Re: [vhffs] support HTTPS
Salut Laurent,

On Wed, Apr 06, 2016 at 03:57:18PM +0200, Laurent Stella wrote:
> Salut Sylvain ;
>
> (oui je sais ça fait beaucoup d'emails, je fais pas mal d'infra en ce
> moment).
> j'ai quelques merdes avec certaines appli PHP qui ont parfois du mal à s'y
> retrouver entre HTTPS ou HTTP, port 80 ou 443 ... on a pourtant ajouté les
> en-têtes côté nginx, utilisé le module RPAF sur apache mais c'est un peu la
> foire selon les cas.
> quelle solution vous avez utilisée chez tuxfamily ?

On utilise RPAF aussi. Rien de vraiment spécial sinon.

> si c'est la même, tu peux me copier des extraits de config stp ?

Ouaip, voilà :

-- nginx --

# cat /etc/nginx/sites-enabled/tuxfamily
server_names_hash_max_size 32768;
client_max_body_size 0;

server {
    listen 8080;
    listen [::]:8080 ipv6only=on;

    location /.well-known/acme-challenge/ {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://192.168.1.30:80;
    }

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:80;
    }
}

server {
    listen 8081 ssl;
    # We can't use ipv6only=on in snippets, it warns about duplicated
    # option, duplicate the snippet here
    listen [::]:8081 ssl ipv6only=on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # enables server-side protection from BEAST attacks
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;

    # disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_ciphers
    'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    location /.well-known/acme-challenge/ {
        return 404;
    }

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass https://127.0.0.1:443;
    }

    ssl_certificate /etc/ssl/certs/tuxfamily.org.fullchain;
    ssl_certificate_key /etc/ssl/private/tuxfamily.org.key;
}

include /data/tls/conf/nginx-tls-proxy.conf;

# cat /etc/nginx/snippets/ssl-proxy.conf
listen 8081 ssl;
listen [::]:8081 ssl;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;

# disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam.pem;

location /.well-known/acme-challenge/ {
    return 404;
}

location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass https://127.0.0.1:443;
}

# head /data/tls/conf/nginx-tls-proxy.conf
server {
    server_name blog.libre.cc;
    ssl_certificate /data/tls/e/ba/1b96d9140085e476516eb93dee459/fullchain.pem;
    ssl_certificate_key /data/tls/e/ba/1b96d9140085e476516eb93dee459/privkey.pem;
    include snippets/ssl-proxy.conf;
}

server {
    server_name blog.lolica.org;
    ssl_certificate /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/fullchain.pem;
    ssl_certificate_key /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/privkey.pem;
    include snippets/ssl-proxy.conf;
}

-- apache --

# cat /etc/apache2/sites-enabled/tuxfamily
ServerTokens Prod

HashType md5
HashEncoding hexa
HashSplit 2
HashLimit 6
HashDocumentRootSuffix htdocs
HashAddAliasPrefix www

#CoreDumpDirectory /tmp2

<VirtualHost *:80>
    ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
    DocumentRoot /data/web
    HashEnable On
    ServerSignature On

    DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml

    <Directory /data/web/>
        Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
        IndexIgnore */.quota */.*passw* */.htaccess
        IndexOptions NameWidth=*
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    #ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
    ErrorLog syslog:local3

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
    #CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
    CustomLog ||/usr/local/bin/syslogger vhffs

    #RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
    #RewriteLogLevel 9

    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
    DocumentRoot /data/web
    HashEnable On
    ServerSignature On

    SSLEngine On
    SSLCertificateFile /etc/ssl/public/dummy-web.crt
    SSLCertificateKeyFile /etc/ssl/private/dummy-web.key

    DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml

    <Directory /data/web/>
        Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
        IndexIgnore */.quota */.*passw* */.htaccess
        IndexOptions NameWidth=*
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    #ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
    ErrorLog syslog:local3

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
    #CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
    CustomLog ||/usr/local/bin/syslogger vhffs

    #RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
    #RewriteLogLevel 9

    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

-- IPVS --

# cat /etc/ldirectord.cf
# Global Directives
checktimeout=20
checkinterval=3
autoreload=yes
logfile="/var/log/ldirectord.log"
#logfile="local0"
quiescent=no

# --- HTTP ---
virtual=212.85.158.4:80
        real=192.168.1.70:8080 masq 1000
        real=192.168.1.71:8080 masq 1000
        real=192.168.1.72:8080 masq 1000
        real=192.168.1.73:8080 masq 1000
        service=http
        virtualhost=hack.tuxfamily.org
        request="/ldirectordcheck.php"
        receive="ok"
        scheduler=wlc
        protocol=tcp
        checktype=negotiate
        persistent=30

virtual6=[2a02:2178:1000:201::4]:80
        real6=[2a02:2178:1000:200::70]:8080 masq 1000
        real6=[2a02:2178:1000:200::71]:8080 masq 1000
        real6=[2a02:2178:1000:200::72]:8080 masq 1000
        real6=[2a02:2178:1000:200::73]:8080 masq 1000
        service=http
        scheduler=wlc
        protocol=tcp
        # ldirectord does not support http check in IPv6
        checktype=connect
        persistent=30

virtual=212.85.158.4:443
        real=192.168.1.70:8081 masq 1000
        real=192.168.1.71:8081 masq 1000
        real=192.168.1.72:8081 masq 1000
        real=192.168.1.73:8081 masq 1000
        service=https
        virtualhost=hack.tuxfamily.org
        request="/ldirectordcheck.php"
        receive="ok"
        scheduler=wlc
        protocol=tcp
        checktype=negotiate
        persistent=30

virtual6=[2a02:2178:1000:201::4]:443
        real6=[2a02:2178:1000:200::70]:8081 masq 1000
        real6=[2a02:2178:1000:200::71]:8081 masq 1000
        real6=[2a02:2178:1000:200::72]:8081 masq 1000
        real6=[2a02:2178:1000:200::73]:8081 masq 1000
        service=https
        scheduler=wlc
        protocol=tcp
        # ldirectord does not support https check in IPv6
        checktype=connect
        persistent=30

Sylvain