simplify nginx configuration

This commit is contained in:
Emmanuel Garette 2022-08-19 20:30:13 +02:00
parent 42879ad5a1
commit 6ce90c4580
29 changed files with 222 additions and 139 deletions

View file

@ -14,7 +14,7 @@ for image in *; do
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
MACHINES="$MACHINES$osname " MACHINES="$MACHINES$osname "
fi fi
echo echo
echo "Install machine $image" echo "Install machine $image"
./install_machine "$HOST_NAME" "$image" "$osname" ./install_machine "$HOST_NAME" "$image" "$osname"
fi fi
@ -23,5 +23,39 @@ for image in *; do
done done
machinectl enable $MACHINES machinectl enable $MACHINES
machinectl start $MACHINES machinectl start $MACHINES
STARTED=""
DEGRADED=""
found=true
idx=0
while [ $found = true ]; do
found=false
echo "tentative $idx"
for machine in $MACHINES; do
if ! echo $STARTED | grep -q " $machine "; then
status=$(machinectl -q shell $machine /usr/bin/systemctl is-system-running || true)
if echo "$status" | grep -q degraded; then
STARTED="$STARTED $machine "
DEGRADED="$DEGRADED $machine"
elif echo "$status" | grep -q running; then
STARTED="$STARTED $machine "
else
found=true
echo "status actuel de $machine : $status"
fi
fi
done
sleep 2
idx=$((idx+1))
if [ $idx = 60 ]; then
break
fi
done
retcode=0
for machine in $DEGRADED; do
echo
echo "========= $machine"
machinectl -q shell $machine /usr/bin/systemctl --state=failed --no-legend --no-pager
retcode=1
done
exit 0 exit $retcode

View file

@ -18,7 +18,7 @@
</service> </service>
<service name='dovecot-init'> <service name='dovecot-init'>
<override/> <override/>
<file>/etc/nginx/conf.d/autoconfig.conf</file> <file>/etc/nginx/default.d/autoconfig.conf</file>
</service> </service>
<service name='nginx'> <service name='nginx'>
<file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file> <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
@ -90,8 +90,8 @@
<variable name="revprox_client_external_domainnames" redefine="True"/> <variable name="revprox_client_external_domainnames" redefine="True"/>
<variable name="revprox_client_web_address" redefine="True"/> <variable name="revprox_client_web_address" redefine="True"/>
</family> </family>
<variable name="nginx_default_https" redefine="True"> <variable name="nginx_root" redefine='True'>
<value>False</value> <value>/var/www/html</value>
</variable> </variable>
</family> </family>
</variables> </variables>

View file

@ -1,12 +1,2 @@
server { # To allow POST on static pages
listen 443 ssl; error_page 405 =200 $uri;
server_name %%domain_name_eth0;
ssl_client_certificate %%revprox_ca_file;
ssl_certificate %%revprox_cert_file;
ssl_certificate_key %%revprox_key_file;
root /var/www/html/;
# To allow POST on static pages
error_page 405 =200 $uri;
}

View file

@ -25,10 +25,10 @@
</services> </services>
<variables> <variables>
<family name="nginx"> <family name="nginx">
<variable name="oauth2_client_external_domain" type="domainname" hidden="True" supplier="OAuth2Client:external_domain"/>
<variable name="nginx_default_https" redefine="True"> <variable name="nginx_default_https" redefine="True">
<value>False</value> <value>False</value>
</variable> </variable>
<variable name="oauth2_client_external_domain" type="domainname" hidden="True" supplier="OAuth2Client:external_domain"/>
</family> </family>
<family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG"> <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
<variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True"> <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">

View file

@ -1,7 +1,6 @@
%echo "#!/usr/bin/env perl" %echo "#!/usr/bin/env perl"
use HTTP::Tiny; use HTTP::Tiny;
use JSON qw(from_json to_json);
my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration'); my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');

View file

@ -5,5 +5,5 @@ depends:
- postgresql-client - postgresql-client
- relay-lmtp-client - relay-lmtp-client
- reverse-proxy-client - reverse-proxy-client
- nginx-common - nginx-https
- oauth2-client - oauth2-client

