Re: [vhffs] support HTTPS



Salut Laurent,

On Wed, Apr 06, 2016 at 03:57:18PM +0200, Laurent Stella wrote:
> Salut Sylvain ;
> 
> (oui je sais ca fait beaucoup d'emails, je fais pas mal d'infra en ce
> moment).
> j'ai quelques merdes avec certaines appli PHP qui ont parfois du mal à s'y
> retrouver entre HTTPS ou HTTP, port 80 ou 443 ... on a pourtant ajouté les
> en-tête côté nginx, utilisé le module RPAF sur apache mais c'est un peu la
> foire selon les cas.
> quelle solution vous avez utilisé chez tuxfamily ?

On utilise RPAF aussi. Rien de vraiment spécial sinon.


> si c'est la même, tu peux me copier des extraits de config stp ?

Ouaip, voilà :


-- nginx --

# cat /etc/nginx/sites-enabled/tuxfamily 
# Settings shared by every server block in this file and by the included
# /data/tls/conf/nginx-tls-proxy.conf. The hash size is raised because the
# include presumably declares one server_name per customer site -- many names.
server_names_hash_max_size 32768;
# 0 disables nginx's own request-body limit, so upload size is bounded only by
# whatever the Apache backend enforces; any size policy has to live there.
client_max_body_size 0;

# Plain-HTTP front end. ldirectord (IPVS section below) forwards the public
# :80 service to port 8080 on each real server with masquerading (L4 NAT), so
# $remote_addr here is the real client address -- no intermediate HTTP proxy.
server {
	listen 8080;
	listen [::]:8080 ipv6only=on;

	# ACME HTTP-01 challenges are answered by a dedicated host, not by the
	# customer web backend; this is the only path that leaves the machine.
	location /.well-known/acme-challenge/ {
		proxy_redirect off;
		proxy_set_header Host $host;
		# Set to $remote_addr rather than appended ($proxy_add_x_forwarded_for):
		# any X-Forwarded-For sent by the client is discarded, so the backend
		# (mod_rpaf) cannot be fed a spoofed source address through this hop.
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_pass http://192.168.1.30:80;
	}

	# Everything else goes to the local Apache on port 80.
	location / {
		proxy_redirect off;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $remote_addr;
		# No X-Forwarded-Proto / X-Forwarded-Port is passed: the backend can
		# only tell HTTP from HTTPS by which of its own ports (80 vs 443) the
		# request arrives on, which is what the two Apache VirtualHosts rely on.
		proxy_pass http://127.0.0.1:80;
	}
}

# TLS front end for the main tuxfamily.org certificate. Being the first server
# block declared for port 8081, it is also the default server for that port
# (what a client without SNI, or with an unknown name, is answered with).
# ldirectord forwards the public :443 service to 8081 on each real server.
server {
	listen 8081 ssl;
	# ipv6only=on is a socket-level option that may be given only once per
	# address:port; it cannot live in the shared snippet (nginx warns about a
	# duplicated option), so the snippet's listen lines are repeated here.
	listen [::]:8081 ssl ipv6only=on;

	# Session cache shared across workers (~10 MB); resumed sessions stay valid
	# for 10 minutes. Session tickets are left at nginx's default (on).
	ssl_session_cache      shared:SSL:10m;
	ssl_session_timeout    10m;

	# The linked article concludes BEAST is mitigated on the client side; the
	# practical effect of this directive is that the server's cipher order wins
	# over the client's, which is what makes the ordered list below meaningful.
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;
	# disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	# NOTE(review): TLSv1 and TLSv1.1 are still offered here; both have since been
	# deprecated (RFC 8996). Restricting to TLSv1.2 (and TLSv1.3 where the nginx
	# build supports it) is the current recommendation once client compatibility
	# allows it.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
	# NOTE(review): this is the 2016-era "intermediate" list; it still includes
	# 3DES (…-DES-CBC3-SHA) and CAMELLIA suites and non-forward-secret AES suites,
	# which the current Mozilla intermediate profile no longer offers. Regenerate
	# when the protocol list above is tightened.
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	# (the DHE-* suites above are only as strong as this group; a 1024-bit file
	# here would silently weaken them).
	ssl_dhparam /etc/ssl/private/dhparam.pem;

	# No ssl_stapling and no Strict-Transport-Security header are configured in
	# this block; both are worth considering for the public-facing side.

