From 59dd1ddf025edf88d58646aeaa679740ca9606c4 Mon Sep 17 00:00:00 2001
From: Adrien Bourmault
Date: Tue, 16 Nov 2021 20:06:50 +0000
Subject: [PATCH] Serveurs NGINX
---
 Machines virtuelles/dns.md | 2 +-
 Machines virtuelles/gestion.md | 93 +++++++++++++++++++++++++++++++-
 Machines virtuelles/git.md | 71 ++++++++++++++++++++++++-
 Machines virtuelles/mail.md | 51 +++++++++++++++++-
 Machines virtuelles/toot.md | 97 +++++++++++++++++++++++++++++++++-
 Machines virtuelles/tootest.md | 4 +-
 Machines virtuelles/www.md | 2 +-
 7 files changed, 311 insertions(+), 9 deletions(-)
diff --git a/Machines virtuelles/dns.md b/Machines virtuelles/dns.md
index 83498fa..575db0b 100644
--- a/Machines virtuelles/dns.md
+++ b/Machines virtuelles/dns.md
@@ -52,4 +52,4 @@ Adresse ipv6 publique : 2001:910:1360::11c
 #### /etc/postfix/virtual
 @localhost admin@a-lec.org
- @dns.libre-en-communs.org admin@a-lec.org
\ No newline at end of file
+ @dns.libre-en-communs.org admin@a-lec.org
diff --git a/Machines virtuelles/gestion.md b/Machines virtuelles/gestion.md
index a8109a5..0d2d30d 100644
--- a/Machines virtuelles/gestion.md
+++ b/Machines virtuelles/gestion.md
@@ -1,4 +1,4 @@
-## Machine virtuelle Gestion
+## Machine virtuelle GESTION
 Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.
@@ -53,3 +53,94 @@ Adresse ipv6 publique : 2001:910:1360::1ab
 @localhost admin@a-lec.org
 @gestion.a-lec.org admin@a-lec.org
+
+### Configuration serveur web (nginx)
+
+ server {
+ server_name coffre.a-lec.org;
+
+ set_real_ip_from 192.169.1.1;
+ real_ip_header proxy_protocol;
+
+ # Allow large attachments
+ client_max_body_size 128M;
+
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /notifications/hub {
+ proxy_pass http://127.0.0.1:3012;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location /notifications/hub/negotiate {
+ proxy_pass http://127.0.0.1:8000;
+ }
+
+ listen 443 ssl http2 proxy_protocol; # managed by Certbot
+ listen [::]:443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+ }
+
+ server {
+ if ($host = coffre.a-lec.org) {
+ return 302 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name coffre.a-lec.org;
+
+ listen 80;
+ return 404; # managed by Certbot
+ }
+
+ server {
+
+ root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)
+
+ server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
+
+ set_real_ip_from 192.169.1.1;
+ real_ip_header proxy_protocol;
+
+ location / {
+ try_files $uri $uri/ /_route.php?$query_string;
+ index index.php /_route.php;
+ }
+
+ location ~ \.php {
+ try_files $uri $uri/ /_route.php?$query_string;
+ include fastcgi.conf;
+ #fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
+ fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket
+ }
+
+ listen 443 ssl proxy_protocol; # managed by Certbot
+ listen [::]:443 ssl;
+ ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+ }
+
+ server {
+ if ($host = gestion.a-lec.org) {
+ return 302 https://$host$request_uri;
+ } # managed by Certbot
+
+ listen 80;
+ listen [::]:80;
+
+ server_name gestion.a-lec.org;
+ return 404; # managed by Certbot
+ }
diff --git a/Machines virtuelles/git.md b/Machines virtuelles/git.md
index 10f54a9..1ac6838 100644
--- a/Machines virtuelles/git.md
+++ b/Machines virtuelles/git.md
@@ -1,4 +1,4 @@
-## Machine virtuelle Git
+## Machine virtuelle GIT
 Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.
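Review bot: `set_real_ip_from 192.169.1.1;` (in both the coffre and gestion HTTPS blocks) trusts a publicly routable address — 192.169.0.0/16 is not the private 192.168.0.0/16 range — so if the PROXY-protocol frontend actually sits on 192.168.1.1 the header is never honoured and `$remote_addr`/`X-Real-IP` keep the frontend's address for logging, rate limiting and fail2ban; if 192.169.1.1 really is the frontend, a comment saying so would stop the next reader from "fixing" it. The same value appears in the git.md, mail.md and toot.md hunks below, so it should be checked once for all four. Separately, the git.md vhost sets `server_tokens off;` but none of the coffre/gestion blocks here do; adding `server_tokens off;` to each `server {}` keeps the hosts consistent.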
@@ -53,3 +53,72 @@ Adresse ipv6 publique : 2001:910:1360::42
 @localhost admin@a-lec.org
 @git.a-lec.org admin@a-lec.org
+
+### Configuration serveur web (nginx)
+
+ # GITLAB
+
+ upstream gitlab-workhorse {
+ # On GitLab versions before 13.5, the location is
+ # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
+ # accordingly.
+ server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
+ }
+
+ ## Redirects all HTTP traffic to the HTTPS host
+ server {
+ ## Either remove "default_server" from the listen line below,
+ ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+ ## to be served if you visit any address that your server responds to, eg.
+ ## the ip address of the server (http://x.x.x.x/)
+ listen 0.0.0.0:80;
+ listen [::]:80 ipv6only=on default_server;
+ server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ return 302 https://git.a-lec.org$request_uri;
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+ }
+
+ ## HTTPS host
+ server {
+ set_real_ip_from 192.169.1.1;
+ real_ip_header proxy_protocol;
+ listen 0.0.0.0:443 ssl proxy_protocol;
+ listen [::]:443 ipv6only=on ssl default_server;
+ server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ root /opt/gitlab/embedded/service/gitlab-rails/public;
+
+ ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;
+
+ ## [Optional] Enable HTTP Strict Transport Security
+ ## HSTS is a feature improving protection against MITM attacks
+ ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+ ## Individual nginx logs for this GitLab vhost
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ location / {
+ client_max_body_size 0;
+ gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://gitlab-workhorse;
+ }
+ }
diff --git a/Machines virtuelles/mail.md b/Machines virtuelles/mail.md
index b36cad7..722e513 100644
--- a/Machines virtuelles/mail.md
+++ b/Machines virtuelles/mail.md
@@ -1,4 +1,4 @@
-## Machine virtuelle Mail
+## Machine virtuelle MAIL
 Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association.
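Review bot: The HTTPS `server {}` sets only `ssl_certificate`/`ssl_certificate_key` and, unlike the other vhosts in this commit, does not `include /etc/letsencrypt/options-ssl-nginx.conf;`, so protocol and cipher selection fall back to whatever the http-level or compiled-in nginx defaults are (which, depending on the nginx build, may still include TLS 1.0/1.1). Adding the two Certbot lines used elsewhere, `include /etc/letsencrypt/options-ssl-nginx.conf;` and `ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`, right after the key line would align it with the gestion and mail hosts. The `set_real_ip_from 192.169.1.1;` question raised on the gestion.md hunk applies here too.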
@@ -46,3 +46,52 @@ Adresse ipv6 publique : 2001:910:1360::148
 ### Configuration MTA
+*(à compléter)*
+
+### Configuration serveur web (nginx)
+
+ server {
+ set_real_ip_from 192.169.1.1;
+ real_ip_header proxy_protocol;
+
+ listen 443 ssl proxy_protocol;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+ # Add index.php to the list if you are using PHP
+ root /var/www/html/roundcube;
+
+ server_name mail.a-lec.org;
+
+ client_max_body_size 100M;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.php;
+
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ /index.php?q=$uri&$args;
+ }
+
+ # pass PHP scripts to FastCGI server
+ #
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ # # With php-fpm (or other unix sockets):
+ fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+ location ^~ /data {
+ deny all;
+ }
+ }
diff --git a/Machines virtuelles/toot.md b/Machines virtuelles/toot.md
index 49f7332..4329194 100644
--- a/Machines virtuelles/toot.md
+++ b/Machines virtuelles/toot.md
@@ -1,4 +1,4 @@
-## Machine virtuelle Toot
+## Machine virtuelle TOOT
 Cette machine est destinée à accueillir l'instance Mastodon de l'association.
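Review bot: `location ^~ /data { deny all; }` is the only deny rule, and `root /var/www/html/roundcube;` suggests the document root is the Roundcube install tree itself rather than its `public_html/`; in that layout `config/`, `temp/` and `logs/` sit under the document root and are reachable through the `location /` fallback, and Roundcube's install notes recommend blocking them, e.g. `location ~ ^/(config|temp|logs)/ { deny all; }` next to the existing `/data` rule — worth confirming against the actual directory layout on the host. The `location ~ \.php$` block relies on `snippets/fastcgi-php.conf` for the script-exists check before passing to PHP-FPM; a one-line comment noting that dependency would help whoever copies this to a non-Debian box. The `set_real_ip_from 192.169.1.1;` question raised on the gestion.md hunk applies here too.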
@@ -67,4 +67,97 @@ Instance publique
 #### /etc/postfix/virtual
 @localhost admin@a-lec.org
- @toot.a-lec.org admin@a-lec.org
\ No newline at end of file
+ @toot.a-lec.org admin@a-lec.org
+
+### Configuration serveur web (nginx)
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name toot.a-lec.org;
+ return 302 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl proxy_protocol default_server;
+ listen [::]:443 ssl http2 default_server;
+ server_name toot.a-lec.org;
+
+ set_real_ip_from 192.169.1.1;
+ real_ip_header proxy_protocol;
+
+ ssl_certificate /etc/letsencrypt/live/toot.a-lec.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/toot.a-lec.org/privkey.pem;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ keepalive_timeout 70;
+ sendfile on;
+ client_max_body_size 0;
+
+ root /home/mastodon/live/public;
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ location / {
+ try_files $uri @proxy;
+ }
+
+ location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ try_files $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ tcp_nodelay on;
+ }
+
+ location /api/v1/streaming {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+
+ proxy_pass http://127.0.0.1:4000;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ tcp_nodelay on;
+ }
+
+ error_page 500 501 502 503 504 /500.html;
+ }
diff --git a/Machines virtuelles/tootest.md b/Machines virtuelles/tootest.md
index c805b8b..f98f103 100644
--- a/Machines virtuelles/tootest.md
+++ b/Machines virtuelles/tootest.md
@@ -1,4 +1,4 @@
-## Machine virtuelle Tootest
+## Machine virtuelle TOOTEST
 Cette machine est destinée à accueillir l'instance Mastodon de test.
@@ -67,4 +67,4 @@ Instance publique
 #### /etc/postfix/virtual
 @localhost admin@a-lec.org
- @tootest.a-lec.org admin@a-lec.org
\ No newline at end of file
+ @tootest.a-lec.org admin@a-lec.org
diff --git a/Machines virtuelles/www.md b/Machines virtuelles/www.md
index 03a4fcf..4a68fd8 100644
--- a/Machines virtuelles/www.md
+++ b/Machines virtuelles/www.md
@@ -1,4 +1,4 @@
-## Machine virtuelle Www
+## Machine virtuelle WWW
 Cette machine est destinée à accueillir le site web de l'association
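Review bot: The server-level `add_header Strict-Transport-Security "max-age=31536000";` is not inherited by `location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files)`, because that block declares its own `add_header Cache-Control ...` and nginx's add_header inheritance is all-or-nothing per level; responses for those paths therefore go out without HSTS. Repeating `add_header Strict-Transport-Security "max-age=31536000";` inside that location (or moving both headers into an included snippet) closes the gap. Also `ssl_protocols TLSv1.2;` pins this host to TLS 1.2 only, whereas the Certbot-managed hosts in this commit take their protocol list from options-ssl-nginx.conf; if TLS 1.3 is wanted here it has to be listed explicitly. The `set_real_ip_from 192.169.1.1;` question raised on the gestion.md hunk applies here too.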