View file

@ -11,7 +11,7 @@
<service name="postorius" target="multi-user" engine="creole"> <service name="postorius" target="multi-user" engine="creole">
<file engine="none">/etc/postorius/gunicorn_config.py</file> <file engine="none">/etc/postorius/gunicorn_config.py</file>
<file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file> <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file>
<file source="config-nginx.conf">/etc/nginx/conf.d/postorius.conf</file> <file source="config-nginx.conf">/etc/nginx/default.d/postorius.conf</file>
<file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file> <file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file>
</service> </service>
<service name="postgresqlclient" target="multi-user" engine="creole"> <service name="postgresqlclient" target="multi-user" engine="creole">
@ -47,6 +47,11 @@
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/> <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family> </family>
</family> </family>
<family name="nginx">
<variable name="nginx_root" redefine="True">
<value>/usr/share/webapps/postorius</value>
</variable>
</family>
<family name="postgresql"> <family name="postgresql">
<variable name="pg_client_key_owner" redefine="True"> <variable name="pg_client_key_owner" redefine="True">
<value>mailman</value> <value>mailman</value>

View file

@ -1,42 +1,31 @@
server { charset utf-8;
listen 443 ssl; client_max_body_size 75M;
server_name %%domain_name_eth0; location /mailman/postorius_static {
alias /usr/lib/python3.10/site-packages/postorius/static;
ssl_client_certificate %%revprox_ca_file; }
ssl_certificate %%revprox_cert_file; #FIXME user-profile seems to be in hyperkitty redirect in existing page
ssl_certificate_key %%revprox_key_file; location /mailman/user-profile {
proxy_pass http://127.0.0.1:8002/postorius/users;
charset utf-8; proxy_set_header Host $http_host;
client_max_body_size 75M; proxy_set_header X-Real-IP $remote_addr;
root /usr/share/webapps/postorius; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
location /mailman/postorius_static { proxy_set_header X-Forwarded-Server $host;
alias /usr/lib/python3.10/site-packages/postorius/static; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} proxy_set_header X-Forwarded-Proto $scheme;
#FIXME user-profile seems to be in hyperkitty redirect in existing page }
location /mailman/user-profile { %for %%location in ['accounts', 'admin', 'postorius']
proxy_pass http://127.0.0.1:8002/postorius/users; location /mailman/%%location {
proxy_set_header Host $http_host; proxy_pass http://127.0.0.1:8002/%%location;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} proxy_set_header X-Forwarded-Proto $scheme;
%for %%location in ['accounts', 'admin', 'postorius'] }
location /mailman/%%location { %end for
proxy_pass http://127.0.0.1:8002/%%location; location /mailman {
proxy_set_header Host $http_host; rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
%end for
location /mailman {
rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;
}
} }

View file

@ -13,6 +13,7 @@
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file> <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file> <file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file> <file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
<file>/tests/nginx-common.yml</file>
</service> </service>
</services> </services>
<variables> <variables>

View file

@ -0,0 +1,13 @@
address: %%ip_eth0
nginx_default_http: %slurp
%if %%getVar('nginx_default_http', False) and not %%getVar('revprox_client_external_domainnames', None)
true
%else
false
%end if
nginx_default_https: %slurp
%if %%getVar('nginx_default_https', False) and not %%getVar('revprox_client_external_domainnames', None)
true
%else
false
%end if

View file

@ -76,14 +76,24 @@ http {
%if %%nginx_default_https %if %%nginx_default_https
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name %%domain_name_eth0; %if %%getVar('revprox_client_external_domainnames', None)
%for %%domain in %%revprox_client_external_domainnames
server_name %%domain;
%end for
%else
server_name _;
%end if
root %%nginx_root; root %%nginx_root;
# ssl_certificate "/etc/pki/nginx/server.crt"; # ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key"; # ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_certificate /etc/pki/tls/certs/nginx.crt; ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/private/nginx.key; ssl_certificate_key /etc/pki/tls/private/nginx.key;
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt; %if %%getVar('revprox_client_external_domainnames', None)
ssl_client_certificate %%revprox_ca_file;
%else
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_HTTP.crt;
%end if
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
@ -105,5 +115,7 @@ http {
%else %else
include /etc/nginx/sites-enabled/*; include /etc/nginx/sites-enabled/*;
%end if %end if
%if not %%getVar('revprox_client_external_domainnames', None)
include /etc/nginx/sites-enabled/*;
%end if
} }

