2018-12-19 22:05:42 +00:00
|
|
|
Server
|
|
|
|
======
|
|
|
|
|
|
|
|
Hardware
|
|
|
|
--------
|
|
|
|
|
2018-12-19 22:33:02 +00:00
|
|
|
=== ================================
|
|
|
|
BHS KS-12
|
|
|
|
CPU Intel Xeon W3530 4c/8t @ 2.8 GHz
|
|
|
|
RAM 32 GB DDR3 ECC @ 1333 MHz
|
|
|
|
HDD 2 × 2 TB
|
2019-07-18 18:46:31 +00:00
|
|
|
MAC 00:25:90:7b:d4:38
|
2019-08-15 08:37:33 +00:00
|
|
|
WAN 100 Mbps
|
2018-12-19 22:33:02 +00:00
|
|
|
=== ================================
|
|
|
|
|
2019-07-15 10:49:21 +00:00
|
|
|
Network
|
|
|
|
-------
|
|
|
|
|
|
|
|
+-----+---------+-------------------------------+
|
2019-08-15 08:37:33 +00:00
|
|
|
| IP4 | address | 192.99.14.98 /24 |
|
2019-07-15 10:49:21 +00:00
|
|
|
| +---------+-------------------------------+
|
|
|
|
| | gateway | 192.99.14.254 |
|
|
|
|
+-----+---------+-------------------------------+
|
|
|
|
| IP6 | address | 2607:5300:60:3f62::1 |
|
|
|
|
| +---------+-------------------------------+
|
|
|
|
| | gateway | 2607:5300:60:3fff:ff:ff:ff:ff |
|
|
|
|
+-----+---------+-------------------------------+
|
|
|
|
|
2019-07-14 14:24:36 +00:00
|
|
|
Rescue
|
|
|
|
------
|
|
|
|
|
|
|
|
.. code:: shell
|
|
|
|
|
2019-07-17 20:08:07 +00:00
|
|
|
ssh-keygen -R rwx.work
|
|
|
|
ssh-keygen -R 192.99.14.98
|
2019-07-14 14:24:36 +00:00
|
|
|
scp /home/user/.ssh/id_ecdsa.pub root@rwx.work:/root/.ssh/authorized_keys
|
|
|
|
scp /etc/bash.bashrc root@rwx.work:/etc/
|
|
|
|
|
2018-12-19 22:33:02 +00:00
|
|
|
Partitions
|
|
|
|
----------
|
2018-12-19 22:05:42 +00:00
|
|
|
|
|
|
|
.. code:: shell
|
|
|
|
|
|
|
|
parted
|
|
|
|
|
|
|
|
select /dev/sda
|
|
|
|
mktable gpt
|
2019-07-14 07:12:58 +00:00
|
|
|
mkpart boot 1 2
|
|
|
|
mkpart raid 2 2000399
|
|
|
|
toggle 1 bios_grub
|
2018-12-19 22:05:42 +00:00
|
|
|
|
|
|
|
select /dev/sdb
|
|
|
|
mktable gpt
|
2019-07-14 07:12:58 +00:00
|
|
|
mkpart boot 1 2
|
|
|
|
mkpart raid 2 2000399
|
|
|
|
toggle 1 bios_grub
|
2018-12-19 22:05:42 +00:00
|
|
|
|
|
|
|
q
|
|
|
|
|
|
|
|
.. code:: shell
|
|
|
|
|
|
|
|
mdadm --create /dev/md0 \
|
2019-07-14 07:24:07 +00:00
|
|
|
--level 0 --raid-devices 2 /dev/sd[ab]2
|
2018-12-19 22:05:42 +00:00
|
|
|
|
|
|
|
.. code:: shell
|
|
|
|
|
|
|
|
parted /dev/md0
|
|
|
|
|
|
|
|
mktable gpt
|
2019-07-14 16:24:40 +00:00
|
|
|
mkpart data 1 3966966
|
|
|
|
mkpart swap 3966966 4000523
|
2018-12-19 22:05:42 +00:00
|
|
|
|
|
|
|
q
|
|
|
|
|
|
|
|
.. code:: shell
|
|
|
|
|
2019-07-14 16:29:32 +00:00
|
|
|
mkswap --label swap \
|
|
|
|
-U d8ee4260-4652-7192-7bb3-ebbadeb835a7 \
|
|
|
|
/dev/md0p2
|
2019-07-14 15:36:51 +00:00
|
|
|
mkfs.ext4 -L data \
|
|
|
|
-U 46527192-7bb3-ebba-deb8-35a7e8606808 \
|
|
|
|
/dev/md0p1
|
2019-07-13 14:56:06 +00:00
|
|
|
|
2019-07-13 14:43:15 +00:00
|
|
|
Boot
|
|
|
|
----
|
|
|
|
|
2019-07-14 19:59:56 +00:00
|
|
|
.. warning:: no ESP boot available!
