150 lines
4.0 KiB
Markdown
150 lines
4.0 KiB
Markdown
## Machine virtuelle WWW
|
|
|
|
Cette machine est destinée à accueillir le site web de l'association
|
|
|
|
### Matériel virtuel
|
|
|
|
CPU : 1
|
|
RAM : 1000 Mio
|
|
Stockage de masse : 50 Gio
|
|
|
|
### Logiciel
|
|
|
|
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
|
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
|
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
|
Mail Transfer Agent : `postfix`
|
|
Serveur http : `nginx`
|
|
Gestionnaire FastCGI : `php-fpm` version 7.4
|
|
|
|
### Caractéristiques notables
|
|
|
|
Domaine : www.a-lec.org
|
|
Adresse ipv4 publique : 80.67.179.96
|
|
Adresse ipv4 interne : 192.169.100.188
|
|
Adresse ipv6 publique : 2001:910:1360::1ca
|
|
|
|
#### Configuration réseau
|
|
|
|
##### /etc/network/interfaces
|
|
|
|
# The loopback network interface
|
|
auto lo
|
|
iface lo inet loopback
|
|
|
|
# The primary network interface
|
|
allow-hotplug enp1s0
|
|
iface enp1s0 inet dhcp
|
|
iface enp1s0 inet6 static
|
|
address 2001:910:1360::1ca/128
|
|
gateway 2001:910:1360::
|
|
|
|
##### /etc/host.allow
|
|
|
|
sshd: 192.169.1.0/24, [2001:910:1360::]/48
|
|
|
|
##### /etc/host/deny
|
|
|
|
sshd: ALL
|
|
|
|
### Configuration MTA
|
|
|
|
#### /etc/postfix/transport
|
|
|
|
a-lec.org :
|
|
* discard:
|
|
|
|
#### /etc/postfix/virtual
|
|
|
|
@localhost admin@a-lec.org
|
|
@www.a-lec.org admin@a-lec.org
|
|
|
|
### Configuration du serveur web (nginx)
|
|
|
|
server {
|
|
set_real_ip_from 192.169.1.1;
|
|
real_ip_header proxy_protocol;
|
|
|
|
# SSL configuration
|
|
#
|
|
listen 443 ssl proxy_protocol default_server;
|
|
listen [::]:443 ssl default_server;
|
|
|
|
root /var/www/html;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/www.a-lec.org/fullchain.pem; # managed by Certbot
|
|
ssl_certificate_key /etc/letsencrypt/live/www.a-lec.org/privkey.pem; # managed by Certbot
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
|
|
|
|
# Add index.php to the list if you are using PHP
|
|
index index.html index.htm index.php;
|
|
|
|
server_name www.a-lec.org;
|
|
|
|
location /.well-known/host-meta {
|
|
default_type 'application/xrd+xml';
|
|
add_header Access-Control-Allow-Origin '*' always;
|
|
}
|
|
|
|
location /.well-known/host-meta.json {
|
|
default_type 'application/jrd+json';
|
|
add_header Access-Control-Allow-Origin '*' always;
|
|
}
|
|
|
|
location / {
|
|
# First attempt to serve request as file, then
|
|
# as directory, then fall back to displaying a 404.
|
|
try_files $uri $uri/ $uri.html $uri/index.php?q=$uri&$args =404;
|
|
}
|
|
|
|
ssi on;
|
|
ssi_last_modified on;
|
|
|
|
# pass PHP scripts to FastCGI server
|
|
|
|
location ~ \.php$ {
|
|
include snippets/fastcgi-php.conf;
|
|
# With php-fpm (or other unix sockets):
|
|
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
|
|
# With php-cgi (or other tcp sockets):
|
|
# fastcgi_pass 127.0.0.1:9000;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
}
|
|
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
|
|
server_name www.a-lec.org;
|
|
|
|
return 302 https://www.a-lec.org$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
|
|
server_name a-lec.org;
|
|
|
|
return 302 https://www.a-lec.org$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl proxy_protocol;
|
|
listen [::]:443 ssl;
|
|
|
|
server_name a-lec.org;
|
|
|
|
return 302 https://www.a-lec.org$request_uri;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/a-lec.org-0001/fullchain.pem; # managed by Certbot
|
|
ssl_certificate_key /etc/letsencrypt/live/a-lec.org-0001/privkey.pem; # managed by Certbot
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
}
|