View file

@ -0,0 +1,50 @@
from yaml import load, SafeLoader
from os import environ
from pytest import raises
import warnings
import socket
from requests import get
from requests.exceptions import SSLError
def req(url, ip, verify=True):
# Monkey patch to force IPv4 resolution
old_getaddrinfo = socket.getaddrinfo
def new_getaddrinfo(*args, **kwargs):
ret = old_getaddrinfo(*args, **kwargs)
dns = list(ret[0])
dns[-1] = (ip, dns[-1][1])
return [dns]
socket.getaddrinfo = new_getaddrinfo
if not verify:
with warnings.catch_warnings():
warnings.simplefilter("ignore")
ret = get(url, verify=verify)
else:
ret = get(url, verify=verify)
ret_code = ret.status_code
content = ret.content
socket.getaddrinfo = old_getaddrinfo
return ret_code, content.decode()
def test_revprox():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/nginx-common.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
# test unknown domain
url = 'google.fr'
protocols = []
if data['nginx_default_http']:
protocols.append('http')
if data['nginx_default_https']:
protocols.append('https')
# test certificate
with raises(SSLError):
# not certificat problem for https://{url}
req(f'https://{url}', data['address'])
for protocol in protocols:
ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'{protocol}://{url} do not returns default fedora page'

View file

@ -1,22 +1,16 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<services>
<service name='nginx'>
<file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
</service>
</services>
<variables> <variables>
<family name="nginx"> <family name="nginx">
<variable name="nginx_default_https" redefine="True"> <variable name="nginx_default_http" redefine="True" hidden="True">
<value>False</value>
</variable>
<variable name="nginx_default_https" redefine="True" hidden="True">
<value>True</value> <value>True</value>
</variable> </variable>
<variable name="php_fpm_user" redefine="True" exists="True"> <variable name="php_fpm_user" redefine="True" exists="True">
<value>nginx</value> <value>nginx</value>
</variable> </variable>
<variable name="nginx_root_directory" type="filename"/>
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
<value>/</value>
</variable>
</family> </family>
<family name="redis" description="Redis"> <family name="redis" description="Redis">
<variable name="redis_client_key_owner" redefine="True" exists="True"> <variable name="redis_client_key_owner" redefine="True" exists="True">
@ -29,11 +23,4 @@
</variable> </variable>
</family> </family>
</variables> </variables>
<constraints>
<condition name="disabled_if_in" source="nginx_root_directory">
<param type="nil"/>
<target type="filelist">nginx_default_risotto</target>
<target type="variable">nginx_locations</target>
</condition>
</constraints>
</rougail> </rougail>

View file

@ -0,0 +1,8 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name='nginx'>
<file>/etc/pki/ca-trust/source/anchors/ca_HTTP.crt</file>
</service>
</services>
</rougail>

View file

@ -4,7 +4,7 @@
<service name='nginx'> <service name='nginx'>
<override engine="creole"/> <override engine="creole"/>
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file> <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file> <file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
<file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file> <file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
<file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file> <file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
<file>/tests/reverse-proxy.yml</file> <file>/tests/reverse-proxy.yml</file>
@ -22,6 +22,9 @@
<variable name="nginx_default_http" redefine="True"> <variable name="nginx_default_http" redefine="True">
<value>True</value> <value>True</value>
</variable> </variable>
<variable name="nginx_default_https" redefine="True">
<value>True</value>
</variable>
</family> </family>
</variables> </variables>
</rougail> </rougail>

View file

@ -0,0 +1,3 @@
%for %%idx in %%range(%%len(%%zones_list))
%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="HTTP", hide=%%hide_secret)
%end for

View file

@ -0,0 +1,2 @@
%%get_certificate(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type="server", hide=%%hide_secret)
%%get_chain(%%nginx_default, 'HTTP', hide=%%hide_secret)

View file

@ -0,0 +1 @@
%%get_private_key(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type='server', hide=%%hide_secret)