|
|
|
|
|
2019-07-13 14:43:15 +00:00
|
|
|
Prepare a grub.cfg
|
|
|
|
|
|
|
|
.. code:: shell
|
|
|
|
|
2019-07-14 07:07:55 +00:00
|
|
|
insmod biosdisk
|
2019-07-13 14:43:15 +00:00
|
|
|
insmod part_gpt
|
|
|
|
insmod mdraid1x
|
|
|
|
insmod ext2
|
|
|
|
insmod search
|
|
|
|
insmod squash4
|
|
|
|
insmod loopback
|
|
|
|
insmod linux
|
|
|
|
|
2019-07-14 15:36:51 +00:00
|
|
|
search --set data --fs-uuid 46527192-7bb3-ebba-deb8-35a7e8606808
|
2019-07-18 18:28:48 +00:00
|
|
|
lmp=/fs/up
|
2019-07-13 14:43:15 +00:00
|
|
|
sfs=filesystem.squashfs
|
|
|
|
|
|
|
|
loopback loop (${data})${lmp}/${sfs}
|
|
|
|
|
|
|
|
linux (loop)/vmlinuz \
|
|
|
|
boot=live \
|
|
|
|
elevator=deadline \
|
|
|
|
ip=frommedia \
|
|
|
|
live-media-path=${lmp} \
|
|
|
|
toram=${sfs}
|
|
|
|
|
|
|
|
initrd (loop)/initrd.img
|
|
|
|
|
2019-07-13 17:18:07 +00:00
|
|
|
boot
|
|
|
|
|
2019-07-14 01:06:20 +00:00
|
|
|
.. code:: shell
|
|
|
|
|
|
|
|
grub-mkstandalone \
|
|
|
|
--verbose \
|
|
|
|
--compress xz \
|
|
|
|
--format i386-pc \
|
|
|
|
--output core.img \
|
|
|
|
--themes "" \
|
|
|
|
boot/grub/grub.cfg=grub.cfg \
|
|
|
|
--fonts "" \
|
|
|
|
--locales "" \
|
|
|
|
--install-modules "\
|
2019-07-14 07:07:55 +00:00
|
|
|
biosdisk \
|
2019-07-14 01:06:20 +00:00
|
|
|
part_gpt \
|
|
|
|
mdraid1x \
|
|
|
|
ext2 \
|
|
|
|
search \
|
|
|
|
squash4 \
|
|
|
|
loopback \
|
|
|
|
linux \
|
|
|
|
"
|
|
|
|
|
2019-07-17 20:08:07 +00:00
|
|
|
.. todo:: move to public grub
|
2019-07-14 01:06:20 +00:00
|
|
|
|
2019-07-13 14:43:15 +00:00
|
|
|
.. code:: shell
|
|
|
|
|
2019-07-13 14:56:06 +00:00
|
|
|
grub-mkstandalone \
|
|
|
|
--verbose \
|
|
|
|
--compress xz \
|
|
|
|
--format x86_64-efi \
|
|
|
|
--output bootx64.efi \
|
|
|
|
--themes "" \
|
|
|
|
boot/grub/grub.cfg=grub.cfg
|
|
|
|
|
|
|
|
.. code:: shell
|
|
|
|
|
2019-07-14 01:06:20 +00:00
|
|
|
scp core.img root@rwx.work:
|
|
|
|
cp /usr/lib/grub/i386-pc/boot.img . \
|
|
|
|
/usr/lib/grub/i386-pc/grub-bios-setup \
|
|
|
|
--directory . /dev/sda
|
|
|
|
/usr/lib/grub/i386-pc/grub-bios-setup \
|
|
|
|
--directory . /dev/sdb
|
2019-07-13 15:11:23 +00:00
|
|
|
|
2019-07-17 20:14:44 +00:00
|
|
|
* debootstrap
|
|
|
|
* apt
|
2019-08-15 12:59:30 +00:00
|
|
|
* user account and home directory
|
2019-07-17 20:14:44 +00:00
|
|
|
* fstab /d
|
|
|
|
* systemd
|
|
|
|
* linux-image
|
|
|
|
* tops
|
|
|
|
* hardware
|
|
|
|
* completion
|
|
|
|
* network
|
