Add configuration for prod

2018-01-21 17:03:45 +01:00 · 2018-01-21 17:03:45 +01:00 · 3e29e1324b
commit 3e29e1324b
parent fe9d0941e2
8 changed files with 725 additions and 9 deletions
--- a/configs/authorized_keys
+++ b/configs/authorized_keys
@ -0,0 +1,6 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO/3qKhSUbGYZBVraFo68oScJahRDNQfG+uwDQlLv7g nemunaire@khonsou
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqEniilVnT/hKEpxe59KvbUoCdGvEUMoVLzwkwpzSr2MIFTddQHXDcxL7+YQhiKrd3veZgR8IWGsuCDy8lEZumpY60omgaQYbpFQHeybC/tFefsMWoHqEeV69CmriNBtVoBPQyLRWZCt0exvJ269POHfyWOJixI3yf9J1En9JV1TzEvU6J7+GV6bLXEd5WghuXxcwRVQHzwnBFXOXOkiGuOqnDix0F5WZTxo5BsM2tbK6kbsT9k4TyfBYl1gA2dqB+swrKk83F9skbPTWZAX7Z5dmJ/ZBV7u+t4lk6vbjVhjSpcD3LhoqgIVb6HfM3Pidkm5E/tA0TxCubLb+k/hZL nico.chari@gmail.com
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmSDalpcOjMVeQhhs8TOBbE36gkADj30lNMvmHncVzGZMQOjcLDC6dnkCuwLyEo+Ne/OAyeLLvv8YyCQpj4Ib2nqARdZYOeh622pwkUfEqlKT9umeju+TQrFNBUhkqN49vbTEbgmpxCsoRonPFgFgRncldQFD7vsNdnkGmf1KcRk5UbGI4AYWPDRJ+0uEOKjxY+GAL+r1DyeII53OXaFp+AOqGtDqaS6JrmUVk1Zj/7hX+3WZ3F1xcpYnUr6bnyU1rh7cbU+3ZEU/CYYVSJGLzm6V3ymgLas/mAAFlopXwjhiYRQgwcXKRCnijEeHwOUlDShKIYfLoMh/he0xi/R8eVLfH0HV5JDhnf2n3UxDQ5Mfl1Mbsjt2OTl4Gmd01rhQHAoWmhjPDDlGPQoGOSTdOYS5HDlv4yhfxq0QAMsTcT6uOT1gajEmbv/36KTOWc7EyT1rdg/qxHVF7UVz9EYo/gIaeMZfLaqX2gkRndFStIWVQ+kJLPZmveqIH2MVtPc0YuDvd3H6TLNrHZzMvX6+YbeP0NDU726hjwFQSeBtjEfVHib+EffVNUHRNoKhzq6IVh7/7pTILrh4dnjUvEUiZg6XEa97VYO9/ixe8ci6qBeO2HtovZh4IX1zaXSKJqcXeOBOXfhyA2BXDD/XXzLIWyV2JoojGMBiRMThs8jCYKw== panev_s@epita.fr
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsi6Kpm8hpYxqDlfyjjs/iWfegzXJuJUecJ+Dpl+8ZWYvKjoyU+vwSx4cqOOlduMQF4pYOgf35OywgeUXS/GuwZo86hAr1yzRBl6/SzC+K+vkQ7Ye/0E6eRUDHqq4t6eqWHqsCafm11PhCj53ibyTH6NYNBRS85Z3DKFj4SwMuIhFX6tpLoXCQFLY0zB3JzQymaX/FK48Am5rZ9BLoZFM+9jbr5yvb4u/nijdfYmcFNom0AjZOzYE3RVGAil63LyvibVHkfbJj/DAvCCtkU7B6q8YpwjFm1kbGcb4sORLAzBNv/ayJOYVxAKK3kHDxR5MBYZQ9DsYB5Tn4qU+VtRSd sysy@archlinux
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFyNF5TSmgyQLopCFs1+PvGnQM2P9GaERC087gbWueBvEP0s5NkPW5u10fhBHk+eUo2M/yXSgjG9+vtETddSITzoRABoXTEXnSP1REcjAeWbp3oS6+QrJQ6Fy4CR/9V5pd74d86NZ+f0nldFXgHOLk4Y2XxAOnxZZCzQPOXL8ChBEmb9vK/MxyOq4sWEPjJLQIzn/Bj/BHqBpoDmKfzq3sp9mxjXTYCcH9FDwDU0vvtPZ25r6EKtRQuVbFviTAkSawvLJtj25NEX1hrGE7oZSahbng4oSgkd/gCjsivptE5DeFLQRTqvdv6H9QyIRvT+mq1KNCBsuaCBjGwdDgWxe8nRyWAe3bUbha87rpkGRz5/+HaokKVt0cnXD1wjapByvTQDwAYVLEfpsodruGuZl26nEJqkKRH7Oxp9YxBGUO9xGJHoXJTCZUdCuKDH8QuPHYiAXZH8aqKD8EmgwTrvgFvKzDE6zF88Eb9WBPbr5MpLX2nj5UpZEyb2KDOtYAz9379dRD3jgBl7EY0OdqrfRitk3sucmgDpMQHV3C1vCW4OdZ6Pydg4LarGSTNz6cUCzRZehfxJh4XoLhHxwtGVdgAEapd9uVFDrIJAVnpW0le778x29SpPLRg0mEFCHBg0VEHLA8N8vct9QIAMf+tR/Tno89/ESNag5x7SPtOlb5Tw== vincae@vincae-Aspire-V5-561G
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEO91xtu/9jLPjEqFChQ7hB8jgDldN07Qh5Du35aqwFIvsKbF5RDsRDom/IxvrX+gVm2faTtxECEu+xRahw+19OsE7VPSCBr8IfvuuzoiR0zXaiGLubzx1nmAZdHESRuhPO6UqWX1FbcPkKeUDkwfKkCEUThYA600SKrPbYd+2jhFM7zw65OQq6RyLc+57ySodG+O8TjZo999kBGuhsJx+t/U9B6bjP5htDPk35eahReDeDZrAO9BYuFilyYFgd2ckf9LvqS/UHQZgj1kXFAqzZjsA9hVejN1hMJdKo9OrU9CTIiJDqEqKxGSzjguXBYa7MjpYfOcMdvdxwVRuerUl mathilde@debian
--- a/configs/dhcpd.conf
+++ b/configs/dhcpd.conf
@ -0,0 +1,12 @@
