Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F3768986
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
45 KB
Referenced Files
None
Subscribers
None
View Options
diff --git a/.gitignore b/.gitignore
index 008af35..72bd94d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
__pycache__
*.pyc
*.pyo
+
+# Autogenerated content
+roles/webserver-core/nginx/files/ocsp-ca-certs.pem
diff --git a/Makefile b/Makefile
index adf22d4..cdfd969 100644
--- a/Makefile
+++ b/Makefile
@@ -1,58 +1,64 @@
# -------------------------------------------------------------
# Salt - Operations repository
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: Allow to generate repository or API content
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
HOST_NAME != hostname -s
HOST_DOMAIN != hostname -d
API_DIR=/var/wwwroot/$(HOST_DOMAIN)/$(HOST_NAME)/datasources/infra
RM=rm -f
MKDIR=mkdir -p
MV=mv
# -------------------------------------------------------------
# Main targets
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_default: repo
all: repo api
clean: clean-repo clean-api
test:
(cd _tests && make)
# -------------------------------------------------------------
# Build targets - repository
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-repo: roles/webserver-content/init.sls .git/hooks/pre-commit
+repo: roles/webserver-content/init.sls \
+ roles/webserver-core/nginx/files/ocsp-ca-certs.pem \
+ .git/hooks/pre-commit
roles/webserver-content/init.sls:
tmpfile=`mktemp /tmp/make-rOPS-generate-webcontent-index.XXXXXX` ; \
utils/generate-webcontent-index.py > "$$tmpfile" ;\
${MV} "$$tmpfile" roles/webserver-content/init.sls
+roles/webserver-core/nginx/files/ocsp-ca-certs.pem:
+ utils/generate-ocsp-bundle.sh > roles/webserver-core/nginx/files/ocsp-ca-certs.pem
+
.git/hooks/pre-commit:
pre-commit install
clean-repo:
${RM} roles/webserver-content/init.sls .git/hooks/pre-commit
+ ${RM} roles/webserver-core/nginx/files/ocsp-ca-certs.pem
# -------------------------------------------------------------
# Build targets - API
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
api: $(API_DIR)/all-states.json
$(API_DIR)/all-states.json:
${MKDIR} ${API_DIR}
utils/show-local-states.py > ${API_DIR}/all-states.json
clean-api:
${RM} ${API_DIR}/all-states.json
diff --git a/roles/paas-docker/nginx/config.sls b/roles/paas-docker/nginx/config.sls
index ca687d2..52c0e70 100644
--- a/roles/paas-docker/nginx/config.sls
+++ b/roles/paas-docker/nginx/config.sls
@@ -1,87 +1,59 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% set containers = pillar.get('docker_containers', {}) %}
-# -------------------------------------------------------------
-# Base folder
-#
-# :: general configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.etc }}/nginx/nginx.conf:
- file.managed:
- - source: salt://roles/paas-docker/nginx/files/nginx.conf
-
-nginx_dhparams:
- cmd.run:
- - name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 2048
- - creates: {{ dirs.etc }}/nginx/dhparams.pem
-
-# -------------------------------------------------------------
-# includes folder
-#
-# :: general configuration
-# :: application-specific code
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.etc }}/nginx/includes:
- file.recurse:
- - source: salt://roles/paas-docker/nginx/files/includes
- - dir_mode: 755
- - file_mode: 644
-
# -------------------------------------------------------------
# vhosts folder
#
# :: fallback when a domain isn't found
# :: server cover page
# :: containers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts:
file.directory:
- dir_mode: 755
{{ dirs.etc }}/nginx/vhosts/000-fallback.conf:
file.managed:
- source: salt://roles/paas-docker/nginx/files/vhosts/base/fallback.conf
{{ dirs.etc }}/nginx/vhosts/001-server.conf:
file.managed:
- source: salt://roles/paas-docker/nginx/files/vhosts/base/server.conf
- template: jinja
- context:
fqdn: {{ grains['fqdn'] }}
ipv4: {{ grains['ipv4'] | join(" ") }}
ipv6: "{{ salt['node.get_ipv6_list']() }}"
{% for service, instances in containers.items() %}
{% for instance, container in instances.items() %}
{% if 'host' in container %}
{% set vhost_config = salt["paas_docker.resolve_vhost_config_file"](service) %}
{{ dirs.etc }}/nginx/vhosts/{{ service }}/{{ instance }}.conf:
file.managed:
- source: salt://{{ vhost_config }}
- mode: 644
- makedirs: True
- template: jinja
- context:
