authorKristian Lyngstol <kristian@bohemians.org>2016-03-27 08:27:17 +0200
committerKristian Lyngstol <kristian@bohemians.org>2016-03-27 08:27:17 +0200
commit1d2470a411e5eaac7e5a1c5d5b6b81e92c92f4a8 (patch)
tree54b901757b088d54d33e70f28a6203383b4dc844 /web/etc
parent0a230ac5481b9518abc64181dbbb4509d83c0b89 (diff)
parent96a9bb4c42f4b53020302fea2a46e734c61c0319 (diff)
Merge branch 'master' of github.com:tech-server/tgmanage
Diffstat (limited to 'web/etc')
-rw-r--r--web/etc/apache2/munin.tg15.gathering.org.conf120
-rw-r--r--web/etc/apache2/nms-public.tg15.gathering.org.conf21
-rw-r--r--web/etc/apache2/nms-public.tg16.gathering.org.conf30
-rw-r--r--web/etc/apache2/nms.tg16.gathering.org.conf26
-rw-r--r--web/etc/apache2/stats.tg15.gathering.org.conf21
-rw-r--r--web/etc/apache2/stream.tg15.gathering.org.conf25
-rw-r--r--web/etc/cron/einstein.cron39
-rw-r--r--web/etc/nginx/default.conf339
-rw-r--r--web/etc/varnish/nms.vcl11
9 files changed, 394 insertions, 238 deletions
diff --git a/web/etc/apache2/munin.tg15.gathering.org.conf b/web/etc/apache2/munin.tg15.gathering.org.conf
deleted file mode 100644
index aaa3848..0000000
--- a/web/etc/apache2/munin.tg15.gathering.org.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-<VirtualHost *:8080>
- ServerAdmin drift@gathering.org
- ServerName munin.tg15.gathering.org
-
- # Enable this for template generation
- Alias /munin /var/cache/munin/www
-
- # Enable this for cgi-based templates
- #Alias /munin-cgi/static /var/cache/munin/www/static
- #ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html
- #<Location /munin-cgi>
- # Order allow,deny
- # Allow from localhost 127.0.0.0/8 ::1
- # AuthUserFile /etc/munin/munin-htpasswd
- # AuthName "Munin"
- # AuthType Basic
- # require valid-user
- #</Location>
-
- DocumentRoot /var/cache/munin/www
- <Directory /var/cache/munin/www>
- AllowOverride None
- Order allow,deny
- Allow from all
- Options Indexes
- #Require all granted
-
- # This file can be used as a .htaccess file, or a part of your apache
- # config file.
- #
- # For the .htaccess file option to work the munin www directory
- # (/var/cache/munin/www) must have "AllowOverride all" or something
- # close to that set.
- #
-
- # AuthUserFile /etc/munin/munin-htpasswd
- # AuthName "Munin"
- # AuthType Basic
- # require valid-user
-
- # This next part requires mod_expires to be enabled.
- #
-
- # Set the default expiration time for files to 5 minutes 10 seconds from
- # their creation (modification) time. There are probably new files by
- # that time.
- #
-
- SetEnvIF ^X-Forwarded-For$ "^185\.12\.59\.12$" AllowIP
- SetEnvIF ^X-Forwarded-For$ "^2a02:ed02:1337::12$" AllowIP
-
- <RequireAny>
- AuthUserFile /root/tgmanage/web/.htpasswd
- AuthName "Tech:Server Secret Volcano Lair"
- AuthType Basic
- Require valid-user
-
- Require env AllowIP
- </RequireAny>
-
- <IfModule mod_expires.c>
- ExpiresActive On
- ExpiresDefault M310
- </IfModule>
-
- </Directory>
-
- # Enables fastcgi for munin-cgi-html if present
- #<Location /munin-cgi>
- # <IfModule mod_fastcgi.c>
- # SetHandler fastcgi-script
- # </IfModule>
- #</Location>
-
- #<Location /munin-cgi/static>
- # SetHandler None
- #</Location>
-
- # Enables fastcgi for munin-cgi-graph if present
- ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
- <Location /munin-cgi/munin-cgi-graph>
- Order allow,deny
- Allow from localhost 127.0.0.0/8 ::1
- # AuthUserFile /etc/munin/munin-htpasswd
- # AuthName "Munin"
- # AuthType Basic
- # require valid-user
- <IfModule mod_fcgid.c>
- SetHandler fcgid-script
- </IfModule>
- <IfModule !mod_fcgid.c>
- SetHandler cgi-script
- </IfModule>
- </Location>
-
- ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
- <Location /munin-cgi/munin-cgi-html>
- Order allow,deny
- Allow from localhost 127.0.0.0/8 ::1
- # AuthUserFile /etc/munin/munin-htpasswd
- # AuthName "Munin"
- # AuthType Basic
- # require valid-user
- <IfModule mod_fcgid.c>
- SetHandler fcgid-script
- </IfModule>
- <IfModule !mod_fcgid.c>
- SetHandler cgi-script
- </IfModule>
- </Location>
-
- ErrorLog /var/log/apache2/error-munin.tg15.gathering.org.log
-
- # Possible values include: debug, info, notice, warn, error, crit,
- # alert, emerg.
- LogLevel debug
-
- CustomLog /var/log/apache2/access-munin.tg15.gathering.org.log combined
- ServerSignature On
-</VirtualHost>
diff --git a/web/etc/apache2/nms-public.tg15.gathering.org.conf b/web/etc/apache2/nms-public.tg15.gathering.org.conf
deleted file mode 100644
index 6ca255d..0000000
--- a/web/etc/apache2/nms-public.tg15.gathering.org.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-<VirtualHost *:8080>
- ServerAdmin drift@gathering.org
- ServerName nms-public.tg15.gathering.org
-
- DocumentRoot /root/tgmanage/web/nms-public.gathering.org
- AddHandler cgi-script .cgi .sh .pl .py
-
- LogLevel warn
- ErrorLog /var/log/apache2/error-nms-public.tg15.gathering.org.log
- CustomLog /var/log/apache2/access-nms-public.tg15.gathering.org.log combined
-
- <Directory "/root/tgmanage/web/nms-public.gathering.org">
- AllowOverride None
- Options Indexes FollowSymLinks ExecCGI MultiViews
-
- Require all granted
- </Directory>
-
- ServerSignature On
-
-</VirtualHost>
diff --git a/web/etc/apache2/nms-public.tg16.gathering.org.conf b/web/etc/apache2/nms-public.tg16.gathering.org.conf
new file mode 100644
index 0000000..7e24b5c
--- /dev/null
+++ b/web/etc/apache2/nms-public.tg16.gathering.org.conf
@@ -0,0 +1,30 @@
+<VirtualHost *:8080>
+ ServerAdmin drift@gathering.org
+ ServerName nms-public.tg16.gathering.org
+ ServerAlias nms-public.tg16.gathering.org
+
+ DocumentRoot /srv/tgmanage/web/nms-public.gathering.org
+ ScriptAlias /api/public/ /srv/tgmanage/web/nms-public.gathering.org/api/public/
+ <Directory "/srv/tgmanage/web/nms-public.gathering.org/api/public/">
+ AllowOverride None
+ Options +ExecCGI -MultiViews +Indexes +SymLinksIfOwnerMatch
+ Require all granted
+ </Directory>
+ <Directory "/srv/tgmanage/web/nms-public.gathering.org">
+ AllowOverride None
+ Options Indexes FollowSymLinks MultiViews
+ Require all granted
+
+ AddDefaultCharset UTF-8
+ </Directory>
+
+ ErrorLog /var/log/apache2/error-nms-public.tg16.gathering.org.log
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+
+ CustomLog /var/log/apache2/access-nms-public.tg16.gathering.org.log combined
+ ServerSignature On
+
+</VirtualHost>
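Review bot: `Options +ExecCGI -MultiViews +Indexes +SymLinksIfOwnerMatch` on the ScriptAlias'd `/api/public/` directory lets mod_autoindex list the CGI script directory when no index file is present; unless that listing is intended as API discovery, `Options +ExecCGI -MultiViews -Indexes +SymLinksIfOwnerMatch` is the safer default for a script directory. `ServerAlias nms-public.tg16.gathering.org` only repeats the ServerName on the line above and can be dropped. `AddDefaultCharset UTF-8` is scoped to the document-root Directory only, so CGI output under /api/public/ that omits a charset parameter goes out without one — if the API output is UTF-8 as well, the directive belongs at VirtualHost scope.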
diff --git a/web/etc/apache2/nms.tg16.gathering.org.conf b/web/etc/apache2/nms.tg16.gathering.org.conf
index 9a6d7cd..08471e0 100644
--- a/web/etc/apache2/nms.tg16.gathering.org.conf
+++ b/web/etc/apache2/nms.tg16.gathering.org.conf
@@ -1,21 +1,32 @@
<VirtualHost *:8080>
ServerAdmin drift@gathering.org
ServerName nms.tg16.gathering.org
- ServerAlias einstein.tg16.gathering.org
+ ServerAlias nms.tg16.gathering.org
DocumentRoot /srv/tgmanage/web/nms.gathering.org
- ScriptAlias /api/private/ /srv/tgmanage/web/nms.gathering.org/api/private/
+ ScriptAlias /api/write/ /srv/tgmanage/web/nms.gathering.org/api/write/
+ ScriptAlias /api/read/ /srv/tgmanage/web/nms.gathering.org/api/read/
ScriptAlias /api/public/ /srv/tgmanage/web/nms.gathering.org/api/public/
- <Directory "/srv/tgmanage/web/nms.gathering.org/api/private/">
+ <Directory "/srv/tgmanage/web/nms.gathering.org/api/write/">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
<RequireAny>
- AuthUserFile /srv/tgmanage/web/.htpasswd
+ AuthUserFile /srv/tgmanage/web/htpasswd-write
AuthName "Tech:Server Secret Volcano Lair"
AuthType Basic
Require valid-user
</RequireAny>
</Directory>
+ <Directory "/srv/tgmanage/web/nms.gathering.org/api/read/">
+ AllowOverride None
+ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+ <RequireAny>
+ AuthUserFile /srv/tgmanage/web/htpasswd-read
+ AuthName "The Gathering Network Management System"
+ AuthType Basic
+ Require valid-user
+ </RequireAny>
+ </Directory>
<Directory "/srv/tgmanage/web/nms.gathering.org/api/public/">
AllowOverride None
Options +ExecCGI -MultiViews +Indexes +SymLinksIfOwnerMatch
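Review bot: The new write realm grants nothing beyond /api/write/: an account present only in htpasswd-write gets a 401 from /api/read/ and from the document root, which the second hunk also switches to htpasswd-read, because mod_authn_file takes one AuthUserFile per scope and the two files are not merged. If write accounts are expected to read as well, either keep them in both files or use a single AuthUserFile plus an AuthGroupFile and select per directory with `Require group write` / `Require group read`, which keeps the separation without two password files drifting apart. The new `ServerAlias nms.tg16.gathering.org` merely repeats ServerName and can go. A comment above the two Directory blocks stating which realm is meant to be a superset of the other would make the intent checkable later.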
@@ -24,16 +35,13 @@
<Directory "/srv/tgmanage/web/nms.gathering.org">
AllowOverride None
Options Indexes FollowSymLinks MultiViews
-
AddDefaultCharset UTF-8
-
<RequireAny>
- AuthUserFile /srv/tgmanage/web/.htpasswd
- AuthName "Tech:Server Secret Volcano Lair"
+ AuthUserFile /srv/tgmanage/web/htpasswd-read
+ AuthName "The Gathering Network Management System"
AuthType Basic
Require valid-user
</RequireAny>
-
</Directory>
ErrorLog /var/log/apache2/error-nms.tg16.gathering.org.log
diff --git a/web/etc/apache2/stats.tg15.gathering.org.conf b/web/etc/apache2/stats.tg15.gathering.org.conf
deleted file mode 100644
index 2dc99a4..0000000
--- a/web/etc/apache2/stats.tg15.gathering.org.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-<VirtualHost *:8080>
- ServerAdmin drift@gathering.org
- ServerName stats.tg15.gathering.org
-
- DocumentRoot /root/tgmanage/web/stats.gathering.org
- <Directory "/root/tgmanage/web/stats.gathering.org">
- AllowOverride None
- Options Indexes FollowSymLinks ExecCGI MultiViews
-
- Require all granted
- </Directory>
-
- ErrorLog /var/log/apache2/error-stats.tg15.gathering.org.log
-
- # Possible values include: debug, info, notice, warn, error, crit,
- # alert, emerg.
- LogLevel warn
-
- CustomLog /var/log/apache2/access-stats.tg15.gathering.org.log combined
- ServerSignature On
-</VirtualHost>
diff --git a/web/etc/apache2/stream.tg15.gathering.org.conf b/web/etc/apache2/stream.tg15.gathering.org.conf
deleted file mode 100644
index 1f92f47..0000000
--- a/web/etc/apache2/stream.tg15.gathering.org.conf
+++ /dev/null
@@ -1,25 +0,0 @@
- <VirtualHost *:8080>
- ServerAdmin drift@gathering.org
- ServerName stream.tg15.gathering.org
- ServerAlias krosus.tg15.gathering.org
-
- DocumentRoot /root/tgmanage/web/stream.gathering.org
- <Directory "/root/tgmanage/web/stream.gathering.org/">
- AllowOverride None
- Options Indexes FollowSymLinks ExecCGI MultiViews
- Order allow,deny
- Allow from all
- Require all granted
- AddHandler cgi-script .cgi .sh .pl .py
- AddDefaultCharset UTF-8
- </Directory>
-
- ErrorLog /var/log/apache2/error-stream.tg15.gathering.org.log
-
- # Possible values include: debug, info, notice, warn, error, crit,
- # alert, emerg.
- LogLevel info
-
- CustomLog /var/log/apache2/access-stream.tg15.gathering.org.log combined
- ServerSignature On
-</VirtualHost>
diff --git a/web/etc/cron/einstein.cron b/web/etc/cron/einstein.cron
deleted file mode 100644
index 616867f..0000000
--- a/web/etc/cron/einstein.cron
+++ /dev/null
@@ -1,39 +0,0 @@
-# Edit this file to introduce tasks to be run by cron.
-#
-# Each task to run has to be defined through a single line
-# indicating with different fields when the task will be run
-# and what command to run for the task
-#
-# To define the time you can provide concrete values for
-# minute (m), hour (h), day of month (dom), month (mon),
-# and day of week (dow) or use '*' in these fields (for 'any').#
-# Notice that tasks will be started based on the cron's system
-# daemon's notion of time and timezones.
-#
-# Output of the crontab jobs (including errors) is sent through
-# email to the user the crontab file belongs to (unless redirected).
-#
-# For example, you can run a backup of all your user accounts
-# at 5 a.m every week with:
-# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
-#
-# For more information see the manual pages of crontab(5) and cron(8)
-#
-# m h dom mon dow command
-
-# hver dag kl 18:00
-0 18 * * * /bin/bash /root/tgmanage/clients/fetch-cubemap-munin.sh
-
-# søndag kl 06:00
-0 6 05 04 * /bin/bash /root/tgmanage/clients/fetch-cubemap-munin.sh
-
-*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart-trafikk.png http://tg:REMOVED@nms.tg15.gathering.org/nettkart.pl
-*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart-dhcp.png http://tg:REMOVED@nms.tg15.gathering.org/dhcpkart.pl
-*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/tempkart.png http://tg:REMOVED@nms.tg15.gathering.org/stempmap.pl
-*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/switches.json http://tg:REMOVED@nms.tg15.gathering.org/switches-json.pl
-*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart.json 'http://tg:REMOVED@nms.tg15.gathering.org/nettkart-json.pl?secret=frosk&secret2=fisk&noise=0.0000000001&phase=3&period=86400'
-*/5 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/weathermap.png http://185.12.59.23/cacti/plugins/weathermap/output/962ddeea4b2d7ad5bd02.png
-
-24 12 * * * /bin/bash /root/backup/tg15backup.sh
-13 07 05 04 * /bin/bash /root/backup/tg15backup.sh
-45 08 05 04 * /bin/bash /root/backup/tg15backup.sh
diff --git a/web/etc/nginx/default.conf b/web/etc/nginx/default.conf
new file mode 100644
index 0000000..4335774
--- /dev/null
+++ b/web/etc/nginx/default.conf
@@ -0,0 +1,339 @@
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+
+ssl_dhparam /etc/nginx/dhparam.pem;
+resolver 185.110.149.2 185.110.148.2;
+
+# Yoda!
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ root /var/www/html;
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+ add_header Strict-Transport-Security max-age=15768000;
+ server_name yoda.tg16.gathering.org;
+
+ location /display {
+ allow 185.110.148.24;
+ allow 2a06:5841:1337::24;
+ allow 185.110.148.25;
+ allow 2a06:5841:1337::25;
+ allow 185.110.148.26;
+ allow 2a06:5841:1337::26;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.150.0/25;
+ deny all;
+ }
+ #location / {
+ # return 301 https://$host$request_uri;
+ #}
+}
+
+# Munin
+server {
+ listen 80;
+ listen [::]:80;
+ access_log /var/log/nginx/munin.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/munin.tg16.gathering.org_ssl_error.log error;
+ root /var/www/html;
+
+ server_name munin.tg16.gathering.org;
+
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+
+ location ^~ /munin-cgi/munin-cgi-graph/ {
+ fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock;
+ include fastcgi_params;
+ }
+
+
+ location /munin/static/ {
+ alias /etc/munin/static/;
+ }
+
+ location /munin/ {
+ fastcgi_split_path_info ^(/munin)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:/var/run/munin/fastcgi-html.sock;
+ include fastcgi_params;
+
+ rewrite ^/munin/(.*.png)$ /munin-cgi/munin-cgi-graph/$1;
+ }
+
+ location = / {
+ return 301 $scheme://$server_name/munin/;
+ }
+}
+
+# Yoda!
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/yoda.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/yoda.tg16.gathering.org_ssl_error.log error;
+ server_name yoda.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=0;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/html;
+ index index.pl index.html;
+ location ~ \.pl|cgi$ {
+ try_files $uri =404;
+ gzip off;
+ fastcgi_pass 127.0.0.1:8999;
+ fastcgi_index index.pl;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
+# Webcam
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/webcam.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/webcam.tg16.gathering.org_ssl_error.log error;
+ server_name webcam.tg16.gathering.org webcams.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=0;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/webcam;
+ location / {
+ return 301 http://stream.tg16.gathering.org/;
+ #try_files $uri $uri/ =404;
+ }
+}
+
+# Stream
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/stream.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/stream.tg16.gathering.org_ssl_error.log error;
+ server_name stream.tg16.gathering.org streams.tg16.gathering.org;
+ #add_header Strict-Transport-Security max-age=15768000;
+ add_header Strict-Transport-Security max-age=0;
+ #add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/stream/;
+# index index.pl index.html;
+ index index.pl index.py index.html;
+ location /hls {
+ types {
+ #application/vnd.apple.mpegurl m3u8;
+ application/x-mpegURL m3u8;
+ video/mp2t ts;
+ text/html htm;
+ }
+ root /var/www/;
+ add_header Cache-Control no-cache;
+ }
+ location /stat {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ rtmp_stat all;
+ rtmp_stat_stylesheet /stat.xsl;
+ }
+ location /stat.xsl {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ }
+ location ~ \.py {
+ try_files $uri =404;
+ fastcgi_pass unix:/tmp/index-fcgi.sock;
+ fastcgi_index index.py;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+ }
+ location ~ \.pl|cgi$ {
+ try_files $uri =404;
+ gzip off;
+ fastcgi_pass 127.0.0.1:8999;
+ fastcgi_index index.pl;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+ location / {
+ return 301 http://$host$request_uri;
+ #try_files $uri $uri/ =404;
+ }
+}
+
+# Stream
+server {
+ listen 80;
+ listen [::]:80;
+ access_log /var/log/nginx/stream.tg16.gathering.org_access.log;
+ error_log /var/log/nginx/stream.tg16.gathering.org_error.log error;
+ server_name stream.tg16.gathering.org streams.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=0;
+ client_max_body_size 10m;
+ root /var/www/stream/;
+# index index.pl index.html;
+ index index.pl index.py index.html;
+ location /hls {
+ types {
+ #application/vnd.apple.mpegurl m3u8;
+ application/x-mpegURL m3u8;
+ video/mp2t ts;
+ text/html htm;
+ }
+ root /var/www/;
+ add_header Cache-Control no-cache;
+ }
+ location /stat {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ rtmp_stat all;
+ rtmp_stat_stylesheet /stat.xsl;
+ }
+ location /stat.xsl {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ }
+ location ~ \.py {
+ try_files $uri =404;
+ fastcgi_pass unix:/tmp/index-fcgi.sock;
+ fastcgi_index index.py;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+ }
+ location ~ \.pl|cgi$ {
+ try_files $uri =404;
+ gzip off;
+ fastcgi_pass 127.0.0.1:8999;
+ fastcgi_index index.pl;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
+# NMS-backend
+upstream nms {
+ server obi-wan.tg16.gathering.org;
+ keepalive 32;
+}
+
+# NMS
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/nms.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/nms.tg16.gathering.org_ssl_error.log error;
+ server_name nms.tg16.gathering.org nms-public.tg16.gathering.org nms-api.tg16.gathering.org nms4.tg16.gathering.org nms6.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=15768000;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://nms;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ }
+}
+
+# Stats
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/stats.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/stats.tg16.gathering.org_ssl_error.log error;
+ server_name stats.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=15768000;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/stats;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
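Review bot: `location ~ \.pl|cgi$` (used in the yoda server and both stream servers) means "`.pl` anywhere in the URI, or `cgi` at the end", because `|` binds looser than the `$` anchor, and `location ~ \.py` has no anchor at all; `try_files $uri =404` narrows this to existing files, but any file under the root whose name contains `.pl` or `.py` (a `.plist`, an `index.pl.bak`) is handed to the FastCGI backend instead of being served. Group and anchor both: `location ~ \.(pl|cgi)$ {` and `location ~ \.py$ {`. The first Public-Key-Pins value, `47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`, appears to be the SHA-256 of empty input rather than of a real SPKI, so the header effectively carries one usable pin with a 60-day `includeSubDomains` policy; if the domain key is lost or rotated away from the second pin, pinned clients are locked out of the host and its subdomains until the pin expires, so a pin of a genuine backup key should replace it. Two smaller points: `add_header Cache-Control no-cache` inside `location /hls` replaces the inherited server-level `add_header` set (nginx inherits add_header only when the location defines none), so Strict-Transport-Security is not sent for /hls responses, and the `\.py` locations set `PATH_INFO $fastcgi_path_info` without a `fastcgi_split_path_info`, which leaves PATH_INFO empty.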
diff --git a/web/etc/varnish/nms.vcl b/web/etc/varnish/nms.vcl
index 6349238..53a9444 100644
--- a/web/etc/varnish/nms.vcl
+++ b/web/etc/varnish/nms.vcl
@@ -11,6 +11,9 @@ backend default {
# Sort magi.
sub vcl_recv {
+ if (req.url ~ "^/where" || req.url ~ "^/location") {
+ set req.url = "/api/public/location";
+ }
if (req.method != "GET" &&
req.method != "HEAD" &&
req.method != "PUT" &&
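Review bot: `req.url ~ "^/where"` and `"^/location"` are prefix matches, so `/whereabouts`, `/locations/...` and any variant with a query string are rewritten too, and the query string is discarded when req.url is replaced with a fixed path. If these are aliases for two exact paths, anchor them, `if (req.url ~ "^/(where|location)$") {`; if a query string should survive, build the new URL with regsub rather than assigning a constant. A one-line comment naming what the alias is for would help the next reader, since nothing else in the file mentions it. vcl_recv continues outside the hunk.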
@@ -22,9 +25,6 @@ sub vcl_recv {
return (synth(418,"LOLOLOL"));
}
- # Hardcoded for testing
- set req.http.host = "nms.tg16.gathering.org";
-
if (req.method != "GET" && req.method != "HEAD") {
/* We only deal with GET and HEAD by default */
return (pass);
@@ -37,6 +37,7 @@ sub vcl_recv {
return (hash);
}
+
# Rosa magi
sub vcl_hash {
# Wheee. Legg til authorization-headeren i hashen.
@@ -50,4 +51,8 @@ sub vcl_backend_response {
if (beresp.http.x-ban) {
ban("obj.http.x-url ~ " + beresp.http.x-ban);
}
+ if (beresp.status != 200) {
+ set beresp.uncacheable = false;
+ set beresp.ttl = 5s;
+ }
}
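Review bot: `beresp.status != 200` forces every non-200 backend response cacheable for 5s — 5xx, 401/403 and 3xx alike — and because the 5s TTL is set in the same branch, the built-in `beresp.ttl <= 0s` check that would otherwise have honoured a backend `Cache-Control: max-age=0` or `Expires` on those responses no longer fires. If the goal is to absorb 404 bursts or shield the backend while it errors, narrow the condition to those statuses, e.g. `if (beresp.status == 404 || beresp.status >= 500) {`, and say so in a comment. As far as I recall, Varnish 4 ignores an attempt to reset beresp.uncacheable to false on a pass transaction and logs a VCL_Error instead, so for the non-GET/HEAD requests that vcl_recv passes the assignment is probably a no-op; worth confirming against the deployed version. vcl_backend_response starts outside the hunk.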