diff --git a/Dockerfile b/Dockerfile index 844c0529..ab173c72 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,7 @@ RUN apt-get -y update && \ libwww-perl \ libdigest-whirlpool-perl \ pwgen \ + curl \ openssl \ cpanminus \ build-essential \ @@ -59,5 +60,5 @@ RUN chmod 777 /var/www/fic-server/onyx/cache/ /var/www/fic-server/onyx/cache/tem # ENVIRONNEMENT ####################################################### EXPOSE 80/tcp 443/tcp -VOLUME ["/var/www/fic-server/out","/var/www/fic-server/files","/var/www/fic-server/submissions"] -CMD ["sh", "-c", "chown -R www-data:www-data /var/www/fic-server/misc /var/www/fic-server/submission; cd /var/www/fic-server/misc; if ! [ -f server.crt ]; then bash ./CA.sh -newserver; fi; service nginx start && service php5-fpm start && service mysql start && mkdir files && ../gen_hash_link_files.sh --copy ../files-in ../files && (../launch_local.sh &); /bin/bash"] +VOLUME ["/var/www/fic-server/out","/var/www/fic-server/files","/var/www/fic-server/submission","/var/www/fic-server/misc/shared"] +CMD ["sh", "-c", "chown -R www-data:www-data /var/www/fic-server/misc /var/www/fic-server/submission; cd /var/www/fic-server/misc; if ! [ -f server.crt ]; then ./CA.sh -newserver; fi; ./CA.sh -gencrl && service nginx start && service php5-fpm start && service mysql start && ../gen_hash_link_files.sh --copy ../files-in ../files && ../nginx_gen_team.sh > ../misc/shared/nginx-teams.conf && (../launch_local.sh &); /bin/bash"] diff --git a/README.md b/README.md index 44b4a67d..f82ac010 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,14 @@ environment, you can run the following command: mysql -u root fic < /var/www/fic-server/db/feed.sql +### Frontend container + +To run the frontend on the same machine as the backend (but in another +container), run the following command: + + docker run -P -ti --volumes-from BACKEND_CNTNR_NAME FRONTEND_IMG + + Production Environnement ------------------------ 
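Review bot: `chown -R www-data:www-data /var/www/fic-server/misc` in the new CMD hands the php5-fpm user ownership of the whole misc tree, which after this commit includes the CA private key (`${TOP_DIR}/private/cakey.key` in the CA.sh hunk, presumably under misc/pki) and the clear-text `teams.pass` written by `-newclient`, so a code-execution bug in either PHP tree reads the CA key and every client PKCS12 password. If the admin UI is meant to drive CA.sh itself (home.php's `cert_writable` check suggests so), say that in a comment next to the chown; otherwise narrow it to `chown -R www-data:www-data /var/www/fic-server/submission /var/www/fic-server/misc/shared`. The new `misc/shared` VOLUME now carries `server.key`, and the README hunk tells users to mount it with `--volumes-from`, so every container started that way receives the TLS private key — expected for the front, worth stating there. The `chmod 777` on the cache directories in the hunk context is unchanged by this commit.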
diff --git a/front/Dockerfile b/front/Dockerfile
new file mode 100644
index 00000000..833e9d89
--- /dev/null
+++ b/front/Dockerfile
@@ -0,0 +1,30 @@
+# DOCKER-VERSION 1.1.0
+
+# /!\ WARNING: the container generated through this Dockerfile is made only for development purpose; it is NOT SAFE or production ready.
+
+FROM debian:wheezy
+MAINTAINER Pierre-Olivier Mercier
+
+# Install packages ####################################################
+
+RUN apt-get -y update && \
+ apt-get install -y \
+ nginx-full \
+ php5-fpm \
+ php5-mcrypt \
+ && \
+ apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Copying files #######################################################
+
+ADD . /var/www/fic-server/front/
+
+# Configure softwares #################################################
+
+RUN ln -sf /var/www/fic-server/front/nginx.conf /etc/nginx/sites-enabled/default
+RUN ln -sf /var/www/fic-server/front/php-fpm.conf /etc/php5/fpm/pool.d/www.conf
+
+# ENVIRONNEMENT #######################################################
+
+EXPOSE 80/tcp 443/tcp
+CMD ["sh", "-c", "service nginx start && service php5-fpm start && /bin/bash"]
diff --git a/front/nginx.conf b/front/nginx.conf
new file mode 100644
index 00000000..2760600e
--- /dev/null
+++ b/front/nginx.conf
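Review bot: The image depends on volumes it never declares: the new front/nginx.conf reads /var/www/fic-server/out, /files and /misc/shared (server.key, cacert.crt, crl.pem, nginx-teams.conf) and submission.php writes ../submission, yet nothing here says they arrive via `--volumes-from` the backend, and nginx's config load fails when an `include`d file or the `ssl_crl` file is missing, so starting the front before the backend has run `CA.sh -gencrl` and nginx_gen_team.sh leaves it dead with no hint why. A comment above EXPOSE listing the expected mounts, or explicit `VOLUME` lines for them, would make that dependency visible. `ADD . /var/www/fic-server/front/` is better written `COPY . /var/www/fic-server/front/`, since ADD's archive extraction and URL fetching are not wanted for a plain directory copy.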
@@ -0,0 +1,108 @@ +server_tokens off; +client_header_buffer_size 512; +client_max_body_size 512; + +server { + listen 80 default; + listen [::]:80 ipv6only=on default; + + rewrite ^ https://$host$uri; +} + +server { + listen 443 ssl; + listen [::]:443 ipv6only=on ssl; + + root /var/www/fic-server/out/htdocs/; + + access_log /var/log/nginx/fic.access_log; + error_log /var/log/nginx/fic.error_log; + + ssl_certificate /var/www/fic-server/misc/shared/server.crt; + ssl_certificate_key /var/www/fic-server/misc/shared/server.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; +# ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS; + ssl_ciphers AES256+EECDH:AES256+EDH; + ssl_client_certificate /var/www/fic-server/misc/shared/cacert.crt; + ssl_verify_client optional; + ssl_crl /var/www/fic-server/misc/shared/crl.pem; + + add_header Strict-Transport-Security "max-age=2592000; includeSubdomains"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + + error_page 400 /errors/400/index.html; + error_page 403 /errors/403/index.html; + error_page 404 /errors/404/index.html; + error_page 413 414 /errors/413/index.html; + error_page 500 503 /errors/500/index.html; + error_page 502 504 /errors/502/index.html; + + location / + { + default_type text/html; + expires epoch; + + set $team 0; + + include /var/www/fic-server/misc/shared/nginx-teams.conf; + + if ($team) { + root /var/www/fic-server/out/teams/$team$1; + rewrite ^/([0-9]+-?[a-zA-Z0-9_-]*)/([a-zA-Z0-9_]+)/submission$ /submission.php?team=$team&theme=$1&exercice=$2 last; + } + if ($team = 0) { + root /var/www/fic-server/out/htdocs/; + } + } + + location /errors + { + root /var/www/fic-server/out/; + } + + location /connected + { + return 403; + } + + location /files + { + root /var/www/fic-server/; + + # option to accelerate file delivery, require a custom nginx + #aio on; + directio 512; + output_buffers 1 128k; + } + + location 
~* \favicon.ico$ { + root /var/www/fic-server/out/htdocs/; + access_log off; + expires 1d; + add_header Cache-Control public; + } + + location ~ ^/(assets|img|js|css|fonts)/ { + root /var/www/fic-server/out/htdocs/; + access_log off; + expires 7d; + add_header Cache-Control public; + } + + location ~ /(\.ht|\.git|\.svn|\.onyx) { + return 403; + } + + location /submission.php + { + root /var/www/fic-server/front/; + + limit_rate 4k; + + include /etc/nginx/fastcgi_params; + fastcgi_pass unix:/var/run/php-fpm.sock; + break; + } +} diff --git a/front/php-fpm.conf b/front/php-fpm.conf new file mode 100644 index 00000000..e972ebe8 --- /dev/null +++ b/front/php-fpm.conf 
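Review bot: `location /submission.php` includes `/etc/nginx/fastcgi_params` where the deleted nginx.conf included `/etc/nginx/fastcgi.conf`; upstream's fastcgi_params does not set SCRIPT_FILENAME, so unless Debian's copy adds it php-fpm receives no script path — confirm on wheezy, or add `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` after the include. The same block is a prefix match, so `/submission.php.bak` or `/submission.php/x` also reach php-fpm; `location = /submission.php` pins it to the one script. `ssl_ciphers AES256+EECDH:AES256+EDH;` enables DHE suites with no `ssl_dhparam`, so nginx falls back to its built-in 1024-bit group (versions before 1.11.0) — add `ssl_dhparam` pointing at a 2048-bit parameter file or drop `AES256+EDH`; nginx-server.conf in this commit has the same line. In `location /`, `root /var/www/fic-server/out/teams/$team$1;` uses `$1` outside any regex that captures, so its value depends on the last `if (... ~ ...)` evaluated in nginx-teams.conf and is probably empty; worth a comment if that is intentional.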
@@ -0,0 +1,81 @@ +; Start a new pool named 'www'. +; the variable $pool can we used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = www-data +group = www-data + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses on a +; specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /var/run/php-fpm.sock + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0666 +listen.owner = www-data +listen.group = www-data +listen.mode = 0640 + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. 
+; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 200 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 10 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 5 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 10 diff --git a/submission.php b/front/submission.php similarity index 88% rename from submission.php rename to front/submission.php index f99d2386..7897d759 100644 --- a/submission.php +++ b/front/submission.php 
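Review bot: Every comment in this pool file is the stock PHP text, so a reader cannot tell which values were deliberately changed for this deployment — `listen = /var/run/php-fpm.sock` (must match `fastcgi_pass` in front/nginx.conf), `listen.mode = 0640` (relies on nginx workers running as www-data, the Debian default), and the `pm.*` sizing, where `pm.max_children = 200` sits under a comment describing defaults for "a server without much resources". A short header such as `; Values that differ from the package default: listen, listen.owner/group/mode, pm.* — keep listen in sync with front/nginx.conf` would make the intent visible to the next maintainer.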
@@ -5,15 +5,15 @@ if (!function_exists("show_submission_result")) { function show_submission_result($path) { - if (file_exists(__DIR__."/teams/".$path."/index.html")) - print file_get_contents(__DIR__."/teams/".$path."/index.html"); + if (file_exists(__DIR__."/../out/teams/".$path."/index.html")) + print file_get_contents(__DIR__."/../out/teams/".$path."/index.html"); else header("HTTP/1.1 403 Forbidden"); } } $filename = intval($_GET["team"])."-".intval($_GET["theme"])."-".urlencode($_GET["exercice"]); -$file = __DIR__."/submission/".$filename; +$file = __DIR__."/../submission/".$filename; if (file_exists($file)) diff --git a/misc/CA.sh b/misc/CA.sh index 45fd2f7f..d5248ce7 100755 --- a/misc/CA.sh +++ b/misc/CA.sh @@ -10,10 +10,15 @@ if [ -z "${OPENSSL_CONF}" ]; then OPENSSL_CONF=openssl.cnf fi -CAKEY=./cakey.key -CAREQ=./careq.csr -CACERT=./cacert.crt +CAKEY=${TOP_DIR}/private/cakey.key +CAREQ=${TOP_DIR}/careq.csr +CACRT=./shared/cacert.crt +SRVKEY=./shared/server.key +SRVREQ=./shared/server.csr +SRVCRT=./shared/server.crt + +# Generate certificates valid for: DAYS=2 if [ -z "$PS1" ] @@ -42,12 +47,13 @@ usage() clean() { if [ "$1" = "ca" ]; then - rm -rf ${TOP_DIR} + rm -rf ${TOP_DIR} ./shared/* mkdir -p ${TOP_DIR}/certs mkdir -p ${TOP_DIR}/crl mkdir -p ${TOP_DIR}/newcerts mkdir -p ${TOP_DIR}/private mkdir -p ${TOP_DIR}/pkcs + mkdir -p ./shared echo "01" > ${TOP_DIR}/crlnumber elif [ "$1" = "client" ]; then rm -rf ${TOP_DIR}/${2}.key ${TOP_DIR}/${2}.csr @@ -57,10 +63,10 @@ clean() gen_crl() { - echo $ECHO_OPTS "${GREEN}Generate crl.pem${COLOR_RST}" - openssl ca -config ${OPENSSL_CONF} -gencrl -out ${TOP_DIR}/crl.pem > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then - echo $ECHO_OPTS "${RED}Generate crl.pem failed" + echo $ECHO_OPTS "${GREEN}Generate shared/crl.pem${COLOR_RST}" + if ! openssl ca -config ${OPENSSL_CONF} -gencrl -out shared/crl.pem > $OUTPUT 2>&1 + then + echo $ECHO_OPTS "${RED}Generate shared/crl.pem failed" cat $OUTPUT exit 5 fi 
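Review bot: `urlencode($_GET["exercice"])` on the line building `$filename` is doing duty as a filename sanitizer: it leaves `.`, `-` and `_` untouched and percent-encodes everything else (including `/`), so traversal is not possible, but the rule is undocumented and the safety of the `intval`/`urlencode` mix depends on nginx's rewrite (`[a-zA-Z0-9_]+`) never being bypassed, which the backend path through onyx/include/team/exercice.php does not visibly enforce in this diff. A whitelist mirroring the nginx regex states the rule in one place, e.g. `if (!isset($_GET["exercice"]) || !preg_match('/^[A-Za-z0-9_]+$/', $_GET["exercice"])) { header("HTTP/1.1 400 Bad Request"); exit; }`; `$_GET["team"]` and `$_GET["theme"]` are also read without `isset` and raise notices when absent. The enclosing `if (!function_exists(...))` block and the rest of the script start and end outside this hunk.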
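Review bot: The new path variables mix two bases: `CAKEY` and `CAREQ` hang off `${TOP_DIR}`, while `CACRT`, `SRVKEY`, `SRVREQ` and `SRVCRT` are `./shared/...` relative to the caller's cwd, and gen_crl in the hunk below hard-codes `shared/crl.pem` instead of a variable, so the script only works when invoked from misc/ (as the Dockerfile CMD does) and openssl.cnf's `$dir/../shared/` only agrees with it when `$dir` is the pki directory directly under that cwd. Deriving everything from one root, e.g. `SHARED_DIR=$(dirname "$0")/shared` with `SRVKEY=${SHARED_DIR}/server.key` and a `CRL=${SHARED_DIR}/crl.pem` used by gen_crl, removes that assumption. Since `shared/` is now exported as a Docker volume and rsynced to the front by synchro.sh, `server.key` sits next to files meant to be public; `openssl req` writes the key with the process umask, so `chmod 600 "${SRVKEY}"` right after generation keeps it from travelling world-readable. The `# Generate certificates valid for:` comment above `DAYS=2` should say why two days — it also applies to the CA certificate itself.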
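Review bot: `rm -rf ${TOP_DIR} ./shared/*` in clean() runs with `TOP_DIR` unquoted and unguarded; `rm -rf "${TOP_DIR:?TOP_DIR unset}" ./shared/*` fails loudly instead of silently removing the wrong thing when the variable is empty or contains spaces. Since `clean "ca"` now also empties `shared/`, `-newca` takes the front's `server.crt` and `crl.pem` away at the same moment — expected when the CA changes, but the "take care this will delete the old directories" message in the `-newca` arm should mention `shared/` too. The function continues outside the hunk.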
@@ -72,9 +78,7 @@ OUTPUT=$(mktemp) case $1 in "-newca" ) - echo -n $ECHO_OPTS "${GREEN}Create the directories, take care this will delete" - echo $ECHO_OPTS " the old directories ${COLOR_RST}" -# sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3" + echo $ECHO_OPTS "${GREEN}Create the directories, take care this will delete the old directories ${COLOR_RST}" clean "ca" touch ${TOP_DIR}/index.txt @@ -92,30 +96,30 @@ case $1 in fi pass=`pwgen -n -B -y 12 1` - openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \ - -out ${TOP_DIR}/${CAREQ} -passout pass:$pass \ - -config $OPENSSL_CONF -extensions CORE_CA > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! openssl req -batch -new -keyout ${CAKEY} \ + -out ${CAREQ} -passout pass:$pass \ + -config ${OPENSSL_CONF} -extensions CORE_CA > $OUTPUT 2>&1 + then cat $OUTPUT clean "ca" exit 4 fi # This line deleted the passphase for the FIC 2014 automatisation - openssl rsa -passin pass:$pass -in ${TOP_DIR}/private/${CAKEY} \ - -out ${TOP_DIR}/private/${CAKEY} > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! openssl rsa -passin pass:$pass -in ${CAKEY} \ + -out ${CAKEY} > $OUTPUT 2>&1 + then cat $OUTPUT clean "ca" exit 4 fi echo $ECHO_OPTS "${GREEN}Self signes the CA certificate${COLOR_RST}" - openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \ - -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \ - -selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \ - -infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! openssl ca -batch -create_serial -out ${CACRT} \ + -days ${DAYS} -keyfile ${CAKEY} \ + -selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \ + -infiles ${CAREQ} > $OUTPUT 2>&1 + then cat $OUTPUT clean "ca" exit 4 
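Review bot: `-passout pass:$pass` on the `openssl req` line and `-passin pass:$pass` on the `openssl rsa` line put the freshly generated passphrase on the command line, where it is visible in `ps`/`/proc` to every local user for the duration of the call, and `$pass` is unquoted although `pwgen -y` emits shell-glob characters such as `*` and `?`. Since the very next command strips the passphrase again (as the comment says), the round trip buys nothing: `openssl req -batch -new -nodes -keyout "${CAKEY}" -out "${CAREQ}" -config "${OPENSSL_CONF}" -extensions CORE_CA` produces the unencrypted key directly and the `openssl rsa` step can go. If the passphrase is kept, feed it via `-passout env:CAPASS` after exporting it, and write `pass=$(pwgen -n -B -y 12 1)` instead of backticks. The `case $1 in` enclosing this arm starts and ends outside the hunk.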
@@ -124,46 +128,45 @@ case $1 in "-newserver" ) echo $ECHO_OPTS "${GREEN}Making the Server key and cert${COLOR_RST}" - if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then + if ! [ -f ${CAKEY} ]; then echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}" exit 2 fi sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/' $OPENSSL_CONF - openssl req -batch -new -keyout server.key -out server.csr \ - -days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! openssl req -batch -new -keyout ${SRVKEY} -out ${SRVREQ} \ + -days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1 + then cat $OUTPUT exit 4 fi echo $ECHO_OPTS "${GREEN}Signing the Server crt${COLOR_RST}" - openssl ca -policy policy_match -config ${OPENSSL_CONF} \ - -out server.crt -extensions SERVER_SSL -infiles server.csr - if [ $? -ne 0 ]; then + if ! openssl ca -policy policy_match -config ${OPENSSL_CONF} \ + -out ${SRVCRT} -extensions SERVER_SSL -infiles ${SRVREQ} + then echo $ECHO_OPTS "${RED}Signing failed for new server${COLOR_RST}" - rm -rf server.key server.crt server.csr + rm -f ${SRVKEY} ${SRVREQ} ${SRVCRT} cat $OUTPUT exit 3 else - rm server.csr # remove ? - echo $ECHO_OPTS "${GREEN}Signed certificate is in server.crt${COLOR_RST}" + rm ${SRVREQ} + echo $ECHO_OPTS "${GREEN}Signed certificate is in ${SRVCRT}${COLOR_RST}" fi ;; "-revokeserver" ) echo $ECHO_OPTS "${GREEN}Revocate server certificate${COLOR_RST}" - if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then + if ! [ -f ${CAKEY} ]; then echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}" exit 2 fi - openssl ca -revoke server.crt -config ${OPENSSL_CONF}\ - -keyfile ${TOP_DIR}/private/${CAKEY} \ - -cert ${TOP_DIR}/${CACERT} > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! 
openssl ca -revoke ${SRVCRT} -config ${OPENSSL_CONF} \ + -keyfile ${CAKEY} -cert ${CACRT} > $OUTPUT 2>&1 + then echo $ECHO_OPTS "${RED}Server certificate revocation failed${COLOR_RST}" cat $OUTPUT exit 4 fi - rm server.crt server.key + rm ${SRVKEY} ${SRVCRT} gen_crl ;; @@ -173,13 +176,20 @@ case $1 in echo "Usage: $0 -newclient NAME" exit 1 fi + + CLTNAM=$2 + CLTREQ=${TOP_DIR}/${CLTNAM}.csr + CLTCRT=${TOP_DIR}/${CLTNAM}.crt + CLTKEY=${TOP_DIR}/${CLTNAM}.key + CLTP12=${TOP_DIR}/pkcs/${CLTNAM}.p12 + echo "==============================================================" echo $ECHO_OPTS "${GREEN}Making the client key and csr of ${BOLD}${2}${END_BOLD}${COLOR_RST}" ESCAPED=$(echo "${TOP_DIR}" | sed 's/[\/\.]/\\&/g') sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF - if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then + if ! [ -f ${CAKEY} ]; then echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}" exit 2 fi 
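Review bot: The server-signing call `openssl ca -policy policy_match -config ${OPENSSL_CONF} -out ${SRVCRT} -extensions SERVER_SSL -infiles ${SRVREQ}` is the only `openssl ca` in the script without `-batch` and without `> $OUTPUT 2>&1`, so `./CA.sh -newserver` from the Dockerfile CMD stops to ask for confirmation on the container's terminal, and the `cat $OUTPUT` in its failure branch prints the log of the preceding `openssl req` rather than the signing error. Adding `-batch` and `> $OUTPUT 2>&1` as the `-newclient` arm does fixes both. The `sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/'` context line still bakes a fixed IP into the server CN; a `SERVER_CN` variable next to the new path variables would fit this refactor. In `-revokeserver`, `rm ${SRVKEY} ${SRVCRT}` is better as `rm -f "${SRVKEY}" "${SRVCRT}"` so a half-cleaned state does not abort before gen_crl runs. The enclosing `case $1 in` starts and ends outside the hunk.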
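Review bot: `CLTNAM=$2` is used unvalidated as a path component in `CLTREQ`, `CLTCRT`, `CLTKEY` and `CLTP12`, so a name containing `/` or `..` creates — and, in the cleanup paths, removes — files outside `${TOP_DIR}`. Add a whitelist immediately after the assignment, e.g. `case "$CLTNAM" in *[!A-Za-z0-9_-]*|"") echo "invalid client name" >&2; exit 1;; esac`, which is plain POSIX sh and also keeps the name safe for the `-name` argument later in this arm. The `Usage: $0 -newclient NAME` check just above only tests presence, not content.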
@@ -193,39 +203,39 @@ case $1 in pass=`pwgen -n -B -y 12 1` - openssl req -batch -new -keyout ${TOP_DIR}/${2}.key -out ${TOP_DIR}/${2}.csr \ - -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! openssl req -batch -new -keyout "${CLTKEY}" -out "${CLTREQ}" \ + -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1 + then cat $OUTPUT - clean "client" $2 + clean "client" ${CLTNAM} exit 4 fi echo $ECHO_OPTS "${GREEN}Signing the Client crt${COLOR_RST}" - openssl ca -batch -policy policy_match -out ${TOP_DIR}/${2}.crt \ - -config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! openssl ca -batch -policy policy_match -out "${CLTCRT}" \ + -config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles "${CLTREQ}" > $OUTPUT 2>&1 + then echo $ECHO_OPTS "${RED}Signing failed for $2 ${COLOR_RST}" cat $OUTPUT - clean "client" $2 + clean "client" ${CLTNAM} exit 3 fi echo $ECHO_OPTS "${GREEN}Export the Client files to pkcs12${COLOR_RST}" - openssl pkcs12 -export -inkey ${TOP_DIR}/${2}.key -in ${TOP_DIR}/${2}.crt -name ${2} \ - -passin pass:$pass -out ${TOP_DIR}/pkcs/${2}.p12 \ - -passout pass:$pass > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then + if ! 
openssl pkcs12 -export -inkey "${CLTKEY}" -in "${CLTCRT}" -name ${2} \ + -passin pass:$pass -out "${CLTP12}" \ + -passout pass:$pass > $OUTPUT 2>&1 + then echo $ECHO_OPTS "${RED}pkcs12 export failed for ${BOLD}$2${END_BOLD}${COLOR_RST}" cat $OUTPUT - clean "client" $2 + clean "client" ${CLTNAM} exit 4 else - echo $ECHO_OPTS "Exported pkcs12 file is ${2}.p12" + echo $ECHO_OPTS "Exported pkcs12 file is ${CLTP12}" fi - mv ${TOP_DIR}/${2}.crt ${TOP_DIR}/certs - echo "$2:$pass" >> ${TOP_DIR}/../teams.pass - echo "$pass" - clean "client" $2 + mv ${CLTCRT} ${TOP_DIR}/certs + echo "$CLTNAM:$pass" >> ${TOP_DIR}/../teams.pass + echo "$CLTNAM:$pass" + clean "client" ${CLTNAM} ;; "-revoke" ) @@ -233,17 +243,20 @@ case $1 in echo "Usage: $0 -revoke NAME" exit 1 fi - echo $ECHO_OPTS "${GREEN}Revocate ${BOLD}${2}${END_BOLD}${COLOR_RST}" - openssl ca -revoke ${TOP_DIR}/certs/${2}.crt -config ${OPENSSL_CONF}\ - -keyfile ${TOP_DIR}/private/${CAKEY} \ - -cert ${TOP_DIR}/${CACERT} > $OUTPUT 2>&1 - if [ $? -ne 0 ]; then - echo $ECHO_OPTS "${RED}Revocation failed for ${BOLD}${2}${END_BOLD}${COLOR_RST}" + + CLTNAM=$2 + CLTCRT=${TOP_DIR}/${CLTNAM}.crt + CLTP12=${TOP_DIR}/pkcs/${CLTNAM}.p12 + + echo $ECHO_OPTS "${GREEN}Revocate ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}" + if ! openssl ca -revoke ${CLTCRT} -config ${OPENSSL_CONF}\ + -keyfile ${CAKEY} -cert ${CACRT} > $OUTPUT 2>&1 + then + echo $ECHO_OPTS "${RED}Revocation failed for ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}" cat $OUTPUT exit 4 fi - rm ${TOP_DIR}/certs/${2}.crt - rm ${TOP_DIR}/pkcs/${2}.p12 + rm "${CLTCRT}" "${CLTP12}" gen_crl ;; diff --git a/misc/openssl.cnf b/misc/openssl.cnf index 1fc532fd..a90cd294 100644 --- a/misc/openssl.cnf +++ b/misc/openssl.cnf 
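Review bot: The last lines of the `-newclient` arm change the script's stdout contract from the bare password (`echo "$pass"`) to `echo "$CLTNAM:$pass"`, so anything that captured the password from stdout — I cannot see callers here, but the onyx admin pages touched in this commit look like candidates — now receives `name:pass`; if intended, say so in the usage text. `-passout pass:$pass`/`-passin pass:$pass` on the `openssl req` and `openssl pkcs12` lines expose the PKCS12 password on the command line and `$pass` is unquoted although `pwgen -y` can emit `*` and `?`; `-passout env:CLTPASS` (or `file:`) and `"pass:$pass"` quoting address both. `echo "$CLTNAM:$pass" >> ${TOP_DIR}/../teams.pass` keeps every client password in clear text under misc/, which the Dockerfile CMD chowns to www-data — a comment naming who is meant to read that file, and a `chmod 600` on it, would help. `-name ${2}` should use `"${CLTNAM}"` like the surrounding lines.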
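Review bot: `CLTCRT=${TOP_DIR}/${CLTNAM}.crt` in the `-revoke` arm points at the wrong directory: `-newclient` moves the signed certificate with `mv ${CLTCRT} ${TOP_DIR}/certs`, and the removed lines revoked `${TOP_DIR}/certs/${2}.crt`, so `openssl ca -revoke ${CLTCRT}` now fails on a missing file, the certificate stays valid, and `rm "${CLTCRT}" "${CLTP12}"` errors as well. Use `CLTCRT=${TOP_DIR}/certs/${CLTNAM}.crt` here, and add a comment that the variable means "pre-move path" in `-newclient` and "archived path" in `-revoke`. `CLTNAM=$2` needs the same character whitelist as `-newclient` before it is spliced into paths handed to `rm`.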
@@ -47,11 +47,11 @@ database = $dir/index.txt # database index file. # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. -certificate = $dir/cacert.crt # The CA certificate +certificate = $dir/../shared/cacert.crt # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL +crl = $dir/../shared/crl.pem # The current CRL private_key = $dir/private/cakey.key # The private key RANDFILE = $dir/private/.rand # private random number file diff --git a/nginx-server.conf b/nginx-server.conf index 3e8e0cc3..250949e9 100644 --- a/nginx-server.conf +++ b/nginx-server.conf @@ -2,11 +2,12 @@ server { listen 443 ssl; listen [::]:443 ipv6only=on ssl; - ssl_certificate /var/www/fic-server/misc/server.crt; - ssl_certificate_key /var/www/fic-server/misc/server.key; -# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -# ssl_prefer_server_ciphers on; -# ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS; + ssl_certificate /var/www/fic-server/misc/shared/server.crt; + ssl_certificate_key /var/www/fic-server/misc/shared/server.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; +# ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS; + ssl_ciphers AES256+EECDH:AES256+EDH; include /var/www/fic-server/nginx-server-common.conf; } diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index 170fd8f3..00000000 --- a/nginx.conf +++ /dev/null 
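Review bot: The commit enables `ssl_protocols`, `ssl_prefer_server_ciphers` and `ssl_ciphers AES256+EECDH:AES256+EDH;` in nginx-server.conf while leaving the GCM-first list (`ECDH+AESGCM:DH+AESGCM:...`) commented out directly above with no explanation; a one-line comment such as `# GCM list above kept for reference; AES256-only list chosen because <reason>` would stop the next reader from flipping it back blindly. The `AES256+EDH` half needs an `ssl_dhparam` file, otherwise nginx before 1.11.0 uses its built-in 1024-bit group; front/nginx.conf in this commit has the same line, and the included nginx-server-common.conf is outside this diff, so confirm it is not set there before adding it here.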
@@ -1,131 +0,0 @@ -server_tokens off; -client_header_buffer_size 512; -client_max_body_size 512; - -server { - listen 80 default; - listen [::]:80 ipv6only=on default; - - rewrite ^ https://$host$uri; -} - -server { - listen 443 ssl; - listen [::]:443 ipv6only=on ssl; - - root /var/www/fic-server/htdocs/; - - server_tokens off; - - access_log /var/log/nginx/fic.access_log; - error_log /var/log/nginx/fic.error_log; - - ssl_certificate /var/www/fic-server/server.crt; - ssl_certificate_key /var/www/fic-server/server.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; -# ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS; - ssl_ciphers AES256+EECDH:AES256+EDH; - ssl_client_certificate /var/www/fic-server/cacert.crt; - ssl_verify_client optional; - ssl_crl /var/www/fic-server/crl.pem; - - add_header Strict-Transport-Security "max-age=2592000; includeSubdomains"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - - error_page 400 /errors/400/index.html; - error_page 403 /errors/403/index.html; - error_page 404 /errors/404/index.html; - error_page 413 414 /errors/413/index.html; - error_page 500 503 /errors/500/index.html; - error_page 502 504 /errors/502/index.html; - - location / - { - default_type text/html; - expires epoch; - - set $team 0; - - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Amin_Martin/") { set $team 343; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Bernard_Angoustures/") { set $team 344; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Cacace_Diallo/") { set $team 345; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Delaporte_Notebaert/") { set $team 346; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Dibe/") { set $team 347; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Dubief_Roccia/") { set $team 348; } - if ($ssl_client_s_dn ~ 
"/C=FR/ST=France/O=Epita/OU=SRS/CN=Ezzahoui/") { set $team 349; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Fall/") { set $team 350; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Guerin_Chapiron/") { set $team 351; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Hugot_Hincelin/") { set $team 352; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Jawor_Giraud/") { set $team 353; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Konan/") { set $team 354; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Le_Mignan_Yadaba/") { set $team 355; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Michel-villaz_Gzenayi/") { set $team 356; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Muller_Perrin/") { set $team 357; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Pourcelot/") { set $team 358; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Quint_Kaczmarek/") { set $team 359; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Ruff_Czarny/") { set $team 360; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Sinet_Girault/") { set $team 361; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Therrode/") { set $team 362; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Sabono_Calmeji/") { set $team 363; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Renaud_Vandemeulebroucke/") { set $team 364; } - if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=De_Priest_Tjonck/") { set $team 365; } - - if ($team) { - root /var/www/fic-server/teams/$team$1; - rewrite ^/([0-9]+-?[a-zA-Z0-9_-]*)/([a-zA-Z0-9_]+)/submission$ /submission.php?team=$team&theme=$1&exercice=$2 last; - } - if ($team = 0) { - root /var/www/fic-server/htdocs/; - } - } - - location /errors - { - root /var/www/fic-server/; - } - - location /connected - { - return 403; - } - - location /files - { - root 
/var/www/fic-server/; - - aio on; - directio 512; - output_buffers 1 128k; - } - - location ~* \favicon.ico$ { - root /var/www/fic-server/htdocs/; - access_log off; - expires 1d; - add_header Cache-Control public; - } - - location ~ ^/(assets|img|js|css|fonts)/ { - root /var/www/fic-server/htdocs/; - access_log off; - expires 7d; - add_header Cache-Control public; - } - - location ~ /(\.ht|\.git|\.svn|\.onyx) { - return 403; - } - - location /submission.php - { - root /var/www/fic-server/; - - limit_rate 4k; - - include /etc/nginx/fastcgi.conf; - fastcgi_pass unix:/var/run/php-fpm.sock; - break; - } -} diff --git a/nginx_gen_team.sh b/nginx_gen_team.sh old mode 100644 new mode 100755 index 6347421c..5ac57349 --- a/nginx_gen_team.sh +++ b/nginx_gen_team.sh @@ -3,4 +3,6 @@ # Generate from database (exported XML from the website) the part of nginx # configuration file authenticating teams -curl http://localhost/admin/teams/export 2> /dev/null | grep "(.*)<.*$@ if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=\2/") { set $team \1; }@' +cd $(dirname "$0") + +curl http://localhost/$(grep prefix_admin onyx/config/root.xml | sed -E 's@.*(.*).*@\1@')/teams/export 2> /dev/null | grep "(.*)<.*$@ if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=\2/") { set $team \1; }@' diff --git a/onyx/include/admin/home.php b/onyx/include/admin/home.php index 2297635a..9f1c1b71 100644 --- a/onyx/include/admin/home.php +++ b/onyx/include/admin/home.php @@ -22,7 +22,7 @@ if (is_writable($misc_dir) && !is_dir("$misc_dir/pki/")) $template->assign("cert_writable", is_writable("$misc_dir/pki/")); -$ca_file = "$misc_dir/pki/cacert.crt"; +$ca_file = "$misc_dir/shared/cacert.crt"; if (file_exists($ca_file)) { if (!is_readable($ca_file)) @@ -32,7 +32,7 @@ if (file_exists($ca_file)) openssl_x509_parse(file_get_contents($ca_file))); } -$srv_file = "$misc_dir/server.crt"; +$srv_file = "$misc_dir/shared/server.crt"; if (file_exists($srv_file)) { if (!is_readable($srv_file)) 
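Review bot: The script has no error handling around the new `cd $(dirname "$0")` or the `curl ... 2> /dev/null | grep | sed` pipeline, so when the cd fails, `onyx/config/root.xml` is missing, or the admin export is unreachable, stdout is simply empty and the Dockerfile CMD writes an empty `nginx-teams.conf` — every client certificate then falls through to `$team 0` in front/nginx.conf with no diagnostic. Start with `set -eu`, write `cd "$(dirname "$0")" || exit 1`, and exit non-zero when the generated text contains no `set $team` line so the caller keeps the previous file. The id and CN pulled from the export are substituted into an nginx regex unescaped; a team name containing `.`, `(` or `"` changes what `if ($ssl_client_s_dn ~ ...)` matches or breaks the config, so escape regex metacharacters in the sed step (or reject such names where teams are created). The export is fetched over plain HTTP on localhost with no credentials, which presumably relies on an address-based rule in the backend — worth a comment. The exact grep/sed expressions appear garbled in this rendering, so I could not check them token by token.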
diff --git a/onyx/include/admin/import_users.php b/onyx/include/admin/import_users.php index dece7040..0a3342aa 100644 --- a/onyx/include/admin/import_users.php +++ b/onyx/include/admin/import_users.php @@ -14,7 +14,7 @@ if (!empty($_FILES["inputFile"]['tmp_name'])) return "admin/import_users"; } - if (!file_exists("$misc_dir/pki/cacert.crt")) + if (!file_exists("$misc_dir/shared/cacert.crt")) { erreur("The root certificate file not found, please create this first"); return "admin/import_users"; diff --git a/onyx/include/team/exercice.php b/onyx/include/team/exercice.php index fa6af0d0..9bc2f90c 100644 --- a/onyx/include/team/exercice.php +++ b/onyx/include/team/exercice.php @@ -51,7 +51,7 @@ if (isset($VAR['submission_dir'])) $_GET["theme"] = $p[2]; $_GET["exercice"] = $p[3]; - require("../submission.php"); + require("../front/submission.php"); } // Fallback error diff --git a/synchro.sh b/synchro.sh index 8cebbb6d..aac801eb 100755 --- a/synchro.sh +++ b/synchro.sh @@ -21,11 +21,9 @@ then fi # Synchronize HTML pages -rsync -e ssh -av $OPTS out/errors "$FRONTEND_HOSTNAME":~/ -rsync -e ssh -av $OPTS out/htdocs "$FRONTEND_HOSTNAME":~/ -rsync -e ssh -av $OPTS out/teams "$FRONTEND_HOSTNAME":~/ +rsync -e ssh -av $OPTS out "$FRONTEND_HOSTNAME":~/ rsync -e ssh -avL $OPTS files "$FRONTEND_HOSTNAME":~/ -rsync -e ssh -av $OPTS nginx.conf submission.php misc/server.crt misc/server.key misc/pki/cacert.crt misc/pki/crl.pem "$FRONTEND_HOSTNAME":~/ +rsync -e ssh -av $OPTS front/ misc/shared/ "$FRONTEND_HOSTNAME":~/ # Synchronize submissions rsync -e ssh -av "$FRONTEND_HOSTNAME":~/submission/ submission/
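Review bot: `rsync -e ssh -av $OPTS out "$FRONTEND_HOSTNAME":~/` replaces the explicit `out/errors`, `out/htdocs`, `out/teams` list with the whole `out/` tree, so anything else the backend generates under out/ is now published to the front host — confirm that directory holds nothing beyond those three, or keep the explicit list. The second changed line ships `misc/shared/`, which includes `server.key`; `-a` preserves local modes, so the key lands with whatever mode CA.sh left it (openssl writes it with the process umask) — chmod it 0600 before syncing or add `--chmod=F600` to that transfer. Since the front now reads `shared/crl.pem`, the script header should say that synchro.sh must run after every `CA.sh -revoke`, or a revoked client keeps access until the next sync.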