+default-lease-time 600;
+max-lease-time 7200;
+option subnet-mask 255.255.255.0;
+option broadcast-address 172.23.42.255;
+option routers 172.23.42.254;
+option rfc3442-classless-static-routes code 121 = array of integer 8;
+option ms-classless-static-routes code 249 = array of integer 8;
+option rfc3442-classless-static-routes 32, 163, 5, 55, 58, 172, 23, 42, 1;
+option ms-classless-static-routes 32, 163, 5, 55, 58, 172, 23, 42, 1;
+subnet 172.23.42.0 netmask 255.255.255.0 {
+  range  172.23.42.10  172.23.42.254;
+}
--- a/configs/fic-auth.conf
+++ b/configs/fic-auth.conf
@ -0,0 +1,6 @@
+if ($ssl_client_verify != "SUCCESS") {
+    return 401;
+}
+if ($ssl_client_verify = "SUCCESS") {
+    set $team "_AUTH_ID_$ssl_client_serial";
+}
--- a/configs/nginx-fic-static.conf
+++ b/configs/nginx-fic-static.conf
@ -0,0 +1,34 @@
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+	server_name fic.srs.epita.fr;
+
+        access_log /var/log/nginx/fic2016.access_log main;
+        error_log /var/log/nginx/fic2016.error_log info;
+
+        root /srv/www/fic2016-static/;
+
+        error_page 403 404 /e404.html;
+        error_page 413 404 /e413.html;
+        error_page 500 502 504 /e500.html;
+
+        location /.htaccess {
+            return 404;
+        }
+        location /chbase.sh {
+            return 404;
+        }
+
+        location ~ ^/[0-9] {
+            rewrite ^/.*$ /index.html;
+        }
+
+        location /edit {
+            rewrite ^/.*$ /index.html;
+        }
+
+        location /rank {
+            rewrite ^/.*$ /index.html;
+        }
+}
--- a/configs/nginx-prod.conf
+++ b/configs/nginx-prod.conf
@ -0,0 +1,175 @@
+proxy_cache_path  /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
+proxy_connect_timeout 1s;
+
+server {
+        listen 80 default;
+
+        rewrite ^ https://$server_name$request_uri permanent;
+}
+
+server {
+        listen 443 default ssl http2;
+
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_dhparam /etc/nginx/ssl/dhparams-4096.pem;
+	ssl_prefer_server_ciphers on;
+
+        ssl_certificate /etc/nginx/ssl/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+	ssl_client_certificate /srv/PKI/shared/ca.pem;
+	ssl_trusted_certificate /srv/PKI/shared/ca.pem;
+	ssl_verify_client optional;
+
+        root /srv/htdocs-frontend/;
+
+        error_page 401 /welcome.html;
+        error_page 403 404 /e404.html;
+        error_page 413 /e413.html;
+        error_page 500 502 504 /e500.html;
+
+        add_header Strict-Transport-Security max-age=31536000;
+
+        location = / {
+            include fic-auth.conf;
+        }
+        location = /index.html {
+            include fic-auth.conf;
+        }
+        location ~ ^/public[0-9].html {
+            rewrite ^ /public.html;
+        }
+	location = /welcome.html {
+	    internal;
+        }
+	location = /e404.html {
+	    internal;
+        }
+	location = /e413.html {
+	    internal;
+        }
+	location = /e500.html {
+	    internal;
+        }
+
+        location ~ ^/[A-Z] {
+            include fic-auth.conf;
+
+            rewrite ^/.*$ /index.html;
+        }
+
+        location /edit {
+            include fic-auth.conf;
+