	# HTTP-01 validation is only served over plain HTTP (port-8080 server); over
	# TLS the path is refused so nothing behind this proxy can answer it.
	location /.well-known/acme-challenge/ {
		return 404;
	}

	# Re-encrypt to the local Apache :443 VirtualHost. nginx does not verify the
	# upstream certificate unless proxy_ssl_verify is enabled (default off) --
	# acceptable for a loopback hop with the backend's dummy certificate, but it
	# means this leg provides no authentication of the upstream.
	location / {
		proxy_redirect off;
		proxy_set_header Host $host;
		# $remote_addr, not appended: a client-supplied X-Forwarded-For is dropped.
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_pass https://127.0.0.1:443;
	}

	# Default certificate (full chain + key) presented for this server block.
	ssl_certificate /etc/ssl/certs/tuxfamily.org.fullchain;
	ssl_certificate_key /etc/ssl/private/tuxfamily.org.key;
}

# Per-site TLS server blocks (one server_name + certificate pair each), each of
# which pulls in snippets/ssl-proxy.conf; see the excerpt below. Because it is
# included after the server above, those blocks are selected by SNI and never
# become the port-8081 default.
include /data/tls/conf/nginx-tls-proxy.conf;


# cat /etc/nginx/snippets/ssl-proxy.conf 
# Shared body for every per-site TLS server block in nginx-tls-proxy.conf.
# It must not set ipv6only=on: that socket option may appear only once per
# address:port and is already set on the default 8081 server in the main file.
listen 8081 ssl;
listen [::]:8081 ssl;

# Same TLS parameters as the default server; keep the two in sync (any change
# to protocols/ciphers here must be mirrored there, and vice versa).
ssl_session_cache      shared:SSL:10m;
ssl_session_timeout    10m;

# The linked article concludes BEAST is mitigated on the client side; the
# practical effect of this directive is that the server's cipher order wins.
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); tighten to TLSv1.2
# (and TLSv1.3 if the build supports it) once client compatibility allows.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
# NOTE(review): 2016-era list -- still offers 3DES (…-DES-CBC3-SHA), CAMELLIA
# and non-forward-secret AES suites that current profiles have dropped.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam.pem;

# ACME HTTP-01 is only answered over plain HTTP (port-8080 server); refuse it
# here so no customer backend can answer a challenge over TLS.
location /.well-known/acme-challenge/ {
	return 404;
}

# Re-encrypt to the local Apache :443 VirtualHost. The upstream certificate is
# not verified (proxy_ssl_verify defaults to off); loopback only.
location / {
	proxy_redirect off;
	proxy_set_header Host $host;
	# $remote_addr, not appended: a client-supplied X-Forwarded-For is dropped,
	# so mod_rpaf on the backend only ever sees the address nginx observed.
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_pass https://127.0.0.1:443;
}


# head /data/tls/conf/nginx-tls-proxy.conf
# One generated server block per customer site: only the SNI name and the
# certificate paths differ, everything else comes from the shared snippet.
# The certificate directory name looks like a hashed key (see the Hash*
# directives in the Apache config) -- presumably derived from the site name;
# verify against the generator before relying on it.
server {
    server_name blog.libre.cc;

    ssl_certificate /data/tls/e/ba/1b96d9140085e476516eb93dee459/fullchain.pem;
    ssl_certificate_key /data/tls/e/ba/1b96d9140085e476516eb93dee459/privkey.pem;

    include snippets/ssl-proxy.conf;
}

# Second generated per-site block; same shape as the one above. The private
# key path is per-site, so key file permissions on /data/tls must keep each
# customer's key readable by nginx only (not by the customer accounts).
server {
    server_name blog.lolica.org;

    ssl_certificate /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/fullchain.pem;
    ssl_certificate_key /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/privkey.pem;

    include snippets/ssl-proxy.conf;
}


-- apache --

# cat /etc/apache2/sites-enabled/tuxfamily 
# Only "Apache" in the Server header and server-generated pages; no version.
ServerTokens Prod

