From 0cd3085fcd9b99722822b6bd5d4cd758d211f371 Mon Sep 17 00:00:00 2001 From: Mathieu Sanchez Date: Wed, 24 Apr 2019 13:43:20 +0900 Subject: [PATCH] Put real domain name + add gitea installation + add config apis --- .../conf/applications/api.c2a-systeme.fr.conf | 96 +++++++++++++++++++ .../applications/dev.api.c2a-systeme.fr.conf | 96 +++++++++++++++++++ .../conf/applications/git.c2a-systeme.fr.conf | 96 +++++++++++++++++++ .../applications/gitlab.c2a-systeme.fr.conf | 8 +- .../applications/jenkins.c2a-systeme.fr.conf | 8 +- .../portainer.c2a-systeme.fr.conf | 8 +- docker/install-gitea.sh | 7 ++ docker/install-gitlab.sh | 4 +- docker/install-nginx.sh | 10 +- 9 files changed, 316 insertions(+), 17 deletions(-) create mode 100644 docker/conf/applications/api.c2a-systeme.fr.conf create mode 100644 docker/conf/applications/dev.api.c2a-systeme.fr.conf create mode 100644 docker/conf/applications/git.c2a-systeme.fr.conf create mode 100644 docker/install-gitea.sh diff --git a/docker/conf/applications/api.c2a-systeme.fr.conf b/docker/conf/applications/api.c2a-systeme.fr.conf new file mode 100644 index 0000000..9ff527c --- /dev/null +++ b/docker/conf/applications/api.c2a-systeme.fr.conf @@ -0,0 +1,96 @@ +# http://nginx.org/en/docs/http/websocket.html +# http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# http server +server { + listen 80; + listen [::]:80; + + server_name api.c2a-systeme.fr; + + location / { + # redirect everything to HTTPS + return 301 https://$host$request_uri; + } +} + +# https server +server { + server_name api.c2a-systeme.fr; + listen 443 http2; + listen [::]:443 http2; + + ssl on; + # paths are relative to prefix and not to this file + ssl_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/api.c2a-systeme.fr/privkey.pem; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + + # https://bettercrypto.org/static/applied-crypto-hardening.pdf + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + # https://cipherli.st/ + # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + + # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + add_header Strict-Transport-Security "max-age=15768000"; + + # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options + add_header X-Frame-Options "SAMEORIGIN"; + proxy_hide_header X-Frame-Options; + + # https://github.com/twitter/secureheaders + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix + # https://wiki.mozilla.org/Security/Guidelines/Web_Security + add_header X-XSS-Protection "1; mode=block"; + proxy_hide_header X-XSS-Protection; + add_header X-Download-Options "noopen"; + proxy_hide_header X-Download-Options; + add_header X-Content-Type-Options "nosniff"; + proxy_hide_header X-Content-Type-Options; + add_header X-Permitted-Cross-Domain-Policies "none"; + proxy_hide_header X-Permitted-Cross-Domain-Policies; + add_header Referrer-Policy "no-referrer-when-downgrade"; + proxy_hide_header Referrer-Policy; + + + proxy_http_version 1.1; + proxy_intercept_errors on; + proxy_read_timeout 3500; + proxy_connect_timeout 3250; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Ssl on; + + # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + location / { + # No buffering to temp files, it fails for large downloads + proxy_max_temp_file_size 0; + + # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want + client_max_body_size 0; + + # Bloc accès of the search robots + location = /robots.txt { + return 200 "User-agent: *\nDisallow: /"; + } + + proxy_pass http://127.0.0.1:8004; + + } +} diff --git a/docker/conf/applications/dev.api.c2a-systeme.fr.conf b/docker/conf/applications/dev.api.c2a-systeme.fr.conf new file mode 100644 index 0000000..2555d07 --- /dev/null +++ b/docker/conf/applications/dev.api.c2a-systeme.fr.conf @@ -0,0 +1,96 @@ +# http://nginx.org/en/docs/http/websocket.html +# http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# http server +server { + listen 80; + listen [::]:80; + + server_name dev.api.c2a-systeme.fr; + + location / { + # redirect everything to HTTPS + return 301 https://$host$request_uri; + } +} + +# https server +server { + server_name dev.api.c2a-systeme.fr; + listen 443 http2; + listen [::]:443 http2; + + ssl on; + # paths are relative to prefix and not to this file + ssl_certificate /etc/letsencrypt/live/dev.api.c2a-systeme.fr/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/dev.api.c2a-systeme.fr/privkey.pem; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + + # https://bettercrypto.org/static/applied-crypto-hardening.pdf + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + # https://cipherli.st/ + # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + + # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + add_header Strict-Transport-Security "max-age=15768000"; + + # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options + add_header X-Frame-Options "SAMEORIGIN"; + proxy_hide_header X-Frame-Options; + + # https://github.com/twitter/secureheaders + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix + # https://wiki.mozilla.org/Security/Guidelines/Web_Security + add_header X-XSS-Protection "1; mode=block"; + proxy_hide_header X-XSS-Protection; + add_header X-Download-Options "noopen"; + proxy_hide_header X-Download-Options; + add_header X-Content-Type-Options "nosniff"; + proxy_hide_header X-Content-Type-Options; + add_header X-Permitted-Cross-Domain-Policies "none"; + proxy_hide_header X-Permitted-Cross-Domain-Policies; + add_header Referrer-Policy "no-referrer-when-downgrade"; + proxy_hide_header Referrer-Policy; + + + proxy_http_version 1.1; + proxy_intercept_errors on; + proxy_read_timeout 3500; + proxy_connect_timeout 3250; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Ssl on; + + # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + location / { + # No buffering to temp files, it fails for large downloads + proxy_max_temp_file_size 0; + + # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want + client_max_body_size 0; + + # Bloc accès of the search robots + location = /robots.txt { + return 200 "User-agent: *\nDisallow: /"; + } + + proxy_pass http://127.0.0.1:8005; + + } +} diff --git a/docker/conf/applications/git.c2a-systeme.fr.conf b/docker/conf/applications/git.c2a-systeme.fr.conf new file mode 100644 index 0000000..3bb36ac --- /dev/null +++ b/docker/conf/applications/git.c2a-systeme.fr.conf @@ -0,0 +1,96 @@ +# http://nginx.org/en/docs/http/websocket.html +# http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# http server +server { + listen 80; + listen [::]:80; + + server_name git.c2a-systeme.fr; + + location / { + # redirect everything to HTTPS + return 301 https://$host$request_uri; + } +} + +# https server +server { + server_name git.c2a-systeme.fr; + listen 443 http2; + listen [::]:443 http2; + + ssl on; + # paths are relative to prefix and not to this file + ssl_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/git.c2a-systeme.fr/privkey.pem; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + + # https://bettercrypto.org/static/applied-crypto-hardening.pdf + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + # https://cipherli.st/ + # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + + # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + add_header Strict-Transport-Security "max-age=15768000"; + + # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options + add_header X-Frame-Options "SAMEORIGIN"; + proxy_hide_header X-Frame-Options; + + # https://github.com/twitter/secureheaders + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix + # https://wiki.mozilla.org/Security/Guidelines/Web_Security + add_header X-XSS-Protection "1; mode=block"; + proxy_hide_header X-XSS-Protection; + add_header X-Download-Options "noopen"; + proxy_hide_header X-Download-Options; + add_header X-Content-Type-Options "nosniff"; + proxy_hide_header X-Content-Type-Options; + add_header X-Permitted-Cross-Domain-Policies "none"; + proxy_hide_header X-Permitted-Cross-Domain-Policies; + add_header Referrer-Policy "no-referrer-when-downgrade"; + proxy_hide_header Referrer-Policy; + + + proxy_http_version 1.1; + proxy_intercept_errors on; + proxy_read_timeout 3500; + proxy_connect_timeout 3250; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Ssl on; + + # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + location / { + # No buffering to temp files, it fails for large downloads + proxy_max_temp_file_size 0; + + # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want + client_max_body_size 0; + + # Bloc accès of the search robots + location = /robots.txt { + return 200 "User-agent: *\nDisallow: /"; + } + + proxy_pass http://127.0.0.1:8000; + + } +} diff --git a/docker/conf/applications/gitlab.c2a-systeme.fr.conf b/docker/conf/applications/gitlab.c2a-systeme.fr.conf index 6e973ce..92fffda 100644 --- a/docker/conf/applications/gitlab.c2a-systeme.fr.conf +++ b/docker/conf/applications/gitlab.c2a-systeme.fr.conf @@ -10,7 +10,7 @@ server { listen 80; listen [::]:80; - server_name gitla.teksatcau.fr; + server_name gitlab.c2a-systeme.fr; location / { # redirect everything to HTTPS @@ -20,14 +20,14 @@ server { # https server server { - server_name gitla.teksatcau.fr; + server_name gitlab.c2a-systeme.fr; listen 443 http2; listen [::]:443 http2; ssl on; # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/gitla.teksatcau.fr/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/gitla.teksatcau.fr/privkey.pem; + ssl_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/gitlab.c2a-systeme.fr/privkey.