fqdn: {{ container['host'] }}
app_port: {{ container['app_port'] }}
aliases: {{ container['aliases'] | default('', true) | join(" ") }}
# If the nginx configuration needs more key,
# pass directly the container dictionary.
args: {{ container }}
{% endif %}
{% endfor %}
{% endfor %}
diff --git a/roles/paas-docker/nginx/files/includes/cors-open b/roles/paas-docker/nginx/files/includes/cors-open
deleted file mode 100644
index b3018a8..0000000
--- a/roles/paas-docker/nginx/files/includes/cors-open
+++ /dev/null
@@ -1,54 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Description: nginx CORS configuration
-# Reference: Michiel Kalkman, "Wide open nginx CORS configuration",
-# https://michielkalkman.com/snippets/nginx-cors-open-configuration/
-# License: Trivial work, not eligible for copyright.
-# Source file: roles/paas-docker/nginx/files/includes/cors-open
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-# -------------------------------------------------------------
-# OPTIONS
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain; charset=utf-8';
- add_header 'Content-Length' 0;
-
- return 204;
- }
-
- # -------------------------------------------------------------
- # GET
- # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-if ($request_method = 'GET') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-}
-
-# -------------------------------------------------------------
-# POST
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-if ($request_method = 'POST') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-}
diff --git a/roles/paas-docker/nginx/files/includes/geo_nasqueron b/roles/paas-docker/nginx/files/includes/geo_nasqueron
deleted file mode 100644
index a4189bb..0000000
--- a/roles/paas-docker/nginx/files/includes/geo_nasqueron
+++ /dev/null
@@ -1,24 +0,0 @@
-geo $nasqueron_server {
- default 0;
-
- # Dreadnought
- 51.255.124.8/30 1;
-
- # Ysul
- 163.172.49.16 1;
- 212.83.187.132 1;
-
- # WindRiver
- 51.159.18.59 1;
-
- # CloudHugger
- 188.165.200.229 1;
-
- # Docker containers
- 172.17.0.0/16 1;
-}
-
-map $nasqueron_server $not_a_nasqueron_server {
- default 0;
- 0 1;
-}
diff --git a/roles/paas-docker/nginx/files/includes/letsencrypt b/roles/paas-docker/nginx/files/includes/letsencrypt
deleted file mode 100644
index f885b42..0000000
--- a/roles/paas-docker/nginx/files/includes/letsencrypt
+++ /dev/null
@@ -1,20 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
-# Description: Get SSL certificates from Let's encrypt
-# Source file: roles/paas-docker/nginx/files/includes/letsencrypt
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
- location /.well-known/acme-challenge {
- default_type text/plain;
- root /srv/letsencrypt/www;
- }
diff --git a/roles/paas-docker/nginx/files/includes/tls b/roles/paas-docker/nginx/files/includes/tls
deleted file mode 100644
index 735f1ea..0000000
--- a/roles/paas-docker/nginx/files/includes/tls
+++ /dev/null
@@ -1,28 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2017-04-03
-# Description: Get SSL certificates from Let's encrypt
-# Source file: roles/paas-docker/nginx/files/includes/tls
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-listen 443 ssl http2;
-listen [::]:443 ssl http2;
-keepalive_timeout 70;
-
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/nginx/dhparams.pem;
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf b/roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf
deleted file mode 100644
index b33c88b..0000000
--- a/roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
-# Description: Get SSL certificates from Let's encrypt
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
- location /.well-known/acme-challenge {
- allow all;
-
- default_type text/plain;
- root /var/letsencrypt-auto;
- }
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf b/roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf
deleted file mode 100644
index 015a6b0..0000000
--- a/roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# -------------------------------------------------------------
-# Eglide — nginx configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Eglide
-# Created: 2016-07-26
-# License: Trivial work, not eligible to copyright
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-# -------------------------------------------------------------
-# Server configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-worker_processes 1;
-
-events {
- worker_connections 1024;
-}
-
-# -------------------------------------------------------------
-# HTTP configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-http {
- include mime.types;
- default_type text/plain;
-
- server_names_hash_bucket_size 128;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- sendfile on;
- keepalive_timeout 65;
- gzip on;
-
- include vhosts/*.conf;
-}
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/ssl_params b/roles/shellserver/web-hosting/files/eglide/nginx/ssl_params
deleted file mode 100644
index 36f7c6c..0000000
--- a/roles/shellserver/web-hosting/files/eglide/nginx/ssl_params
+++ /dev/null
@@ -1,15 +0,0 @@
- #Enable https
- listen 443 ssl http2;
- listen [2001:470:1f13:896:0:c0de:15:11fe]:443 ssl http2;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
-
- ssl_protocols TLSv1.2;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
-
- add_header Strict-Transport-Security max-age=15768000;
- ssl_stapling on;
