Merge branch 'master' of ssh://nout/fic2014-server

2013-12-11 18:11:21 +01:00 · 2013-12-11 18:11:21 +01:00 · c9cc7b36a9
commit c9cc7b36a9
parent bc877802cc c7d0f7d1e1
9 changed files with 120 additions and 39 deletions
--- a/gen_site.sh
+++ b/gen_site.sh
@ -7,4 +7,4 @@ cd `dirname "$0"`
 mkdir -p out
 cd out

-wget -c -m http://$BASEURL/ http://$BASEURL/connected/
+wget -c -m https://$BASEURL/ https://$BASEURL/connected/
--- a/htdocs/index.php
+++ b/htdocs/index.php
@ -2,8 +2,9 @@
 //Inclusion de l'API Onyx
 require_once(trim(file_get_contents('./.onyx')));

-define("SALT_USER", "connected");
-define("SALT_ADMIN", "admin");
+define("SALT_PUBLIC", $VAR["prefix_public"]);
+define("SALT_USER", $VAR["prefix_teams"]);
+define("SALT_ADMIN", $VAR["prefix_admin"]);

 //On active le débogage si l'on est sur le domaine de debug

@ -13,6 +14,8 @@ if ($_SERVER["SERVER_NAME"] == "localhost" || $_SERVER["SERVER_NAME"] == "fic" |
 //Chargement de tout le nécessaire pour le site
 require_once("common.php");

+$template->assign("SALT_CDN",SALT_PUBLIC);
+$template->assign("SALT_PUBLIC",SALT_PUBLIC);
 $template->assign("SALT_USER",SALT_USER);
 $template->assign("SALT_ADMIN",SALT_ADMIN);

--- a/misc/openssl.cnf
+++ b/misc/openssl.cnf
@ -39,7 +39,7 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]

-dir		= fic_pki #DIR 		# Where everything is kept
+dir		= /srv/fic2014-server/misc//pki #DIR 		# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
@ -147,7 +147,7 @@ organizationalUnitName		= Organizational Unit Name (eg, section)
 organizationalUnitName_default	= SRS

 commonName			= Common Name (e.g. server FQDN or YOUR name)
-commonName_default		= toto#COMMONNAME
+commonName_default		= FIC2014 Server #COMMONNAME
 commonName_max			= 64

 emailAddress			= Email Address
@ -176,7 +176,7 @@ basicConstraints=CA:FALSE
 # the certificate can be used for anything *except* object signing.

 # This is OK for an SSL server.
-nsCertType			= client #CERTTYPE
+nsCertType			= server #CERTTYPE

 # For an object signing certificate this would be used.
 # nsCertType = objsign
--- a/nginx-server-common.conf
+++ b/nginx-server-common.conf
@ -0,0 +1,43 @@
+    access_log /var/log/nginx/fic.access_log;
+    error_log /var/log/nginx/fic.error_log;
+
+    root /var/www/fic2014-server/htdocs;
+    index index.php;
+
+    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
+
+    location / {
+      if (-f $request_filename) {
+        break;
+      }
+      if (-d $request_filename) {
+        break;
+      }
+
+      rewrite ^/(.*)$ /index.php?p=$1 last;
+    }
+
+    location ~* \favicon.ico$ {
+      access_log off;
+      expires 1d;
+      add_header Cache-Control public;
+    }
+
+    location ~ ^/(img|js|css)/ {
+      access_log off;
+      expires 7d;
+      add_header Cache-Control public;
+    }
+
+    location ~ /(\.ht|\.git|\.svn|\.onyx) {
+      return 403;
+    }
+
+    location ~ .*.php$
+    {
+	if (!-e $document_root$document_uri) { return 404; }
+        include /etc/nginx/fastcgi.conf;
+        fastcgi_pass  unix:/var/run/fastcgi/php-fpm.sock;
+        fastcgi_index index.php;
+	break;
+    }
--- a/nginx-server.conf
+++ b/nginx-server.conf
@ -0,0 +1,18 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ipv6only=on ssl;
+
+    ssl_certificate /var/www/fic2014-server/misc/server.crt;
+    ssl_certificate_key /var/www/fic2014-server/misc/server.key;
+#    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
+#    ssl_prefer_server_ciphers on;
+#    ssl_ciphers		 ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS;
+
+    include /var/www/fic2014-server/nginx-server-common.conf;
+}
+
+server {
+    listen [::1]:80 ipv6only=on;
+
+    include /var/www/fic2014-server/nginx-server-common.conf;
+}
--- a/nginx.conf
+++ b/nginx.conf
@ -1,46 +1,58 @@
 server {
-    listen 80;
-    listen [::]:80;
-    server_name fic fic.p0m.fr fic.nemunai.re;
+    listen 443 ssl;
+    listen [::]:443 ipv6only=on ssl;
+
+    root /var/www/fic2014-server/htdocs/;

    access_log /var/log/nginx/fic.access_log;
-    error_log /var/log/nginx/fic.error_log debug;
+    error_log /var/log/nginx/fic.error_log;