|
|
|
* interfaces
|
2019-08-15 12:54:23 +00:00
|
|
|
* iputils-ping
|
2019-07-17 20:14:44 +00:00
|
|
|
* basics
|
|
|
|
* openssh-server fixes (sshd user, /run/sshd)
|
|
|
|
* live-boot
|
|
|
|
* root
|
|
|
|
* inception
|
|
|
|
* bridge
|
2019-07-18 18:35:04 +00:00
|
|
|
* grub-pc-bin
|
2019-07-18 20:58:02 +00:00
|
|
|
* apparmor
|
2019-07-18 21:00:33 +00:00
|
|
|
* unbound
|
2019-07-18 21:04:16 +00:00
|
|
|
* tree
|
2019-07-18 21:08:30 +00:00
|
|
|
* net.ipv4.ip_forward=1
|
|
|
|
* net.ipv6.conf.all.forwarding=1
|
2019-07-18 21:33:50 +00:00
|
|
|
* nftables
|
2019-08-13 08:49:06 +00:00
|
|
|
* nginx-extras
|
2019-07-21 15:35:05 +00:00
|
|
|
* root/user authorized_keys
|
|
|
|
* curl
|
2019-07-21 15:55:50 +00:00
|
|
|
* swap,swappiness
|
2019-07-21 18:01:04 +00:00
|
|
|
* enable nftables.service
|
2019-08-05 10:56:22 +00:00
|
|
|
* enable lxc.service
|
|
|
|
* sources.list file:/
|
|
|
|
* syslog-ng
|
2019-08-05 11:00:31 +00:00
|
|
|
* ssh on port 80
|
|
|
|
* domain certificate private key
|
2019-08-05 11:58:40 +00:00
|
|
|
* domain certificate bundle
|
|
|
|
* /etc/ssl/openssl.cnf tls 1.3 suites
|
|
|
|
* nginx configuration
|
2019-08-05 12:16:16 +00:00
|
|
|
* nginx in container
|
2019-08-05 12:35:33 +00:00
|
|
|
* nginx host sites
|
2019-08-15 13:27:01 +00:00
|
|
|
* python3-sphinx-rtd-theme
|
2019-08-15 17:24:44 +00:00
|
|
|
* uwsgi-plugin-python3
|
2019-07-17 20:14:44 +00:00
|
|
|
|
2019-07-15 20:38:11 +00:00
|
|
|
* /etc/bash.bashrc
|
|
|
|
* /etc/fstab (/d)
|
2019-07-13 15:12:14 +00:00
|
|
|
* /etc/locale.gen
|
|
|
|
* locale-gen
|
|
|
|
* /etc/resolv.conf
|
2019-07-15 20:11:45 +00:00
|
|
|
* /etc/apt/apt.conf
|
2019-07-13 20:31:28 +00:00
|
|
|
* /etc/apt/sources.list
|
2019-07-13 15:11:23 +00:00
|
|
|
* apt update
|
|
|
|
* apt upgrade
|
2019-07-15 20:38:11 +00:00
|
|
|
* live-boot
|
|
|
|
* update-initramfs ← update-initramfs.orig
|
|
|
|
* openssh-server
|
|
|
|
* parted
|
|
|
|
* squashfs-tools
|
|
|
|
* tree
|
2019-07-13 15:11:23 +00:00
|
|
|
* apt clean
|
|
|
|
* /etc/ssh/sshd_config
|
|
|
|
* mkdir /root/.ssh
|
2019-08-12 07:23:27 +00:00
|
|
|
* echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZAs76kQJ0/Et2NGzhxurK2wE0VhYsG9wl85iCmR9xH" > /root/.ssh/authorized_keys
|
2019-07-15 20:11:45 +00:00
|
|
|
* lxc
|
2019-07-13 20:31:28 +00:00
|
|
|
* /etc/network/interfaces.d/setup
|
|
|
|
|
2019-07-14 19:57:33 +00:00
|
|
|
.. warning:: inet6 dhcp hangs!
