add nginx conf

This commit is contained in:
Dryusdan 2018-01-30 13:01:16 +01:00
parent 1a76134c22
commit 4ee764c72d
13 changed files with 536 additions and 0 deletions


@ -0,0 +1,2 @@
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
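Review bot: Both `add_header` lines are silently dropped in any `location` that declares an `add_header` of its own, and without the `always` flag they are only emitted on 2xx/3xx responses, so error pages relayed from the upstream go out without them. Change them to `add_header X-Content-Type-Options nosniff always;` and `add_header X-XSS-Protection "1; mode=block" always;`, and re-include this file inside any location that adds headers itself. The HSTS header in the next file has the same `always` omission.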


@ -0,0 +1 @@
add_header Strict-Transport-Security "max-age=31536000";
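Review bot: `max-age=31536000` without `includeSubDomains` leaves every subdomain outside the policy, so a plaintext `http://` request to any other name under the zone is still accepted by browsers. If every subdomain is served over TLS, use `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`; if that cannot be guaranteed, add a comment stating that the narrow scope is deliberate so the next reader does not "fix" it.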


@ -0,0 +1,4 @@
ssl_stapling on;
ssl_stapling_verify on;
resolver 9.9.9.9 51.254.25.115 valid=300s;
resolver_timeout 5s;
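Review bot: The `resolver` line hard-codes two public resolvers with no comment saying what 51.254.25.115 is or why it was chosen, and `ssl_stapling_verify on` quietly depends on the `ssl_trusted_certificate` directive that lives in the separate ssl.conf, which a reader of this file alone cannot see. Add a comment above `ssl_stapling on;` such as `# OCSP responder lookups; verification needs ssl_trusted_certificate from ssl.conf` and label each resolver. These lookups are plain DNS to third parties, and nginx's resolver also issues AAAA queries by default, so append `ipv6=off` to the `resolver` line if the host has no IPv6 route.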


@ -0,0 +1,11 @@
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Remote-Port $remote_port;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_redirect off;
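Review bot: `proxy_set_header Connection "upgrade";` is unconditional, so every proxied request, not only WebSocket handshakes, carries `Connection: upgrade`, and `proxy_pass_header Server;` forwards the upstream's Server banner, undoing the `server_tokens off` set in nginx.conf. The usual form is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context with `proxy_set_header Connection $connection_upgrade;` here, and `proxy_pass_header Server;` should go unless the upstream's banner is wanted. `proxy_set_header Proxy "";` deserves a comment such as `# strip the client-supplied Proxy header (httpoxy)` so it is not removed later as dead config.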


@ -0,0 +1,14 @@
ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
ssl_prefer_server_ciphers on;
#ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
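Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` still offers TLS 1.1 although the active cipher set (`EECDH+CHACHA20:EECDH+AESGCM`) consists only of TLS 1.2 suites, so a TLS 1.1 client can negotiate the version and then fail on ciphers; `ssl_protocols TLSv1.2;` loses nothing against this list. TLS 1.3 cannot be added here because scripts/nginx_compile.sh in this commit builds against OpenSSL 1.1.0g, which does not implement it. The 30-suite commented `#ssl_ciphers` line includes 3DES entries and is dead config that a future edit may re-enable; delete it or replace it with a one-line comment giving the rationale for the active list.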

120
roots/etc/nginx/nginx.conf Normal file

@ -0,0 +1,120 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_disable msie6;
keepalive_requests 100;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
proxy_max_temp_file_size 20480m;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
#more_set_headers 'Server: secret';
aio threads;
aio_write on;
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 128;
limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
limit_req zone=allips burst=150 nodelay;
gzip on;
gzip_comp_level 5;
gzip_min_length 512;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_vary on;
gzip_disable "msie6";
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
#brotli on;
#brotli_static on;
#brotli_buffers 16 8k;
#brotli_comp_level 6;
#brotli_types
# text/css
# text/javascript
# text/xml
# text/plain
# text/x-component
# application/javascript
# application/x-javascript
# application/json
# application/xml
# application/rss+xml
# application/vnd.ms-fontobject
# font/truetype
# font/opentype
# image/svg+xml;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
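Review bot: `proxy_max_temp_file_size 20480m;` lets nginx spool up to 20 GB of upstream response to disk for a single request and nothing on the page says why it is raised from the default; under many slow clients that is a disk-exhaustion exposure, so add a comment with the reason or lower it. The `limit_conn limit_per_ip 128` and `limit_req zone=allips burst=150 nodelay` pairs are keyed on `$binary_remote_addr`, which is only meaningful if nginx is the edge; if another proxy ever sits in front, every client collapses into one key, which is worth a comment next to the zones. `#more_set_headers 'Server: secret';` stays commented although the compile script builds headers-more, so either enable it or drop the line.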


@ -0,0 +1,89 @@
server {
listen 80;
server_name beta.img.drycat.fr;
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
location / {
return 301 https://beta.paste.drycat.fr$request_uri;
}
}
server {
listen 443 ssl http2;
server_name beta.img.drycat.fr;
index index.html index.php index.htm;
ssl_certificate /etc/nginx/ssl/certificates/beta.img.drycat.fr.crt;
ssl_certificate_key /etc/nginx/ssl/certificates/beta.img.drycat.fr.key;
ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
#include /nginx/conf.d/ssl.conf;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
ssl_prefer_server_ciphers on;
#ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
#include /nginx/conf.d/headers.conf;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
#include /nginx/conf.d/hsts.conf;
add_header Strict-Transport-Security "max-age=31536000";
#include /nginx/conf.d/ocsp.conf;
ssl_stapling on;
ssl_stapling_verify on;
resolver 9.9.9.9 51.254.25.115 valid=300s;
resolver_timeout 5s;
location / {
#include /nginx/conf.d/proxy.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Remote-Port $remote_port;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_redirect off;
client_max_body_size 50M;
proxy_pass http://127.0.0.1:9000;
}
location ~ /\.well-known/acme-challenge {
default_type "text/plain";
root /etc/ssl/private/acme-challenge/;
allow all;
}
}
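Review bot: The port-80 redirect `return 301 https://beta.paste.drycat.fr$request_uri;` sends visitors of beta.img.drycat.fr to the paste host, which looks like a copy-paste from the paste vhost; it should be `return 301 https://$host$request_uri;` as the other vhosts in this commit do. The TLS, header, OCSP and proxy settings are inlined verbatim with the `#include /nginx/conf.d/...` lines commented out; those paths lack the `/etc` prefix used by the include-based vhosts, which is probably why the includes were abandoned. Fixing the path and restoring the includes removes the duplicated block here and in the beta.paste vhost, and means a later change to ssl.conf actually reaches these two hosts.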


@ -0,0 +1,88 @@
server {
listen 80;
server_name beta.paste.drycat.fr;
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
location / {
return 301 https://beta.paste.drycat.fr$request_uri;
}
}
server {
listen 443 ssl http2;
server_name beta.paste.drycat.fr;
index index.html index.php index.htm;
ssl_certificate /etc/nginx/ssl/certificates/beta.paste.drycat.fr.crt;
ssl_certificate_key /etc/nginx/ssl/certificates/beta.paste.drycat.fr.key;
ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
#include /nginx/conf.d/ssl.conf;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
ssl_prefer_server_ciphers on;
#ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
#include /nginx/conf.d/headers.conf;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
#include /nginx/conf.d/hsts.conf;
add_header Strict-Transport-Security "max-age=31536000";
#include /nginx/conf.d/ocsp.conf;
ssl_stapling on;
ssl_stapling_verify on;
resolver 9.9.9.9 51.254.25.115 valid=300s;
resolver_timeout 5s;
location / {
#include /nginx/conf.d/proxy.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Remote-Port $remote_port;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_redirect off;
client_max_body_size 50M;
proxy_pass http://127.0.0.1:9000;
}
location ~ /\.well-known/acme-challenge {
default_type "text/plain";
root /etc/ssl/private/acme-challenge/;
allow all;
}
}
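Review bot: `location ~ /\.well-known/acme-challenge` is an unanchored regex, so it matches that substring anywhere in the URI and serves files from under `/etc/ssl/private/acme-challenge/`; the beta.img vhost and the default server use the same pattern. Anchor it as a prefix match, `location ^~ /.well-known/acme-challenge/ {`, and consider a webroot outside `/etc/ssl/private`, whose conventional root-only mode is unlikely to be readable by the `www-data` worker set in nginx.conf (not verifiable from the page). `allow all;` has no effect without a preceding `deny`, so it can be removed.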


@ -0,0 +1,23 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name _ default;
#location ~ /\.well-known/acme-challenge {
# include /etc/nginx/conf.d/proxy.conf;
# proxy_pass http://127.0.0.1:81;
#}
location ~ /\.well-known/acme-challenge {
root /var/www/letsencrypt/paste.drycat.fr;
allow all;
}
#location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
# default_type text/plain;
# return 200 "$1.r_nPj5_YcCSwTNQOUfesQKbMeeTR7yQP_YfohDlF6EA";
#}
}
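Review bot: The catch-all server only listens on port 80, so a TLS connection for an unknown SNI name is answered by whichever `listen 443` server nginx loads first, with that host's certificate. Add a matching block with `listen 443 ssl default_server;` and `return 444;`; it needs a certificate to start, and any self-signed one will do (`ssl_certificate <PLACEHOLDER_PATH>;`). The commented `return 200 "$1.r_nPj5_..."` block carries what looks like an ACME key-authorisation value hard-coded into the repo; it is dead config and should be removed rather than kept.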


@ -0,0 +1,49 @@
server {
listen 80;
listen [::]:80;
server_name <DOMAIN>;
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <DOMAIN>;
index index.html index.php index.htm;
ssl_certificate /etc/nginx/ssl/certificates/<DOMAIN>.crt;
ssl_certificate_key /etc/nginx/ssl/certificates/<DOMAIN>.key;
include /etc/nginx/conf.d/ssl.conf;
include /etc/nginx/conf.d/headers.conf;
include /etc/nginx/conf.d/hsts.conf;
include /etc/nginx/conf.d/ocsp.conf;
location / {
include /etc/nginx/conf.d/proxy.conf;
client_max_body_size 50M;
proxy_pass http://127.0.0.1:9000;
}
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
}
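Review bot: This file is a template (`server_name <DOMAIN>;`) but nothing marks it as one, and since nginx.conf includes `sites-enabled/*` unconditionally, a copy left in place with the placeholder will fail to load its certificate and break `nginx -t`. Add a header comment, `# TEMPLATE: copy to sites-available/ and replace every <DOMAIN> before enabling`. Also note the certificate naming: `<DOMAIN>.crt/.key` here versus `.cert.pem/.key.pem` in the include-based beta.img vhost, so state which convention the issuing tooling produces.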


@ -0,0 +1,49 @@
server {
listen 80;
listen [::]:80;
server_name beta.img.drycat.fr;
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name beta.img.drycat.fr;
index index.html index.php index.htm;
ssl_certificate /etc/nginx/ssl/certificates/beta.img.drycat.fr.cert.pem;
ssl_certificate_key /etc/nginx/ssl/certificates/beta.img.drycat.fr.key.pem;
include /etc/nginx/conf.d/ssl.conf;
include /etc/nginx/conf.d/headers.conf;
include /etc/nginx/conf.d/hsts.conf;
include /etc/nginx/conf.d/ocsp.conf;
location / {
include /etc/nginx/conf.d/proxy.conf;
client_max_body_size 50M;
proxy_pass http://127.0.0.1:9000;
}
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:8443;
proxy_set_header Host $host;
}
}
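Review bot: This vhost declares `server_name beta.img.drycat.fr` on ports 80 and 443 exactly as the inline beta.img file earlier in this commit does; if both land under `sites-enabled/`, nginx logs a conflicting server name warning and ignores the second, so the effective configuration depends on load order. Keep one of the two. The 443-side ACME location proxies to `127.0.0.1:8443` while port 80 and the template use `:81`; if that is deliberate, add a comment above `proxy_pass http://127.0.0.1:8443;` explaining why the port differs.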

86
scripts/nginx_compile.sh Executable file

@ -0,0 +1,86 @@
#!/bin/sh
apt-get -y install build-essential zlib1g-dev libpcre3 libpcre3-dev libbz2-dev libssl-dev tar unzip
NGINX_VER=1.13.8
OPENSSL_VER=1.1.0g
NGINX_GPG="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 \
A09CD539B8BB8CBE96E82BDFABD4D3B3F5806B4D \
4C2C85E705DC730833990C38A9376139A524C53E \
65506C02EFC250F1B7A3D694ECF0E90B2C172083 \
B0F4253373F8F6F510D42178520A9993A1C052F8 \
7338973069ED3F443F4D37DFA64FD5B17ADB39A8"
echo "**** download package ****"
git clone https://github.com/openresty/headers-more-nginx-module --depth=1 /tmp/headers-more-nginx-module
git clone https://github.com/bagder/libbrotli --depth=1 /tmp/libbrotli
git clone https://github.com/google/ngx_brotli --depth=1 /tmp/ngx_brotli
wget -q http://nginx.org/download/nginx-${NGINX_VER}.tar.gz -O /tmp/nginx-${NGINX_VER}.tar.gz
wget -q http://nginx.org/download/nginx-${NGINX_VER}.tar.gz.asc -O /tmp/nginx-${NGINX_VER}.tar.gz.asc
wget -q https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz -O /tmp/openssl-${OPENSSL_VER}.tar.gz
git clone https://github.com/grahamedgecombe/nginx-ct --depth=1 /tmp/nginx-ct
echo "**** compile brotli ****"
cd /tmp/libbrotli
./autogen.sh
./configure
mkdir brotli/c/tools/.deps
touch brotli/c/tools/.deps/brotli-brotli.Po
make -j 1
make install
cd /tmp/ngx_brotli
git submodule update --init
echo "**** untar openssl ****"
cd /tmp
tar xzf openssl-${OPENSSL_VER}.tar.gz
echo "**** compile nginx ****"
cd /tmp
for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu;
do
echo "Fetching GPG key $NGINX_GPGKEY from $server";
gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys $NGINX_GPG && found=yes && break;
done
gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz
tar xzf nginx-${NGINX_VER}.tar.gz
cd /tmp/nginx-${NGINX_VER}
wget -q https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/nginx__dynamic_tls_records_1.13.0%2B.patch -O dynamic_records.patch
patch -p1 < dynamic_records.patch
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--http-log-path=/var/log/nginx/logs/nginx_access.log \
--error-log-path=/var/log/nginx/logs/nginx_error.log \
--pid-path=/run/nginx.pid \
--lock-path=/run/nginx.lock \
--user=www-data --group=www-data \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-threads \
--with-stream \
--with-stream_ssl_module \
--with-http_slice_module \
--with-mail \
--with-pcre-jit \
--with-mail_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--add-module=/tmp/headers-more-nginx-module \
--add-module=/tmp/nginx-ct \
--add-module=/tmp/ngx_brotli \
--with-cc-opt="-O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -Wno-deprecated-declarations" \
--with-openssl-opt='no-async enable-ec_nistp_64_gcc_128 no-shared no-ssl2 no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
--with-openssl=/tmp/openssl-${OPENSSL_VER}
make -j 1
make install
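Review bot: Nothing gates the build on the result of `gpg --batch --verify`: the script has no `set -e`, `found=yes` from the key loop is never tested, and `tar xzf nginx-${NGINX_VER}.tar.gz` runs whether or not verification succeeded. Add `set -eu` after the shebang and make the step explicit, `gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz || { echo "nginx signature check failed"; exit 1; }`; the loop's `echo` also reads `$NGINX_GPGKEY`, which is never set, where the variable is `NGINX_GPG`. The OpenSSL tarball, the three `--depth=1` clones of branch heads and the patch fetched from a `master` raw URL are used with no hash or tag pinning, so each run trusts those endpoints and is not reproducible; pin tags or commits and check the tarball against a recorded digest, e.g. `echo "<OPENSSL_SHA256_PLACEHOLDER>  openssl-${OPENSSL_VER}.tar.gz" | sha256sum -c`. The hunk header announces 86 lines and 80 are shown, so the script may continue past `make install`.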