| Re: [vhffs] support HTTPS |
Salut Laurent,
On Wed, Apr 06, 2016 at 03:57:18PM +0200, Laurent Stella wrote:
> Salut Sylvain ;
>
> (oui je sais ca fait beaucoup d'emails, je fais pas mal d'infra en ce
> moment).
> j'ai quelques merdes avec certaines applis PHP qui ont parfois du mal à s'y
> retrouver entre HTTPS ou HTTP, port 80 ou 443 ... on a pourtant ajouté les
> en-têtes côté nginx, utilisé le module RPAF sur apache mais c'est un peu la
> foire selon les cas.
> quelle solution vous avez utilisée chez tuxfamily ?
On utilise RPAF aussi. Rien de vraiment spécial sinon.
> si c'est la même, tu peux me copier des extraits de config stp ?
Ouaip, voilà :
-- nginx --
# cat /etc/nginx/sites-enabled/tuxfamily
# Raised because every hosted site gets its own server_name entry (see the
# per-site blocks included at the end of this file).
server_names_hash_max_size 32768;
# NOTE(review): 0 removes nginx's request-body limit entirely, so any cap on
# upload size has to be enforced by the Apache/PHP backend instead.
client_max_body_size 0;
# Plain-HTTP front end. IPVS maps the public port 80 to 8080 on each node
# (see the ldirectord section of this mail).
server {
listen 8080;
listen [::]:8080 ipv6only=on;
# ACME HTTP-01 challenges are handed to a dedicated host instead of the
# web backend; the TLS server below answers 404 for the same path.
location /.well-known/acme-challenge/ {
# Location headers from the upstream pass through unchanged.
proxy_redirect off;
proxy_set_header Host $host;
# Overwrites (does not append to) any client-sent X-Forwarded-For, so the
# backend only ever sees the address nginx accepted the connection from.
# Keep it this way as long as the backend (RPAF) trusts this header.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://192.168.1.30:80;
}
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
# NOTE(review): only Host and X-Forwarded-For are forwarded. Nothing here
# tells the backend which scheme or port the client used; for this
# plain-HTTP path that matches what Apache's *:80 vhost sees anyway.
proxy_pass http://127.0.0.1:80;
}
}
# TLS front end for the default name (tuxfamily.org). IPVS maps the public
# port 443 to 8081 (see the ldirectord section of this mail). Per-site
# certificates come from the server blocks pulled in by the include at the
# end of this file; this block is the default server for 8081.
server {
listen 8081 ssl;
# We can't use ipv6only=on in snippets, it warns about duplicated
# option, duplicate the snippet here
listen [::]:8081 ssl ipv6only=on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
# NOTE(review): TLS 1.0 and 1.1 have since been deprecated (RFC 8996); on a
# current nginx/OpenSSL this should read `ssl_protocols TLSv1.2 TLSv1.3;`.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
# NOTE(review): the list still admits the 3DES suites (the *-DES-CBC3-SHA
# entries). OpenSSL's `!DES` keyword excludes single DES only; `!3DES` is
# what drops them. 64-bit block ciphers are the Sweet32 weakness class.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam.pem;
# Challenges are only served over plain HTTP (the 8080 server above).
location /.well-known/acme-challenge/ {
return 404;
}
location / {
# Location headers from the upstream pass through unchanged.
proxy_redirect off;
proxy_set_header Host $host;
# Overwrites (does not append to) any client-sent X-Forwarded-For, so the
# backend only ever sees the address nginx accepted the connection from.
proxy_set_header X-Forwarded-For $remote_addr;
# The upstream is itself TLS (Apache's *:443 vhost, SSLEngine On), so
# Apache sees the request as HTTPS on its own — presumably why PHP gets the
# scheme right here without any forwarded header. A plain-http upstream
# would instead need something like `proxy_set_header X-Forwarded-Proto
# $scheme;` and a backend that honours it. nginx does not verify the
# upstream certificate (proxy_ssl_verify is off by default), which is
# acceptable for a loopback hop presenting the dummy certificate shown in
# the apache section.
proxy_pass https://127.0.0.1:443;
}
# No Strict-Transport-Security header is set in this block; if HSTS is
# wanted it would be added here with add_header.
ssl_certificate /etc/ssl/certs/tuxfamily.org.fullchain;
ssl_certificate_key /etc/ssl/private/tuxfamily.org.key;
}
include /data/tls/conf/nginx-tls-proxy.conf;
# cat /etc/nginx/snippets/ssl-proxy.conf
# Shared TLS settings for the per-site server blocks in
# /data/tls/conf/nginx-tls-proxy.conf; each of those supplies only
# server_name and its own key pair, so protocol/cipher changes belong here.
listen 8081 ssl;