|
|
|
|
|
2019-07-13 20:31:28 +00:00
|
|
|
::
|
|
|
|
|
2019-07-13 22:04:54 +00:00
|
|
|
auto lo
|
2019-07-13 20:31:28 +00:00
|
|
|
iface lo inet loopback
|
|
|
|
iface lo inet6 loopback
|
|
|
|
|
2019-07-18 20:58:02 +00:00
|
|
|
auto br0
|
|
|
|
iface br0 inet static
|
|
|
|
address 10.0.0.254/24
|
|
|
|
bridge_fd 0
|
|
|
|
bridge_maxwait 0
|
|
|
|
bridge_ports enp1s0
|
|
|
|
bridge_stp on
|
|
|
|
iface br0 inet static
|
2019-07-13 20:31:28 +00:00
|
|
|
address 192.99.14.98/24
|
|
|
|
gateway 192.99.14.254
|
2019-07-18 20:58:02 +00:00
|
|
|
iface br0 inet6 static
|
2019-07-13 20:31:28 +00:00
|
|
|
address 2607:5300:60:3f62::1/64
|
|
|
|
gateway 2607:5300:60:3fff:ff:ff:ff:ff
|
2019-07-18 20:58:02 +00:00
|
|
|
|
2019-07-20 20:38:39 +00:00
|
|
|
.. warning::
|
|
|
|
|
|
|
|
reboot from container doesn't reload config file
|
|
|
|
|
|
|
|
/var/lib/lxc/config
|
|
|
|
|
2019-07-18 20:58:02 +00:00
|
|
|
::
|
|
|
|
|
2019-07-20 20:38:39 +00:00
|
|
|
lxc.include = /usr/share/lxc/config/common.conf
|
|
|
|
lxc.mount.entry = /d/mirrors/apt-mirror/debian deb none bind,create=dir,ro 0 0
|
|
|
|
lxc.start.auto = 1
|
2019-07-18 20:58:02 +00:00
|
|
|
lxc.net.0.type = veth
|
|
|
|
lxc.net.0.flags = up
|
|
|
|
lxc.net.0.link = br0
|
2019-07-20 20:38:39 +00:00
|
|
|
|
|
|
|
/var/lib/lxc/name/config
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
lxc.include = /var/lib/lxc/config
|
2019-07-21 15:35:05 +00:00
|
|
|
lxc.mount.entry = /d/d/buster d none bind,create=dir,rw 0 0
|
2019-07-20 20:38:39 +00:00
|
|
|
lxc.rootfs.path = dir:/var/lib/lxc/buster
|
2019-07-18 21:58:31 +00:00
|
|
|
lxc.net.0.veth.pair = buster
|
2019-07-18 20:58:02 +00:00
|
|
|
lxc.net.0.ipv4.address = 10.0.0.1/24
|
|
|
|
lxc.net.0.ipv4.gateway = 10.0.0.254
|
2019-07-21 15:35:05 +00:00
|
|
|
|
|
|
|
/etc/nftables.conf
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
#! /usr/sbin/nft --file
|
|
|
|
|
|
|
|
flush ruleset
|
|
|
|
|
|
|
|
table inet filter {
|
|
|
|
chain input {
|
|
|
|
type filter hook input priority 0; policy accept;
|
|
|
|
iifname "lo" accept
|
|
|
|
ip protocol icmp accept
|
2019-07-21 17:44:03 +00:00
|
|
|
ip6 nexthdr icmp accept
|
2019-07-21 15:35:05 +00:00
|
|
|
tcp dport ssh accept
|
|
|
|
tcp dport domain accept
|
|
|
|
tcp dport http accept
|
|
|
|
tcp dport https accept
|
|
|
|
}
|
|
|
|
chain forward {
|
|
|
|
type filter hook forward priority 0; policy accept;
|
|
|
|
}
|
|
|
|
chain output {
|
|
|
|
type filter hook output priority 0; policy accept;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
table ip nat {
|
|
|
|
chain prerouting {
|
|
|
|
type nat hook prerouting priority 0; policy accept;
|
|
|
|
tcp dport 65001 dnat to 10.0.0.1:ssh
|
|
|
|
}
|
|
|
|
chain postrouting {
|
|
|
|
type nat hook postrouting priority 0; policy accept;
|
|
|
|
masquerade
|
|
|
|
}
|
|
|
|
}
|
2019-08-04 14:17:16 +00:00
|
|
|
|
2019-08-04 14:22:15 +00:00
|
|
|
Web
|
|
|
|
---
|
|
|
|
|
2019-08-06 19:39:18 +00:00
|
|
|
Configuration
|
|
|
|
^^^^^^^^^^^^^
|
|
|
|
|
|
|
|
* /etc/nginx/nginx.conf
|
|
|
|
|
|
|
|
::
|
|
|
|
|
2019-08-15 19:07:16 +00:00