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; diff --git a/docker/conf/applications/jenkins.c2a-systeme.fr.conf b/docker/conf/applications/jenkins.c2a-systeme.fr.conf index 1e0e82b..025ebe5 100644 --- a/docker/conf/applications/jenkins.c2a-systeme.fr.conf +++ b/docker/conf/applications/jenkins.c2a-systeme.fr.conf @@ -9,7 +9,7 @@ server { listen 80; listen [::]:80; - server_name jenkins.teksatcau.fr; + server_name jenkins.c2a-systeme.fr; location / { # redirect everything to HTTPS @@ -19,14 +19,14 @@ server { # https server server { - server_name jenkins.teksatcau.fr; + server_name jenkins.c2a-systeme.fr; listen 443 http2; listen [::]:443 http2; ssl on; # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/jenkins.teksatcau.fr/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/jenkins.teksatcau.fr/privkey.pem; + ssl_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/jenkins.c2a-systeme.fr/privkey.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; diff --git a/docker/conf/applications/portainer.c2a-systeme.fr.conf b/docker/conf/applications/portainer.c2a-systeme.fr.conf index 2c1b0bf..d5f1b47 100644 --- a/docker/conf/applications/portainer.c2a-systeme.fr.conf +++ b/docker/conf/applications/portainer.c2a-systeme.fr.conf @@ -9,7 +9,7 @@ server { listen 80; listen [::]:80; - server_name portainer.teksatcau.fr; + server_name portainer.c2a-systeme.fr; location / { # redirect everything to HTTPS @@ -19,14 +19,14 @@ server { # https server server { - server_name portainer.teksatcau.fr; + server_name portainer.c2a-systeme.fr; listen 443 http2; listen [::]:443 http2; ssl on; # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/portainer.teksatcau.fr/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/portainer.teksatcau.fr/privkey.pem; + ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; diff --git a/docker/install-gitea.sh b/docker/install-gitea.sh new file mode 100644 index 0000000..9da7665 --- /dev/null +++ b/docker/install-gitea.sh @@ -0,0 +1,7 @@ +docker run --detach \ + --name gitea \ + --publish 8000:3000 \ + --publish 2200:22 \ + --volume /var/gitea:/data \ + --restart unless-stopped \ + gitea/gitea:latest diff --git a/docker/install-gitlab.sh b/docker/install-gitlab.sh index a7782b5..5bc270f 100755 --- a/docker/install-gitlab.sh +++ b/docker/install-gitlab.sh @@ -2,9 +2,9 @@ docker run --detach \ --name gitlab \ --publish 8001:80 \ --publish 2201:22 \ - --hostname gitla.teksatcau.fr \ + --hostname gitlab.c2a-systeme.fr \ --volume /srv/gitlab/config:/etc/gitlab \ - --env GITLAB_OMNIBUS_CONFIG="external_url 'https://gitla.teksatcau.fr/';gitlab_rails['gitlab_shell_ssh_port'] = 2201;nginx['listen_port'] = 80;nginx['listen_https'] = false;" \ + --env GITLAB_OMNIBUS_CONFIG="external_url 'https://gitlab.c2a-systeme.fr/';gitlab_rails['gitlab_shell_ssh_port'] = 2201;nginx['listen_port'] = 80;nginx['listen_https'] = false;" \ --volume /srv/gitlab/logs:/var/log/gitlab \ --volume /srv/gitlab/data:/var/opt/gitlab \ --restart unless-stopped \ diff --git a/docker/install-nginx.sh b/docker/install-nginx.sh index 25249a9..177d959 100755 --- a/docker/install-nginx.sh +++ b/docker/install-nginx.sh @@ -1,8 +1,12 @@ apt-get install -y nginx -/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d gitlab.teksatcau.fr -/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d jenkins.teksatcau.fr -/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d portainer.teksatcau.fr +/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d www.c2a-systeme.fr +/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d git.c2a-systeme.fr +/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d api.c2a-systeme.fr +/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d gitlab.c2a-systeme.fr +/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d dev.api.c2a-systeme.fr +/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d jenkins.c2a-systeme.fr +/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d portainer.c2a-systeme.fr cp ./docker/conf/nginx.conf /etc/nginx/ cp ./docker/conf/mime.types /etc/nginx/