View file

@ -41,7 +41,7 @@ server {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Destination $dest; proxy_set_header Destination $dest;
%end if %end if
proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt; proxy_ssl_trusted_certificate %%revprox_ca_file;
proxy_ssl_verify on; proxy_ssl_verify on;
proxy_ssl_verify_depth 2; proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on; proxy_ssl_session_reuse on;

View file

@ -32,19 +32,8 @@ def test_revprox():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml' conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
with open(conf_file) as yaml: with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader) data = load(yaml, Loader=SafeLoader)
# test unknown domain
url = 'google.fr'
ret_code, content = req(f'https://{url}', data['address'], verify=False)
assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'https://{url} returns default fedora page'
# test certificate
try:
req(f'https://{url}', data['address'])
raise Exception(f'not certificat problem for https://{url}')
except SSLError:
pass
# test known domains # test known domains
for url in data['urls']: for url in data['urls']:
ret_code, content = req(f'https://{url}', data['address']) ret_code, content = req(f'https://{url}', data['address'])
assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}' assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} returns default fedora page' assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} do returns default fedora page'

View file

@ -7,5 +7,5 @@ depends:
- relay-mail-client - relay-mail-client
- reverse-proxy-client - reverse-proxy-client
- redis-client - redis-client
- nginx-common - nginx-https
- oauth2-client - oauth2-client

View file

@ -6,7 +6,8 @@
<file engine="none" source="sysuser-peertube.conf">/sysusers.d/0peertube.conf</file> <file engine="none" source="sysuser-peertube.conf">/sysusers.d/0peertube.conf</file>
<file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file> <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
<file>/etc/peertube/production.yaml</file> <file>/etc/peertube/production.yaml</file>
<file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file> <file source="nginx.peertube.conf">/etc/nginx/default.d/peertube.conf</file>
<file source="nginx.peertube.conf.d.conf">/etc/nginx/conf.d/peertube.conf</file>
</service> </service>
</services> </services>
<variables> <variables>
@ -45,6 +46,9 @@
</family> </family>
</family> </family>
<family name="nginx"> <family name="nginx">
<variable name="nginx_root" redefine='True'>
<value>/usr/share/peertube</value>
</variable>
<family name="revprox_client"> <family name="revprox_client">
<variable name="revprox_client_location" redefine="True"> <variable name="revprox_client_location" redefine="True">
<value>/</value> <value>/</value>

View file

@ -16,15 +16,14 @@
# GNUNUX location / { return 301 https://$host$request_uri; } # GNUNUX location / { return 301 https://$host$request_uri; }
# GNUNUX } # GNUNUX }
upstream %%domain_name_eth0 { # GNUNUX upstream %%domain_name_eth0 {
# GNUNUX server ${PEERTUBE_HOST}; # GNUNUX server ${PEERTUBE_HOST};
server localhost:9000; # GNUNUX }
}
server { # GNUNUX server {
listen 443 ssl http2; # GNUNUX listen 443 ssl http2;
listen [::]:443 ssl http2; # GNUNUX listen [::]:443 ssl http2;
server_name %%domain_name_eth0; # GNUNUX server_name %%domain_name_eth0;
# GNUNUX access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m # GNUNUX access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
# GNUNUX error_log /var/log/nginx/peertube.error.log; # GNUNUX error_log /var/log/nginx/peertube.error.log;
@ -35,11 +34,6 @@ server {
## ##
# GNUNUX ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem; # GNUNUX ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
# GNUNUX ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem; # GNUNUX ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
#>GNUNUX
ssl_client_certificate %%revprox_ca_file;
ssl_certificate %%revprox_cert_file;
ssl_certificate_key %%revprox_key_file;
#<GNUNUX
# GNUNUX location ^~ '/.well-known/acme-challenge' { # GNUNUX location ^~ '/.well-known/acme-challenge' {
# GNUNUX default_type "text/plain"; # GNUNUX default_type "text/plain";
@ -51,14 +45,14 @@ server {
# based on Mozilla Guideline v5.6 # based on Mozilla Guideline v5.6
## ##
ssl_protocols TLSv1.2 TLSv1.3; # GNUNUX ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on; # GNUNUX ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4 # GNUNUX ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m # GNUNUX ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions # GNUNUX ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off; # GNUNUX ssl_session_tickets off;
ssl_stapling on; # GNUNUX ssl_stapling on;
ssl_stapling_verify on; # GNUNUX ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
@ -145,7 +139,6 @@ server {
## ##
# GNUNUX root /var/www/peertube/storage; # GNUNUX root /var/www/peertube/storage;
root /usr/share/peertube;
# Enable compression for JS/CSS/HTML, for improved client load times. # Enable compression for JS/CSS/HTML, for improved client load times.
# It might be nice to compress JSON/XML as returned by the API, but # It might be nice to compress JSON/XML as returned by the API, but
@ -268,4 +261,4 @@ server {
try_files $uri @api; try_files $uri @api;
} }
} # GNUNUX }