|
|
|
load_module modules/ngx_http_fancyindex_module.so;
|
2019-08-13 08:49:06 +00:00
|
|
|
load_module modules/ngx_http_headers_more_filter_module.so;
|
|
|
|
|
2019-08-06 19:39:18 +00:00
|
|
|
pid /run/nginx.pid;
|
|
|
|
user user;
|
|
|
|
worker_processes auto;
|
|
|
|
|
|
|
|
events {
|
|
|
|
multi_accept off;
|
|
|
|
worker_connections 512;
|
|
|
|
}
|
|
|
|
|
|
|
|
http {
|
|
|
|
|
|
|
|
# General
|
|
|
|
|
|
|
|
keepalive_timeout 60;
|
|
|
|
sendfile on;
|
|
|
|
server_tokens off;
|
|
|
|
tcp_nopush on;
|
|
|
|
tcp_nodelay on;
|
|
|
|
types_hash_max_size 2048;
|
|
|
|
|
|
|
|
# Names
|
|
|
|
|
|
|
|
server_name_in_redirect off;
|
|
|
|
server_names_hash_bucket_size 128;
|
|
|
|
|
|
|
|
# File types
|
|
|
|
|
|
|
|
include mime.types;
|
|
|
|
default_type application/octet-stream;
|
|
|
|
|
|
|
|
# Security
|
|
|
|
|
|
|
|
ssl_buffer_size 8k;
|
2019-08-14 20:09:17 +00:00
|
|
|
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
|
|
|
|
ssl_ecdh_curve "X448:X25519:P-521";
|
2019-08-06 19:39:18 +00:00
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
ssl_protocols TLSv1.3 TLSv1.2;
|
|
|
|
ssl_session_cache shared:ssl_session_cache:16m;
|
2019-08-08 09:49:14 +00:00
|
|
|
ssl_session_tickets off;
|
2019-08-06 19:39:18 +00:00
|
|
|
ssl_session_timeout 15m;
|
|
|
|
|
|
|
|
# Log
|
|
|
|
|
|
|
|
access_log /var/log/nginx/access.log;
|
|
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
|
|
|
|
# Compression
|
|
|
|
|
|
|
|
gzip off;
|
|
|
|
|
|
|
|
# Misc
|
|
|
|
|
|
|
|
client_max_body_size 16m;
|
|
|
|
index index.html;
|
2019-08-15 10:36:13 +00:00
|
|
|
|
|
|
|
# Proxy
|
|
|
|
|
2019-08-06 19:39:18 +00:00
|
|
|
proxy_pass_request_body on;
|
|
|
|
proxy_pass_request_headers on;
|
|
|
|
proxy_redirect off;
|
|
|
|
|
2019-08-13 08:49:06 +00:00
|
|
|
# Headers
|
|
|
|
|
|
|
|
more_clear_headers Server;
|
|
|
|
|
2019-08-06 19:39:18 +00:00
|
|
|
# Includes
|
|
|
|
|
|
|
|
include sites-enabled/*;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2019-08-14 13:29:44 +00:00
|
|
|
.. warning:: almost 1 minute to start the service
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
ssl_stapling on;
|
|
|
|
ssl_stapling_verify on;
|
|
|
|
|
2019-08-06 18:18:09 +00:00
|
|
|
Security
|
|
|
|
^^^^^^^^
|
|
|
|
|
|
|
|
* /etc/nginx/https.conf
|
|
|
|
|
|
|
|
::
|
|
|
|
|
2019-08-06 19:44:09 +00:00
|
|
|
listen 443 ssl http2;
|
|
|
|
listen [::]:443 ssl http2;
|
2019-08-15 11:01:07 +00:00
|
|
|
add_header Expect-CT "enforce,max-age=0" always;
|
2019-08-15 11:20:13 +00:00
|
|
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
2019-08-15 11:01:07 +00:00
|
|
|
add_header Strict-Transport-Security "max-age=31557600;includeSubDomains;preload" always;
|
2019-08-15 11:13:37 +00:00
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
2019-08-15 11:10:08 +00:00
|
|
|
add_header X-Frame-Options "DENY" always;
|
2019-08-12 21:04:45 +00:00
|
|
|
set $fp "";
|
2019-08-15 12:02:42 +00:00
|
|
|
set $fp "${fp}accelerometer 'none';";
|
|
|
|
set $fp "${fp}ambient-light-sensor 'none';";
|
2019-08-15 12:36:20 +00:00
|
|
|