- ssl_stapling_verify on;
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
similarity index 97%
rename from roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf
rename to roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
index b4097eb..e6c9404 100644
--- a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf
+++ b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
@@ -1,40 +1,40 @@
# -------------------------------------------------------------
# Eglide — nginx configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
# Created: 2016-07-26
# License: Trivial work, not eligible to copyright
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf
+# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Default vhost as a catchall when Host: header value doesn't
# match any server name, ie the domain is unknown.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [2001:470:1f12:9e1::2]:80;
listen [2001:470:1f13:9e1:0:c0ff:ee:1]:80;
server_name _;
access_log /var/log/www/unknown_domains-access.log main;
error_log /var/log/www/unknown_domains-error.log;
location / {
return 404;
}
error_page 404 /unknown.html;
location = /unknown.html {
root /var/wwwroot/unknown_domains;
}
}
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
similarity index 91%
rename from roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf
rename to roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
index 7653a48..bbe74dc 100644
--- a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf
+++ b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
@@ -1,65 +1,64 @@
# -------------------------------------------------------------
# Eglide — nginx configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
# Created: 2016-07-26
# License: Trivial work, not eligible to copyright
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf
+# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Main vhost receives special responsibilities like serving
# user directories.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name localhost eglide eglide.org eglide.nasqueron.org www.eglide.org [2001:470:1f12:896::2] [2001:470:1f13:896:0:c0de:15:11fe];
root /var/wwwroot/eglide.org/www;
access_log /var/log/www/eglide.org/www-access.log main;
error_log /var/log/www/eglide.org/www-error.log;
###
### SSL
###
- include includes/letsencrypt.conf;
+ include includes/letsencrypt;
- include ssl_params;
+ include includes/tls;
ssl_certificate /etc/letsencrypt/live/www.eglide.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.eglide.org/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/www.eglide.org/chain.pem;
###
### Main site
###
location / {
index index.html index.htm default.html default.htm;
}
error_page 500 502 503 504 /50x.html;
###
### public_html user directories
###
set $userdir public_html;
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/$userdir$2;
index index.html index.htm;
autoindex on;
}
}
diff --git a/roles/webserver-core/map.jinja b/roles/webserver-core/map.jinja
new file mode 100644
index 0000000..5122db9
--- /dev/null
+++ b/roles/webserver-core/map.jinja
@@ -0,0 +1,18 @@
+{% set options = salt["grains.filter_by"]({
+ "Debian": {
+ "www_user": "nobody",
+ },
+ "FreeBSD": {
+ "www_user": "www",
+ },
+ "RedHat": {
+ "www_user": "nginx",
+ "pid_path": "/run/nginx.pid",
+ }
+}, default="Debian") %}
+
+{% if salt["node.has_role"]("paas-docker") %}
+{% set certbot_dir = "/srv/letsencrypt/www" %}
+{% else %}
+{% set certbot_dir = "/var/letsencrypt-auto" %}
+{% endif %}
diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
index 9235938..15ae87e 100644
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -1,31 +1,77 @@
# -------------------------------------------------------------
# Salt — Webserver core units for all webservers roles
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
+{% from "roles/webserver-core/map.jinja" import options, certbot_dir with context %}
+
+# -------------------------------------------------------------
+# Base configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/nginx/nginx.conf:
+ file.managed:
+ - source: salt://roles/webserver-core/nginx/files/nginx.conf
+ - template: jinja
+ - context:
+ nginx_dir: {{ dirs.etc }}/nginx
+ nginx_options: {{ options }}
# -------------------------------------------------------------
# includes folder
#
# :: general configuration
# :: application-specific code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_includes:
file.recurse:
- name: {{ dirs.etc }}/nginx/includes
- source: salt://roles/webserver-core/nginx/files/includes
- dir_mode: 755
- file_mode: 644
+ - template: jinja
+ - context:
+ nginx_dir: {{ dirs.etc }}/nginx
+ nginx_options: {{ options }}
+ certbot_dir: {{ certbot_dir }}
+
+# -------------------------------------------------------------
+# Parameters for Diffie-Hellman
+#
+# Some ciphers still require DH exchange. They contain "DHE" in
+# the name, e.g. DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+webserver_core_nginx_dh:
+ cmd.run:
+ - name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 4096
+ - creates: {{ dirs.etc }}/nginx/dhparams.pem
+
+# -------------------------------------------------------------
+# OCSP - Online Certificate Status Protocol
+#
+# To allow nginx to verify TLS certificate presented by CA
+# when it makes requests to the CRL, a bundle of CA certificates
+# should be available.
