Diffstat (limited to 'web/etc')
| -rw-r--r-- | web/etc/apache2/munin.tg15.gathering.org.conf | 120 | ||||
| -rw-r--r-- | web/etc/apache2/nms-public.tg15.gathering.org.conf | 21 | ||||
| -rw-r--r-- | web/etc/apache2/nms-public.tg16.gathering.org.conf | 30 | ||||
| -rw-r--r-- | web/etc/apache2/nms.tg16.gathering.org.conf | 26 | ||||
| -rw-r--r-- | web/etc/apache2/stats.tg15.gathering.org.conf | 21 | ||||
| -rw-r--r-- | web/etc/apache2/stream.tg15.gathering.org.conf | 25 | ||||
| -rw-r--r-- | web/etc/cron/einstein.cron | 39 | ||||
| -rw-r--r-- | web/etc/nginx/default.conf | 339 | ||||
| -rw-r--r-- | web/etc/varnish/nms.vcl | 11 | 
9 files changed, 394 insertions, 238 deletions
diff --git a/web/etc/apache2/munin.tg15.gathering.org.conf b/web/etc/apache2/munin.tg15.gathering.org.conf deleted file mode 100644 index aaa3848..0000000 --- a/web/etc/apache2/munin.tg15.gathering.org.conf +++ /dev/null 
@@ -1,120 +0,0 @@ -<VirtualHost *:8080> -        ServerAdmin drift@gathering.org -        ServerName munin.tg15.gathering.org - -	# Enable this for template generation -	Alias /munin /var/cache/munin/www - -	# Enable this for cgi-based templates -	#Alias /munin-cgi/static /var/cache/munin/www/static -	#ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html -	#<Location /munin-cgi> -	#	Order allow,deny -	#	Allow from localhost 127.0.0.0/8 ::1 -	#	AuthUserFile /etc/munin/munin-htpasswd -	#	AuthName "Munin" -	#	AuthType Basic -	#	require valid-user -	#</Location> - -	DocumentRoot /var/cache/munin/www -	<Directory /var/cache/munin/www> -		AllowOverride None -	        Order allow,deny -	        Allow from all -	        Options Indexes -		#Require all granted -	 -		# This file can be used as a .htaccess file, or a part of your apache -		# config file. -		# -		# For the .htaccess file option to work the munin www directory -		# (/var/cache/munin/www) must have "AllowOverride all" or something  -		# close to that set. -		# -	 -		# AuthUserFile /etc/munin/munin-htpasswd -		# AuthName "Munin" -		# AuthType Basic -		# require valid-user -	 -		# This next part requires mod_expires to be enabled. -		# -		 -		# Set the default expiration time for files to 5 minutes 10 seconds from -		# their creation (modification) time.  There are probably new files by -		# that time.  
-		# - -		SetEnvIF ^X-Forwarded-For$ "^185\.12\.59\.12$" AllowIP -                SetEnvIF ^X-Forwarded-For$ "^2a02:ed02:1337::12$" AllowIP - -                <RequireAny> -                        AuthUserFile /root/tgmanage/web/.htpasswd -                        AuthName "Tech:Server Secret Volcano Lair" -                        AuthType Basic -                        Require valid-user - -                        Require env AllowIP -                </RequireAny> - -	    <IfModule mod_expires.c> -	        ExpiresActive On -	    	ExpiresDefault M310 -	    </IfModule> -	 -	</Directory>  -	 -	# Enables fastcgi for munin-cgi-html if present -	#<Location /munin-cgi> -	#    <IfModule mod_fastcgi.c> -	#        SetHandler fastcgi-script -	#    </IfModule> -	#</Location> -	 -	#<Location /munin-cgi/static> -	#	SetHandler None -	#</Location> -	 -	# Enables fastcgi for munin-cgi-graph if present -	ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph -	<Location /munin-cgi/munin-cgi-graph> -		Order allow,deny -		Allow from localhost 127.0.0.0/8 ::1 -		# AuthUserFile /etc/munin/munin-htpasswd -		# AuthName "Munin" -		# AuthType Basic -		# require valid-user -		<IfModule mod_fcgid.c> -		    SetHandler fcgid-script -		</IfModule> -		<IfModule !mod_fcgid.c> -		    SetHandler cgi-script -		</IfModule> -	</Location> - -	ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html -	<Location /munin-cgi/munin-cgi-html> -		Order allow,deny -		Allow from localhost 127.0.0.0/8 ::1 -		# AuthUserFile /etc/munin/munin-htpasswd -		# AuthName "Munin" -		# AuthType Basic -		# require valid-user -		<IfModule mod_fcgid.c> -		    SetHandler fcgid-script -		</IfModule> -		<IfModule !mod_fcgid.c> -		    SetHandler cgi-script -		</IfModule> -	</Location> - -        ErrorLog /var/log/apache2/error-munin.tg15.gathering.org.log - -        # Possible values include: debug, info, notice, warn, error, crit, -        # alert, emerg. 
-        LogLevel debug - -        CustomLog /var/log/apache2/access-munin.tg15.gathering.org.log combined -        ServerSignature On -</VirtualHost> diff --git a/web/etc/apache2/nms-public.tg15.gathering.org.conf b/web/etc/apache2/nms-public.tg15.gathering.org.conf deleted file mode 100644 index 6ca255d..0000000 --- a/web/etc/apache2/nms-public.tg15.gathering.org.conf +++ /dev/null @@ -1,21 +0,0 @@ -<VirtualHost *:8080> -        ServerAdmin drift@gathering.org -        ServerName nms-public.tg15.gathering.org - -	DocumentRoot /root/tgmanage/web/nms-public.gathering.org -	AddHandler cgi-script .cgi .sh .pl .py -	 -        LogLevel warn -        ErrorLog /var/log/apache2/error-nms-public.tg15.gathering.org.log -        CustomLog /var/log/apache2/access-nms-public.tg15.gathering.org.log combined - -	<Directory "/root/tgmanage/web/nms-public.gathering.org"> -                AllowOverride None -                Options Indexes FollowSymLinks ExecCGI MultiViews - -                Require all granted -        </Directory> - -	ServerSignature On - -</VirtualHost> diff --git a/web/etc/apache2/nms-public.tg16.gathering.org.conf b/web/etc/apache2/nms-public.tg16.gathering.org.conf new file mode 100644 index 0000000..7e24b5c --- /dev/null +++ b/web/etc/apache2/nms-public.tg16.gathering.org.conf 
@@ -0,0 +1,30 @@ +<VirtualHost *:8080> +        ServerAdmin drift@gathering.org +        ServerName nms-public.tg16.gathering.org +        ServerAlias nms-public.tg16.gathering.org + +        DocumentRoot /srv/tgmanage/web/nms-public.gathering.org +	ScriptAlias /api/public/ /srv/tgmanage/web/nms-public.gathering.org/api/public/ +	<Directory "/srv/tgmanage/web/nms-public.gathering.org/api/public/"> +		AllowOverride None +		Options +ExecCGI -MultiViews +Indexes +SymLinksIfOwnerMatch +		Require all granted +	</Directory> +        <Directory "/srv/tgmanage/web/nms-public.gathering.org"> +                AllowOverride None +                Options Indexes FollowSymLinks MultiViews +		Require all granted + +                AddDefaultCharset UTF-8 +        </Directory> + +        ErrorLog /var/log/apache2/error-nms-public.tg16.gathering.org.log + +        # Possible values include: debug, info, notice, warn, error, crit, +        # alert, emerg. +        LogLevel warn + +        CustomLog /var/log/apache2/access-nms-public.tg16.gathering.org.log combined +        ServerSignature On + +</VirtualHost> diff --git a/web/etc/apache2/nms.tg16.gathering.org.conf b/web/etc/apache2/nms.tg16.gathering.org.conf index 9a6d7cd..08471e0 100644 --- a/web/etc/apache2/nms.tg16.gathering.org.conf +++ b/web/etc/apache2/nms.tg16.gathering.org.conf 
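Review bot: The `<Directory .../api/public/>` block enables `+Indexes` on a ScriptAlias'd CGI directory, so an unauthenticated GET of `/api/public/` returns a listing of every script name — inventory an attacker would otherwise have to guess; `Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch` is sufficient there. The DocumentRoot block has the same `Indexes FollowSymLinks` with `Require all granted`, so the public webroot is browsable and any symlink dropped under it is served regardless of owner; `SymLinksIfOwnerMatch` matches what the api block already uses. `ServerAlias nms-public.tg16.gathering.org` repeats `ServerName` verbatim and can be dropped. `ServerSignature On` appends the server version to error pages; `ServerSignature Off` is the usual setting for an internet-facing vhost.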
@@ -1,21 +1,32 @@  <VirtualHost *:8080>          ServerAdmin drift@gathering.org          ServerName nms.tg16.gathering.org -        ServerAlias einstein.tg16.gathering.org +        ServerAlias nms.tg16.gathering.org          DocumentRoot /srv/tgmanage/web/nms.gathering.org -	ScriptAlias /api/private/ /srv/tgmanage/web/nms.gathering.org/api/private/ +	ScriptAlias /api/write/ /srv/tgmanage/web/nms.gathering.org/api/write/ +	ScriptAlias /api/read/ /srv/tgmanage/web/nms.gathering.org/api/read/  	ScriptAlias /api/public/ /srv/tgmanage/web/nms.gathering.org/api/public/ -	<Directory "/srv/tgmanage/web/nms.gathering.org/api/private/"> +	<Directory "/srv/tgmanage/web/nms.gathering.org/api/write/">  		AllowOverride None  		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch  		<RequireAny> -			AuthUserFile /srv/tgmanage/web/.htpasswd +			AuthUserFile /srv/tgmanage/web/htpasswd-write  	                AuthName "Tech:Server Secret Volcano Lair"          	        AuthType Basic  			Require valid-user  		</RequireAny>  	</Directory> +	<Directory "/srv/tgmanage/web/nms.gathering.org/api/read/"> +		AllowOverride None +		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +		<RequireAny> +			AuthUserFile /srv/tgmanage/web/htpasswd-read +	                AuthName "The Gathering Network Management System" +        	        AuthType Basic +			Require valid-user +		</RequireAny> +	</Directory>  	<Directory "/srv/tgmanage/web/nms.gathering.org/api/public/">  		AllowOverride None  		Options +ExecCGI -MultiViews +Indexes +SymLinksIfOwnerMatch 
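Review bot: The new `/api/write/` tier is protected only by HTTP Basic auth, yet this vhost listens on plaintext `*:8080`, and the nginx config added in the same commit terminates TLS on yoda and forwards with `proxy_pass http://nms` to `obi-wan`, so the htpasswd-write credentials cross the network in cleartext on every request. If that hop is on a trusted segment it may be acceptable, but it should be recorded, e.g. `# 8080 is plaintext: only the TLS proxy (yoda) may reach this port`, and the listener restricted to the proxy by address or firewall. Each `<RequireAny>` wraps a single `Require valid-user` and can be collapsed to the bare directive. The password files now live in `/srv/tgmanage/web/`, which looks like the repository checkout itself — confirm `htpasswd-write` and `htpasswd-read` are git-ignored and outside every DocumentRoot.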
@@ -24,16 +35,13 @@          <Directory "/srv/tgmanage/web/nms.gathering.org">                  AllowOverride None                  Options Indexes FollowSymLinks MultiViews -                  AddDefaultCharset UTF-8 -  		<RequireAny> -			AuthUserFile /srv/tgmanage/web/.htpasswd -	                AuthName "Tech:Server Secret Volcano Lair" +			AuthUserFile /srv/tgmanage/web/htpasswd-read +	                AuthName "The Gathering Network Management System"          	        AuthType Basic  			Require valid-user  		</RequireAny> -          </Directory>          ErrorLog /var/log/apache2/error-nms.tg16.gathering.org.log diff --git a/web/etc/apache2/stats.tg15.gathering.org.conf b/web/etc/apache2/stats.tg15.gathering.org.conf deleted file mode 100644 index 2dc99a4..0000000 --- a/web/etc/apache2/stats.tg15.gathering.org.conf +++ /dev/null @@ -1,21 +0,0 @@ -<VirtualHost *:8080> -	ServerAdmin drift@gathering.org -        ServerName stats.tg15.gathering.org - -        DocumentRoot /root/tgmanage/web/stats.gathering.org -        <Directory "/root/tgmanage/web/stats.gathering.org"> -                AllowOverride None -                Options Indexes FollowSymLinks ExecCGI MultiViews - -		Require all granted -        </Directory> - -        ErrorLog /var/log/apache2/error-stats.tg15.gathering.org.log - -        # Possible values include: debug, info, notice, warn, error, crit, -        # alert, emerg. -        LogLevel warn - -        CustomLog /var/log/apache2/access-stats.tg15.gathering.org.log combined -        ServerSignature On -</VirtualHost> diff --git a/web/etc/apache2/stream.tg15.gathering.org.conf b/web/etc/apache2/stream.tg15.gathering.org.conf deleted file mode 100644 index 1f92f47..0000000 --- a/web/etc/apache2/stream.tg15.gathering.org.conf +++ /dev/null 
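Review bot: Switching the DocumentRoot `<Directory>` from `.htpasswd` to `htpasswd-read` widens who can reach the whole NMS webroot, and that block still carries `Options Indexes FollowSymLinks MultiViews`, so every read-tier user can browse directory listings and follow any symlink under `/srv/tgmanage/web/nms.gathering.org` regardless of who created it. Drop `Indexes` and use the owner-checked form the `/api/*` blocks already use, e.g. `Options SymLinksIfOwnerMatch MultiViews`. The enclosing `<VirtualHost>` continues outside the hunk.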
@@ -1,25 +0,0 @@ - <VirtualHost *:8080> -        ServerAdmin drift@gathering.org -        ServerName stream.tg15.gathering.org -        ServerAlias krosus.tg15.gathering.org - -        DocumentRoot /root/tgmanage/web/stream.gathering.org -        <Directory "/root/tgmanage/web/stream.gathering.org/"> -                AllowOverride None -                Options Indexes FollowSymLinks ExecCGI MultiViews -                Order allow,deny -                Allow from all -		Require all granted -                AddHandler cgi-script .cgi .sh .pl .py -                AddDefaultCharset UTF-8 -        </Directory> - -        ErrorLog /var/log/apache2/error-stream.tg15.gathering.org.log - -        # Possible values include: debug, info, notice, warn, error, crit, -        # alert, emerg. -        LogLevel info - -        CustomLog /var/log/apache2/access-stream.tg15.gathering.org.log combined -        ServerSignature On -</VirtualHost> diff --git a/web/etc/cron/einstein.cron b/web/etc/cron/einstein.cron deleted file mode 100644 index 616867f..0000000 --- a/web/etc/cron/einstein.cron +++ /dev/null 
@@ -1,39 +0,0 @@ -# Edit this file to introduce tasks to be run by cron. -#  -# Each task to run has to be defined through a single line -# indicating with different fields when the task will be run -# and what command to run for the task -#  -# To define the time you can provide concrete values for -# minute (m), hour (h), day of month (dom), month (mon), -# and day of week (dow) or use '*' in these fields (for 'any').#  -# Notice that tasks will be started based on the cron's system -# daemon's notion of time and timezones. -#  -# Output of the crontab jobs (including errors) is sent through -# email to the user the crontab file belongs to (unless redirected). -#  -# For example, you can run a backup of all your user accounts -# at 5 a.m every week with: -# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/ -#  -# For more information see the manual pages of crontab(5) and cron(8) -#  -# m h  dom mon dow   command - -# hver dag kl 18:00 -0 18 * * * /bin/bash /root/tgmanage/clients/fetch-cubemap-munin.sh  - -# søndag kl 06:00 -0 6 05 04 * /bin/bash /root/tgmanage/clients/fetch-cubemap-munin.sh  - -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart-trafikk.png http://tg:REMOVED@nms.tg15.gathering.org/nettkart.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart-dhcp.png http://tg:REMOVED@nms.tg15.gathering.org/dhcpkart.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/tempkart.png http://tg:REMOVED@nms.tg15.gathering.org/stempmap.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/switches.json http://tg:REMOVED@nms.tg15.gathering.org/switches-json.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart.json 'http://tg:REMOVED@nms.tg15.gathering.org/nettkart-json.pl?secret=frosk&secret2=fisk&noise=0.0000000001&phase=3&period=86400' -*/5 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/weathermap.png 
http://185.12.59.23/cacti/plugins/weathermap/output/962ddeea4b2d7ad5bd02.png - -24 12 * * * /bin/bash /root/backup/tg15backup.sh -13 07 05 04 * /bin/bash /root/backup/tg15backup.sh -45 08 05 04 * /bin/bash /root/backup/tg15backup.sh diff --git a/web/etc/nginx/default.conf b/web/etc/nginx/default.conf new file mode 100644 index 0000000..4335774 --- /dev/null +++ b/web/etc/nginx/default.conf 
@@ -0,0 +1,339 @@ +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. + +ssl_dhparam /etc/nginx/dhparam.pem; +resolver 185.110.149.2 185.110.148.2; + +# Yoda! +server { +	listen 80 default_server; +	listen [::]:80 default_server; +	root /var/www/html; +	# Add index.php to the list if you are using PHP +	index index.html index.htm index.nginx-debian.html; +        add_header Strict-Transport-Security max-age=15768000; +	server_name yoda.tg16.gathering.org; + +	location /display  { +		allow 185.110.148.24; +		allow 2a06:5841:1337::24; +		allow 185.110.148.25; +		allow 2a06:5841:1337::25; +		allow 185.110.148.26; +		allow 2a06:5841:1337::26; +		allow 2a06:5841:150a::/64; +		allow 185.110.150.0/25; +		deny all; +	} +	#location / { +	#	return 301 https://$host$request_uri; +	#} +} + +# Munin +server { +	listen 80; +        listen [::]:80;  +        access_log /var/log/nginx/munin.tg16.gathering.org_ssl_access.log; +        error_log /var/log/nginx/munin.tg16.gathering.org_ssl_error.log error; +        root /var/www/html; + +        server_name munin.tg16.gathering.org; + +        allow 185.110.150.0/25; +        allow 2a06:5841:150a::/64; +        allow 185.110.149.0/26; +        allow 2a06:5841:149a::/64; +        allow 185.110.148.0/26; +        allow 2a06:5841:1337::/64; +        allow 185.110.151.0/27; +        allow 2a06:5841:151a::/64; +        deny all; + +        location ^~ /munin-cgi/munin-cgi-graph/ { +                fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*); +                fastcgi_param PATH_INFO $fastcgi_path_info; +                fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock; +                include fastcgi_params; +        } + + +        location /munin/static/ { +                alias /etc/munin/static/; +        } + +        location /munin/ { +                fastcgi_split_path_info ^(/munin)(.*); +                fastcgi_param PATH_INFO $fastcgi_path_info; +                fastcgi_pass 
unix:/var/run/munin/fastcgi-html.sock; +                include fastcgi_params; + +		rewrite ^/munin/(.*.png)$ /munin-cgi/munin-cgi-graph/$1; +        } + +        location = / { +                return 301 $scheme://$server_name/munin/; +        } +} + +# Yoda! +server { +        listen 443 ssl http2; +        listen [::]:443 ssl http2; +        access_log /var/log/nginx/yoda.tg16.gathering.org_ssl_access.log; +        error_log /var/log/nginx/yoda.tg16.gathering.org_ssl_error.log error; +	server_name yoda.tg16.gathering.org; +        add_header Strict-Transport-Security max-age=0; +	add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; +        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +        ssl_prefer_server_ciphers on; +        ssl_certificate     /root/le/prodcerts/yoda.prod.pem; +        ssl_certificate_key /root/le/keys/domain.key; +        ssl_session_timeout 5m; +        ssl_session_cache shared:SSL:50m; +        client_max_body_size 10m; +        ssl_stapling on; +        ssl_stapling_verify on; +	root /var/www/html; +	index index.pl index.html; +	location ~ \.pl|cgi$ { +		try_files $uri =404; +		gzip off; +		fastcgi_pass  
127.0.0.1:8999; +		fastcgi_index index.pl; +		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name; +		include fastcgi_params; +        } +        location / { +		try_files $uri $uri/ =404; +        } +} + +# Webcam +server { +        listen 443 ssl http2; +        listen [::]:443 ssl http2; +        access_log /var/log/nginx/webcam.tg16.gathering.org_ssl_access.log; +        error_log /var/log/nginx/webcam.tg16.gathering.org_ssl_error.log error; +	server_name webcam.tg16.gathering.org webcams.tg16.gathering.org; +        add_header Strict-Transport-Security max-age=0; +	add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; +        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +        ssl_prefer_server_ciphers on; +        ssl_certificate     /root/le/prodcerts/yoda.prod.pem; +        ssl_certificate_key /root/le/keys/domain.key; +        ssl_session_timeout 5m; +        ssl_session_cache shared:SSL:50m; +        client_max_body_size 10m; +        ssl_stapling on; +        ssl_stapling_verify on; +	root /var/www/webcam; +        location / { +		return 301 http://stream.tg16.gathering.org/; +		#try_files $uri $uri/ =404; +        } +} 
+ +# Stream +server { +        listen 443 ssl http2; +        listen [::]:443 ssl http2; +        access_log /var/log/nginx/stream.tg16.gathering.org_ssl_access.log; +        error_log /var/log/nginx/stream.tg16.gathering.org_ssl_error.log error; +	server_name stream.tg16.gathering.org streams.tg16.gathering.org; +        #add_header Strict-Transport-Security max-age=15768000; +        add_header Strict-Transport-Security max-age=0; +	#add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; +        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +        ssl_prefer_server_ciphers on; +        ssl_certificate     /root/le/prodcerts/yoda.prod.pem; +        ssl_certificate_key /root/le/keys/domain.key; +        ssl_session_timeout 5m; +        ssl_session_cache shared:SSL:50m; +        client_max_body_size 10m; +        ssl_stapling on; +        ssl_stapling_verify on; +	root /var/www/stream/; +#	index index.pl index.html; +	index index.pl index.py index.html; +        location /hls { +            types { +                #application/vnd.apple.mpegurl m3u8; +                application/x-mpegURL m3u8; +                video/mp2t ts; +                
text/html htm; +            } +            root /var/www/; +            add_header Cache-Control no-cache; +        } +        location /stat { +	        allow 185.110.150.0/25; +	        allow 2a06:5841:150a::/64; +	        allow 185.110.149.0/26; +	        allow 2a06:5841:149a::/64; +	        allow 185.110.148.0/26; +   		allow 2a06:5841:1337::/64; +	        allow 185.110.151.0/27; +	        allow 2a06:5841:151a::/64; +	        deny all; +                rtmp_stat all; +                rtmp_stat_stylesheet /stat.xsl; +        } +        location /stat.xsl { +	        allow 185.110.150.0/25; +	        allow 2a06:5841:150a::/64; +	        allow 185.110.149.0/26; +	        allow 2a06:5841:149a::/64; +	        allow 185.110.148.0/26; +   		allow 2a06:5841:1337::/64; +	        allow 185.110.151.0/27; +	        allow 2a06:5841:151a::/64; +	        deny all; +        } +	location ~ \.py { +		try_files $uri =404; +		fastcgi_pass unix:/tmp/index-fcgi.sock; +		fastcgi_index index.py; +		fastcgi_param PATH_INFO $fastcgi_path_info; +		include fastcgi_params; +	} +	location ~ \.pl|cgi$ { +		try_files $uri =404; +		gzip off; +		fastcgi_pass  127.0.0.1:8999; +		fastcgi_index index.pl; +		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name; +		include fastcgi_params; +        } +	location / { +		return 301 http://$host$request_uri; +		#try_files $uri $uri/ =404; +	} +} + +# Stream +server { +	listen 80; +        listen [::]:80;  +        access_log /var/log/nginx/stream.tg16.gathering.org_access.log; +        error_log /var/log/nginx/stream.tg16.gathering.org_error.log error; +	server_name stream.tg16.gathering.org streams.tg16.gathering.org; +        add_header Strict-Transport-Security max-age=0; +        client_max_body_size 10m; +	root /var/www/stream/; +#	index index.pl index.html; +	index index.pl index.py index.html; +        location /hls { +            types { +                #application/vnd.apple.mpegurl m3u8; +                application/x-mpegURL 
m3u8; +                video/mp2t ts; +                text/html htm; +            } +            root /var/www/; +            add_header Cache-Control no-cache; +        } +        location /stat { +	        allow 185.110.150.0/25; +	        allow 2a06:5841:150a::/64; +	        allow 185.110.149.0/26; +	        allow 2a06:5841:149a::/64; +	        allow 185.110.148.0/26; +   		allow 2a06:5841:1337::/64; +	        allow 185.110.151.0/27; +	        allow 2a06:5841:151a::/64; +	        deny all; +                rtmp_stat all; +                rtmp_stat_stylesheet /stat.xsl; +        } +        location /stat.xsl { +	        allow 185.110.150.0/25; +	        allow 2a06:5841:150a::/64; +	        allow 185.110.149.0/26; +	        allow 2a06:5841:149a::/64; +	        allow 185.110.148.0/26; +   		allow 2a06:5841:1337::/64; +	        allow 185.110.151.0/27; +	        allow 2a06:5841:151a::/64; +	        deny all; +        } +	location ~ \.py { +		try_files $uri =404; +		fastcgi_pass unix:/tmp/index-fcgi.sock; +		fastcgi_index index.py; +		fastcgi_param PATH_INFO $fastcgi_path_info; +		include fastcgi_params; +	} +	location ~ \.pl|cgi$ { +		try_files $uri =404; +		gzip off; +		fastcgi_pass  127.0.0.1:8999; +		fastcgi_index index.pl; +		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name; +		include fastcgi_params; +        } +        location / { +		try_files $uri $uri/ =404; +        } +} + +# NMS-backend +upstream nms { +	server obi-wan.tg16.gathering.org; +	keepalive 32; +} + +# NMS +server { +        listen 443 ssl http2; +        listen [::]:443 ssl http2; +        access_log /var/log/nginx/nms.tg16.gathering.org_ssl_access.log; +        error_log /var/log/nginx/nms.tg16.gathering.org_ssl_error.log error; +	server_name nms.tg16.gathering.org nms-public.tg16.gathering.org nms-api.tg16.gathering.org nms4.tg16.gathering.org nms6.tg16.gathering.org; +        add_header Strict-Transport-Security max-age=15768000; +	add_header Public-Key-Pins 
'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; +        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +        ssl_prefer_server_ciphers on; +        ssl_certificate     /root/le/prodcerts/yoda.prod.pem; +        ssl_certificate_key /root/le/keys/domain.key; +        ssl_session_timeout 5m; +        ssl_session_cache shared:SSL:50m; +        client_max_body_size 10m; +        ssl_stapling on; +        ssl_stapling_verify on; +        location / { +		proxy_set_header Host            $host; +		proxy_set_header X-Forwarded-For $remote_addr; +		proxy_pass http://nms; +		proxy_http_version 1.1; +		proxy_set_header Connection ""; +        } +} + +# Stats +server { +        listen 443 ssl http2; +        listen [::]:443 ssl http2; +        access_log /var/log/nginx/stats.tg16.gathering.org_ssl_access.log; +        error_log /var/log/nginx/stats.tg16.gathering.org_ssl_error.log error; +	server_name stats.tg16.gathering.org; +        add_header Strict-Transport-Security max-age=15768000; +	add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; +        
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +        ssl_prefer_server_ciphers on; +        ssl_certificate     /root/le/prodcerts/yoda.prod.pem; +        ssl_certificate_key /root/le/keys/domain.key; +        ssl_session_timeout 5m; +        ssl_session_cache shared:SSL:50m; +        client_max_body_size 10m; +        ssl_stapling on; +        ssl_stapling_verify on; +	root /var/www/stats; +        location / { +		try_files $uri $uri/ =404; +        } +} diff --git a/web/etc/varnish/nms.vcl b/web/etc/varnish/nms.vcl index 6349238..53a9444 100644 --- a/web/etc/varnish/nms.vcl +++ b/web/etc/varnish/nms.vcl @@ -11,6 +11,9 @@ backend default {  # Sort magi.  sub vcl_recv { +    if (req.url ~ "^/where" || req.url ~ "^/location") { +	set req.url = "/api/public/location"; +    }      if (req.method != "GET" &&          req.method != "HEAD" &&          req.method != "PUT" && @@ -22,9 +25,6 @@ sub vcl_recv {          return (synth(418,"LOLOLOL"));      } -    # Hardcoded for testing -    set req.http.host = "nms.tg16.gathering.org";  -      if (req.method != "GET" && req.method != "HEAD") {          /* We only deal with GET and HEAD by default */          return (pass); 
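Review bot: Every TLS server block sends `Public-Key-Pins` with `includeSubDomains` and a 60-day `max-age`, and the first pin, `47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`, is the base64 SHA-256 of the empty string rather than of any SPKI, so there is effectively a single real pin: the next rotation of `/root/le/keys/domain.key` (or of whichever CA key the second pin covers) locks returning browsers out of these hosts and their subdomains for two months. Remove the header, or at minimum pin a backup key that is genuinely held offline and keep `max-age` at a few minutes until rotation has been rehearsed. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` plus the explicit `DES-CBC3-SHA` entry in `ssl_ciphers` keep TLS 1.0 and 3DES negotiable; `ssl_protocols TLSv1.2;` and removing `:DES-CBC3-SHA` from the suite string cost only very old clients. The regex in `location ~ \.pl|cgi$` parses as `\.pl` OR `cgi$`, so any URI containing `.pl` anywhere, and any URI ending in `cgi`, is handed to the Perl FastCGI backend on 8999; it should read `location ~ \.(pl|cgi)$ {`. The `location ~ \.py` block sets `PATH_INFO $fastcgi_path_info` without a `fastcgi_split_path_info`, so PATH_INFO is always empty, lacks a `$` anchor, and talks to a socket in world-writable `/tmp` — move `index-fcgi.sock` under `/var/run` with a fixed owner.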
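Review bot: The added rewrite in `vcl_recv` matches `^/where` and `^/location` with no end anchor, so `/whereabouts`, `/locations.json` or `/location?x=1` are all silently rewritten to `/api/public/location` and any query string is discarded. If only the two bare aliases are intended, `if (req.url ~ "^/(where|location)/?$") {` limits it to those. `vcl_recv` continues outside the hunk.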
@@ -37,6 +37,7 @@ sub vcl_recv {      return (hash);  } +  # Rosa magi  sub vcl_hash {      # Wheee. Legg til authorization-headeren i hashen. @@ -50,4 +51,8 @@ sub vcl_backend_response {      if (beresp.http.x-ban) {          ban("obj.http.x-url ~ " + beresp.http.x-ban);      } +    if (beresp.status != 200) { +        set beresp.uncacheable = false; +        set beresp.ttl = 5s; +    }  }  | 
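Review bot: The new block in `vcl_backend_response` forces every non-200 response to be cached for 5s by clearing `beresp.uncacheable`, which overrides whatever the backend said in `Cache-Control` and covers 401 challenges, 404s and 5xx errors alike; since `vcl_hash` folds the Authorization header in, a cached 401 is per-credential, but a transient backend 500 or 503 will be replayed for five seconds. If the intent is to shield the backend from error storms, scope it explicitly, e.g. `if (beresp.status == 404 || beresp.status >= 500) { set beresp.ttl = 5s; }`, and leave `uncacheable` untouched so responses carrying `Set-Cookie` or `private` keep their default handling. The built-in `vcl_backend_response` still runs after this one (there is no `return`), and whether it re-marks such responses uncacheable depends on the Varnish version — confirm against the one deployed.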
