
02/02: nginx: hydra.gnu.org: Add TLS server.


From: Ludovic Courtès
Subject: 02/02: nginx: hydra.gnu.org: Add TLS server.
Date: Tue, 15 Mar 2016 21:01:34 +0000

civodul pushed a commit to branch master
in repository maintenance.

commit 3cbcf1bec4aa0039d003186eb58acd4b8079b3a0
Author: Ludovic Courtès <address@hidden>
Date:   Tue Mar 15 22:00:29 2016 +0100

    nginx: hydra.gnu.org: Add TLS server.
---
 hydra/nginx/hydra.gnu.org-locations.conf |   75 +++++++++++++++++++
 hydra/nginx/hydra.gnu.org.conf           |  115 ++++++------------------------
 2 files changed, 97 insertions(+), 93 deletions(-)

diff --git a/hydra/nginx/hydra.gnu.org-locations.conf 
b/hydra/nginx/hydra.gnu.org-locations.conf
new file mode 100644
index 0000000..9cf10c3
--- /dev/null
+++ b/hydra/nginx/hydra.gnu.org-locations.conf
@@ -0,0 +1,75 @@
+# Configuration of the various locations at hydra.gnu.org.
+# This file is meant to be included in the main configuration file.
+
+location / {
+    proxy_pass http://127.0.0.1:3000;
+}
+
+location /api {
+    # For the sake of the JS code at http://gnu.org/s/guix/packages.
+    add_header 'Access-Control-Allow-Origin' 'http://www.gnu.org';
+    proxy_pass http://127.0.0.1:3000;
+}
+
+location /nar/ {
+    proxy_pass http://127.0.0.1:3000;
+
+    client_body_buffer_size 256k;
+
+    # Enable caching for nar files, to avoid reconstructing and recompressing
+    # archives.
+    proxy_cache nar;
+    proxy_cache_valid 200 72h;  # cache hits for 3 days.
+    proxy_cache_valid any 1m;   # cache misses/others for 1 min.
+
+    proxy_ignore_client_abort on;
+
+    # Disable chunked encoding to avoid enormous chunks.
+    #chunked_transfer_encoding off;
+
+    # Nars are already compressed.
+    gzip off;
+
+    # We need to hide and ignore the Set-Cookie header
+    # to enable caching.
+    proxy_hide_header    Set-Cookie;
+    proxy_ignore_headers Set-Cookie;
+
+    # Provide a 'content-length' header so that 'guix substitute-binary'
+    # knows upfront how much it is downloading.
+    #add_header Content-Length $body_bytes_sent;
+}
+
+location ~ /(nix-cache-info|static|logo|favicon\.ico) {
+    proxy_pass http://127.0.0.1:3000;
+
+    # Cache this file since that's always the first thing we ask for.
+    proxy_cache static;
+    proxy_cache_valid 200 100h;  # cache hits for a looong time.
+    proxy_cache_valid any 5m;    # cache misses/others for 5 min.
+    proxy_ignore_client_abort on;
+
+    # We need to hide and ignore the Set-Cookie header
+    # to enable caching.
+    proxy_hide_header    Set-Cookie;
+    proxy_ignore_headers Set-Cookie;
+}
+
+location ~ \.narinfo$ {
+    proxy_pass http://127.0.0.1:3000;
+
+    # For HTTP pipelining.  This has a dramatic impact on performance.
+    client_body_buffer_size 128k;
+
+    # Enable caching for narinfo files, to avoid recomputing nar signatures.
+    proxy_cache narinfo;
+    proxy_cache_valid 200 18h;  # cache hits for 18 hours.
+    proxy_cache_valid any 1m;   # cache misses/others for 1 min.
+
+    proxy_ignore_client_abort on;
+
+    # We need to hide and ignore the Set-Cookie header
+    # to enable caching.
+    proxy_hide_header    Set-Cookie;
+    proxy_ignore_headers Set-Cookie;
+}
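Review bot: The `/api` location hard-codes `add_header 'Access-Control-Allow-Origin' 'http://www.gnu.org';`, and since this file is now included by both the plain-HTTP and the new HTTPS `server` blocks, a browser loading the packages page over `https://www.gnu.org` would send that origin and the header would not match it (browsers compare scheme as well as host). If the gnu.org page is, or may become, HTTPS-only, the allowed origin should be reviewed accordingly, e.g. `add_header 'Access-Control-Allow-Origin' 'https://www.gnu.org';`, or both origins handled via a `map`. The header comment `# This file is meant to be included in the main configuration file.` could also say it is included once per `server` block, so readers know a change here affects both listeners.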
diff --git a/hydra/nginx/hydra.gnu.org.conf b/hydra/nginx/hydra.gnu.org.conf
index 7b0e835..6d7fdaa 100644
--- a/hydra/nginx/hydra.gnu.org.conf
+++ b/hydra/nginx/hydra.gnu.org.conf
@@ -73,106 +73,35 @@ http {
           break;
        }
 
-       location / {
-           proxy_pass http://127.0.0.1:3000;
-       }
-
-       location /api {
-           # For the sake of the JS code at http://gnu.org/s/guix/packages.
-           add_header 'Access-Control-Allow-Origin' 'http://www.gnu.org';
-           proxy_pass http://127.0.0.1:3000;
-       }
-
-       location /nar/ {
-           proxy_pass http://127.0.0.1:3000;
-
-           client_body_buffer_size 256k;
-
-           # Enable caching for nar files, to avoid reconstructing and 
recompressing
-           # archives.
-           proxy_cache nar;
-           proxy_cache_valid 200 72h;  # cache hits for 3 days.
-           proxy_cache_valid any 1m;   # cache misses/others for 1 min.
-
-           proxy_ignore_client_abort on;
-
-           # Disable chunked encoding to avoid enormous chunks.
-           #chunked_transfer_encoding off;
-
-           # Nars are already compressed.
-           gzip off;
-
-           # We need to hide and ignore the Set-Cookie header
-           # to enable caching.
-           proxy_hide_header    Set-Cookie;
-           proxy_ignore_headers Set-Cookie;
-
-           # Provide a 'content-length' header so that 'guix substitute-binary'
-           # knows upfront how much it is downloading.
-           #add_header Content-Length $body_bytes_sent;
-       }
+       include hydra.gnu.org-locations.conf;
+    }
 
-       location ~ /(nix-cache-info|static|logo|favicon\.ico) {
-           proxy_pass http://127.0.0.1:3000;
+    # HTTPS server.
+    server {
+       listen       443 ssl;
+       server_name  hydra.gnu.org;
 
-           # Cache this file since that's always the first thing we ask for.
-           proxy_cache static;
-           proxy_cache_valid 200 100h;  # cache hits for a looong time.
-           proxy_cache_valid any 5m;    # cache misses/others for 5 min.
-           proxy_ignore_client_abort on;
+       ssl_certificate     /etc/letsencrypt/live/hydra.gnu.org/fullchain.pem;
+       ssl_certificate_key /etc/letsencrypt/live/hydra.gnu.org/privkey.pem;
 
-           # We need to hide and ignore the Set-Cookie header
-           # to enable caching.
-           proxy_hide_header    Set-Cookie;
-           proxy_ignore_headers Set-Cookie;
-       }
+       # Make sure SSL is disabled.
+       ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
 
-       location ~ \.narinfo$ {
-           proxy_pass http://127.0.0.1:3000;
+       # Disable weak cipher suites.
+       ssl_ciphers         HIGH:!aNULL:!MD5;
+       ssl_prefer_server_ciphers on;
 
-           # For HTTP pipelining.  This has a dramatic impact on performance.
-           client_body_buffer_size 128k;
+       # Use our own DH parameters created with:
+       #    openssl dhparam -out dhparams.pem 2048
+       # as suggested at <https://weakdh.org/sysadmin.html>.
+       ssl_dhparam         /etc/dhparams.pem;
 
-           # Enable caching for narinfo files, to avoid recomputing nar 
signatures.
-           proxy_cache narinfo;
-           proxy_cache_valid 200 18h;  # cache hits for 18 hours.
-           proxy_cache_valid any 1m;   # cache misses/others for 1 min.
+        access_log  /var/log/nginx/hydra.https.access.log;
 
-           proxy_ignore_client_abort on;
+       proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+       proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
 
-           # We need to hide and ignore the Set-Cookie header
-           # to enable caching.
-           proxy_hide_header    Set-Cookie;
-           proxy_ignore_headers Set-Cookie;
-       }
+       include hydra.gnu.org-locations.conf;
     }
-
-    # TODO: HTTPS server
-    #
-    # We need to generate a certificate and investigate
-    # proper settings for ssl_protocols and ssl_ciphers.
-    #
-    #server {
-    #  listen       443;
-    #  server_name  hydra.gnu.org;
-    #
-    #  ssl_certificate      cert.pem;
-    #  ssl_certificate_key  cert.key;
-    #
-    #   ssl_session_cache    shared:SSL:1m;
-    #  ssl_session_timeout  5m;
-    #
-    #  ssl_ciphers  HIGH:!aNULL:!MD5;
-    #  ssl_prefer_server_ciphers  on;
-    #
-    #   access_log  /var/log/nginx/hydra.access.log;
-    #
-    #  proxy_set_header X-Forwarded-Host $host;
-    #   proxy_set_header X-Forwarded-Port $server_port;
-    #  proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
-    #
-    #  location / {
-    #      proxy_pass http://127.0.0.1:3000;
-    #  }
-    #}
 }
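Review bot: The new HTTPS `server` block reuses the cipher string `HIGH:!aNULL:!MD5` from the removed TODO template, even though that TODO said the `ssl_ciphers` setting still needed investigation; `HIGH` admits static-RSA key exchange, so forward secrecy is not guaranteed despite the `ssl_dhparam` comment citing weakdh.org. Consider excluding non-ephemeral key exchange, e.g. `ssl_ciphers HIGH:!aNULL:!MD5:!kRSA;`, and revisit whether `TLSv1 TLSv1.1` are still required by the clients this server must support. The comment `# Make sure SSL is disabled.` would read more precisely as `# Only TLS; SSLv2/SSLv3 are not offered.`. The `ssl_session_cache`/`ssl_session_timeout` directives present in the removed template were not carried over, and the `access_log` and `X-Forwarded-Port` lines use an 8-space indent while the rest of the block uses 7. The enclosing `http` block starts before this hunk.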