set $fp "${fp}animations 'self';";
|
2019-08-15 12:02:42 +00:00
|
|
|
set $fp "${fp}autoplay 'none';";
|
|
|
|
set $fp "${fp}camera 'none';";
|
|
|
|
set $fp "${fp}document-domain 'none';";
|
2019-08-15 12:36:20 +00:00
|
|
|
set $fp "${fp}document-write 'none';";
|
2019-08-15 12:22:40 +00:00
|
|
|
set $fp "${fp}encrypted-media 'none';";
|
2019-08-15 12:02:42 +00:00
|
|
|
set $fp "${fp}fullscreen *;";
|
2019-08-15 12:22:40 +00:00
|
|
|
set $fp "${fp}geolocation 'none';";
|
2019-08-15 12:02:42 +00:00
|
|
|
set $fp "${fp}gyroscope 'none';";
|
2019-08-15 12:36:20 +00:00
|
|
|
set $fp "${fp}legacy-image-formats 'none';";
|
2019-08-15 12:02:42 +00:00
|
|
|
set $fp "${fp}magnetometer 'none';";
|
|
|
|
set $fp "${fp}microphone 'none';";
|
|
|
|
set $fp "${fp}midi 'none';";
|
|
|
|
set $fp "${fp}payment 'self';";
|
|
|
|
set $fp "${fp}picture-in-picture 'none';";
|
2019-08-15 12:22:40 +00:00
|
|
|
set $fp "${fp}speaker 'self';";
|
2019-08-15 12:02:42 +00:00
|
|
|
set $fp "${fp}sync-xhr 'none';";
|
2019-08-15 12:36:20 +00:00
|
|
|
set $fp "${fp}unsized-media 'none';";
|
2019-08-15 12:02:42 +00:00
|
|
|
set $fp "${fp}usb 'none';";
|
2019-08-15 12:36:20 +00:00
|
|
|
set $fp "${fp}vertical-scroll 'self';";
|
2019-08-15 12:17:54 +00:00
|
|
|
set $fp "${fp}vr 'none';";
|
2019-08-12 21:04:45 +00:00
|
|
|
add_header Feature-Policy "${fp}" always;
|
2019-08-06 18:18:09 +00:00
|
|
|
|
2019-08-15 12:02:42 +00:00
|
|
|
.. todo:: find policy not blocking sphinx search
|
|
|
|
|
2019-08-15 12:41:09 +00:00
|
|
|
::
|
|
|
|
|
2019-08-15 12:02:42 +00:00
|
|
|
add_header Content-Security-Policy "default-src 'self'" always;
|
|
|
|
|
2019-08-15 21:09:10 +00:00
|
|
|
* /etc/nginx/uwsgi.conf
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
uwsgi_param client_address $remote_addr;
|
|
|
|
uwsgi_param client_port $remote_port;
|
|
|
|
uwsgi_param client_ciphers $ssl_ciphers;
|
|
|
|
uwsgi_param client_curves $ssl_curves;
|
|
|
|
|
|
|
|
uwsgi_param session_reused $ssl_session_reused;
|
|
|
|
uwsgi_param session_id $ssl_session_id;
|
|
|
|
uwsgi_param session_cipher $ssl_cipher;
|
|
|
|
uwsgi_param session_protocol $ssl_protocol;
|
|
|
|
|
|
|
|
uwsgi_param server_protocol $server_protocol;
|
|
|
|
uwsgi_param server_address $server_addr;
|
|
|
|
uwsgi_param server_port $server_port;
|
|
|
|
|
|
|
|
uwsgi_param uri_scheme $scheme;
|
|
|
|
uwsgi_param uri_name $server_name;
|
|
|
|
uwsgi_param uri_request $request_uri;
|
|
|
|
uwsgi_param uri_document $document_uri;
|
|
|
|
uwsgi_param uri_query $query_string;
|
|
|
|
uwsgi_param uri_method $request_method;
|
|
|
|
|
|
|
|
uwsgi_param content_type $content_type;
|
|
|
|
uwsgi_param content_length $content_length;
|
|
|
|
|
|
|
|
Apps
|
|
|
|
^^^^
|
|
|
|
|
|
|
|
* /etc/uwsgi/apps-enabled/root.ini
|
|
|
|
|
|
|
|
.. code:: ini
|
|
|
|
|
|
|
|
[uwsgi]
|
|
|
|
chown-socket = user
|
|
|
|
uid = user
|
|
|
|
gid = user
|
|
|
|
chdir = /d/projects/root
|
|
|
|
plugins = python3
|
|
|
|
module = __init__
|
|
|
|
callable = app
|
|
|
|
threads = 2
|
|
|
|
|
2019-08-04 14:22:15 +00:00
|
|
|
Sites
|
|
|
|
^^^^^
|
|
|
