diff --git a/docker/conf/applications/dev.reports.c2a-systeme.fr.conf b/docker/conf/applications/dev.reports.c2a-systeme.fr.conf new file mode 100644 index 0000000..e57263e --- /dev/null +++ b/docker/conf/applications/dev.reports.c2a-systeme.fr.conf @@ -0,0 +1,64 @@ +# http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# http server +server { + listen 80; + listen [::]:80; + + server_name dev.reports.c2a-systeme.fr; + + location / { + # redirect everything to HTTPS + return 301 https://$host$request_uri; + } +} + +# https server +server { + server_name dev.reports.c2a-systeme.fr; + listen 443 http2; + listen [::]:443 http2; + + ssl on; + ssl_certificate /etc/letsencrypt/live/dev.reports.c2a-systeme.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dev.reports.c2a-systeme.fr/privkey.pem; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:50m; + + # Enable server-side protection against BEAST attacks + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/dev.reports.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; + + auth_basic "Restricted"; + auth_basic_user_file /etc/nginx/.htpasswd; + + root /var/www/html/c2a-web-app-dev; + index index.html; + + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + + location / { + try_files $uri $uri/ /index.html =404; + } +} diff --git a/docker/conf/applications/dev.www.c2a-systeme.fr.conf b/docker/conf/applications/dev.www.c2a-systeme.fr.conf new file mode 100644 index 0000000..577adc9 --- /dev/null +++ b/docker/conf/applications/dev.www.c2a-systeme.fr.conf @@ -0,0 +1,64 @@ +# http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +# http server +server { + listen 80; + listen [::]:80; + + server_name dev.www.c2a-systeme.fr; + + location / { + # redirect everything to HTTPS + return 301 https://$host$request_uri; + } +} + +# https server +server { + server_name dev.www.c2a-systeme.fr; + listen 443 http2; + listen [::]:443 http2; + + ssl on; + ssl_certificate /etc/letsencrypt/live/dev.www.c2a-systeme.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dev.www.c2a-systeme.fr/privkey.pem; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:50m; + + # Enable server-side protection against BEAST attacks + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/dev.www.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; + + auth_basic "Restricted"; + auth_basic_user_file /etc/nginx/.htpasswd; + + root /var/www/html/c2a-web-platform-dev; + index index.html; + + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + + location / { + try_files $uri $uri/ /index.html =404; + } +} diff --git a/docker/install-nginx.sh b/docker/install-nginx.sh index 1b1916b..8ccf9d4 100755 --- a/docker/install-nginx.sh +++ b/docker/install-nginx.sh @@ -8,7 +8,9 @@ certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@out certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d dev.api.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d reports.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d jenkins.c2a-systeme.fr +certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d dev.www.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d portainer.c2a-systeme.fr +certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d dev.reports.c2a-systeme.fr cp ./docker/conf/nginx.conf /etc/nginx/ cp ./docker/conf/mime.types /etc/nginx/ diff --git a/install.sh b/install.sh index 020def9..8f2a183 100755 --- a/install.sh +++ b/install.sh @@ -9,7 +9,8 @@ apt-get install -y \ curl \ gnupg2 \ software-properties-common \ - htop + htop \ + apache2-utils curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - apt-key fingerprint 0EBFCD88 add-apt-repository \