-    root /var/www/fic2014-server/htdocs;
+    ssl_certificate		/var/www/fic2014-server/misc/server.crt;
+    ssl_certificate_key		/var/www/fic2014-server/misc/server.key;
+    ssl_protocols		TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers	on;
+    ssl_ciphers			ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS;
+    ssl_client_certificate	/var/www/fic2014-server/misc/pki/cacert.crt;
+    ssl_verify_client		on;
+    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

-    location / {
-      if (-f $request_filename) {
-        break;
-      }
-      if (-d $request_filename) {
-        break;
-      }
+    location /
+    {
+	default_type text/html;
+        if ($ssl_client_s_dn !~ "/C=FR/ST=France/O=Epita/OU=SRS/")
+        {
+	    return 401;	
+        }

-      rewrite ^/(.*)$ /index.php?p=$1 last;
+        if ($ssl_client_s_dn ~ "/C=FR/ST=France/O=Epita/OU=SRS/CN=Team1/") {
+            root /var/www/fic2014-server/htdocs/connected/166$1;
+
+	    rewrite ^/submission-([0-9]+)-([0-9]+).html$ /submission.php?team=166&theme=$1&exercice=$2 last;
+        }
    }

    location ~* \favicon.ico$ {
-      access_log off;
-      expires 1d;
-      add_header Cache-Control public;
+        access_log off;
+        expires 1d;
+        add_header Cache-Control public;
    }

    location ~ ^/(img|js|css)/ {
-      access_log off;
-      expires 7d;
-      add_header Cache-Control public;
+        access_log off;
+        expires 7d;
+        add_header Cache-Control public;
    }

    location ~ /(\.ht|\.git|\.svn|\.onyx) {
-      deny  all;
+        return 403;
    }

-    location ~ .*.php$
+    location /submission.php
    {
-	if (!-e $document_root$document_uri) { return 404; }
-        include /etc/nginx/fastcgi.conf;
-        fastcgi_pass  127.0.0.1:9000;
-        fastcgi_index index.php;
+	root	      /var/www/fic2014-server/;
+        include       /etc/nginx/fastcgi.conf;
+        fastcgi_pass  unix:/var/run/fastcgi/php-fpm.sock;
 	break;
    }
+
 }
--- a/onyx/config/sample.root.xml
+++ b/onyx/config/sample.root.xml
@ -1,7 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<configs active="1" root="/var/www/jacobdelafon/htdocs/" cache="1">
+<configs active="1" root="/var/www/fic2014-server/htdocs/" cache="1">
  <config match="index.php">
-    <var name="end_challenge">1381441316</var>
+    <var name="end_challenge">1386827772</var>
+    <var name="misc_dir">/var/www/fic2014-server/misc/</var>
+    <var name="submission_dir">/var/www/fic2014-server/submission/</var>
+    <var name="prefix_public">challenge-public</var>
+    <var name="prefix_teams">challenge</var>
+    <var name="prefix_admin">challenge-admin</var>
    <var name="chrono"><![CDATA[<!--Page générée en: $ secondes.-->]]></var>
  </config>
  <config match="*">
--- a/onyx/tpl/bootstrap/clock.tpl
+++ b/onyx/tpl/bootstrap/clock.tpl
@ -1,11 +1,11 @@
    <div class="clock">
      <div id="ficlogo">
-        <a href="/">
-          <img src="/img/challenge.jpg" alt="Forum International de la Cybersécurité">
+        <a href="{$SALT_PUBLIC}/">
+          <img src="{$SALT_CDN}/img/challenge.jpg" alt="Forum International de la Cybersécurité">
 	</a>
      </div>
      <div id="epitalogo">
-          <img src="/img/epita.png" alt="Epita">
+          <img src="{$SALT_CDN}/img/epita.png" alt="Epita">
      </div>
      <div id="Date"></div>
      <ul>
--- a/onyx/tpl/bootstrap/layout.tpl
+++ b/onyx/tpl/bootstrap/layout.tpl
@ -5,7 +5,7 @@
    <title>{block name=title}Challenge FIC2014{/block}</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <!-- Bootstrap -->
-    <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+    <link href="{$SALT_CDN}/css/bootstrap.min.css" rel="stylesheet" media="screen">

    <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!--[if lt IE 9]>
@ -13,7 +13,7 @@
      <script src="../../assets/js/respond.min.js"></script>
    <![endif]-->

-    <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico">
+    <link rel="shortcut icon" type="image/x-icon" href="{$SALT_CDN}/favicon.ico">
    <meta name="author" content="EPITA Laboratoire SRS">
    <meta name="robots" content="all">
    <meta name="language" content="{$smarty.const.LANG}">
@ -38,7 +38,7 @@
    </footer>

    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
-    <script src="/js/jquery.min.js"></script>
+    <script src="{$SALT_CDN}/js/jquery.min.js"></script>
    <!-- Include all compiled plugins (below), or include individual files as needed -->
    <script src="/js/bootstrap.min.js"></script>
  {block name=end}{/block}