|
|
2019-08-06 18:18:09 +00:00
|
|
|
* /etc/nginx/sites-enabled/http
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen 80 default_server;
|
|
|
|
listen [::]:80 default_server;
|
|
|
|
server_name _;
|
|
|
|
return 301 https://${host}${request_uri};
|
|
|
|
}
|
|
|
|
|
|
|
|
* /etc/nginx/sites-enabled/rwx.work
|
|
|
|
|
2019-08-04 14:22:15 +00:00
|
|
|
::
|
|
|
|
|
2019-08-06 19:25:35 +00:00
|
|
|
server {
|
|
|
|
include rwx.work.conf;
|
2019-08-15 21:09:10 +00:00
|
|
|
include uwsgi.conf;
|
2019-08-06 19:30:16 +00:00
|
|
|
server_name .rwx.work;
|
2019-08-06 19:25:35 +00:00
|
|
|
location / {
|
2019-08-15 21:09:10 +00:00
|
|
|
uwsgi_pass unix:/run/uwsgi/app/root/socket;
|
2019-08-06 19:25:35 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-04 14:22:15 +00:00
|
|
|
server {
|
2019-08-06 19:10:14 +00:00
|
|
|
include rwx.work.conf;
|
2019-08-04 14:22:15 +00:00
|
|
|
server_name deb.rwx.work;
|
|
|
|
root /d/mirrors/apt-mirror/debian;
|
2019-08-15 19:07:16 +00:00
|
|
|
fancyindex on;
|
2019-08-04 14:22:15 +00:00
|
|
|
}
|
|
|
|
|
2019-08-06 18:23:30 +00:00
|
|
|
server {
|
2019-08-06 19:10:14 +00:00
|
|
|
include rwx.work.conf;
|
2019-08-06 18:23:30 +00:00
|
|
|
server_name docs.rwx.work;
|
|
|
|
root /d/projects/docs/out/docs;
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
2019-08-06 19:10:14 +00:00
|
|
|
include rwx.work.conf;
|
2019-08-06 18:23:30 +00:00
|
|
|
server_name todo.rwx.work;
|
|
|
|
root /d/projects/todo;
|
|
|
|
}
|
|
|
|
|
2019-08-04 14:17:16 +00:00
|
|
|
Certificate
|
2019-08-04 14:22:15 +00:00
|
|
|
^^^^^^^^^^^
|
2019-08-04 14:17:16 +00:00
|
|
|
|
2019-08-06 19:10:14 +00:00
|
|
|
* /etc/nginx/rwx.work.conf
|
|
|
|
|
|
|
|
::
|
|
|
|
|
2019-08-15 10:39:31 +00:00
|
|
|
include https.conf;
|
2019-08-06 19:10:14 +00:00
|
|
|
ssl_certificate rwx.work.crt;
|
|
|
|
ssl_certificate_key rwx.work.key;
|
|
|
|
|
|
|
|
* /etc/nginx/rwx.work.key
|
|
|
|
|
|
|
|
* /etc/nginx/rwx.work.crt
|
2019-08-04 14:17:16 +00:00
|
|
|
|
|
|
|
::
|
|
|
|
|
2019-08-04 14:18:25 +00:00
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
MIIGVTCCBT2gAwIBAgISAxK7abRAlgNZ1QfhWkuBbd/yMA0GCSqGSIb3DQEBCwUA
|
|
|
|
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
|
|
|
|
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MDQxMjU2MzFaFw0x
|
|
|
|
OTExMDIxMjU2MzFaMBUxEzARBgNVBAMMCioucnd4LndvcmswggIiMA0GCSqGSIb3
|
|
|
|
DQEBAQUAA4ICDwAwggIKAoICAQDnX5lshzKsh9eiFaCxJqJ9Oh7yc9x/br2uIzdG
|
|
|
|
iBoOMVmHNB+3t67JVbFJ/RA38HZ29g2CDyJjY5z7VfdsUxs4caFKExwlXCujNtWS
|
|
|
|
Exj1LO4Y4ykvkQhhbkWgThDiREZv+FNw/D8cV6KjNFrx5QKHjKW++GRCJKl5+9dr
|
|
|
|
YXSCKld0ejFckd5WwajKCAto6ugfayLK/qf4CYj/na1UrgP3a1BSgMrDVdHIjACB
|
|
|
|
khoujVL+tTgNUPBwSR8s5whCaOKdVU4mBO36qc08hQAwqa94ye2ltDDVFULm62vF
|
|
|
|
LW5SeGpjIEaPAsk5xNdjOnm5HlIJjvmNo8m0qiWJ8rcjVxGWJzMmu8JzvZbmy/k+
|
|
|
|
G242C+ECuSAVMPBBZLn28Rc7Lr6YtmEo3phhdwSEDXTnlyluYtVq5Q6B2Iwwbdsb
|
|
|
|
WUa00unUHNDEmOTp6njy/K9vhJF82FyVxXQoCBqAbN8tSk/rshTYDYDPnjcZGi5R
|
|
|
|
okK7m7qeRfDiyLGvuF0xUKFODSuNYmnu2Q4WDNGTXXwsEloIvLflKKYz5vqbQ2f1
|
|
|
|
Il/tKEM0Ok9CUcj1Ty1GdNt3gCLucC8eI22t3QstUla/wiMtoAWeydzi3dneIrQ7
