From c7d0f7d1e126f5085a5f671c47c96d3204aabb47 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Wed, 11 Dec 2013 17:20:26 +0100
Subject: [PATCH] Modification for two servers
---
nginx-server-common.conf | 43 ++++++++++++++++++++++++
nginx-server.conf | 18 ++++++++++
nginx.conf | 66 ++++++++++++++++++-------------------
onyx/config/sample.root.xml | 10 +++---
4 files changed, 98 insertions(+), 39 deletions(-)
create mode 100644 nginx-server-common.conf
create mode 100644 nginx-server.conf
diff --git a/nginx-server-common.conf b/nginx-server-common.conf
new file mode 100644
index 00000000..c5d27bc7
--- /dev/null
+++ b/nginx-server-common.conf
@@ -0,0 +1,43 @@
+ access_log /var/log/nginx/fic.access_log;
+ error_log /var/log/nginx/fic.error_log;
+
+ root /var/www/fic2014-server/htdocs;
+ index index.php;
+
+ add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
+
+ location / {
+ if (-f $request_filename) {
+ break;
+ }
+ if (-d $request_filename) {
+ break;
+ }
+
+ rewrite ^/(.*)$ /index.php?p=$1 last;
+ }
+
+ location ~* \favicon.ico$ {
+ access_log off;
+ expires 1d;
+ add_header Cache-Control public;
+ }
+
+ location ~ ^/(img|js|css)/ {
+ access_log off;
+ expires 7d;
+ add_header Cache-Control public;
+ }
+
+ location ~ /(\.ht|\.git|\.svn|\.onyx) {
+ return 403;
+ }
+
+ location ~ .*.php$
+ {
+ if (!-e $document_root$document_uri) { return 404; }
+ include /etc/nginx/fastcgi.conf;
+ fastcgi_pass unix:/var/run/fastcgi/php-fpm.sock;
+ fastcgi_index index.php;
+ break;
+ }
diff --git a/nginx-server.conf b/nginx-server.conf
new file mode 100644
index 00000000..ba338775
--- /dev/null
+++ b/nginx-server.conf
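Review bot: The `location ~ /(\.ht|\.git|\.svn|\.onyx)` block in nginx-server-common.conf sits after the `favicon` and `^/(img|js|css)/` regex locations, and nginx uses the first regex location that matches in file order, so a path under `/img/`, `/js/` or `/css/` that contains one of those names is handled by the static block and never reaches `return 403;`. Moving the deny block above the other regex locations removes that ordering dependency. The two static locations also declare their own `add_header Cache-Control public;`, and nginx inherits `add_header` from the server level only when a location has none of its own, so the Strict-Transport-Security header is dropped on those responses; repeat `add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";` inside them. The same location order appears in the nginx.conf hunk of this commit.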
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ipv6only=on ssl;
+
+ ssl_certificate /var/www/fic2014-server/misc/server.crt;
+ ssl_certificate_key /var/www/fic2014-server/misc/server.key;
+# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+# ssl_prefer_server_ciphers on;
+# ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS;
+
+ include /var/www/fic2014-server/nginx-server-common.conf;
+}
+
+server {
+ listen [::1]:80 ipv6only=on;
+
+ include /var/www/fic2014-server/nginx-server-common.conf;
+}
diff --git a/nginx.conf b/nginx.conf
index b7fc7845..796a8d48 100644
--- a/nginx.conf
+++ b/nginx.conf
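Review bot: The three TLS lines in the first `server` block (`ssl_protocols`, `ssl_prefer_server_ciphers`, `ssl_ciphers`) are added commented out, so this listener falls back to whatever protocol and cipher defaults the installed nginx and OpenSSL provide, while nginx.conf in the same commit keeps them set. If that is not deliberate, uncomment them so both servers negotiate the same way, or add a comment stating why this server differs. The block also has no `ssl_client_certificate` / `ssl_verify_client`, which looks intentional for a second server without client authentication but deserves a one-line comment such as `# public server: no client certificate required`.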
@@ -1,60 +1,58 @@ server { listen 443 ssl; - listen [::]:443 ipv6only=on; + listen [::]:443 ipv6only=on ssl; + + root /var/www/fic2014-server/htdocs/; access_log /var/log/nginx/fic.access_log; error_log /var/log/nginx/fic.error_log; - root /srv/fic2014-server/htdocs; - index index.php; - - ssl_certificate /srv/fic2014-server/misc/server.crt; - ssl_certificate_key /srv/fic2014-server/misc/server.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS; - ssl_client_certificate /srv/fic2014-server/misc/pki/cacert.crt; - ssl_verify_client on; + ssl_certificate /var/www/fic2014-server/misc/server.crt; + ssl_certificate_key /var/www/fic2014-server/misc/server.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS; + ssl_client_certificate /var/www/fic2014-server/misc/pki/cacert.crt; + ssl_verify_client on; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains"; - if ($ssl_client_s_dn !~ "/C=FR/ST=France/O=Epita/OU=SRS/") + location / { - return 401; - } + default_type text/html; + if ($ssl_client_s_dn !~ "/C=FR/ST=France/O=Epita/OU=SRS/") + { + return 401; + } - location / { - if (-f $request_filename) { - break; - } - if (-d $request_filename) { - break; - } + if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Team1/") { + root /var/www/fic2014-server/htdocs/connected/166$1; - rewrite ^/(.*)$ /index.php?p=$1 last; + rewrite ^/submission-([0-9]+)-([0-9]+).html$ /submission.php?team=166&theme=$1&exercice=$2 last; + } } location ~* \favicon.ico$ { - access_log off; - expires 1d; - add_header Cache-Control public; + access_log off; + expires 1d; + add_header Cache-Control public; } location ~ ^/(img|js|css)/ { - access_log off; - expires 7d; - add_header Cache-Control public; + access_log off; + expires 7d; + 
add_header Cache-Control public; } location ~ /(\.ht|\.git|\.svn|\.onyx) { - deny all; + return 403; } - location ~ .*.php$ + location /submission.php { - if (!-e $document_root$document_uri) { return 404; } - include /etc/nginx/fastcgi.conf; - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; + root /var/www/fic2014-server/; + include /etc/nginx/fastcgi.conf; + fastcgi_pass unix:/var/run/fastcgi/php-fpm.sock; break; } + } diff --git a/onyx/config/sample.root.xml b/onyx/config/sample.root.xml index 0491002f..d94fd659 100644 --- a/onyx/config/sample.root.xml +++ b/onyx/config/sample.root.xml @@ -1,13 +1,13 @@ - + - 1381441316 - /srv/fic2014-server/misc/ - /srv/fic2014-server/submission/ - ]]> + 1386827772 + /var/www/fic2014-server/misc/ + /var/www/fic2014-server/submission/ challenge-public challenge challenge-admin + ]]> 0
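Review bot: `location /submission.php` in nginx.conf can be requested directly, so the `team=166` value that the `rewrite` in `location /` ties to the Team1 certificate is not enforced there. The `$ssl_client_s_dn` checks now live only inside `location /`, and a direct request carries whatever `team`, `theme` and `exercice` arguments the client supplies (assuming submission.php reads them from the query string). Add `internal;` as the first line of `location /submission.php` so it is reachable only through the rewrite. Moving the `OU=SRS` test from server level into `location /` also means the remaining locations accept any certificate signed by the CA; keeping that `if` at server level, as before this change, preserves the old coverage. The DN patterns are unanchored and match anywhere in the subject string, so anchoring the first one with `^` would make the match stricter.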