# No ipv6only=on here: it is set once in the default 8081 server of the
# main site file, and nginx warns when a snippet repeats it.
listen [::]:8081 ssl;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
# NOTE(review): TLS 1.0 and 1.1 have since been deprecated (RFC 8996); on a
# current nginx/OpenSSL this should read `ssl_protocols TLSv1.2 TLSv1.3;`.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
# NOTE(review): the list still admits the 3DES suites (the *-DES-CBC3-SHA
# entries); OpenSSL's `!DES` excludes single DES only, `!3DES` drops them.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam.pem;
# Challenges are only served over plain HTTP (the 8080 server in the main
# site file).
location /.well-known/acme-challenge/ {
return 404;
}
location / {
proxy_redirect off;
proxy_set_header Host $host;
# Overwrites (does not append to) any client-sent X-Forwarded-For.
proxy_set_header X-Forwarded-For $remote_addr;
# TLS hop to Apache's own *:443 vhost, which is what lets the backend see
# the request as HTTPS; the upstream certificate is not verified here
# (proxy_ssl_verify is off by default), acceptable on loopback.
proxy_pass https://127.0.0.1:443;
}
# head /data/tls/conf/nginx-tls-proxy.conf
# Per-site TLS virtual host: only the name and its own key pair live here;
# listen, protocols, ciphers and the proxy location come from the snippet,
# so TLS policy changes are made once in snippets/ssl-proxy.conf.
server {
server_name blog.libre.cc;
ssl_certificate /data/tls/e/ba/1b96d9140085e476516eb93dee459/fullchain.pem;
ssl_certificate_key /data/tls/e/ba/1b96d9140085e476516eb93dee459/privkey.pem;
include snippets/ssl-proxy.conf;
}
# Per-site TLS virtual host, same shape as the one above: name plus key
# pair here, everything else from snippets/ssl-proxy.conf.
server {
server_name blog.lolica.org;
ssl_certificate /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/fullchain.pem;
ssl_certificate_key /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/privkey.pem;
include snippets/ssl-proxy.conf;