|
|
|
|
SmJ6rfBIxVUXGUFKlsRVBPbFbDj9kEsIUY5pUfUnDYIYVCjqm1F+XGMgGt+nMkaV
|
|
|
|
exuI0QIDAQABo4ICaDCCAmQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
|
|
|
|
AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRf3Sg57QsE
|
|
|
|
XePyTwCeSEZ7YyA0BDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBv
|
|
|
|
BggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5s
|
|
|
|
ZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5s
|
|
|
|
ZXRzZW5jcnlwdC5vcmcvMB8GA1UdEQQYMBaCCioucnd4LndvcmuCCHJ3eC53b3Jr
|
|
|
|
MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUH
|
|
|
|
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB
|
|
|
|
9ASB8QDvAHYAKTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9HgAAAFsXOrd
|
|
|
|
qgAABAMARzBFAiEAwlPkETp6PtvOY2LgY4j2SAjCRYWgTLwVLVtZs+cQHGcCICk6
|
|
|
|
O3HBqxEugr/onac7MudZow4YhRBCwVIOYsq8q42sAHUAdH7agzGtMxCRIZzOJU9C
|
|
|
|
cMK//V5CIAjGNzV55hB7zFYAAAFsXOrfgQAABAMARjBEAiBMJwKp49s6GmgCkn0I
|
|
|
|
It+05HN8zYhde6Rw5F3KS16r/QIgWL5LHcjdi5pkrEhyr6vWCQg3oO3T/oZusPDu
|
|
|
|
Z3NSsNgwDQYJKoZIhvcNAQELBQADggEBADHetLlUkXFuxk0Yb/PPeErezRCFuwrj
|
|
|
|
34mzb4Rbgzv5vmSCPhNKqVC//j6ocrF+oA0VFbYncgX4Wugi7SXNR9vOhMxg0a//
|
|
|
|
SkjveXQQ7zAm52NvjGm0Lc25sLXszVvef2T4haBNgB9osIFiLfOHewyFBFOnIvWS
|
|
|
|
yu3Alrwo6xuxZSPLvrCJZlXpiNmJN684KJEvDT8Y9tlWTBHxQl+sP8IpF8EuV9oA
|
|
|
|
Jbrdj7ZhE9guk/y0D/evYU4irV+8sC7pWPdZDLCcqk9X2WLsbyWYqbTQb5c9cLZn
|
|
|
|
OOA0WMwsL9Ly8AAbk1c41mJOKOuvv2+XzVY/NPU3uZCWOXlhqtWyusw=
|
|
|
|
-----END CERTIFICATE-----
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
|
|
|
|
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
|
|
|
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
|
|
|
|
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
|
|
|
|
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
|
|
|
|
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
|
|
|
|
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
|
|
|
|
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
|
|
|
|
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
|
|
|
|
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
|
|
|
|
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
|
|
|
|
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
|
|
|
|
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
|
|
|
|
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
|
|
|
|
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
|
|
|
|
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
|
|
|
|
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
|
|
|
|
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
|
|
|
|
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
|
|
|
|
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
|
|
|
|
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
|
|
|
|
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
|
|
|
|
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
|
|
|
|
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
|
|
|
|
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
|
|
|
|
-----END CERTIFICATE-----
|