mirror of
https://github.com/ENSL/ensl.org.git
synced 2025-03-12 22:01:40 +00:00
Updates for server move
- Support gathers.ensl.org - Fix paths for certs - Reduce SSL strictness
This commit is contained in:
Ari Timonen
parent
5fef8aba65
commit
7600e58673
4 changed files with 69 additions and 8 deletions
|
|
@ -18,6 +18,9 @@ module Ensl
|
|||
# Custom error pages
|
||||
config.exceptions_app = self.routes
|
||||
|
||||
# Secret key
|
||||
config.require_master_key = false
|
||||
|
||||
# Load Rails 5
|
||||
# config.load_defaults 5.0
|
||||
|
||||
|
|
|
|||
|
|
@ -43,4 +43,8 @@ Rails.application.configure do
|
|||
# Specifies the header that your server uses for sending files
|
||||
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
|
||||
config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
|
||||
|
||||
# Secret key
|
||||
config.require_master_key = false
|
||||
|
||||
end
|
||||
|
|
|
|||
|
|
@ -7,14 +7,19 @@ upstream ensl_production {
|
|||
# server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
|
||||
}
|
||||
|
||||
upstream gathers {
|
||||
# server unix:/srv/ensl/puma.production.sock fail_timeout=0;
|
||||
server ensl_gather_production:6500;
|
||||
}
|
||||
|
||||
# root-level -> www redirect
|
||||
server {
|
||||
listen *:$PRODUCTION_PORT;
|
||||
listen *:$PRODUCTION_PORT_SSL ssl;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_certificate /etc/ssl/ensl/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/ensl/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
|
||||
server_name $PRODUCTION_ROOT_DOMAIN;
|
||||
root $PRODUCTION_NGINX_PUBLIC;
|
||||
|
|
@ -39,8 +44,8 @@ server {
|
|||
root $PRODUCTION_NGINX_PUBLIC;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
ssl_certificate /etc/ssl/ensl/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/ensl/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
|
||||
# ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
# ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
|
|
@ -49,8 +54,8 @@ server {
|
|||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
# add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
# Fixme: add logs as volume
|
||||
|
|
@ -87,3 +92,52 @@ server {
|
|||
|
||||
try_files $uri/index.html $uri @puma;
|
||||
}
|
||||
|
||||
|
||||
# HTTP -> HTTPS redirect
|
||||
server {
|
||||
listen *:80;
|
||||
server_name gathers.ensl.org;
|
||||
return 301 https://gathers.ensl.org$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen *:443 ssl;
|
||||
server_name gathers.ensl.org;
|
||||
root /srv/ensl/gathers/public;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
add_header Strict-Transport-Security max-age=0;
|
||||
|
||||
access_log /var/log/nginx/ensl.gathers.access.log;
|
||||
error_log /var/log/nginx/ensl.gathers.error.log;
|
||||
|
||||
rewrite_log on;
|
||||
client_max_body_size 20M;
|
||||
keepalive_timeout 10;
|
||||
|
||||
location ~ /.well-known {
|
||||
allow all;
|
||||
autoindex on;
|
||||
}
|
||||
location ^~ /assets/ {
|
||||
gzip_static on;
|
||||
expires max;
|
||||
add_header Cache-Control public;
|
||||
}
|
||||
location @gathers {
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_pass http://gathers;
|
||||
}
|
||||
|
||||
try_files $uri/index.html $uri @gathers;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -46,8 +46,8 @@ server {
|
|||
# auth_basic "Staging Area";
|
||||
# auth_basic_user_file "/etc/nginx/conf.d/.htpasswd_staging";
|
||||
|
||||
ssl_certificate /etc/ssl/ensl/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/ensl/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
|
||||
# ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
# ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
|
|
|
|||
Loading…
Reference in a new issue