Change to teksatcau.fr domain for test

This commit is contained in:
Mathieu Sanchez 2019-04-08 12:03:20 +09:00
parent dab6f768af
commit 368091a0af
6 changed files with 243 additions and 7 deletions

View File

@ -1,5 +1,4 @@
# http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
@ -13,6 +12,83 @@ server {
server_name gitlab.teksatcau.fr;
location / {
proxy_pass http://127.0.0.1:8001;
# redirect everything to HTTPS
return 301 https://$host$request_uri;
}
}
# https server
server {
server_name gitlab.teksatcau.fr;
listen 443 http2;
listen [::]:443 http2;
ssl on;
# paths are relative to prefix and not to this file
ssl_certificate /etc/letsencrypt/live/gitlab.teksatcau.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/gitlab.teksatcau.fr/privkey.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=15768000";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN";
proxy_hide_header X-Frame-Options;
# https://github.com/twitter/secureheaders
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
add_header X-XSS-Protection "1; mode=block";
proxy_hide_header X-XSS-Protection;
add_header X-Download-Options "noopen";
proxy_hide_header X-Download-Options;
add_header X-Content-Type-Options "nosniff";
proxy_hide_header X-Content-Type-Options;
add_header X-Permitted-Cross-Domain-Policies "none";
proxy_hide_header X-Permitted-Cross-Domain-Policies;
add_header Referrer-Policy "no-referrer-when-downgrade";
proxy_hide_header Referrer-Policy;
proxy_http_version 1.1;
proxy_intercept_errors on;
proxy_read_timeout 3500;
proxy_connect_timeout 3250;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
# upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
location / {
# No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0;
# Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
client_max_body_size 0;
# location = /robots.txt {
# return 200 "";
# }
proxy_pass http://127.0.0.1:8001;
}
}

View File

@ -1,5 +1,4 @@
# http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
@ -13,6 +12,83 @@ server {
server_name jenkins.teksatcau.fr;
location / {
proxy_pass http://127.0.0.1:8002;
# redirect everything to HTTPS
return 301 https://$host$request_uri;
}
}
# https server
server {
server_name jenkins.teksatcau.fr;
listen 443 http2;
listen [::]:443 http2;
ssl on;
# paths are relative to prefix and not to this file
ssl_certificate /etc/letsencrypt/live/jenkins.teksatcau.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/jenkins.teksatcau.fr/privkey.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=15768000";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN";
proxy_hide_header X-Frame-Options;
# https://github.com/twitter/secureheaders
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
add_header X-XSS-Protection "1; mode=block";
proxy_hide_header X-XSS-Protection;
add_header X-Download-Options "noopen";
proxy_hide_header X-Download-Options;
add_header X-Content-Type-Options "nosniff";
proxy_hide_header X-Content-Type-Options;
add_header X-Permitted-Cross-Domain-Policies "none";
proxy_hide_header X-Permitted-Cross-Domain-Policies;
add_header Referrer-Policy "no-referrer-when-downgrade";
proxy_hide_header Referrer-Policy;
proxy_http_version 1.1;
proxy_intercept_errors on;
proxy_read_timeout 3500;
proxy_connect_timeout 3250;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
# upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
location / {
# No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0;
# Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
client_max_body_size 0;
# location = /robots.txt {
# return 200 "";
# }
proxy_pass http://127.0.0.1:8002;
}
}

View File

@ -1,5 +1,4 @@
# http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
@ -13,6 +12,83 @@ server {
server_name portainer.teksatcau.fr;
location / {
proxy_pass http://127.0.0.1:8003;
# redirect everything to HTTPS
return 301 https://$host$request_uri;
}
}
# https server
server {
server_name portainer.teksatcau.fr;
listen 443 http2;
listen [::]:443 http2;
ssl on;
# paths are relative to prefix and not to this file
ssl_certificate /etc/letsencrypt/live/portainer.teksatcau.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/portainer.teksatcau.fr/privkey.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=15768000";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN";
proxy_hide_header X-Frame-Options;
# https://github.com/twitter/secureheaders
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
add_header X-XSS-Protection "1; mode=block";
proxy_hide_header X-XSS-Protection;
add_header X-Download-Options "noopen";
proxy_hide_header X-Download-Options;
add_header X-Content-Type-Options "nosniff";
proxy_hide_header X-Content-Type-Options;
add_header X-Permitted-Cross-Domain-Policies "none";
proxy_hide_header X-Permitted-Cross-Domain-Policies;
add_header Referrer-Policy "no-referrer-when-downgrade";
proxy_hide_header Referrer-Policy;
proxy_http_version 1.1;
proxy_intercept_errors on;
proxy_read_timeout 3500;
proxy_connect_timeout 3250;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
# upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
location / {
# No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0;
# Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
client_max_body_size 0;
# location = /robots.txt {
# return 200 "";
# }
proxy_pass http://127.0.0.1:8003;
}
}

View File

@ -4,7 +4,7 @@ docker run --detach \
--publish 8001:80 \
--publish 2201:22 \
--hostname gitlab.c2a-system.test \
--env GITLAB_OMNIBUS_CONFIG="external_url 'http://gitlab.c2a-system.test/'; gitlab_rails['gitlab_shell_ssh_port'] = 2201;" \
--env GITLAB_OMNIBUS_CONFIG="external_url 'http://gitlab.teksatcau.fr/'; gitlab_rails['gitlab_shell_ssh_port'] = 2201;" \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \

View File

@ -1,5 +1,9 @@
apt-get install -y nginx
letsencrypt --email mathieu.sanchez@outlook.fr certonly --nginx -d gitlab.teksatcau.fr
letsencrypt --email mathieu.sanchez@outlook.fr certonly --nginx -d jenkins.teksatcau.fr
letsencrypt --email mathieu.sanchez@outlook.fr certonly --nginx -d portainer.teksatcau.fr
cp ./docker/conf/nginx.conf /etc/nginx/
cp ./docker/conf/mime.types /etc/nginx/
cp ./docker/conf/applications/* /etc/nginx/conf.d/

View File

@ -33,3 +33,7 @@ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./docker/install-mongo.sh
service nginx restart
letsencrypt --email mathieu.sanchez@outlook.fr certonly --nginx -d gitlab.teksatcau.fr
letsencrypt --email mathieu.sanchez@outlook.fr certonly --nginx -d jenkins.teksatcau.fr
letsencrypt --email mathieu.sanchez@outlook.fr certonly --nginx -d portainer.teksatcau.fr