nginx conf

init-server.py

@@ -253,7 +253,7 @@ def tile_gen(hostname, user, port):
 def debug(hostname, user, port):
     c = get_connection(hostname, user, port)
 
-    upload_http_host_config(c)
+    # upload_http_host_config(c)
 
     upload_https_host_files(c)
     # run_http_host_sync(c)

scripts/http_host/http_host_lib/nginx.py

@@ -15,8 +15,11 @@ def write_nginx_config():
 
         cf_template = cf_template.replace('__LOCATION_BLOCKS__', location_str)
         cf_template = cf_template.replace('__DOMAIN__', HOST_CONFIG['domain_cf'])
+        cf_template = cf_template.replace('__LOCAL__', 'ofm_cf')
 
-        curl_text_mix += curl_text.replace('__DOMAIN__', HOST_CONFIG['domain_cf'])
+        curl_text_mix += curl_text.replace('__DOMAIN__', HOST_CONFIG['domain_cf']).replace(
+            '__LOCAL__', 'ofm_cf'
+        )
 
         with open('/data/nginx/sites/cf.conf', 'w') as fp:
             fp.write(cf_template)
@@ -41,7 +44,7 @@ def create_location_blocks():
         if not curl_text:
             curl_text = (
                 '\ntest with:\n'
-                f'curl -H "Host: ofm" -I http://localhost/{area}/{version}/14/8529/5975.pbf\n'
+                f'curl -H "Host: __LOCAL__" -I http://localhost/{area}/{version}/14/8529/5975.pbf\n'
                 f'curl -I https://__DOMAIN__/{area}/{version}/14/8529/5975.pbf'
             )
 

scripts/http_host/http_host_lib/nginx/cf.conf

@@ -1,5 +1,5 @@
 server {
-    server_name ofm __DOMAIN__;
+    server_name __LOCAL__ __DOMAIN__;
 
     # ssl: https://ssl-config.mozilla.org / modern config
     # to be used with the Cloudflare proxied endpoint
@@ -11,9 +11,12 @@ server {
 
     ssl_certificate /data/nginx/certs/cf.cert;
     ssl_certificate_key /data/nginx/certs/cf.key;
+
     ssl_session_timeout 1d;
-    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
     ssl_session_tickets off;
+
+    # modern configuration
     ssl_protocols TLSv1.3;
     ssl_prefer_server_ciphers off;
 

scripts/http_host/http_host_lib/nginx/le.conf

@@ -0,0 +1,33 @@
+server {
+    server_name __LOCAL__ __DOMAIN__;
+
+    # ssl: https://ssl-config.mozilla.org / intermediate config
+
+    listen 80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    ssl_certificate /data/nginx/certs/cf.cert;
+    ssl_certificate_key /data/nginx/certs/cf.key;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    ssl_dhparam /etc/nginx/ffdhe2048.txt;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
+
+    # access log disabled by default
+    #access_log /data/ofm/http_host/logs_nginx/cf-access.log access_json buffer=32k;
+    access_log off;
+
+    error_log /data/ofm/http_host/logs_nginx/cf-error.log;
+
+    __LOCATION_BLOCKS__
+}
+

ssh_lib/nginx.py

@@ -50,6 +50,8 @@ def nginx(c):
     put(c, f'{ASSETS_DIR}/nginx/default_disable.conf', '/data/nginx/sites')
     put(c, f'{ASSETS_DIR}/nginx/cloudflare.conf', '/data/nginx/config')
 
+    sudo_cmd(c, 'curl https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/nginx/ffdhe2048.txt')
+
     c.sudo('nginx -t')
     c.sudo('service nginx restart')