      gzip_proxied any;
+      gzip_comp_level 6;
+      gzip_buffers 16 8k;
+      gzip_http_version 1.1;
+      gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+      add_header Strict-Transport-Security "max-age=31536000";
+
+      location / {
+        try_files $uri @proxy;
+      }
+
+      location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+        add_header Cache-Control "public, max-age=31536000, immutable";
+        try_files $uri @proxy;
+      }
+
+      location @proxy {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header Proxy "";
+        proxy_pass_header Server;
+
+        proxy_pass http://127.0.0.1:3000;
+        proxy_buffering off;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        tcp_nodelay on;
+      }
+
+      location /api/v1/streaming {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header Proxy "";
+
+        proxy_pass http://127.0.0.1:4000;
+        proxy_buffering off;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        tcp_nodelay on;
+      }
+
+      error_page 500 501 502 503 504 /500.html;
+    }
--- a/virtuelles/tootest.md
+++ b/virtuelles/tootest.md
@ -1,4 +1,4 @@
-## Machine virtuelle Tootest
+## Machine virtuelle TOOTEST

 Cette machine est destinée à accueillir l'instance Mastodon de test.

@ -67,4 +67,4 @@ Instance publique
 #### /etc/postfix/virtual

    @localhost admin@a-lec.org
-    @tootest.a-lec.org admin@a-lec.org
+    @tootest.a-lec.org admin@a-lec.org
--- a/virtuelles/www.md
+++ b/virtuelles/www.md
@ -1,4 +1,4 @@
-## Machine virtuelle Www
+## Machine virtuelle WWW

 Cette machine est destinée à accueillir le site web de l'association