+#
+# To generate the bundle file on this repository, use `make`.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/usr/local/share/certs/ocsp-ca-certs.pem:
+ file.managed:
+ - source: salt://roles/webserver-core/nginx/files/ocsp-ca-certs.pem
+ - makedirs: True
+ - mode: 644
# -------------------------------------------------------------
# vhost folder
#
# To be filled by the specific web role or unit
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts:
file.directory
diff --git a/roles/webserver-legacy/nginx/files/includes/cors-open b/roles/webserver-core/nginx/files/includes/cors-open
similarity index 95%
rename from roles/webserver-legacy/nginx/files/includes/cors-open
rename to roles/webserver-core/nginx/files/includes/cors-open
index df202e5..403d578 100644
--- a/roles/webserver-legacy/nginx/files/includes/cors-open
+++ b/roles/webserver-core/nginx/files/includes/cors-open
@@ -1,54 +1,54 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: CORS :: open policy
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: nginx CORS configuration
# Reference: Michiel Kalkman, "Wide open nginx CORS configuration",
# https://michielkalkman.com/snippets/nginx-cors-open-configuration/
# License: Trivial work, not eligible for copyright.
-# Source file: roles/webserver-legacy/nginx/files/includes/cors-open
+# Source file: roles/webserver-core/nginx/files/includes/cors-open
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# OPTIONS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
# -------------------------------------------------------------
# GET
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
# -------------------------------------------------------------
# POST
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
diff --git a/roles/webserver-legacy/nginx/files/includes/cors-open-no-cache b/roles/webserver-core/nginx/files/includes/cors-open-no-cache
similarity index 95%
rename from roles/webserver-legacy/nginx/files/includes/cors-open-no-cache
rename to roles/webserver-core/nginx/files/includes/cors-open-no-cache
index 0f6baf8..3939684 100644
--- a/roles/webserver-legacy/nginx/files/includes/cors-open-no-cache
+++ b/roles/webserver-core/nginx/files/includes/cors-open-no-cache
@@ -1,66 +1,66 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: CORS + no cache :: open policy
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: nginx CORS configuration
# Reference: Michiel Kalkman, "Wide open nginx CORS configuration",
# https://michielkalkman.com/snippets/nginx-cors-open-configuration/
# License: Trivial work, not eligible for copyright.
-# Source file: roles/webserver-legacy/nginx/files/includes/cors-open-no-cache
+# Source file: roles/webserver-core/nginx/files/includes/cors-open-no-cache
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# OPTIONS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
add_header 'X-Config-Type' 'cors-open-no-cache';
expires off;
add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
return 204;
}
# -------------------------------------------------------------
# GET
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
add_header 'X-Config-Type' 'cors-open-no-cache';
expires off;
add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
}
# -------------------------------------------------------------
# POST
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
add_header 'X-Config-Type' 'cors-open-no-cache';
expires off;
add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
}
diff --git a/roles/webserver-core/nginx/files/includes/fastcgi_params b/roles/webserver-core/nginx/files/includes/fastcgi_params
