## WWW virtual machine

This machine is intended to host the association's website.

### Virtual hardware

- CPU: 1
- RAM: 1000 MiB
- Mass storage: 50 GiB

### Software

- Operating system: Debian GNU/Linux-libre 11 (Bullseye)
- Kernel: Linux-libre LTS (`linux-libre-lts` from the https://linux-libre.fsfla.org repositories)
- Maintenance safeguards: `etckeeper`, `molly-guard`, `git`, `tig`, `screen`
- Mail Transfer Agent: `postfix`
- HTTP server: `nginx`
- FastCGI manager: `php-fpm` version 7.4

### Notable characteristics

- Domain: www.a-lec.org
- Public IPv4 address: 80.67.179.96
- Internal IPv4 address: 192.169.100.188
- Public IPv6 address: 2001:910:1360::1ca

#### Network configuration

##### /etc/network/interfaces

```
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet dhcp

iface enp1s0 inet6 static
    address 2001:910:1360::1ca/128
    gateway 2001:910:1360::
```

##### /etc/hosts.allow

```
sshd: 192.169.1.0/24, [2001:910:1360::]/48
```

##### /etc/hosts.deny

```
sshd: ALL
```

### MTA configuration

#### /etc/postfix/transport

```
a-lec.org :
* discard:
```

#### /etc/postfix/virtual

```
@localhost admin@a-lec.org
@www.a-lec.org admin@a-lec.org
```

### Web server configuration (nginx)

```nginx
server {
    set_real_ip_from 192.169.1.1;
    real_ip_header proxy_protocol;

    # SSL configuration
    #
    listen 443 ssl proxy_protocol default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html;

    ssl_certificate /etc/letsencrypt/live/www.a-lec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.a-lec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php;

    server_name www.a-lec.org;

    location /.well-known/host-meta {
        default_type 'application/xrd+xml';
        add_header Access-Control-Allow-Origin '*' always;
    }

    location /.well-known/host-meta.json {
        default_type 'application/jrd+json';
        add_header Access-Control-Allow-Origin '*' always;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ $uri.html $uri/index.php?q=$uri&$args =404;
    }

    ssi on;
    ssi_last_modified on;

    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;

        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        # With php-cgi (or other tcp sockets):
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name www.a-lec.org;
    return 302 https://www.a-lec.org$request_uri;
}

server {
    listen 80;
    listen [::]:80;
    server_name a-lec.org;
    return 302 https://www.a-lec.org$request_uri;
}

server {
    listen 443 ssl proxy_protocol;
    listen [::]:443 ssl;
    server_name a-lec.org;
    return 302 https://www.a-lec.org$request_uri;

    ssl_certificate /etc/letsencrypt/live/a-lec.org-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/a-lec.org-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
```
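To check what the tcp_wrappers rules for `sshd` documented above actually admit, here is an added example (not part of this page or the machine's own tooling) that evaluates client addresses against constructed copies of the two rule files. It implements only the subset of the tcp_wrappers syntax the page uses (`ALL`, IPv4 CIDR, the bracketed `[net]/prefix` IPv6 form); hostnames, `EXCEPT` and dotted netmasks are assumed absent.

```python
import ipaddress

# Constructed copies of the two rule files documented on this page.
HOSTS_ALLOW = "sshd: 192.169.1.0/24, [2001:910:1360::]/48\n"
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Yield (daemon, [patterns]) for each 'daemon: pat, pat' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemon, _, clients = line.partition(":")
        patterns = [p.strip() for p in clients.split(",") if p.strip()]
        yield daemon.strip(), patterns


def pattern_matches(pattern, addr):
    """Match one client pattern against an ipaddress object.

    Supported subset (assumption of this example): ALL, bare addresses,
    IPv4 CIDR, and the tcp_wrappers IPv6 form [net]/prefix.
    """
    if pattern == "ALL":
        return True
    if pattern.startswith("["):
        net, _, prefix = pattern[1:].partition("]")
        pattern = net + prefix  # "[2001:910:1360::]/48" -> "2001:910:1360::/48"
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # unsupported or malformed pattern never matches
    return addr.version == network.version and addr in network


def sshd_allowed(client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: a hosts.allow match wins, then hosts.deny,
    and an address matched by neither file is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for rules, verdict in ((allow_text, True), (deny_text, False)):
        for daemon, patterns in parse_rules(rules):
            if daemon in ("sshd", "ALL") and any(
                pattern_matches(p, addr) for p in patterns
            ):
                return verdict
    return True
```

Note that the machine's own internal address (192.169.100.188) and public address are outside the allowed ranges, so only the 192.169.1.0/24 network and the 2001:910:1360::/48 prefix can reach `sshd` under these rules.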