Remplacement de nginx par haproxy

2020-08-06 21:51:52 +02:00 · 2020-08-06 21:51:52 +02:00 · 0bc657893f
parent 4cd01f46cd
commit 0bc657893f
1 changed files with 100 additions and 64 deletions
--- a/README.md
+++ b/README.md
@ -25,15 +25,15 @@ rm /etc/update-motd.d/50-motd-news # Pour Ubuntu
 echo -n "
 echo \"
- ██ ▄█▀ ██▀███   ██░ ██  ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ███▄    █ 
+ ██ ▄█▀ ██▀███   ██░ ██  ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ███▄    █
- ██▄█▒ ▓██ ▒ ██▒▓██░ ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀  ██ ▀█   █ 
+ ██▄█▒ ▓██ ▒ ██▒▓██░ ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀  ██ ▀█   █
 ▓███▄░ ▓██ ░▄█ ▒▒██▀▀██░▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒███   ▓██  ▀█ ██▒
 ▓██ █▄ ▒██▀▀█▄  ░▓█ ░██ ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄ ▓██▒  ▐▌██▒
 ▒██▒ █▄░██▓ ▒██▒░▓█▒░██▓ ▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒▒██░   ▓██░
-▒ ▒▒ ▓▒░ ▒▓ ░▒▓░ ▒ ░░▒░▒ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒░   ▒ ▒ 
+▒ ▒▒ ▓▒░ ▒▓ ░▒▓░ ▒ ░░▒░▒ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒░   ▒ ▒
 ░ ░▒ ▒░  ░▒ ░ ▒░ ▒ ░▒░ ░  ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░ ░ ░  ░░ ░░   ░ ▒░
-░ ░░ ░   ░░   ░  ░  ░░ ░  ░   ▒   ░        ░ ░░ ░    ░      ░   ░ ░ 
+░ ░░ ░   ░░   ░  ░  ░░ ░  ░   ▒   ░        ░ ░░ ░    ░      ░   ░ ░
-░  ░      ░      ░  ░  ░      ░  ░░ ░      ░  ░      ░  ░         ░ 
+░  ░      ░      ░  ░  ░      ░  ░░ ░      ░  ░      ░  ░         ░
                                  ░                                 
 \"
 " >> /etc/update-motd.d/00-header
@ -57,7 +57,7 @@ systemctl restart ssh
 apt install zsh zsh-common zsh-syntax-highlighting zsh-doc zsh-autosuggestions
 # Garder les variables d'environnement
 echo "emulate sh -c 'source /etc/profile'" >> /etc/zsh/zprofile
-sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" # oui cette commande pique les yeux ^^ 
+sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" # oui cette commande pique les yeux ^^
 ```
 On choisit un beau de thème de shell (steeef par exemple !):
 ```
@ -122,7 +122,7 @@ table filter {
        # for LXD
        proto (udp tcp) dport domain ACCEPT;
        proto udp dport bootps ACCEPT;
-        
+
        # WEB
        proto tcp dport http ACCEPT;
        proto tcp dport https ACCEPT;
@ -289,70 +289,106 @@ Si tout s'est bien passé :
 certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini -d *.krhacken.org
 ```
 #### Mise en place des certificats pour HAProxy
 HAProxy a besoin d'un seul fichier pour le certificat wildcard, voici comment créer ce fichier.
 #### Fichiers de configuration Nginx
 Adapter `/etc/nginx/nginx.conf`
 ```
-ssl_protocols TLSv1.2 TLSv1.3; 
+cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
 ssl_session_timeout 10m;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off; # Requires nginx >= 1.5.9
 ssl_stapling on; # Requires nginx >= 1.3.7
 ssl_stapling_verify on; # Requires nginx => 1.3.7
 resolver 80.67.169.12 80.67.169.40 valid=300s;
 resolver_timeout 5s;
 ```
 On modifie le script de renouvellement utilisé par certbot pour inclure cette action
-vhost pour nextcloud : `/etc/nginx/sites-available/nextcloud`
+`/opt/certbot-renew.sh`
 ```
-server {
+#!/bin/bash
-	listen 80;
+/usr/bin/certbot renew
-	server_name cloud.krhacken.org;
+/bin/cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem
-	return 301 https://$server_name$request_uri;
+/bin/systemctl reload haproxy.service
 }
 server {
 	listen 443 ssl;
 	server_name cloud.krhacken.org;
 	location / {
 		proxy_pass http://IP_nextcloud_server;
 		include /etc/nginx/proxy_params;
 	}
 	# Upload settings
 	client_max_body_size 1G;
 	fastcgi_buffers 64 4K;
 	# C{ard,al}Dav tweaks
 	location = /.well-known/carddav {
 		rewrite ^(.*) https://$server_name/remote.php/dav permanent;
 	}
 	location = /.well-known/caldav {
 		rewrite ^(.*) https://$server_name/remote.php/dav permanent;
 	}
 	location = /.well-known/webfinger {
 		rewrite ^(.*) https://$server_name/public.php?service=webfinger permanent;
 	}
 	# TLS
 	ssl_certificate /etc/letsencrypt/live/krhacken.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/krhacken.org/privkey.pem;
 	# Logs
 	access_log /var/log/nginx/nextcloud.access.log;
 	error_log /var/log/nginx/nextcloud.error.log;
 	# STS
 	add_header Strict-Transport-Security "max-age=31536000;includeSubDomains" always;
 }
 ```
-Il possible qu'un bug survienne lors du redémarrage de Nginx, la solution est [ici](https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864).
+#### Fichiers de configuration HAProxy
 Adapter `/etc/haproxy/haproxy.conf`
 ```
 global
  log /dev/log local0
  log /dev/log local1 notice
  stats socket /run/haproxy/admin.sock
  stats timeout 30s
  user haproxy
  group haproxy
  daemon
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  nbproc 1
 defaults
  log global
  mode http
  option dontlognull
  timeout connect 5000
  timeout client 50000
  timeout server 50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http
 frontend unsecure-all
  bind :::80 accept-proxy v4v6
  mode http
  redirect scheme https code 301
  default_backend drop-http
 frontend secure-all
  bind :::443 v4v6 accept-proxy ssl no-sslv3 crt /etc/ssl/letsencrypt/krhacken.org.pem
  mode http
  option forwardfor
  option httplog
  acl www hdr_beg(host) -i www.
  reqirep ^Host:\ www.(.*)$ Host:\ \1 if www
  rspadd Strict-Transport-Security:\ max-age=63072000
  acl cloud hdr_end(host) cloud.krhacken.org
  acl git hdr_end(host) git.krhacken.org
  acl matrix hdr_end(host) matrix.krhacken.org
  use_backend cloud if cloud
  use_backend git if git
  use_backend matrix if matrix
  default_backend drop-http
 backend cloud
  mode http
  server cloud-1 10.0.0.51:80 check
 backend git
  mode http
  server git-1 10.0.0.202:80 check
 backend matrix
  mode http
  server matrix-1 10.0.0.66:80 check
 backend drop-http
  mode http
  http-request silent-drop
 ```
 Pour chaque nouveau service il faut ajouter :
 - Un ACL pour le domaine
 - Une instruction use_backend par ACL
 - Une backend
 ### Nextcloud (Syze)
 #### Pré-requis :
@ -393,7 +429,7 @@ server {
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
-    
+
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;