}
-- apache --
# cat /etc/apache2/sites-enabled/tuxfamily
# Server header reduced to "Apache" (no version or OS details).
ServerTokens Prod
# Hash* directives parameterise the host-name-to-path mapping switched on by
# HashEnable in the vhosts below (VHFFS's hashed vhost module, presumably;
# semantics not reviewed here — check the module's documentation).
HashType md5
HashEncoding hexa
HashSplit 2
HashLimit 6
HashDocumentRootSuffix htdocs
HashAddAliasPrefix www
#CoreDumpDirectory /tmp2
# Plain-HTTP vhost; nginx forwards to 127.0.0.1:80 (see the nginx section).
# NOTE(review): this binds *:80, not 127.0.0.1:80. If the port is reachable
# other than through nginx, requests arrive without passing the front end
# and X-Forwarded-For is then client-controlled — the RPAF trusted-proxy
# list (not shown in this mail) should be limited to 127.0.0.1.
<VirtualHost *:80>
ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
DocumentRoot /data/web
# Host-name-to-path mapping (Hash* globals above).
HashEnable On
# NOTE(review): ServerSignature On appends a server-name/port footer to
# generated error and index pages; ServerTokens Prod trims the version
# from the Server header but does not remove this footer.
ServerSignature On
DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml
<Directory /data/web/>
# NOTE(review): `Includes` (rather than IncludesNOEXEC) lets SSI documents
# use `#exec`, and `Indexes` enables directory listings by default; with
# AllowOverride All below site owners can change either from .htaccess
# anyway. Apache's docs also flag mixing +/- options with bare option
# names on one Options line as invalid syntax (2.4 rejects it at startup)
# — verify against the Apache version actually deployed.
Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
# Only hides these names from auto-generated listings; it does not deny
# access to them.
IndexIgnore */.quota */.*passw* */.htaccess
IndexOptions NameWidth=*
AllowOverride All
# Apache 2.2-style access control (mod_access_compat on 2.4).
order allow,deny
allow from all
</Directory>
# Logs go to syslog (local3) and a piped logger rather than per-vhost
# files; the file-based variants are kept commented out.
#ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
ErrorLog syslog:local3
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
# %V (canonical server name) first so one combined stream can be split per
# site downstream.
LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
#CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
CustomLog ||/usr/local/bin/syslogger vhffs
#RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
#RewriteLogLevel 9
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
# Loopback TLS hop: nginx re-encrypts to https://127.0.0.1:443 (see the
# nginx section), so this vhost terminates TLS a second time with a dummy
# certificate that clients never see. SSLEngine On is what lets Apache (and
# hence PHP) see the request as HTTPS without any forwarded header.
# NOTE(review): it binds *:443, not 127.0.0.1:443, and sets no
# SSLProtocol/SSLCipherSuite, so mod_ssl defaults apply — fine as long as
# the port is only reached over loopback; the same RPAF trusted-proxy
# caveat as the *:80 vhost applies if it is reachable otherwise.
<VirtualHost *:443>
ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
DocumentRoot /data/web
# Host-name-to-path mapping (Hash* globals above).
HashEnable On
# NOTE(review): ServerSignature On appends a server-name/port footer to
# generated error and index pages despite ServerTokens Prod.
ServerSignature On
SSLEngine On
# Dummy key pair: the real per-site certificates are served by nginx.
SSLCertificateFile /etc/ssl/public/dummy-web.crt
SSLCertificateKeyFile /etc/ssl/private/dummy-web.key
DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml
<Directory /data/web/>
# NOTE(review): `Includes` (rather than IncludesNOEXEC) lets SSI documents
# use `#exec`, and `Indexes` enables directory listings by default; both
# are overridable from .htaccess given AllowOverride All. Mixing +/- and
# bare option names on one Options line is flagged as invalid syntax in
# Apache's docs (2.4 rejects it at startup) — verify on the deployed
# version.
Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
# Only hides these names from auto-generated listings; it does not deny
# access to them.
IndexIgnore */.quota */.*passw* */.htaccess
IndexOptions NameWidth=*
AllowOverride All
# Apache 2.2-style access control (mod_access_compat on 2.4).
order allow,deny
allow from all
</Directory>
# Logs go to syslog (local3) and a piped logger rather than per-vhost
# files; the file-based variants are kept commented out.
#ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
ErrorLog syslog:local3
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
#CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
CustomLog ||/usr/local/bin/syslogger vhffs
#RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
#RewriteLogLevel 9
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
-- IPVS --
# cat /etc/ldirectord.cf
# Global Directives
# NOTE(review): ldirectord.cf normally tells a virtual= line apart from the
# lines that belong to it by leading whitespace; that indentation appears to
# have been lost in this archived copy, so re-indent before reusing it.
# A single check may take up to 20 s to time out while checks run every 3 s,
# so a hung (as opposed to refusing) backend can take ~20 s to be pulled.
checktimeout=20
checkinterval=3
autoreload=yes
logfile="/var/log/ldirectord.log"
#logfile="local0"
# quiescent=no: a real server that fails its check is removed from the IPVS
# table rather than kept in it with weight 0.
quiescent=no
# --- HTTP ---
# Public IPv4 HTTP service, NAT-forwarded ("masq") to the nginx plain-HTTP
# listener (8080) on each node with equal weight.
virtual=212.85.158.4:80
real=192.168.1.70:8080 masq 1000
real=192.168.1.71:8080 masq 1000
real=192.168.1.72:8080 masq 1000
real=192.168.1.73:8080 masq 1000
service=http
# Application-level check: GET /ldirectordcheck.php with Host
# hack.tuxfamily.org must answer with a body containing "ok", so a node
# whose web stack is up but failing at the application level is removed
# from this pool.
virtualhost=hack.tuxfamily.org
request="/ldirectordcheck.php"
receive="ok"
scheduler=wlc
protocol=tcp
checktype=negotiate
# 30 s client persistence (IPVS persistence is source-address based).
persistent=30
# IPv6 counterpart of the HTTP service above, same four nodes and weights.
virtual6=[2a02:2178:1000:201::4]:80
real6=[2a02:2178:1000:200::70]:8080 masq 1000
real6=[2a02:2178:1000:200::71]:8080 masq 1000
real6=[2a02:2178:1000:200::72]:8080 masq 1000
real6=[2a02:2178:1000:200::73]:8080 masq 1000
service=http
scheduler=wlc
protocol=tcp
# ldirectord does not support http check in IPv6
# NOTE(review): with a TCP-connect check only, a node that fails the
# application-level check on the IPv4 service stays in this pool and keeps
# receiving IPv6 traffic until its listener actually goes away.
checktype=connect
persistent=30
# Public IPv4 HTTPS service, NAT-forwarded to the nginx TLS listener (8081)
# on each node; TLS is terminated by nginx, not by IPVS.
virtual=212.85.158.4:443
real=192.168.1.70:8081 masq 1000
real=192.168.1.71:8081 masq 1000
real=192.168.1.72:8081 masq 1000
real=192.168.1.73:8081 masq 1000
service=https
# Same application-level check as the HTTP service, over TLS this time
# (whether ldirectord validates the backend certificate is not visible
# here — confirm if that matters).
virtualhost=hack.tuxfamily.org
request="/ldirectordcheck.php"
receive="ok"
scheduler=wlc
protocol=tcp
checktype=negotiate
# 30 s client persistence (IPVS persistence is source-address based).
persistent=30
# IPv6 counterpart of the HTTPS service above, same four nodes and weights.
virtual6=[2a02:2178:1000:201::4]:443
real6=[2a02:2178:1000:200::70]:8081 masq 1000
real6=[2a02:2178:1000:200::71]:8081 masq 1000
real6=[2a02:2178:1000:200::72]:8081 masq 1000
real6=[2a02:2178:1000:200::73]:8081 masq 1000
service=https
scheduler=wlc
protocol=tcp
# ldirectord does not support https check in IPv6
# NOTE(review): TCP-connect check only, so a node failing the IPv4
# application-level check still serves IPv6 HTTPS until its listener is
# gone.
checktype=connect
persistent=30
Sylvain
Attachment:
signature.asc
Description: Digital signature