diff --git a/init-server.py b/init-server.py
index aac3541..3540dda 100755
--- a/init-server.py
+++ b/init-server.py
@@ -253,7 +253,7 @@ def tile_gen(hostname, user, port):
 def debug(hostname, user, port):
 c = get_connection(hostname, user, port)
- upload_http_host_config(c)
+ # upload_http_host_config(c)
 upload_https_host_files(c)
 # run_http_host_sync(c)
diff --git a/scripts/http_host/http_host_lib/nginx.py b/scripts/http_host/http_host_lib/nginx.py
index db644f6..bcee045 100644
--- a/scripts/http_host/http_host_lib/nginx.py
+++ b/scripts/http_host/http_host_lib/nginx.py
@@ -15,8 +15,11 @@ def write_nginx_config():
 cf_template = cf_template.replace('__LOCATION_BLOCKS__', location_str)
 cf_template = cf_template.replace('__DOMAIN__', HOST_CONFIG['domain_cf'])
+ cf_template = cf_template.replace('__LOCAL__', 'ofm_cf')
- curl_text_mix += curl_text.replace('__DOMAIN__', HOST_CONFIG['domain_cf'])
+ curl_text_mix += curl_text.replace('__DOMAIN__', HOST_CONFIG['domain_cf']).replace(
+ '__LOCAL__', 'ofm_cf'
+ )
 with open('/data/nginx/sites/cf.conf', 'w') as fp:
 fp.write(cf_template)
@@ -41,7 +44,7 @@ def create_location_blocks():
 if not curl_text:
 curl_text = (
 '\ntest with:\n'
- f'curl -H "Host: ofm" -I http://localhost/{area}/{version}/14/8529/5975.pbf\n'
+ f'curl -H "Host: __LOCAL__" -I http://localhost/{area}/{version}/14/8529/5975.pbf\n'
 f'curl -I https://__DOMAIN__/{area}/{version}/14/8529/5975.pbf'
 )
diff --git a/scripts/http_host/http_host_lib/nginx/cf.conf b/scripts/http_host/http_host_lib/nginx/cf.conf
index 378811b..eaa8a89 100644
--- a/scripts/http_host/http_host_lib/nginx/cf.conf
+++ b/scripts/http_host/http_host_lib/nginx/cf.conf
@@ -1,5 +1,5 @@
 server {
- server_name ofm __DOMAIN__;
+ server_name __LOCAL__ __DOMAIN__;
 # ssl: https://ssl-config.mozilla.org / modern config
 # to be used with the Cloudflare proxied endpoint
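Review bot: The local server name `'ofm_cf'` is now a bare literal in two places inside write_nginx_config (the `cf_template.replace('__LOCAL__', ...)` line and the chained `.replace('__LOCAL__', 'ofm_cf')` on curl_text_mix), so the `server_name` written to cf.conf and the `Host:` header printed in the test hint can drift apart silently; hoist it once, e.g. `LOCAL_NAME_CF = 'ofm_cf'` at module level, and pass that name to both calls. The new le.conf template in this same commit carries `__LOCAL__`, `__DOMAIN__` and `__LOCATION_BLOCKS__` placeholders too, but nothing visible in this diff renders it, so either a second write for le.conf is still missing or the file is intentionally unused for now — a one-line comment saying which would help. write_nginx_config starts outside the hunk.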
@@ -11,9 +11,12 @@ server {
 ssl_certificate /data/nginx/certs/cf.cert;
 ssl_certificate_key /data/nginx/certs/cf.key;
+ ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
+
+ # modern configuration
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;
diff --git a/scripts/http_host/http_host_lib/nginx/le.conf b/scripts/http_host/http_host_lib/nginx/le.conf
new file mode 100644
index 0000000..1a2cd40
--- /dev/null
+++ b/scripts/http_host/http_host_lib/nginx/le.conf
@@ -0,0 +1,33 @@
+server {
+ server_name __LOCAL__ __DOMAIN__;
+
+ # ssl: https://ssl-config.mozilla.org / intermediate config
+
+ listen 80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ ssl_certificate /data/nginx/certs/cf.cert;
+ ssl_certificate_key /data/nginx/certs/cf.key;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/ffdhe2048.txt;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ # access log disabled by default
+ #access_log /data/ofm/http_host/logs_nginx/cf-access.log access_json buffer=32k;
+ access_log off;
+
+ error_log /data/ofm/http_host/logs_nginx/cf-error.log;
+
+ __LOCATION_BLOCKS__
+}
+
diff --git a/ssh_lib/nginx.py b/ssh_lib/nginx.py
index 5257496..ba46915 100644
--- a/ssh_lib/nginx.py
+++ b/ssh_lib/nginx.py
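Review bot: le.conf serves one `server` block on both `listen 80;` (plaintext) and 443 with no redirect and no `Strict-Transport-Security` header, although the Mozilla intermediate profile its header comment cites ships both; if this vhost is reached by clients directly rather than through the Cloudflare proxy, a client that starts on http:// simply stays on plaintext. Add `add_header Strict-Transport-Security "max-age=63072000" always;` next to `ssl_prefer_server_ciphers off;`, and consider answering port 80 for `__DOMAIN__` with `return 301 https://$host$request_uri;` in a separate block, keeping plain HTTP only for the `__LOCAL__` name that the `curl -H "Host: __LOCAL__" -I http://localhost/...` test hint depends on. Separately, a file named le.conf still points at `/data/nginx/certs/cf.cert` / `cf.key` and logs to `cf-error.log`, which reads like a carry-over from cf.conf; if it is meant for a Let's Encrypt certificate, those paths need their own names, and if the two vhosts are ever enabled together their identical `server_name` lines will make nginx pick one silently. OCSP stapling from the same profile (`ssl_stapling on; ssl_stapling_verify on;`) is also absent, presumably deliberately for an origin certificate — worth a comment confirming that.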
@@ -50,6 +50,8 @@ def nginx(c):
 put(c, f'{ASSETS_DIR}/nginx/default_disable.conf', '/data/nginx/sites')
 put(c, f'{ASSETS_DIR}/nginx/cloudflare.conf', '/data/nginx/config')
+ sudo_cmd(c, 'curl https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/nginx/ffdhe2048.txt')
+
 c.sudo('nginx -t')
 c.sudo('service nginx restart')
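Review bot: The new `sudo_cmd(c, 'curl https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/nginx/ffdhe2048.txt')` makes every deploy depend on a third-party host at run time and, because curl is called without `--fail`, writes whatever body it receives (an HTML error page on a 4xx/5xx) into the dhparam file, so a bad download only surfaces at the `nginx -t` two lines below. ffdhe2048 is the fixed RFC 7919 group, so the file can be vendored under ASSETS_DIR and shipped exactly like the two `put(...)` calls above it: `put(c, f'{ASSETS_DIR}/nginx/ffdhe2048.txt', '/etc/nginx')` (assuming put can write to /etc/nginx with the same privileges sudo_cmd has — confirm). If the download must stay, at least use `curl -fsS --proto =https https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/nginx/ffdhe2048.txt` so a non-2xx response aborts the run instead of leaving a corrupt file in place. nginx(c) starts outside the hunk.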