krhacken
/
docu-vps
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remplacement de nginx par haproxy

master
Pierre Coimbra 2020-08-06 21:51:52 +02:00
parent 4cd01f46cd
commit 0bc657893f
No known key found for this signature in database
GPG Key ID: F9C449C78F6FAEE6
1 changed files with 100 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

148
README.md
View File

@ -289,70 +289,106 @@ Si tout s'est bien passé :
certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini -d *.krhacken.org certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini -d *.krhacken.org
``` ```
#### Mise en place des certificats pour HAProxy
HAProxy a besoin d'un seul fichier pour le certificat wildcard, voici comment créer ce fichier.
#### Fichiers de configuration Nginx
Adapter `/etc/nginx/nginx.conf`
``` ```
ssl_protocols TLSv1.2 TLSv1.3; cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 80.67.169.12 80.67.169.40 valid=300s;
resolver_timeout 5s;
``` ```
On modifie le script de renouvellement utilisé par certbot pour inclure cette action
vhost pour nextcloud : `/etc/nginx/sites-available/nextcloud` `/opt/certbot-renew.sh`
``` ```
server { #!/bin/bash
listen 80; /usr/bin/certbot renew
server_name cloud.krhacken.org; /bin/cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem
return 301 https://$server_name$request_uri; /bin/systemctl reload haproxy.service
}
server {
listen 443 ssl;
server_name cloud.krhacken.org;
location / {
proxy_pass http://IP_nextcloud_server;
include /etc/nginx/proxy_params;
}
# Upload settings
client_max_body_size 1G;
fastcgi_buffers 64 4K;
# C{ard,al}Dav tweaks
location = /.well-known/carddav {
rewrite ^(.*) https://$server_name/remote.php/dav permanent;
}
location = /.well-known/caldav {
rewrite ^(.*) https://$server_name/remote.php/dav permanent;
}
location = /.well-known/webfinger {
rewrite ^(.*) https://$server_name/public.php?service=webfinger permanent;
}
# TLS
ssl_certificate /etc/letsencrypt/live/krhacken.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/krhacken.org/privkey.pem;
# Logs
access_log /var/log/nginx/nextcloud.access.log;
error_log /var/log/nginx/nextcloud.error.log;
# STS
add_header Strict-Transport-Security "max-age=31536000;includeSubDomains" always;
}
``` ```
Il possible qu'un bug survienne lors du redémarrage de Nginx, la solution est [ici](https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864). #### Fichiers de configuration HAProxy
Adapter `/etc/haproxy/haproxy.conf`
```
global
log /dev/log local0
log /dev/log local1 notice
stats socket /run/haproxy/admin.sock
stats timeout 30s
user haproxy
group haproxy
daemon
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
nbproc 1
defaults
log global
mode http
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend unsecure-all
bind :::80 accept-proxy v4v6
mode http
redirect scheme https code 301
default_backend drop-http
frontend secure-all
bind :::443 v4v6 accept-proxy ssl no-sslv3 crt /etc/ssl/letsencrypt/krhacken.org.pem
mode http
option forwardfor
option httplog
acl www hdr_beg(host) -i www.
reqirep ^Host:\ www.(.*)$ Host:\ \1 if www
rspadd Strict-Transport-Security:\ max-age=63072000
acl cloud hdr_end(host) cloud.krhacken.org
acl git hdr_end(host) git.krhacken.org
acl matrix hdr_end(host) matrix.krhacken.org
use_backend cloud if cloud
use_backend git if git
use_backend matrix if matrix
default_backend drop-http
backend cloud
mode http
server cloud-1 10.0.0.51:80 check
backend git
mode http
server git-1 10.0.0.202:80 check
backend matrix
mode http
server matrix-1 10.0.0.66:80 check
backend drop-http
mode http
http-request silent-drop
```
Pour chaque nouveau service il faut ajouter :
- Un ACL pour le domaine
- Une instruction use_backend par ACL
- Une backend
### Nextcloud (Syze) ### Nextcloud (Syze)
#### Pré-requis : #### Pré-requis :