From a6376578475a144cc98533b144c23ca96265690f Mon Sep 17 00:00:00 2001 From: Yax <1949284+kianby@users.noreply.github.com> Date: Tue, 8 Feb 2022 19:41:17 +0100 Subject: [PATCH] local testing uses SSL (thanks to traefik.me) --- Makefile | 2 +- local-nginx.conf | 42 -------------------- nginx/dhparam.pem | 13 ++++++ nginx/nginx.conf | 92 +++++++++++++++++++++++++++++++++++++++++++ params-local.json | 4 +- poetry.lock | 24 +++++------ update_local_certs.sh | 9 +++++ 7 files changed, 129 insertions(+), 57 deletions(-) delete mode 100644 local-nginx.conf create mode 100644 nginx/dhparam.pem create mode 100644 nginx/nginx.conf create mode 100755 update_local_certs.sh diff --git a/Makefile b/Makefile index b6f9ea1..e86921e 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ serve: site_local cd _site && python -m SimpleHTTPServer 2> /dev/null || python3 -m http.server dock: site_local - docker run --name bloglocal -p 8000:8000 -v `pwd`/_site:/usr/share/nginx/html:ro -v `pwd`/local-nginx.conf:/etc/nginx/nginx.conf:ro nginx + docker run --name bloglocal -p 80:80 -p 443:443 -v `pwd`/_site:/usr/share/nginx/html:ro -v `pwd`/nginx/nginx.conf:/etc/nginx/nginx.conf:ro -v `pwd`/nginx/dhparam.pem:/etc/nginx/dhparam.pem:ro -v `pwd`/ssl:/etc/nginx/ssl:ro nginx undock: docker stop bloglocal diff --git a/local-nginx.conf b/local-nginx.conf deleted file mode 100644 index 89577e0..0000000 --- a/local-nginx.conf +++ /dev/null 
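Review bot: The rewritten `dock` target publishes the container on every host interface (`-p 80:80 -p 443:443`), so the local test site, and through the `/newcomment` and `/web` proxies in the new `nginx/nginx.conf` the comment backend behind it, is reachable from the whole LAN rather than only from this machine; the previous `-p 8000:8000` had the same property, but the move to the privileged ports makes it worth fixing now. Since the traefik.me host name presumably resolves to loopback (confirm), the publish specs can be pinned: `-p 127.0.0.1:80:80 -p 127.0.0.1:443:443`. The `nginx.conf`, `dhparam.pem` and `ssl/` mounts are correctly read-only.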
@@ -1,42 +0,0 @@
-user nginx;
-worker_processes 1;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
-
- sendfile off;
- send_timeout 20;
- keepalive_timeout 60;
-
- gzip on;
- gzip_static on;
- gzip_min_length 512;
- gzip_buffers 16 8k;
- gzip_http_version 1.1;
- gzip_vary on;
- gzip_comp_level 6;
- gzip_proxied any;
- gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
- gzip_disable "MSIE [1-6]\.(?!.*SV1)";
-
- server {
- listen 8000 default_server;
- listen [::]:8000 default_server;
- server_name _;
-
- root /usr/share/nginx/html;
- index index.html;
- add_header Cache-Control "no-cache";
-
- location /newcomment {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_pass http://172.17.0.1:8100/newcomment;
- }
- }
-}
diff --git a/nginx/dhparam.pem b/nginx/dhparam.pem
new file mode 100644
index 0000000..1a4ab16
--- /dev/null
+++ b/nginx/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEArZ2eraHASEwWg51GuvviujRhawl6Vp1f9YTdPFcMoxidRycgvDE/
+aI5CATYqetkos2M0pBJ01YN4bbLtYG98DkUzsRUouL0+65L3BB+ClEFL9CqGZhmk
+AivS7WajarSfVpGaCCxVMPviWdX8qfAncGasC34XNZLJAkmMjKhhj1OcFBgoxrfW
+AKmyBuTYthd1C/refwHrXjC2vM1l3ts/UJ5sKhyCD0PBxpLMiiRUrqsENMl8lUsW
+/qbzzq/kc5Tgo4DRTdsLEUk22YyYGpk1jjK1Yr4elHNUZbaqOZwOESsd1pm0KW93
+/QzTIvS18SLA346DkL8hKwPlQOQRR7HSofXKkMGyDU/wkxqgAivT46Y322GW+Aw9
+WKTGZ8njp/IhureOo7N19PPADFcF0sGap4aUzbu4cpRVucpLUIzYkk2iSTJTRtrO
+5QvY7/KBhtBO1a72VSN94mIfI2V+j4d3X+ISqhBB4ABP92FfE1v1ktU3bwEq9PqG
+M/jj8whO7Sp2V5zsk/7aCFj88QaSc5/rhIG2Y8ntPBoknr635ZpQ+b2lCxx8bcOs
+PxdFX2bHhrxdwhq29n1LacJPKwUceaA0Xd/Xm2xmLjGoZ4qduYnmIhUtg15vY0KC
+9jiaxlfaxhNkMcTPhXDUQtLit++NbBHESVFBmSG7R8gcIHwWTiJxxCsCAQI=
+-----END DH PARAMETERS-----
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..80167e6
--- /dev/null
+++ b/nginx/nginx.conf 
@@ -0,0 +1,92 @@
+user nginx;
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile off;
+ send_timeout 20;
+ keepalive_timeout 60;
+
+ gzip on;
+ gzip_static on;
+ gzip_min_length 512;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_vary on;
+ gzip_comp_level 6;
+ gzip_proxied any;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
+ gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+ server {
+ listen 80;
+ server_name blogduyax.traefik.me;
+
+ location / {
+ # enforce https
+ return 301 https://$server_name$request_uri;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+ server_name blogduyax.traefik.me;
+
+ # =========================================
+ # // SSL
+ # =========================================
+
+ # session settings
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_buffer_size 1400;
+
+ # Diffie-Hellman parameter for DHE cipher suites
+ ssl_dhparam /etc/nginx/dhparam.pem;
+
+ # ssl certs
+ ssl_certificate /etc/nginx/ssl/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+ # protocols
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+ # HSTS, remove # from the line below to enable HSTS
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # OCSP Stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # =========================================
+ # SSL //
+ # =========================================
+
+ root /usr/share/nginx/html;
+ index 
index.html; + add_header Cache-Control "no-cache"; + + location /newcomment { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://172.17.0.1:8100/newcomment; + } + + location /web { + proxy_pass http://172.17.0.1:8100/web; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + } +} diff --git a/params-local.json b/params-local.json index 5f0a4e6..c35ba48 100644 --- a/params-local.json +++ b/params-local.json @@ -2,7 +2,7 @@ "title": "Le blog du Yax", "subtitle": "GNU, Linux, BSD et autres libertés", "author": "Yax", - "site_url": "http://127.0.0.1:8000", - "stacosys_url": "http://127.0.0.1:8100", + "site_url": "https://blogduyax.traefik.me", + "stacosys_url": "http://127.0.0.1:8100/api", "external_check": "./check_git.sh" } diff --git a/poetry.lock b/poetry.lock index 2c6d0b0..23bc0db 100644 --- a/poetry.lock +++ b/poetry.lock @@ -8,7 +8,7 @@ python-versions = "*" [[package]] name = "charset-normalizer" -version = "2.0.9" +version = "2.0.11" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." category = "main" optional = false @@ -35,7 +35,7 @@ python-versions = "*" [[package]] name = "pygments" -version = "2.10.0" +version = "2.11.2" description = "Pygments is a syntax highlighting package written in Python." category = "main" optional = false @@ -43,7 +43,7 @@ python-versions = ">=3.5" [[package]] name = "requests" -version = "2.26.0" +version = "2.27.1" description = "Python HTTP for Humans." category = "main" optional = false @@ -61,7 +61,7 @@ use_chardet_on_py3 = ["chardet (>=3.0.2,<5)"] [[package]] name = "urllib3" -version = "1.26.7" +version = "1.26.8" description = "HTTP library with thread-safe connection pooling, file post, and more." category = "main" optional = false 
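Review bot: The `/newcomment` proxy block forwards only `Host` and `X-Forwarded-For`, while the new `/web` block also sends `X-Forwarded-Proto $scheme`, so the backend handling comment submissions cannot tell that the request arrived over HTTPS (e.g. when it builds redirect or link URLs); add `proxy_set_header X-Forwarded-Proto $scheme;` to `/newcomment` so both proxied locations agree. Separately, `ssl_stapling on` and `ssl_stapling_verify on` appear without a `resolver` directive and without an `ssl_trusted_certificate` pointing at the `chain.pem` that `update_local_certs.sh` downloads, so stapling will presumably be skipped with a warning at startup — confirm in the nginx error log, or drop the two lines for the local setup. Also, the `ssl_ciphers` list is ECDHE-only, so no DHE suite can ever be negotiated and `ssl_dhparam` is effectively unused; either keep it with a comment saying so or remove it together with the mounted `dhparam.pem`.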
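Review bot: `site_url` moves to `https://blogduyax.traefik.me` while `stacosys_url` stays a plain-http loopback origin, `http://127.0.0.1:8100/api`. If that value is embedded in the generated pages and fetched by the browser, an https page calling an http origin is blocked as mixed content; the `/newcomment` and `/web` proxies added in `nginx/nginx.conf` suggest the browser-facing path is meant to go through the https site instead. Confirm whether `stacosys_url` is consumed only at build time or also from the pages before merging.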
@@ -83,8 +83,8 @@ certifi = [ {file = "certifi-2021.10.8.tar.gz", hash = "sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872"}, ] charset-normalizer = [ - {file = "charset-normalizer-2.0.9.tar.gz", hash = "sha256:b0b883e8e874edfdece9c28f314e3dd5badf067342e42fb162203335ae61aa2c"}, - {file = "charset_normalizer-2.0.9-py3-none-any.whl", hash = "sha256:1eecaa09422db5be9e29d7fc65664e6c33bd06f9ced7838578ba40d58bdf3721"}, + {file = "charset-normalizer-2.0.11.tar.gz", hash = "sha256:98398a9d69ee80548c762ba991a4728bfc3836768ed226b3945908d1a688371c"}, + {file = "charset_normalizer-2.0.11-py3-none-any.whl", hash = "sha256:2842d8f5e82a1f6aa437380934d5e1cd4fcf2003b06fed6940769c164a480a45"}, ] idna = [ {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"}, 
@@ -95,14 +95,14 @@ mistune = [ {file = "mistune-0.8.4.tar.gz", hash = "sha256:59a3429db53c50b5c6bcc8a07f8848cb00d7dc8bdb431a4ab41920d201d4756e"}, ] pygments = [ - {file = "Pygments-2.10.0-py3-none-any.whl", hash = "sha256:b8e67fe6af78f492b3c4b3e2970c0624cbf08beb1e493b2c99b9fa1b67a20380"}, - {file = "Pygments-2.10.0.tar.gz", hash = "sha256:f398865f7eb6874156579fdf36bc840a03cab64d1cde9e93d68f46a425ec52c6"}, + {file = "Pygments-2.11.2-py3-none-any.whl", hash = "sha256:44238f1b60a76d78fc8ca0528ee429702aae011c265fe6a8dd8b63049ae41c65"}, + {file = "Pygments-2.11.2.tar.gz", hash = "sha256:4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a"}, ] requests = [ - {file = "requests-2.26.0-py2.py3-none-any.whl", hash = "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24"}, - {file = "requests-2.26.0.tar.gz", hash = "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"}, + {file = "requests-2.27.1-py2.py3-none-any.whl", hash = "sha256:f22fa1e554c9ddfd16e6e41ac79759e17be9e492b3587efa038054674760e72d"}, + {file = "requests-2.27.1.tar.gz", hash = "sha256:68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61"}, ] urllib3 = [ - {file = "urllib3-1.26.7-py2.py3-none-any.whl", hash = "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"}, - {file = "urllib3-1.26.7.tar.gz", hash = "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece"}, + {file = "urllib3-1.26.8-py2.py3-none-any.whl", hash = "sha256:000ca7f471a233c2251c6c7023ee85305721bfdf18621ebff4fd17a8653427ed"}, + {file = "urllib3-1.26.8.tar.gz", hash = "sha256:0e7c33d9a63e7ddfcb86780aac87befc2fbddf46c58dbb487e0855f7ceec283c"}, ] diff --git a/update_local_certs.sh b/update_local_certs.sh new file mode 100755 index 0000000..1854979 --- /dev/null +++ b/update_local_certs.sh 
@@ -0,0 +1,9 @@
+#!/bin/sh
+[ ! -d "ssl" ] && mkdir ssl
+cd ssl
+wget -N https://traefik.me/cert.pem
+wget -N https://traefik.me/chain.pem
+wget -N https://traefik.me/fullchain.pem
+wget -N https://traefik.me/privkey.pem
+cd -
+
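Review bot: `cd ssl` is not checked, so if the directory cannot be created or entered the four `wget -N` calls drop `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem` into the current directory instead; replace the first two commands with `mkdir -p ssl && cd ssl || exit 1`, or add `set -eu` after the shebang (the trailing `cd -` is then unnecessary, since the script ends anyway). A header comment should also record what these files are, e.g. `# Fetch the shared *.traefik.me dev certificate and key; the key is publicly downloadable, so this gives transport encryption for local testing only, not identity assurance.` Make sure `ssl/` is excluded from version control — no .gitignore change is visible in this patch.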