From 9bf9cd8bf0d52f07e7bcb8a1f4d8b792c3274729 Mon Sep 17 00:00:00 2001 From: Kristian Lyngstol Date: Mon, 21 Mar 2016 19:10:45 +0100 Subject: FIX FAX APACHE NMS PUBLIC --- web/etc/apache2/nms-public.tg15.gathering.org.conf | 21 --------------------- web/etc/apache2/nms.tg16.gathering.org.conf | 2 +- web/etc/varnish/nms.vcl | 3 --- 3 files changed, 1 insertion(+), 25 deletions(-) delete mode 100644 web/etc/apache2/nms-public.tg15.gathering.org.conf (limited to 'web/etc') diff --git a/web/etc/apache2/nms-public.tg15.gathering.org.conf b/web/etc/apache2/nms-public.tg15.gathering.org.conf deleted file mode 100644 index 6ca255d..0000000 --- a/web/etc/apache2/nms-public.tg15.gathering.org.conf +++ /dev/null @@ -1,21 +0,0 @@ - - ServerAdmin drift@gathering.org - ServerName nms-public.tg15.gathering.org - - DocumentRoot /root/tgmanage/web/nms-public.gathering.org - AddHandler cgi-script .cgi .sh .pl .py - - LogLevel warn - ErrorLog /var/log/apache2/error-nms-public.tg15.gathering.org.log - CustomLog /var/log/apache2/access-nms-public.tg15.gathering.org.log combined - - - AllowOverride None - Options Indexes FollowSymLinks ExecCGI MultiViews - - Require all granted - - - ServerSignature On - - diff --git a/web/etc/apache2/nms.tg16.gathering.org.conf b/web/etc/apache2/nms.tg16.gathering.org.conf index 9a6d7cd..1c1d7e3 100644 --- a/web/etc/apache2/nms.tg16.gathering.org.conf +++ b/web/etc/apache2/nms.tg16.gathering.org.conf @@ -1,7 +1,7 @@ ServerAdmin drift@gathering.org ServerName nms.tg16.gathering.org - ServerAlias einstein.tg16.gathering.org + ServerAlias nms.tg16.gathering.org DocumentRoot /srv/tgmanage/web/nms.gathering.org ScriptAlias /api/private/ /srv/tgmanage/web/nms.gathering.org/api/private/ diff --git a/web/etc/varnish/nms.vcl b/web/etc/varnish/nms.vcl index 6349238..93da9de 100644 --- a/web/etc/varnish/nms.vcl +++ b/web/etc/varnish/nms.vcl 
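Review bot: The new `ServerAlias nms.tg16.gathering.org` repeats the `ServerName` directly above it, so the line now adds nothing. If the intent was to stop answering for `einstein.tg16.gathering.org`, drop the alias line entirely; if that name must still be accepted, it has to stay as the alias, because a name no vhost lists falls through to Apache's default vhost. Either way the subject "FIX FAX APACHE NMS PUBLIC" does not say which, and one line in the message would. The enclosing VirtualHost starts and ends outside the hunk.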
@@ -22,9 +22,6 @@ sub vcl_recv { return (synth(418,"LOLOLOL")); } - # Hardcoded for testing - set req.http.host = "nms.tg16.gathering.org"; - if (req.method != "GET" && req.method != "HEAD") { /* We only deal with GET and HEAD by default */ return (pass); -- cgit v1.2.3 From 727e4ab31aa6d1a754711d4cd29dbcefae2e952a Mon Sep 17 00:00:00 2001 From: Kristian Lyngstol Date: Mon, 21 Mar 2016 20:11:55 +0100 Subject: NMS: NMS Public --- web/etc/apache2/nms-public.tg16.gathering.org.conf | 30 ++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 web/etc/apache2/nms-public.tg16.gathering.org.conf (limited to 'web/etc') diff --git a/web/etc/apache2/nms-public.tg16.gathering.org.conf b/web/etc/apache2/nms-public.tg16.gathering.org.conf new file mode 100644 index 0000000..7e24b5c --- /dev/null +++ b/web/etc/apache2/nms-public.tg16.gathering.org.conf @@ -0,0 +1,30 @@ + + ServerAdmin drift@gathering.org + ServerName nms-public.tg16.gathering.org + ServerAlias nms-public.tg16.gathering.org + + DocumentRoot /srv/tgmanage/web/nms-public.gathering.org + ScriptAlias /api/public/ /srv/tgmanage/web/nms-public.gathering.org/api/public/ + + AllowOverride None + Options +ExecCGI -MultiViews +Indexes +SymLinksIfOwnerMatch + Require all granted + + + AllowOverride None + Options Indexes FollowSymLinks MultiViews + Require all granted + + AddDefaultCharset UTF-8 + + + ErrorLog /var/log/apache2/error-nms-public.tg16.gathering.org.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog /var/log/apache2/access-nms-public.tg16.gathering.org.log combined + ServerSignature On + + -- cgit v1.2.3 From e3a11ccb7f67d036c1556f51efc509ee8038ca8a Mon Sep 17 00:00:00 2001 
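Review bot: The directory block covering the public CGI path (`/srv/tgmanage/web/nms-public.gathering.org/api/public/`, its container tag is not visible on this page) combines `+Indexes` with `Require all granted`, so any unauthenticated visitor can list every script in the public API directory; unless that listing is wanted, make it `Options +ExecCGI -MultiViews -Indexes +SymLinksIfOwnerMatch`. The document-root block's `Options Indexes FollowSymLinks MultiViews` has the same effect for the static tree. `ServerAlias nms-public.tg16.gathering.org` duplicates `ServerName` and can go, and `ServerSignature On` puts the server version banner on every error page of a public host, where `ServerSignature Off` is the usual choice.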
From: Kristian Lyngstol Date: Tue, 22 Mar 2016 13:18:52 +0100 Subject: NMS: Implement read/write separation in frontend --- web/etc/apache2/nms.tg16.gathering.org.conf | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) (limited to 'web/etc') diff --git a/web/etc/apache2/nms.tg16.gathering.org.conf b/web/etc/apache2/nms.tg16.gathering.org.conf index 1c1d7e3..08471e0 100644 --- a/web/etc/apache2/nms.tg16.gathering.org.conf +++ b/web/etc/apache2/nms.tg16.gathering.org.conf @@ -4,18 +4,29 @@ ServerAlias nms.tg16.gathering.org DocumentRoot /srv/tgmanage/web/nms.gathering.org - ScriptAlias /api/private/ /srv/tgmanage/web/nms.gathering.org/api/private/ + ScriptAlias /api/write/ /srv/tgmanage/web/nms.gathering.org/api/write/ + ScriptAlias /api/read/ /srv/tgmanage/web/nms.gathering.org/api/read/ ScriptAlias /api/public/ /srv/tgmanage/web/nms.gathering.org/api/public/ - + AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - AuthUserFile /srv/tgmanage/web/.htpasswd + AuthUserFile /srv/tgmanage/web/htpasswd-write AuthName "Tech:Server Secret Volcano Lair" AuthType Basic Require valid-user + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + + AuthUserFile /srv/tgmanage/web/htpasswd-read + AuthName "The Gathering Network Management System" + AuthType Basic + Require valid-user + + AllowOverride None Options +ExecCGI -MultiViews +Indexes +SymLinksIfOwnerMatch @@ -24,16 +35,13 @@ AllowOverride None Options Indexes FollowSymLinks MultiViews - AddDefaultCharset UTF-8 - - AuthUserFile /srv/tgmanage/web/.htpasswd - AuthName "Tech:Server Secret Volcano Lair" + AuthUserFile /srv/tgmanage/web/htpasswd-read + AuthName "The Gathering Network Management System" AuthType Basic Require valid-user - ErrorLog /var/log/apache2/error-nms.tg16.gathering.org.log -- cgit v1.2.3 From e4f3bbbaffcc7315f73ecf55a52ad61814d96100 Mon Sep 17 00:00:00 2001 
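Review bot: Nothing in the hunk records which credential file is meant to grant what, and because the document-root block (second hunk) now also requires `htpasswd-read`, an account present only in `htpasswd-write` can call `/api/write/` but cannot open the UI unless it is listed in the read file too — presumably intended, but a reader cannot tell. A comment above the first ScriptAlias would settle it: `# /api/write/: mutating calls, accounts from htpasswd-write; /api/read/ and the UI: accounts from htpasswd-read`. Both htpasswd files live in `/srv/tgmanage/web/`, the parent of the `DocumentRoot`, so they are outside the served tree; worth stating in the same comment so nobody "tidies" them into the web root. The enclosing VirtualHost starts and ends outside the hunk.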
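Review bot: The second hunk also removes `AddDefaultCharset UTF-8` from the document-root block, which has nothing to do with the read/write split the subject describes. If that removal is deliberate the commit message should say why; otherwise restore the line, since without it text responses that carry no charset of their own are left to browser sniffing.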
From: Kristian Lyngstol Date: Wed, 23 Mar 2016 02:52:26 +0100 Subject: NMS: Fix cache invalidation etc --- web/etc/varnish/nms.vcl | 3 +++ 1 file changed, 3 insertions(+) (limited to 'web/etc') diff --git a/web/etc/varnish/nms.vcl b/web/etc/varnish/nms.vcl index 93da9de..0cddebd 100644 --- a/web/etc/varnish/nms.vcl +++ b/web/etc/varnish/nms.vcl @@ -11,6 +11,9 @@ backend default { # Sort magi. sub vcl_recv { + if (req.url ~ "^/where" || req.url ~ "^/location") { + set req.url = "/api/public/location"; + } if (req.method != "GET" && req.method != "HEAD" && req.method != "PUT" && -- cgit v1.2.3 From dff176ae0469bc60604ddae2e9f651881c7026de Mon Sep 17 00:00:00 2001 From: Kristian Lyngstol Date: Fri, 25 Mar 2016 15:49:37 +0100 Subject: NMS: Tweak colors for DHCP map --- web/etc/varnish/nms.vcl | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'web/etc') diff --git a/web/etc/varnish/nms.vcl b/web/etc/varnish/nms.vcl index 0cddebd..53a9444 100644 --- a/web/etc/varnish/nms.vcl +++ b/web/etc/varnish/nms.vcl @@ -37,6 +37,7 @@ sub vcl_recv { return (hash); } + # Rosa magi sub vcl_hash { # Wheee. Legg til authorization-headeren i hashen. @@ -50,4 +51,8 @@ sub vcl_backend_response { if (beresp.http.x-ban) { ban("obj.http.x-url ~ " + beresp.http.x-ban); } + if (beresp.status != 200) { + set beresp.uncacheable = false; + set beresp.ttl = 5s; + } } -- cgit v1.2.3 From 8a7803625d47d375d79beb6968c1905a4f235384 Mon Sep 17 00:00:00 2001 
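Review bot: `req.url ~ "^/where"` and `"^/location"` are bare prefix matches, so `/wherever`, `/locations/…` and any other URL starting with those prefixes is rewritten to `/api/public/location` as well, and the original query string is discarded with it; if only the two paths are meant, anchor them: `if (req.url ~ "^/(where|location)($|[/?])") {`. The rewrite also runs before the method check that follows it, so non-GET requests to these paths reach the backend under the new URL — harmless if the backend rejects them, but worth a one-line comment. The subject says "Fix cache invalidation etc" while the hunk only adds this rewrite; the message should say what it is for. vcl_recv continues outside the hunk.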
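Review bot: `if (beresp.status != 200)` forces `beresp.uncacheable = false` and a 5s TTL on every non-200 response, including 301/302 redirects and 401/403 challenge responses, which is much broader than shielding the backend from repeated errors. Restrict it to the statuses actually intended, e.g. `if (beresp.status == 404 || beresp.status >= 500) {`, and add a comment saying this is short negative caching. The subject "Tweak colors for DHCP map" does not describe this VCL change at all, so the message should be amended. vcl_backend_response starts outside the hunk.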
From: Joachim Tingvold Date: Sat, 26 Mar 2016 14:45:02 +0100 Subject: Cleaning. --- web/etc/apache2/munin.tg15.gathering.org.conf | 120 ------------------------- web/etc/apache2/stats.tg15.gathering.org.conf | 21 ----- web/etc/apache2/stream.tg15.gathering.org.conf | 25 ------ web/etc/cron/einstein.cron | 39 -------- 4 files changed, 205 deletions(-) delete mode 100644 web/etc/apache2/munin.tg15.gathering.org.conf delete mode 100644 web/etc/apache2/stats.tg15.gathering.org.conf delete mode 100644 web/etc/apache2/stream.tg15.gathering.org.conf delete mode 100644 web/etc/cron/einstein.cron (limited to 'web/etc') diff --git a/web/etc/apache2/munin.tg15.gathering.org.conf b/web/etc/apache2/munin.tg15.gathering.org.conf deleted file mode 100644 index aaa3848..0000000 --- a/web/etc/apache2/munin.tg15.gathering.org.conf +++ /dev/null 
@@ -1,120 +0,0 @@ - - ServerAdmin drift@gathering.org - ServerName munin.tg15.gathering.org - - # Enable this for template generation - Alias /munin /var/cache/munin/www - - # Enable this for cgi-based templates - #Alias /munin-cgi/static /var/cache/munin/www/static - #ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html - # - # Order allow,deny - # Allow from localhost 127.0.0.0/8 ::1 - # AuthUserFile /etc/munin/munin-htpasswd - # AuthName "Munin" - # AuthType Basic - # require valid-user - # - - DocumentRoot /var/cache/munin/www - - AllowOverride None - Order allow,deny - Allow from all - Options Indexes - #Require all granted - - # This file can be used as a .htaccess file, or a part of your apache - # config file. - # - # For the .htaccess file option to work the munin www directory - # (/var/cache/munin/www) must have "AllowOverride all" or something - # close to that set. - # - - # AuthUserFile /etc/munin/munin-htpasswd - # AuthName "Munin" - # AuthType Basic - # require valid-user - - # This next part requires mod_expires to be enabled. - # - - # Set the default expiration time for files to 5 minutes 10 seconds from - # their creation (modification) time. There are probably new files by - # that time. 
- # - - SetEnvIF ^X-Forwarded-For$ "^185\.12\.59\.12$" AllowIP - SetEnvIF ^X-Forwarded-For$ "^2a02:ed02:1337::12$" AllowIP - - - AuthUserFile /root/tgmanage/web/.htpasswd - AuthName "Tech:Server Secret Volcano Lair" - AuthType Basic - Require valid-user - - Require env AllowIP - - - - ExpiresActive On - ExpiresDefault M310 - - - - - # Enables fastcgi for munin-cgi-html if present - # - # - # SetHandler fastcgi-script - # - # - - # - # SetHandler None - # - - # Enables fastcgi for munin-cgi-graph if present - ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph - - Order allow,deny - Allow from localhost 127.0.0.0/8 ::1 - # AuthUserFile /etc/munin/munin-htpasswd - # AuthName "Munin" - # AuthType Basic - # require valid-user - - SetHandler fcgid-script - - - SetHandler cgi-script - - - - ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html - - Order allow,deny - Allow from localhost 127.0.0.0/8 ::1 - # AuthUserFile /etc/munin/munin-htpasswd - # AuthName "Munin" - # AuthType Basic - # require valid-user - - SetHandler fcgid-script - - - SetHandler cgi-script - - - - ErrorLog /var/log/apache2/error-munin.tg15.gathering.org.log - - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - LogLevel debug - - CustomLog /var/log/apache2/access-munin.tg15.gathering.org.log combined - ServerSignature On - diff --git a/web/etc/apache2/stats.tg15.gathering.org.conf b/web/etc/apache2/stats.tg15.gathering.org.conf deleted file mode 100644 index 2dc99a4..0000000 --- a/web/etc/apache2/stats.tg15.gathering.org.conf +++ /dev/null 
@@ -1,21 +0,0 @@ - - ServerAdmin drift@gathering.org - ServerName stats.tg15.gathering.org - - DocumentRoot /root/tgmanage/web/stats.gathering.org - - AllowOverride None - Options Indexes FollowSymLinks ExecCGI MultiViews - - Require all granted - - - ErrorLog /var/log/apache2/error-stats.tg15.gathering.org.log - - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - LogLevel warn - - CustomLog /var/log/apache2/access-stats.tg15.gathering.org.log combined - ServerSignature On - diff --git a/web/etc/apache2/stream.tg15.gathering.org.conf b/web/etc/apache2/stream.tg15.gathering.org.conf deleted file mode 100644 index 1f92f47..0000000 --- a/web/etc/apache2/stream.tg15.gathering.org.conf +++ /dev/null @@ -1,25 +0,0 @@ - - ServerAdmin drift@gathering.org - ServerName stream.tg15.gathering.org - ServerAlias krosus.tg15.gathering.org - - DocumentRoot /root/tgmanage/web/stream.gathering.org - - AllowOverride None - Options Indexes FollowSymLinks ExecCGI MultiViews - Order allow,deny - Allow from all - Require all granted - AddHandler cgi-script .cgi .sh .pl .py - AddDefaultCharset UTF-8 - - - ErrorLog /var/log/apache2/error-stream.tg15.gathering.org.log - - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - LogLevel info - - CustomLog /var/log/apache2/access-stream.tg15.gathering.org.log combined - ServerSignature On - diff --git a/web/etc/cron/einstein.cron b/web/etc/cron/einstein.cron deleted file mode 100644 index 616867f..0000000 --- a/web/etc/cron/einstein.cron +++ /dev/null 
@@ -1,39 +0,0 @@ -# Edit this file to introduce tasks to be run by cron. -# -# Each task to run has to be defined through a single line -# indicating with different fields when the task will be run -# and what command to run for the task -# -# To define the time you can provide concrete values for -# minute (m), hour (h), day of month (dom), month (mon), -# and day of week (dow) or use '*' in these fields (for 'any').# -# Notice that tasks will be started based on the cron's system -# daemon's notion of time and timezones. -# -# Output of the crontab jobs (including errors) is sent through -# email to the user the crontab file belongs to (unless redirected). -# -# For example, you can run a backup of all your user accounts -# at 5 a.m every week with: -# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/ -# -# For more information see the manual pages of crontab(5) and cron(8) -# -# m h dom mon dow command - -# hver dag kl 18:00 -0 18 * * * /bin/bash /root/tgmanage/clients/fetch-cubemap-munin.sh - -# søndag kl 06:00 -0 6 05 04 * /bin/bash /root/tgmanage/clients/fetch-cubemap-munin.sh - -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart-trafikk.png http://tg:REMOVED@nms.tg15.gathering.org/nettkart.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart-dhcp.png http://tg:REMOVED@nms.tg15.gathering.org/dhcpkart.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/tempkart.png http://tg:REMOVED@nms.tg15.gathering.org/stempmap.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/switches.json http://tg:REMOVED@nms.tg15.gathering.org/switches-json.pl -*/1 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/nettkart.json 'http://tg:REMOVED@nms.tg15.gathering.org/nettkart-json.pl?secret=frosk&secret2=fisk&noise=0.0000000001&phase=3&period=86400' -*/5 * * * * wget -qO/root/tgmanage/web/nms-public.gathering.org/weathermap.png 
http://185.12.59.23/cacti/plugins/weathermap/output/962ddeea4b2d7ad5bd02.png - -24 12 * * * /bin/bash /root/backup/tg15backup.sh -13 07 05 04 * /bin/bash /root/backup/tg15backup.sh -45 08 05 04 * /bin/bash /root/backup/tg15backup.sh -- cgit v1.2.3 From 96a9bb4c42f4b53020302fea2a46e734c61c0319 Mon Sep 17 00:00:00 2001 From: Joachim Tingvold Date: Sat, 26 Mar 2016 14:50:18 +0100 Subject: Added web-config. --- web/etc/nginx/default.conf | 339 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 339 insertions(+) create mode 100644 web/etc/nginx/default.conf (limited to 'web/etc') diff --git a/web/etc/nginx/default.conf b/web/etc/nginx/default.conf new file mode 100644 index 0000000..4335774 --- /dev/null +++ b/web/etc/nginx/default.conf 
@@ -0,0 +1,339 @@
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+
+ssl_dhparam /etc/nginx/dhparam.pem;
+resolver 185.110.149.2 185.110.148.2;
+
+# Yoda!
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ root /var/www/html;
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+ add_header Strict-Transport-Security max-age=15768000;
+ server_name yoda.tg16.gathering.org;
+
+ location /display {
+ allow 185.110.148.24;
+ allow 2a06:5841:1337::24;
+ allow 185.110.148.25;
+ allow 2a06:5841:1337::25;
+ allow 185.110.148.26;
+ allow 2a06:5841:1337::26;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.150.0/25;
+ deny all;
+ }
+ #location / {
+ # return 301 https://$host$request_uri;
+ #}
+}
+
+# Munin
+server {
+ listen 80;
+ listen [::]:80;
+ access_log /var/log/nginx/munin.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/munin.tg16.gathering.org_ssl_error.log error;
+ root /var/www/html;
+
+ server_name munin.tg16.gathering.org;
+
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+
+ location ^~ /munin-cgi/munin-cgi-graph/ {
+ fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock;
+ include fastcgi_params;
+ }
+
+
+ location /munin/static/ {
+ alias /etc/munin/static/;
+ }
+
+ location /munin/ {
+ fastcgi_split_path_info ^(/munin)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:/var/run/munin/fastcgi-html.sock;
+ include fastcgi_params;
+
+ rewrite ^/munin/(.*.png)$ /munin-cgi/munin-cgi-graph/$1;
+ }
+
+ location = / {
+ return 301 $scheme://$server_name/munin/;
+ }
+}
+
+# Yoda!
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/yoda.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/yoda.tg16.gathering.org_ssl_error.log error;
+ server_name yoda.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=0;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/html;
+ index index.pl index.html;
+ location ~ \.pl|cgi$ {
+ try_files $uri =404;
+ gzip off;
+ fastcgi_pass 127.0.0.1:8999;
+ fastcgi_index index.pl;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
+# Webcam
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/webcam.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/webcam.tg16.gathering.org_ssl_error.log error;
+ server_name webcam.tg16.gathering.org webcams.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=0;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/webcam;
+ location / {
+ return 301 http://stream.tg16.gathering.org/;
+ #try_files $uri $uri/ =404;
+ }
+}
+
+# Stream
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/stream.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/stream.tg16.gathering.org_ssl_error.log error;
+ server_name stream.tg16.gathering.org streams.tg16.gathering.org;
+ #add_header Strict-Transport-Security max-age=15768000;
+ add_header Strict-Transport-Security max-age=0;
+ #add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/stream/;
+# index index.pl index.html;
+ index index.pl index.py index.html;
+ location /hls {
+ types {
+ #application/vnd.apple.mpegurl m3u8;
+ application/x-mpegURL m3u8;
+ video/mp2t ts;
+ text/html htm;
+ }
+ root /var/www/;
+ add_header Cache-Control no-cache;
+ }
+ location /stat {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ rtmp_stat all;
+ rtmp_stat_stylesheet /stat.xsl;
+ }
+ location /stat.xsl {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ }
+ location ~ \.py {
+ try_files $uri =404;
+ fastcgi_pass unix:/tmp/index-fcgi.sock;
+ fastcgi_index index.py;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+ }
+ location ~ \.pl|cgi$ {
+ try_files $uri =404;
+ gzip off;
+ fastcgi_pass 127.0.0.1:8999;
+ fastcgi_index index.pl;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+ location / {
+ return 301 http://$host$request_uri;
+ #try_files $uri $uri/ =404;
+ }
+}
+
+# Stream
+server {
+ listen 80;
+ listen [::]:80;
+ access_log /var/log/nginx/stream.tg16.gathering.org_access.log;
+ error_log /var/log/nginx/stream.tg16.gathering.org_error.log error;
+ server_name stream.tg16.gathering.org streams.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=0;
+ client_max_body_size 10m;
+ root /var/www/stream/;
+# index index.pl index.html;
+ index index.pl index.py index.html;
+ location /hls {
+ types {
+ #application/vnd.apple.mpegurl m3u8;
+ application/x-mpegURL m3u8;
+ video/mp2t ts;
+ text/html htm;
+ }
+ root /var/www/;
+ add_header Cache-Control no-cache;
+ }
+ location /stat {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ rtmp_stat all;
+ rtmp_stat_stylesheet /stat.xsl;
+ }
+ location /stat.xsl {
+ allow 185.110.150.0/25;
+ allow 2a06:5841:150a::/64;
+ allow 185.110.149.0/26;
+ allow 2a06:5841:149a::/64;
+ allow 185.110.148.0/26;
+ allow 2a06:5841:1337::/64;
+ allow 185.110.151.0/27;
+ allow 2a06:5841:151a::/64;
+ deny all;
+ }
+ location ~ \.py {
+ try_files $uri =404;
+ fastcgi_pass unix:/tmp/index-fcgi.sock;
+ fastcgi_index index.py;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+ }
+ location ~ \.pl|cgi$ {
+ try_files $uri =404;
+ gzip off;
+ fastcgi_pass 127.0.0.1:8999;
+ fastcgi_index index.pl;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
+# NMS-backend
+upstream nms {
+ server obi-wan.tg16.gathering.org;
+ keepalive 32;
+}
+
+# NMS
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/nms.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/nms.tg16.gathering.org_ssl_error.log error;
+ server_name nms.tg16.gathering.org nms-public.tg16.gathering.org nms-api.tg16.gathering.org nms4.tg16.gathering.org nms6.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=15768000;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://nms;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ }
+}
+
+# Stats
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ access_log /var/log/nginx/stats.tg16.gathering.org_ssl_access.log;
+ error_log /var/log/nginx/stats.tg16.gathering.org_ssl_error.log error;
+ server_name stats.tg16.gathering.org;
+ add_header Strict-Transport-Security max-age=15768000;
+ add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /root/le/prodcerts/yoda.prod.pem;
+ ssl_certificate_key /root/le/keys/domain.key;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ client_max_body_size 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ root /var/www/stats;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
-- cgit v1.2.3
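Review bot: The first `pin-sha256` value in every `Public-Key-Pins` header, `47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`, is the base64 SHA-256 of empty input rather than of a key, so each host in practice pins a single key with no backup; with `max-age=5184000` and `includeSubDomains`, any key change on the Let's Encrypt certificates under `/root/le/` would lock returning clients out of every `*.tg16.gathering.org` host for 60 days. Either drop the `add_header Public-Key-Pins` lines or replace the placeholder with the pin of an offline backup key, and leave `includeSubDomains` off until that is verified. Separately, `location ~ \.pl|cgi$` is an ungrouped alternation that also matches any URL containing `.pl` (for example `/notes.plain`), and `location ~ \.py` has no end anchor; `location ~ \.(pl|cgi)$ {` and `location ~ \.py$ {` are presumably what was meant, in both stream blocks and the yoda block. Note also that the NMS block forwards the Basic-auth traffic over `proxy_pass http://nms` in plaintext to obi-wan, and every TLS block still offers `TLSv1 TLSv1.1`; if both are deliberate for the event network, a comment saying so would stop the next reviewer raising them again.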