index 845811c..3b2c691 100644
--- a/roles/webserver-core/nginx/files/includes/fastcgi_params
+++ b/roles/webserver-core/nginx/files/includes/fastcgi_params
@@ -1,51 +1,49 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: FastCGI
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2017-11-19
# Project: Nasqueron
# Description: nginx FastCGI configuration
# License: Trivial work, not eligible for copyright.
# Source file: roles/webserver-core/nginx/files/includes/fastcgi_params
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Headers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# -------------------------------------------------------------
# PHP tweak
#
# Required if PHP was built with --enable-force-cgi-redirect.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
fastcgi_param REDIRECT_STATUS 200;
diff --git a/roles/webserver-core/nginx/files/includes/geo_nasqueron b/roles/webserver-core/nginx/files/includes/geo_nasqueron
new file mode 100644
index 0000000..2458fcd
--- /dev/null
+++ b/roles/webserver-core/nginx/files/includes/geo_nasqueron
@@ -0,0 +1,43 @@
+# -------------------------------------------------------------
+# nginx :: configuration :: geo :: Nasqueron servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Source file: roles/webserver-core/nginx/files/includes/geo_nasqueron
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+geo $nasqueron_server {
+ default 0;
+
+ # Dreadnought
+ 51.255.124.8/30 1;
+
+ # Ysul
+ 163.172.49.16 1;
+ 212.83.187.132 1;
+
+ # WindRiver
+ 51.159.18.59 1;
+
+ # CloudHugger
+ 188.165.200.229 1;
+
+ # Drake private network
+ 172.27.27.0/24 1;
+
+ # Docker containers
+ 172.17.0.0/16 1;
+ 172.18.0.0/16 1;
+ 172.21.0.0/16 1;
+}
+
+map $nasqueron_server $not_a_nasqueron_server {
+ default 0;
+ 0 1;
+}
diff --git a/roles/webserver-legacy/nginx/files/includes/letsencrypt b/roles/webserver-core/nginx/files/includes/letsencrypt
similarity index 72%
rename from roles/webserver-legacy/nginx/files/includes/letsencrypt
rename to roles/webserver-core/nginx/files/includes/letsencrypt
index e32143f..d301675 100644
--- a/roles/webserver-legacy/nginx/files/includes/letsencrypt
+++ b/roles/webserver-core/nginx/files/includes/letsencrypt
@@ -1,21 +1,22 @@
# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
+# nginx :: configuration :: Let's Encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
+# Project: Nasqueron
# Description: Get SSL certificates from Let's encrypt
# License: Trivial work, not eligible for copyright.
-# Source file: roles/webserver-legacy/nginx/files/includes/letsencrypt
+# Source file: roles/webserver-core/nginx/files/includes/letsencrypt
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
location /.well-known/acme-challenge {
+ allow all;
+
default_type text/plain;
- root /var/letsencrypt-auto;
+ root {{ certbot_dir }};
}
diff --git a/roles/paas-docker/nginx/files/includes/proxy_params b/roles/webserver-core/nginx/files/includes/proxy_params
similarity index 88%
rename from roles/paas-docker/nginx/files/includes/proxy_params
rename to roles/webserver-core/nginx/files/includes/proxy_params
index f461e65..894f622 100644
--- a/roles/paas-docker/nginx/files/includes/proxy_params
+++ b/roles/webserver-core/nginx/files/includes/proxy_params
@@ -1,46 +1,44 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: proxy
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-03-16
# Project: Nasqueron
# Description: nginx proxy configuration
# License: Trivial work, not eligible for copyright.
-# Source file: roles/paas-docker/nginx/files/includes/proxy_params
+# Source file: roles/webserver-core/nginx/files/includes/proxy_params
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Headers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# -------------------------------------------------------------
# Maximum upload size
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
client_max_body_size 10m;
client_body_buffer_size 128k;
# -------------------------------------------------------------
# Other proxy parameters
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
diff --git a/roles/webserver-core/nginx/files/includes/tls b/roles/webserver-core/nginx/files/includes/tls
index 69a30b5..69c2120 100644
--- a/roles/webserver-core/nginx/files/includes/tls
+++ b/roles/webserver-core/nginx/files/includes/tls
@@ -1,21 +1,66 @@
# -------------------------------------------------------------
-# Configuration for nginx TLS
+# nginx :: configuration :: TLS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
+# Project: Nasqueron
+# Description: Compatible TLS configuration for most clients
+# Strategy: nginx 1.22.1, intermediate config, OpenSSL 1.1.1o
+# See also: https://ssl-config.mozilla.org/
# License: Trivial work, not eligible for copyright.
# Source file: roles/webserver-core/nginx/files/includes/tls
# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
listen 443 ssl http2;
listen [::]:443 ssl http2;
keepalive_timeout 70;
ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
+ssl_dhparam {{ nginx_dir }}/dhparams.pem;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# -------------------------------------------------------------
+# HSTS - HTTP Strict Transport Security
+#
+# As we provide a Let's Encrypt certificate for all our services,
+# browser should be instructed to connect directly to HTTPS.