+            rewrite ^/.*$ /index.html;
+        }
+        location /rank {
+            include fic-auth.conf;
+
+            rewrite ^/.*$ /index.html;
+        }
+        location /register {
+            include fic-auth.conf;
+
+            rewrite ^/.*$ /index.html;
+        }
+        location /rules {
+            include fic-auth.conf;
+
+            rewrite ^/.*$ /index.html;
+        }
+
+        location /files/ {
+            alias /srv/FILES/;
+	    sendfile    on;
+            tcp_nodelay on;
+        }
+
+        location /wait.json {
+            include fic-auth.conf;
+
+            root /srv/TEAMS/$team/;
+            expires epoch;
+            add_header Cache-Control no-cache;
+        }
+        location ~ /public[0-9].json {
+             root /srv/TEAMS/public/;
+             expires epoch;
+             add_header Cache-Control no-cache;
+        }
+        location /stats.json {
+             root /srv/TEAMS/;
+             expires epoch;
+             add_header Cache-Control no-cache;
+        }
+        location /my.json {
+            include fic-auth.conf;
+
+            root /srv/TEAMS/$team/;
+            expires epoch;
+            add_header Cache-Control no-cache;
+
+            if (!-f /srv/startingblock/started) {
+                rewrite ^/.* /wait.json;
+            }
+        }
+        location = /events.json {
+            root /srv/TEAMS/;
+            expires epoch;
+            add_header Cache-Control no-cache;
+        }
+        location = /teams.json {
+            root /srv/TEAMS/;
+            expires epoch;
+            add_header Cache-Control no-cache;
+        }
+        location = /themes.json {
+            root /srv/TEAMS/;
+            expires epoch;
+            add_header Cache-Control no-cache;
+        }
+        location = /settings.json {
+            root /srv/SETTINGS/;
+            expires epoch;
+            add_header Cache-Control no-cache;
+        }
+
+        location /submit/ {
+            include fic-auth.conf;
+
+            rewrite ^/submit/(.*)$ /submission/$team/$1 break;
+
+            proxy_pass        http://frontend:8080/;
+            proxy_set_header  X-Forwarded-For  $remote_addr;
+            proxy_redirect    off;
+        }
+        location /submit/name {
+            include fic-auth.conf;
+
+            rewrite ^/submit/.*$ /chname/$team break;
+
+            proxy_pass        http://frontend:8080/;
+            proxy_set_header  X-Forwarded-For  $remote_addr;
+            proxy_redirect    off;
+        }
+	location /openhint/ {
+	    include    fic-auth.conf;
+
+	    rewrite ^/openhint/(.*)$ /openhint/$team/$1 break;
+
+	    proxy_pass        http://frontend:8080/;
+	    proxy_set_header  X-Forwarded-For  $remote_addr;
+	    proxy_redirect    off;
+	}
+
+        location = /time.json {
+            proxy_pass        http://frontend:8080/time.json;
+            proxy_method GET;
+            proxy_pass_request_body off;
+            proxy_set_header Content-Length "";
+            proxy_set_header  X-Forwarded-For  $remote_addr;
+            proxy_redirect    off;
+            proxy_cache       STATIC;
+            proxy_cache_valid 1s;
+        }
+}