From 7d17c873ab6a0b3906ca43c590d32ed9f3e08a03 Mon Sep 17 00:00:00 2001
From: Mathieu Sanchez
Date: Wed, 3 Apr 2019 16:42:41 +0900
Subject: [PATCH] Add nginx conf
---
 .../applications/gitlab.c2a-systeme.fr.conf | 100 ++++++++++++++++++
 .../portainer.c2a-systeme.fr.conf | 18 ++++
 docker/conf/mime.types | 79 ++++++++++++++
 docker/conf/nginx.conf | 52 +++++++++
 docker/gitlab.sh | 7 +-
 docker/install-nginx.sh | 15 +++
 docker/mongo.sh | 2 +-
 docker/nginx.sh | 6 --
 docker/portainer.sh | 12 +--
 install.sh | 4 +
 10 files changed, 279 insertions(+), 16 deletions(-)
 create mode 100644 docker/conf/applications/gitlab.c2a-systeme.fr.conf
 create mode 100644 docker/conf/applications/portainer.c2a-systeme.fr.conf
 create mode 100644 docker/conf/mime.types
 create mode 100644 docker/conf/nginx.conf
 create mode 100644 docker/install-nginx.sh
 delete mode 100644 docker/nginx.sh
diff --git a/docker/conf/applications/gitlab.c2a-systeme.fr.conf b/docker/conf/applications/gitlab.c2a-systeme.fr.conf
new file mode 100644
index 0000000..c2bf89f
--- /dev/null
+++ b/docker/conf/applications/gitlab.c2a-systeme.fr.conf
@@ -0,0 +1,100 @@
+# http://nginx.org/en/docs/http/websocket.html
+# http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+# http server
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name gitlab.c2a-systeme.fr;
+
+ location / {
+ # redirect everything to HTTPS
+ return 301 https://$host$request_uri;
+ }
+}
+
+# https server
+server {
+ server_name gitlab.c2a-systeme.fr;
+ listen 443 http2;
+ listen [::]:443 http2;
+
+ ssl on;
+ # paths are relative to prefix and not to this file
+ ssl_certificate /home/c2a/conf/nginx/certs/gitlab.c2a-systeme.fr.cert;
+ ssl_certificate_key /home/c2a/conf/nginx/certs/gitlab.c2a-systeme.fr.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+
+ # https://bettercrypto.org/static/applied-crypto-hardening.pdf
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ # https://cipherli.st/
+ # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
+
+ # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ # ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
+ # add_header Strict-Transport-Security "max-age=15768000";
+
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
+ add_header X-Frame-Options "SAMEORIGIN";
+ proxy_hide_header X-Frame-Options;
+
+ # https://github.com/twitter/secureheaders
+ # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
+ # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_hide_header X-XSS-Protection;
+ add_header X-Download-Options "noopen";
+ proxy_hide_header X-Download-Options;
+ add_header X-Content-Type-Options "nosniff";
+ proxy_hide_header X-Content-Type-Options;
+ add_header X-Permitted-Cross-Domain-Policies "none";
+ proxy_hide_header X-Permitted-Cross-Domain-Policies;
+ add_header Referrer-Policy "no-referrer-when-downgrade";
+ proxy_hide_header Referrer-Policy;
+
+ proxy_http_version 1.1;
+ proxy_intercept_errors on;
+ proxy_read_timeout 3500;
+ proxy_connect_timeout 3250;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Ssl on;
+
+ # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ location / {
+ # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+
+ # No buffering to temp files, it fails for large downloads
+ proxy_max_temp_file_size 0;
+
+ # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
+ client_max_body_size 0;
+
+ # Custom robots.txt
+ # location = /robots.txt {
+ # return 200 "";
+ # }
+
+ proxy_pass http://127.0.0.1:8001;
+ }
+
+}
\ No newline at end of file
diff --git a/docker/conf/applications/portainer.c2a-systeme.fr.conf b/docker/conf/applications/portainer.c2a-systeme.fr.conf
new file mode 100644
index 0000000..e4cc5f3
--- /dev/null
+++ b/docker/conf/applications/portainer.c2a-systeme.fr.conf
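Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled even though the cipher list just below is copied from the Mozilla "modern" profile, which is TLS 1.2-only; `ssl_protocols TLSv1.2;` makes the protocol and cipher settings agree. `ssl on;` combined with `listen 443 http2;` is the deprecated form; the current equivalent is `listen 443 ssl http2;` (and the same for the `[::]` line) with `ssl on;` removed. `proxy_pass http://127.0.0.1:8001;` refers to the loopback of whatever process runs nginx, and since install-nginx.sh in this commit starts nginx as a container without host networking, that is most likely the nginx container itself rather than the host port GitLab publishes, so the upstream would be unreachable; a shared Docker network with the container name as upstream, or `--network host`, would be needed. The `Strict-Transport-Security` header is left commented out with no explanation; a one-line comment saying why HSTS is off would stop a later reader from assuming it is an oversight.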
@@ -0,0 +1,18 @@
+# http://nginx.org/en/docs/http/websocket.html
+# http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+# http server
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name portainer.c2a-systeme.fr;
+
+ location / {
+ proxy_pass http://127.0.0.1:8003;
+ }
+}
\ No newline at end of file
diff --git a/docker/conf/mime.types b/docker/conf/mime.types
new file mode 100644
index 0000000..36c6d17
--- /dev/null
+++ b/docker/conf/mime.types
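Review bot: The Portainer vhost listens only on port 80 with no TLS and no redirect to HTTPS, unlike the gitlab vhost in the same commit; Portainer is given the Docker socket (see portainer.sh), so its login and session travel in cleartext while controlling the host. The `map $http_upgrade $connection_upgrade` block is defined but never used: the location lacks `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection $connection_upgrade;`, so WebSocket upgrades (used by Portainer's container console) will not be forwarded. `proxy_pass http://127.0.0.1:8003;` has the same loopback concern as the gitlab vhost when nginx itself runs as a container.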
@@ -0,0 +1,79 @@
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/x-javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/java-archive jar war ear;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream eot;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
\ No newline at end of file
diff --git a/docker/conf/nginx.conf b/docker/conf/nginx.conf
new file mode 100644
index 0000000..4511e53
--- /dev/null
+++ b/docker/conf/nginx.conf
@@ -0,0 +1,52 @@
+user www-data;
+
+worker_processes 1;
+
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ # the collectd config depends on this log format
+ log_format combined2 '$remote_addr - [$time_local] '
+ '"$request" $status $body_bytes_sent $request_time '
+ '"$http_referer" "$host" "$http_user_agent"';
+
+ # required for long host names
+ server_names_hash_bucket_size 128;
+
+ access_log /var/log/nginx/access.log combined2;
+
+ sendfile on;
+
+ # timeout for client to finish sending headers
+ client_header_timeout 30s;
+
+ # timeout for reading client request body (successive read timeout and not whole body!)
+ client_body_timeout 60s;
+
+ # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
+ keepalive_timeout 65s;
+
+ # zones for rate limiting
+ limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second
+
+
+ # default http server that returns 404 for any domain we are not listening on
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name does_not_match_anything;
+
+ location / {
+ return 404;
+ }
+ }
+
+ include applications/*.conf;
+}
diff --git a/docker/gitlab.sh b/docker/gitlab.sh
index 7631dd9..d2becbe 100644
--- a/docker/gitlab.sh
+++ b/docker/gitlab.sh
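Review bot: `include applications/*.conf;` is resolved relative to the nginx prefix, i.e. `/etc/nginx/applications/*.conf`, but install-nginx.sh in this commit mounts the applications directory at `/etc/nginx/conf.d`, so no vhost will be loaded and every request falls through to the 404 default server; either change the line to `include conf.d/*.conf;` or mount the directory at `/etc/nginx/applications`. The `limit_req_zone ... zone=admin_login:10m` declaration is not referenced by any `limit_req` in this commit, so it currently has no effect and the comment `# zones for rate limiting` overstates it. There is also no `default_server` for port 443, so TLS requests for any unlisted host name will be answered by the first ssl server that loads (the gitlab vhost) rather than rejected.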
@@ -1,9 +1,10 @@
-docker run --detach /
+docker run --detach \
 --name gitlab \
- --publish 8001:80
+ --publish 8001:80 \
+ --publish 44301:443 \
 --publish 2201:22 \
 --hostname gitlab.c2a-system.dev \
- --env GITLAB_OMNIBUS_CONFIG=\"external_url 'http://gitlab.c2a-system.dev/'; gitlab_rails['gitlab_shell_ssh_port'] = 2201;\" \
+ --env GITLAB_OMNIBUS_CONFIG="external_url 'http://gitlab.c2a-system.dev/'; gitlab_rails['gitlab_shell_ssh_port'] = 2201;" \
 --volume /srv/gitlab/config:/etc/gitlab \
 --volume /srv/gitlab/logs:/var/log/gitlab \
 --volume /srv/gitlab/data:/var/opt/gitlab \
diff --git a/docker/install-nginx.sh b/docker/install-nginx.sh
new file mode 100644
index 0000000..220938e
--- /dev/null
+++ b/docker/install-nginx.sh
@@ -0,0 +1,15 @@
+mkdir /home/c2a/conf
+mkdir /home/c2a/conf/nginx
+mkdir /home/c2a/conf/nginx/applications
+cp conf/nginx.conf /home/c2a/conf/nginx/
+cp conf/mime.types /home/c2a/conf/nginx/
+cp conf/applications/* /home/c2a/conf/nginx/applications/
+docker run --detach \
+ --name gitlab \
+ --publish 80:80 \
+ --publish 443:443 \
+ --volume /home/c2a/conf/nginx/nginx.conf:/etc/nginx/nginx.conf \
+ --volume /home/c2a/conf/nginx/mime.types:/etc/nginx/mime.types \
+ --volume /home/c2a/conf/nginx/applications:/etc/nginx/conf.d \
+ --restart unless-stopped \
+ nginx:latest
\ No newline at end of file
diff --git a/docker/mongo.sh b/docker/mongo.sh
index 9d15d39..a49de94 100644
--- a/docker/mongo.sh
+++ b/docker/mongo.sh
@@ -1,4 +1,4 @@
-docker run --detach /
+docker run --detach \
 --name mongo \
 -p 27017:27017 \
 -e MONGO_INITDB_ROOT_USERNAME=c2a \
diff --git a/docker/nginx.sh b/docker/nginx.sh
deleted file mode 100644
index 13b1f1a..0000000
--- a/docker/nginx.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-docker run --detach /
- --name gitlab \
- --publish 80:80 \
- --publish 443:443 \
- --restart unless-stopped \
- nginx:latest
\ No newline at end of file
diff --git a/docker/portainer.sh b/docker/portainer.sh
index cfaa461..8d1b81e 100644
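Review bot: `external_url 'http://gitlab.c2a-system.dev/'` keeps GitLab configured for plain HTTP while the new gitlab nginx vhost terminates TLS and sends `X-Forwarded-Proto https`, so GitLab will generate http:// links and redirects behind the proxy; the usual omnibus setting for a TLS-terminating proxy is an https `external_url` together with `nginx['listen_port'] = 80; nginx['listen_https'] = false;`. The host name here (`gitlab.c2a-system.dev`) also differs from the vhost's `server_name gitlab.c2a-systeme.fr`, which looks like a typo in one of the two. The new `--publish 44301:443` has no matching HTTPS configuration on the GitLab side, so the port is exposed for nothing. The docker run command continues past the hunk.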
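Review bot: The nginx container is started with `--name gitlab`, the same name gitlab.sh uses for the GitLab container, so whichever of the two starts second fails with a name conflict; `--name nginx` is presumably intended. The `cp conf/...` lines are relative to the current directory, yet install.sh in this commit invokes the script as `./docker/install-nginx.sh` from the repository root where `conf/` does not exist; a leading `cd "$(dirname "$0")"` or `docker/conf/...` paths would fix that. The certificate directory `/home/c2a/conf/nginx/certs` that gitlab.c2a-systeme.fr.conf points at is neither created here nor mounted into the container, so nginx cannot start once that vhost loads. The script has no shebang and no `set -e`, so a failed `mkdir` on a re-run (use `mkdir -p`) is silently ignored and the rest still runs.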
--- a/docker/portainer.sh
+++ b/docker/portainer.sh
@@ -1,8 +1,8 @@
-docker volume create portainer_data
-docker run --detach /
- --name portainer
- --publish 8002:9000 \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v portainer_data:/data \
+docker volume create portainer_data;
+docker run --detach \
+ --name portainer \
+ --publish 8003:9000 \
+ -volume /var/run/docker.sock:/var/run/docker.sock \
+ -volume portainer_data:/data \
 --restart unless-stopped \
 portainer/portainer:latest
\ No newline at end of file
diff --git a/install.sh b/install.sh
index 26ab6f8..0ca3d9b 100644
--- a/install.sh
+++ b/install.sh
@@ -17,3 +17,7 @@ add-apt-repository \
 stable"
 apt-get update
 apt-get install docker-ce docker-ce-cli containerd.io
+
+# Authorized launch script
+chmod 755 conf/*.sh
+./docker/install-nginx.sh
\ No newline at end of file
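Review bot: `-volume /var/run/docker.sock:/var/run/docker.sock` and the following `-volume portainer_data:/data` use a single dash, which docker run does not accept as the volume flag; its parser will most likely read `-volume` as the short `-v` option with the value `olume` and treat the real path as a stray argument, so neither mount is applied. Restore `--volume` (or the original `-v`) on both lines. Since this mount hands Portainer the Docker socket, i.e. root-equivalent control of the host, the fact that the new portainer vhost serves it over plain HTTP is worth fixing in the same change.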
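Review bot: `chmod 755 conf/*.sh` points at a directory that, per this commit's file list, contains no scripts (they live under `docker/`), so `./docker/install-nginx.sh` on the next line is still not executable and the call fails; `chmod 755 docker/*.sh` appears to be the intended line. The comment `# Authorized launch script` would read better as `# Make the launch scripts executable and start nginx`. The enclosing script begins before the hunk.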