Serveurs NGINX

This commit is contained in:
Adrien Bourmault 2021-11-16 20:06:50 +00:00
parent 4aa05cb9b2
commit 59dd1ddf02
7 changed files with 311 additions and 9 deletions

View File

@ -52,4 +52,4 @@ Adresse ipv6 publique : 2001:910:1360::11c
#### /etc/postfix/virtual #### /etc/postfix/virtual
@localhost admin@a-lec.org @localhost admin@a-lec.org
@dns.libre-en-communs.org admin@a-lec.org @dns.libre-en-communs.org admin@a-lec.org

View File

@ -1,4 +1,4 @@
## Machine virtuelle Gestion ## Machine virtuelle GESTION
Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association. Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.
@ -53,3 +53,94 @@ Adresse ipv6 publique : 2001:910:1360::1ab
@localhost admin@a-lec.org @localhost admin@a-lec.org
@gestion.a-lec.org admin@a-lec.org @gestion.a-lec.org admin@a-lec.org
### Configuration serveur web (nginx)
server {
server_name coffre.a-lec.org;
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
# Allow large attachments
client_max_body_size 128M;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub {
proxy_pass http://127.0.0.1:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://127.0.0.1:8000;
}
listen 443 ssl http2 proxy_protocol; # managed by Certbot
listen [::]:443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = coffre.a-lec.org) {
return 302 https://$host$request_uri;
} # managed by Certbot
server_name coffre.a-lec.org;
listen 80;
return 404; # managed by Certbot
}
server {
root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)
server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
location / {
try_files $uri $uri/ /_route.php?$query_string;
index index.php /_route.php;
}
location ~ \.php {
try_files $uri $uri/ /_route.php?$query_string;
include fastcgi.conf;
#fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket
}
listen 443 ssl proxy_protocol; # managed by Certbot
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = gestion.a-lec.org) {
return 302 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name gestion.a-lec.org;
return 404; # managed by Certbot
}

View File

@ -1,4 +1,4 @@
## Machine virtuelle Git ## Machine virtuelle GIT
Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité. Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.
@ -53,3 +53,72 @@ Adresse ipv6 publique : 2001:910:1360::42
@localhost admin@a-lec.org @localhost admin@a-lec.org
@git.a-lec.org admin@a-lec.org @git.a-lec.org admin@a-lec.org
### Configuration serveur web (nginx)
# GITLAB
upstream gitlab-workhorse {
# On GitLab versions before 13.5, the location is
# `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
# accordingly.
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
## Redirects all HTTP traffic to the HTTPS host
server {
## Either remove "default_server" from the listen line below,
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
## to be served if you visit any address that your server responds to, eg.
## the ip address of the server (http://x.x.x.x/)
listen 0.0.0.0:80;
listen [::]:80 ipv6only=on default_server;
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
return 302 https://git.a-lec.org$request_uri;
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
}
## HTTPS host
server {
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
listen 0.0.0.0:443 ssl proxy_protocol;
listen [::]:443 ipv6only=on ssl default_server;
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;
## [Optional] Enable HTTP Strict Transport Security
## HSTS is a feature improving protection against MITM attacks
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
}

View File

@ -1,4 +1,4 @@
## Machine virtuelle Mail ## Machine virtuelle MAIL
Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association. Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association.
@ -46,3 +46,52 @@ Adresse ipv6 publique : 2001:910:1360::148
### Configuration MTA ### Configuration MTA
*(à compléter)*
### Configuration serveur web (nginx)
server {
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
listen 443 ssl proxy_protocol;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Add index.php to the list if you are using PHP
root /var/www/html/roundcube;
server_name mail.a-lec.org;
client_max_body_size 100M;
# Add index.php to the list if you are using PHP
index index.html index.htm index.php;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.php?q=$uri&$args;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ^~ /data {
deny all;
}
}

View File

@ -1,4 +1,4 @@
## Machine virtuelle Toot ## Machine virtuelle TOOT
Cette machine est destinée à accueillir l'instance Mastodon de l'association. Cette machine est destinée à accueillir l'instance Mastodon de l'association.
@ -67,4 +67,97 @@ Instance publique
#### /etc/postfix/virtual #### /etc/postfix/virtual
@localhost admin@a-lec.org @localhost admin@a-lec.org
@toot.a-lec.org admin@a-lec.org @toot.a-lec.org admin@a-lec.org
### Configuration serveur web (nginx)
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name toot.a-lec.org;
return 302 https://$host$request_uri;
}
server {
listen 443 ssl proxy_protocol default_server;
listen [::]:443 ssl http2 default_server;
server_name toot.a-lec.org;
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
ssl_certificate /etc/letsencrypt/live/toot.a-lec.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/toot.a-lec.org/privkey.pem;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
root /home/mastodon/live/public;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
add_header Strict-Transport-Security "max-age=31536000";
location / {
try_files $uri @proxy;
}
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
add_header Cache-Control "public, max-age=31536000, immutable";
try_files $uri @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://127.0.0.1:3000;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass http://127.0.0.1:4000;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
error_page 500 501 502 503 504 /500.html;
}

View File

@ -1,4 +1,4 @@
## Machine virtuelle Tootest ## Machine virtuelle TOOTEST
Cette machine est destinée à accueillir l'instance Mastodon de test. Cette machine est destinée à accueillir l'instance Mastodon de test.
@ -67,4 +67,4 @@ Instance publique
#### /etc/postfix/virtual #### /etc/postfix/virtual
@localhost admin@a-lec.org @localhost admin@a-lec.org
@tootest.a-lec.org admin@a-lec.org @tootest.a-lec.org admin@a-lec.org

View File

@ -1,4 +1,4 @@
## Machine virtuelle Www ## Machine virtuelle WWW
Cette machine est destinée à accueillir le site web de l'association Cette machine est destinée à accueillir le site web de l'association