# Hash* directives are not core Apache: they configure the hashed-document-root
# vhost module VHFFS uses (NOTE(review): confirm which module provides them).
# Read together they appear to map the requested hostname to an md5 hex digest
# split into 2-character path components (at most 6 levels) under DocumentRoot,
# serving from the "htdocs" sub-directory, with a leading "www" treated as an
# alias of the bare name -- presumably; verify against the module's docs.
HashType md5
HashEncoding hexa
HashSplit 2
HashLimit 6
HashDocumentRootSuffix htdocs
HashAddAliasPrefix www

#CoreDumpDirectory /tmp2

# Plain-HTTP backend VirtualHost. Only the local nginx (proxy_pass to 127.0.0.1:80)
# talks to it; the client address comes from X-Forwarded-For via mod_rpaf, which
# is safe only because nginx overwrites that header with $remote_addr.
<VirtualHost *:80>
	ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
	
	# Parent of every customer docroot; the Hash* module maps the hostname to a
	# sub-tree of it.
	DocumentRoot /data/web

	HashEnable On
	# Adds the "Apache Server at <host> Port <n>" footer to generated pages
	# (no version, thanks to ServerTokens Prod above).
	ServerSignature On

	DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml

	<Directory /data/web/>
		# NOTE(review): mixing "+"/"-" options with bare ones is documented as
		# invalid syntax and is rejected at startup by Apache 2.4; the all-relative
		# form "-ExecCGI +Indexes +SymLinksIfOwnerMatch +Includes +MultiViews"
		# is the portable spelling. Effects as written: CGI off, directory listings
		# on for docroots without an index, symlinks followed only when the target
		# is owned by the same user (prevents cross-customer symlink reads),
		# server-side includes on (plain Includes, not IncludesNOEXEC, so #exec
		# is permitted if mod_include is loaded), content negotiation on.
		Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
		# Deny-list for listings: the quota file, anything matching *passw*, and
		# .htaccess. Any other file in an index-less directory remains listable.
		IndexIgnore */.quota */.*passw* */.htaccess
		IndexOptions NameWidth=*
		# Customers control their own .htaccess (rewrites, auth, Options, ...).
		AllowOverride All
		# Apache 2.2 access syntax (needs mod_access_compat on 2.4).
		order allow,deny
		allow from all
	</Directory>

	#ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
	ErrorLog syslog:local3
	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	# %V = canonical ServerName, so one shared log can be split per site later.
	LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
	#CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
	# "||" runs the logger program directly, without a shell.
	CustomLog ||/usr/local/bin/syslogger vhffs

	#RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
	#RewriteLogLevel 9

	# Icons for autoindex listings; the alias is outside the customer tree and
	# is deliberately not overridable.
	Alias /icons/ "/usr/share/apache2/icons/"
	<Directory "/usr/share/apache2/icons">
	    Options Indexes MultiViews
	    AllowOverride None
	    Order allow,deny
	    Allow from all
	</Directory>
</VirtualHost>

# HTTPS backend VirtualHost. Public TLS is terminated by nginx, which re-encrypts
# to this port with no certificate verification; the "dummy" certificate below
# is therefore presumably never shown to a browser. PHP applications see a
# genuine HTTPS request (SSLEngine On) rather than a forwarded-proto hint,
# which is how this setup sidesteps the HTTP/HTTPS confusion discussed above.
# Apart from the SSL* lines this block duplicates the *:80 one; keep both in
# sync (an Include of the shared body would remove the drift risk).
<VirtualHost *:443>
	ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
	
	DocumentRoot /data/web

	HashEnable On
	ServerSignature On

	# Loopback-only certificate; the real per-site certificates live in nginx.
	SSLEngine On
	SSLCertificateFile /etc/ssl/public/dummy-web.crt
	SSLCertificateKeyFile /etc/ssl/private/dummy-web.key

	DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml

	<Directory /data/web/>
		# NOTE(review): mixed "+"/"-" and bare options are rejected at startup by
		# Apache 2.4; the portable form is
		# "-ExecCGI +Indexes +SymLinksIfOwnerMatch +Includes +MultiViews".
		# Directory listings are on (filtered only by IndexIgnore below), SSI is on
		# without NOEXEC, symlinks need matching ownership, CGI is off.
		Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
		IndexIgnore */.quota */.*passw* */.htaccess
		IndexOptions NameWidth=*
		AllowOverride All
		# Apache 2.2 access syntax (mod_access_compat on 2.4).
		order allow,deny
		allow from all
	</Directory>

