02/02: nginx: hydra.gnu.org: Add TLS server.
From: |
Ludovic Courtès |
Subject: |
02/02: nginx: hydra.gnu.org: Add TLS server. |
Date: |
Tue, 15 Mar 2016 21:01:34 +0000 |
civodul pushed a commit to branch master
in repository maintenance.
commit 3cbcf1bec4aa0039d003186eb58acd4b8079b3a0
Author: Ludovic Courtès <address@hidden>
Date: Tue Mar 15 22:00:29 2016 +0100
nginx: hydra.gnu.org: Add TLS server.
---
hydra/nginx/hydra.gnu.org-locations.conf | 75 +++++++++++++++++++
hydra/nginx/hydra.gnu.org.conf | 115 ++++++------------------------
2 files changed, 97 insertions(+), 93 deletions(-)
diff --git a/hydra/nginx/hydra.gnu.org-locations.conf
b/hydra/nginx/hydra.gnu.org-locations.conf
new file mode 100644
index 0000000..9cf10c3
--- /dev/null
+++ b/hydra/nginx/hydra.gnu.org-locations.conf
@@ -0,0 +1,75 @@
+# Configuration of the various locations at hydra.gnu.org.
+# This file is meant to be included in the main configuration file.
+
+location / {
+ proxy_pass http://127.0.0.1:3000;
+}
+
+location /api {
+ # For the sake of the JS code at http://gnu.org/s/guix/packages.
+ add_header 'Access-Control-Allow-Origin' 'http://www.gnu.org';
+ proxy_pass http://127.0.0.1:3000;
+}
+
+location /nar/ {
+ proxy_pass http://127.0.0.1:3000;
+
+ client_body_buffer_size 256k;
+
+ # Enable caching for nar files, to avoid reconstructing and recompressing
+ # archives.
+ proxy_cache nar;
+ proxy_cache_valid 200 72h; # cache hits for 3 days.
+ proxy_cache_valid any 1m; # cache misses/others for 1 min.
+
+ proxy_ignore_client_abort on;
+
+ # Disable chunked encoding to avoid enormous chunks.
+ #chunked_transfer_encoding off;
+
+ # Nars are already compressed.
+ gzip off;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+
+ # Provide a 'content-length' header so that 'guix substitute-binary'
+ # knows upfront how much it is downloading.
+ #add_header Content-Length $body_bytes_sent;
+}
+
+location ~ /(nix-cache-info|static|logo|favicon\.ico) {
+ proxy_pass http://127.0.0.1:3000;
+
+ # Cache this file since that's always the first thing we ask for.
+ proxy_cache static;
+ proxy_cache_valid 200 100h; # cache hits for a looong time.
+ proxy_cache_valid any 5m; # cache misses/others for 5 min.
+ proxy_ignore_client_abort on;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+}
+
+location ~ \.narinfo$ {
+ proxy_pass http://127.0.0.1:3000;
+
+ # For HTTP pipelining. This has a dramatic impact on performance.
+ client_body_buffer_size 128k;
+
+ # Enable caching for narinfo files, to avoid recomputing nar signatures.
+ proxy_cache narinfo;
+ proxy_cache_valid 200 18h; # cache hits for 18 hours.
+ proxy_cache_valid any 1m; # cache misses/others for 1 min.
+
+ proxy_ignore_client_abort on;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+}
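Review bot: The `Access-Control-Allow-Origin` value `http://www.gnu.org` in the `/api` location is scheme-specific, and this file is now also included from a `listen 443 ssl` server: browsers compare that header against the requesting page's full origin, so a packages page loaded from `https://www.gnu.org` would have its requests to this API refused while an `http://` page keeps working. Since the header admits a single static origin, supporting both schemes needs an origin-dependent value, e.g. a `map $http_origin $cors_origin` in the `http` context that yields the matching `http://www.gnu.org` or `https://www.gnu.org` and then `add_header 'Access-Control-Allow-Origin' $cors_origin;` plus `add_header Vary Origin;`; whether the gnu.org page is served over HTTPS is not visible here, so this may be premature. A short comment on the line, `# Scheme must match the origin of the calling page exactly.`, would at least record the constraint for whoever moves that page to HTTPS.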
diff --git a/hydra/nginx/hydra.gnu.org.conf b/hydra/nginx/hydra.gnu.org.conf
index 7b0e835..6d7fdaa 100644
--- a/hydra/nginx/hydra.gnu.org.conf
+++ b/hydra/nginx/hydra.gnu.org.conf
@@ -73,106 +73,35 @@ http {
break;
}
- location / {
- proxy_pass http://127.0.0.1:3000;
- }
-
- location /api {
- # For the sake of the JS code at http://gnu.org/s/guix/packages.
- add_header 'Access-Control-Allow-Origin' 'http://www.gnu.org';
- proxy_pass http://127.0.0.1:3000;
- }
-
- location /nar/ {
- proxy_pass http://127.0.0.1:3000;
-
- client_body_buffer_size 256k;
-
- # Enable caching for nar files, to avoid reconstructing and
recompressing
- # archives.
- proxy_cache nar;
- proxy_cache_valid 200 72h; # cache hits for 3 days.
- proxy_cache_valid any 1m; # cache misses/others for 1 min.
-
- proxy_ignore_client_abort on;
-
- # Disable chunked encoding to avoid enormous chunks.
- #chunked_transfer_encoding off;
-
- # Nars are already compressed.
- gzip off;
-
- # We need to hide and ignore the Set-Cookie header
- # to enable caching.
- proxy_hide_header Set-Cookie;
- proxy_ignore_headers Set-Cookie;
-
- # Provide a 'content-length' header so that 'guix substitute-binary'
- # knows upfront how much it is downloading.
- #add_header Content-Length $body_bytes_sent;
- }
+ include hydra.gnu.org-locations.conf;
+ }
- location ~ /(nix-cache-info|static|logo|favicon\.ico) {
- proxy_pass http://127.0.0.1:3000;
+ # HTTPS server.
+ server {
+ listen 443 ssl;
+ server_name hydra.gnu.org;
- # Cache this file since that's always the first thing we ask for.
- proxy_cache static;
- proxy_cache_valid 200 100h; # cache hits for a looong time.
- proxy_cache_valid any 5m; # cache misses/others for 5 min.
- proxy_ignore_client_abort on;
+ ssl_certificate /etc/letsencrypt/live/hydra.gnu.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/hydra.gnu.org/privkey.pem;
- # We need to hide and ignore the Set-Cookie header
- # to enable caching.
- proxy_hide_header Set-Cookie;
- proxy_ignore_headers Set-Cookie;
- }
+ # Make sure SSL is disabled.
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- location ~ \.narinfo$ {
- proxy_pass http://127.0.0.1:3000;
+ # Disable weak cipher suites.
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
- # For HTTP pipelining. This has a dramatic impact on performance.
- client_body_buffer_size 128k;
+ # Use our own DH parameters created with:
+ # openssl dhparam -out dhparams.pem 2048
+ # as suggested at <https://weakdh.org/sysadmin.html>.
+ ssl_dhparam /etc/dhparams.pem;
- # Enable caching for narinfo files, to avoid recomputing nar
signatures.
- proxy_cache narinfo;
- proxy_cache_valid 200 18h; # cache hits for 18 hours.
- proxy_cache_valid any 1m; # cache misses/others for 1 min.
+ access_log /var/log/nginx/hydra.https.access.log;
- proxy_ignore_client_abort on;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # We need to hide and ignore the Set-Cookie header
- # to enable caching.
- proxy_hide_header Set-Cookie;
- proxy_ignore_headers Set-Cookie;
- }
+ include hydra.gnu.org-locations.conf;
}
-
- # TODO: HTTPS server
- #
- # We need to generate a certificate and investigate
- # proper settings for ssl_protocols and ssl_ciphers.
- #
- #server {
- # listen 443;
- # server_name hydra.gnu.org;
- #
- # ssl_certificate cert.pem;
- # ssl_certificate_key cert.key;
- #
- # ssl_session_cache shared:SSL:1m;
- # ssl_session_timeout 5m;
- #
- # ssl_ciphers HIGH:!aNULL:!MD5;
- # ssl_prefer_server_ciphers on;
- #
- # access_log /var/log/nginx/hydra.access.log;
- #
- # proxy_set_header X-Forwarded-Host $host;
- # proxy_set_header X-Forwarded-Port $server_port;
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- #
- # location / {
- # proxy_pass http://127.0.0.1:3000;
- # }
- #}
}
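Review bot: The comment `# Make sure SSL is disabled.` above `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` reads as if TLS itself were being turned off; the directive is restricting the offered versions so that SSLv2/SSLv3 are excluded, so `# Offer only TLS; SSLv2 and SSLv3 are excluded.` says what is meant. The cipher string `HIGH:!aNULL:!MD5` still admits non-forward-secret RSA key exchange and, depending on the OpenSSL build, 3DES-CBC; if the intended clients allow it, a list that prefers ECDHE and drops 3DES, e.g. `ssl_ciphers ECDHE:HIGH:!aNULL:!MD5:!3DES;` (check the expansion with `openssl ciphers -v`), would make `ssl_prefer_server_ciphers on` more meaningful. The `ssl_session_cache` and `ssl_session_timeout` lines from the removed TODO template were not carried into the new `server` block, so resumption relies on nginx defaults unless that is deliberate. The backend is also given no `X-Forwarded-Proto`, so unless it derives the scheme from `X-Forwarded-Port` it cannot distinguish HTTPS from HTTP requests when building absolute URLs.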