+#
+# This is low risk, as the browser only honour this request
+# as soon as it successfully connected to HTTPS without any
+# certificate issue.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# -------------------------------------------------------------
+# OCSP - Online Certificate Status Protocol
+#
+# To improve TLS handshake speed, and to help protecting the
+# privacy of the users connecting here, as there isn't any need
+# for them to connect to the CRL anymore, OSCP is enabled.
+#
+# The parameter `ssl_trusted_certificate` points to a bundle
+# of CA certificates, currently containing Let's Encrypt
+# intermediate and root certificates. If *any* certificate
+# is issued by another CA, their certificates must be added
+# to the bundle too.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem
+
+resolver 127.0.0.1;
diff --git a/roles/paas-docker/nginx/files/nginx.conf b/roles/webserver-core/nginx/files/nginx.conf
similarity index 72%
rename from roles/paas-docker/nginx/files/nginx.conf
rename to roles/webserver-core/nginx/files/nginx.conf
index 4245fc8..950aa3c 100644
--- a/roles/paas-docker/nginx/files/nginx.conf
+++ b/roles/webserver-core/nginx/files/nginx.conf
@@ -1,58 +1,58 @@
# -------------------------------------------------------------
-# Configuration for Docker PaaS front-end nginx
+# nginx :: configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2020-02-18
-# Source file: roles/paas-docker/nginx/files/nginx.conf
+# Project: Nasqueron
+# Source file: roles/webserver-core/nginx/files/nginx.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
-user nginx;
+user {{ nginx_options["www_user"] }};
worker_processes auto;
error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-include /usr/share/nginx/modules/*.conf;
+{% if "pid_path" in nginx_options -%}
+pid {{ nginx_options["pid_path"] }};
+{%- endif %}
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# Optimizing how packets are sent
# Reference: https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 64M;
server_names_hash_bucket_size 128;
include mime.types;
- default_type application/octet-stream;
+ default_type text/plain;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Base
- include /etc/nginx/vhosts/000-fallback.conf;
- include /etc/nginx/vhosts/001-server.conf;
+ include vhosts/000-fallback.conf;
+ include vhosts/001-server.conf;
- # Services hosted in containers
- include /etc/nginx/vhosts/*/*.conf;
+ # Services hosted
+ include vhosts/*/*.conf;
}
diff --git a/roles/webserver-core/nginx/init.sls b/roles/webserver-core/nginx/init.sls
index fb3a480..e2048e4 100644
--- a/roles/webserver-core/nginx/init.sls
+++ b/roles/webserver-core/nginx/init.sls
@@ -1,9 +1,10 @@
# -------------------------------------------------------------
# Salt — Webserver core units for all webservers roles
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
+ - .config
diff --git a/utils/generate-ocsp-bundle.sh b/utils/generate-ocsp-bundle.sh
new file mode 100755
index 0000000..ddfbec8
--- /dev/null
+++ b/utils/generate-ocsp-bundle.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# rOPS — generate OCSP bundle with CA certificates
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Let's encrypt
+#
+# Active certificates:
+# - Let’s Encrypt R3 - signed by ISRG Root X1
+# - Let’s Encrypt E1 - signed by ISRG Root X2
+#
+# Disaster recovery certificates:
+# - Let’s Encrypt R4 - signed by ISRG Root X1
+# - Let’s Encrypt E2 - signed by ISRG Root X2
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+curl -sS https://letsencrypt.org/certs/lets-encrypt-r3.pem
+curl -sS https://letsencrypt.org/certs/lets-encrypt-e1.pem
+
+curl -sS https://letsencrypt.org/certs/lets-encrypt-r4.pem
+curl -sS https://letsencrypt.org/certs/lets-encrypt-e2.pem
+
+curl -sS https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
+curl -sS https://letsencrypt.org/certs/isrg-root-x2-cross-signed.pem
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Mon, Nov 25, 11:53 (1 d, 12 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2258845
Default Alt Text
(45 KB)
Attached To
Mode
rOPS Nasqueron Operations
Attached
Detach File
Event Timeline
Log In to Comment