	#ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
	ErrorLog syslog:local3
	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
	#CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
	# "||" runs the logger program directly, without a shell.
	CustomLog ||/usr/local/bin/syslogger vhffs

	#RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
	#RewriteLogLevel 9

	Alias /icons/ "/usr/share/apache2/icons/"
	<Directory "/usr/share/apache2/icons">
	    Options Indexes MultiViews
	    AllowOverride None
	    Order allow,deny
	    Allow from all
	</Directory>	
</VirtualHost>


-- IPVS --

# cat /etc/ldirectord.cf
# Global Directives
# A health check that takes longer than 20 s counts as failed; checks run
# every 3 s per real server.
checktimeout=20
checkinterval=3
# Re-read this file when it changes (no restart needed to add a real server).
autoreload=yes
logfile="/var/log/ldirectord.log"
#logfile="local0"
# A failed real server is removed from the IPVS table outright rather than
# kept at weight 0, so it receives no traffic at all until it passes again.
quiescent=no

# --- HTTP ---

# Public HTTP service. Reals are the four front-end boxes' nginx port-8080
# listeners; "masq" is LVS-NAT, so the reals see the real client address and
# nginx passes it on untouched in X-Forwarded-For. Equal weights (1000).
virtual=212.85.158.4:80
        real=192.168.1.70:8080 masq 1000
        real=192.168.1.71:8080 masq 1000
        real=192.168.1.72:8080 masq 1000
        real=192.168.1.73:8080 masq 1000
        service=http
        # Full-stack check: an HTTP request for /ldirectordcheck.php with this
        # Host header must return a body containing "ok", exercising
        # nginx -> Apache -> PHP rather than just the TCP listener.
        virtualhost=hack.tuxfamily.org
        request="/ldirectordcheck.php"
        receive="ok"
        # Weighted least-connection scheduling.
        scheduler=wlc
        protocol=tcp
        checktype=negotiate
        # Same client sticks to the same real server for 30 s.
        persistent=30

# IPv6 counterpart of the HTTP service, same reals and weights.
virtual6=[2a02:2178:1000:201::4]:80
        real6=[2a02:2178:1000:200::70]:8080 masq 1000
        real6=[2a02:2178:1000:200::71]:8080 masq 1000
        real6=[2a02:2178:1000:200::72]:8080 masq 1000
        real6=[2a02:2178:1000:200::73]:8080 masq 1000
        service=http
        scheduler=wlc
        protocol=tcp
        # ldirectord does not support http check in IPv6
        # NOTE(review): "connect" only verifies the TCP handshake, so a real
        # whose nginx is up but whose Apache/PHP is broken stays in the v6 pool
        # even though the v4 negotiate check would have removed it.
        checktype=connect
        persistent=30

# Public HTTPS service, forwarded to the nginx TLS listeners on port 8081
# (the default 8081 server in the nginx config answers the check's Host name
# unless a per-site block for it exists -- either way the check goes through
# TLS, nginx, Apache :443 and PHP).
virtual=212.85.158.4:443
        real=192.168.1.70:8081 masq 1000
        real=192.168.1.71:8081 masq 1000
        real=192.168.1.72:8081 masq 1000
        real=192.168.1.73:8081 masq 1000
        # service=https makes the negotiate check speak TLS to the real server;
        # whether the certificate is validated is not visible here.
        service=https
        virtualhost=hack.tuxfamily.org
        request="/ldirectordcheck.php"
        receive="ok"
        scheduler=wlc
        protocol=tcp
        checktype=negotiate
        persistent=30

# IPv6 counterpart of the HTTPS service, same reals and weights.
virtual6=[2a02:2178:1000:201::4]:443
        real6=[2a02:2178:1000:200::70]:8081 masq 1000
        real6=[2a02:2178:1000:200::71]:8081 masq 1000
        real6=[2a02:2178:1000:200::72]:8081 masq 1000
        real6=[2a02:2178:1000:200::73]:8081 masq 1000
        service=https
        scheduler=wlc
        protocol=tcp
        # ldirectord does not support https check in IPv6
        # NOTE(review): TCP-connect check only (see the v6 HTTP entry); an
        # application-level failure is not detected on the IPv6 path.
        checktype=connect
        persistent=30


Sylvain

Attachment: signature.asc
Description: Digital signature