View file

@ -0,0 +1,4 @@
upstream %%domain_name_eth0 {
# GNUNUX server ${PEERTUBE_HOST};
server localhost:9000;
}

View file

@ -7,16 +7,13 @@
<file>/etc/piwigo/database.inc.php</file> <file>/etc/piwigo/database.inc.php</file>
<file mode="755">/sbin/piwigo.sh</file> <file mode="755">/sbin/piwigo.sh</file>
<file engine="none">/etc/php-fpm.d/piwigo.conf</file> <file engine="none">/etc/php-fpm.d/piwigo.conf</file>
<file source="piwigo.nginx.conf">/etc/nginx/default.d/piwigo.conf</file>
</service> </service>
</services> </services>
<variables> <variables>
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/> <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
<variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/> <variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
<family name="nginx"> <variable name="piwigo_locations" type="filename" multi="True" mandatory="True"/>
<variable name="nginx_root_directory" mandatory="True" redefine="True">
<value>/usr/local/share/piwigo</value>
</variable>
</family>
<variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True"> <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
<value>Album photographique</value> <value>Album photographique</value>
</variable> </variable>
@ -53,7 +50,7 @@
</fill> </fill>
<fill name="get_locations"> <fill name="get_locations">
<param name="usernames" type="variable">piwigo_users</param> <param name="usernames" type="variable">piwigo_users</param>
<target>nginx_locations</target> <target>piwigo_locations</target>
</fill> </fill>
</constraints> </constraints>
</rougail> </rougail>

View file

@ -1,3 +1,5 @@
# To allow POST on static pages
error_page 405 =200 $uri;
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
@ -7,17 +9,14 @@ add_header X-Permitted-Cross-Domain-Policies none;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;'; add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
add_header Referrer-Policy no-referrer always; add_header Referrer-Policy no-referrer always;
%for %%location in %%nginx_locations %for %%location in %%piwigo_locations
location %%location { location %%location {
%if %%location == '/' %if %%location == '/'
root %slurp root %slurp
%else %else
alias %slurp alias %slurp
%end if %end if
%%nginx_root_directory; /usr/local/share/piwigo;
%if not %%getVar('php_fpm_installed', False)
index index.html;
%else
index index.php; index index.php;
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ { location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
fastcgi_pass php-fpm; fastcgi_pass php-fpm;
@ -25,6 +24,5 @@ location %%location {
fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params; include fastcgi_params;
} }
%end if
} }
%end for %end for

View file

@ -7,7 +7,7 @@
<file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file> <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
<file>/etc/peertube/production.yaml</file> <file>/etc/peertube/production.yaml</file>
<file engine="none">/etc/pam.d/login</file> <file engine="none">/etc/pam.d/login</file>
<file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file> <file source="nginx.peertube.conf">/etc/nginx/sites-enabled/peertube.conf</file>
</service> </service>
</services> </services>
<variables> <variables>

1
seed/postgresql/DEBUG.md Normal file
View file

@ -0,0 +1 @@
pg_dumpall --clean > /srv/database.sql

View file

@ -33,7 +33,7 @@ class Authentication:
ret = req.get(url) ret = req.get(url)
code = ret.status_code code = ret.status_code
content = ret.content content = ret.content
assert code == 200 assert code == 200, f"cannot access to lemonldap; {content}"
assert b'<title trspan="authPortal">Authentication portal</title>' in content, f'cannot find LemonLdap title: {content}' assert b'<title trspan="authPortal">Authentication portal</title>' in content, f'cannot find LemonLdap title: {content}'
def auth_lemonldap(self, def auth_lemonldap(self,