From a154e0c476fb9933ac695874bb7aa507af7b5d4b Mon Sep 17 00:00:00 2001
From: Martin Ness
Date: Sat, 21 May 2016 14:04:13 +0200
Subject: [PATCH 1/6] gzip for any proxied requests

---
 conf.d/gzip.conf | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/conf.d/gzip.conf b/conf.d/gzip.conf
index 1af43b1..2b647cb 100644
--- a/conf.d/gzip.conf
+++ b/conf.d/gzip.conf
@@ -1,7 +1,6 @@
- gzip on;
- gzip_min_length 1100;
- gzip_comp_level 6;
- gzip_http_version 1.0;
- gzip_proxied expired no-cache no-store private auth;
- gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz;
-
+gzip on;
+gzip_min_length 1100;
+gzip_comp_level 6;
+gzip_http_version 1.0;
+gzip_proxied any;
+gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz;

From 683d847405d5ec5c40f0237850076bda8fd3fa99 Mon Sep 17 00:00:00 2001
From: Martin Ness
Date: Sat, 21 May 2016 14:10:36 +0200
Subject: [PATCH 2/6] log_format configuration moved

---
 conf.d/log.conf | 23 +++++++++++++++++++++++
 nginx.conf | 24 ------------------------
 2 files changed, 23 insertions(+), 24 deletions(-)
 create mode 100644 conf.d/log.conf

diff --git a/conf.d/log.conf b/conf.d/log.conf
new file mode 100644
index 0000000..18a4322
--- /dev/null
+++ b/conf.d/log.conf
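Review bot: `gzip_proxied any;` makes every proxied response compressible, and because nginx always compresses `text/html` in addition to `gzip_types`, the body now differs by the client's `Accept-Encoding`, yet the file sets no `gzip_vary on;`, so an intermediary cache between nginx and the browser can hand a gzip body to a client that did not ask for it; add `gzip_vary on;` next to `gzip on;`. The previous value already compressed `private`/`auth` proxied responses, so the length side channel on TLS pages (BREACH, relevant only where a response echoes request data next to a per-session secret) is not new exposure from this hunk, but the trade-off deserves one comment above `gzip_proxied`, e.g. `# compress all proxied responses; keep per-user dynamic HTML that echoes user input out of gzip on TLS hosts`. `gzip_http_version 1.0;` should likewise state why HTTP/1.0 clients receive compressed bodies, presumably for 1.0-speaking proxies in front of this host.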
@@ -0,0 +1,23 @@
+# definiere mehrere Formate für logfiles
+# Format main bindet gegenüber dem Default von nginx http_x_forwarded_for, gzip_ratio, request_time, upstream_response_time und pipe ein
+log_format main '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+ '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
+
+# das selbe Format nochmal nur mit ausgetauschter IP-Adresse
+log_format ano '0.0.0.0 - $remote_user [$time_local] '
+ '"$request" $status $bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+ '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
+
+# dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
+log_format cache '$time_local $upstream_cache_status '
+ 'Cache-Control: $upstream_http_cache_control '
+ 'Expires: $upstream_http_expires '
+ '"$request" ($status) "$gzip_ratio" '
+ '"$request_time" "$upstream_response_time" "$pipe"';
+
+access_log /var/log/nginx/access.log main;
+error_log /var/log/nginx/error.log warn;
+
diff --git a/nginx.conf b/nginx.conf
index e80e34f..f1937aa 100644
--- a/nginx.conf
+++ b/nginx.conf
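Review bot: The `ano` format replaces `$remote_addr` with `0.0.0.0` but still writes `$http_x_forwarded_for`, so for any request that arrived through a proxy the client address lands in the log anyway; if the format is meant to anonymise, drop or mask that field in `ano`, e.g. `'"$http_referer" "$http_user_agent" "-" '`. `access_log` and `error_log` now live in a conf.d snippet, which is only valid if this file is included inside the `http` block, and `log_format cache` must be parsed before any `sites-available` file that references it - presumably nginx.conf includes conf.d ahead of sites-enabled, confirm. The three header comments are in German; an English line per format such as `# main: nginx default fields plus X-Forwarded-For, gzip ratio, request/upstream timing and the pipe flag` would help other maintainers.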
@@ -15,30 +15,6 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
-
- # definiere mehrere Formate für logfiles
- # Format main bindet gegen über dem Default http_x_forwarded_for, gzip_ratio, zeiten und pipe usw.
- log_format main '$remote_addr - $remote_user [$time_local] '
- '"$request" $status $bytes_sent '
- '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
- '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
-
- # das selbe Format nochmal nur mit ausgtauschter Fake IP
- log_format ano '0.0.0.0 - $remote_user [$time_local] '
- '"$request" $status $bytes_sent '
- '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
- '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
-
- # dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
- log_format cache '$time_local $upstream_cache_status '
- 'Cache-Control: $upstream_http_cache_control '
- 'Expires: $upstream_http_expires '
- '"$request" ($status) "$gzip_ratio" '
- '"$request_time" "$upstream_response_time" "$pipe"';
-
-
- access_log /var/log/nginx/access.log main;
-
 upstream ro01 {
 server [2001:470:6c:655::2] weight=10;
 server local.krautspace.de weight=1;

From 6704842cb70319fc2589e7cc4c86437c3f7bd79b Mon Sep 17 00:00:00 2001
From: Martin Ness
Date: Sat, 21 May 2016 14:27:40 +0200
Subject: [PATCH 3/6] moved ssl configuration

---
 conf.d/ssl.conf | 12 ++++++++++++
 nginx.conf | 13 -------------
 2 files changed, 12 insertions(+), 13 deletions(-)
 create mode 100644 conf.d/ssl.conf

diff --git a/conf.d/ssl.conf b/conf.d/ssl.conf
new file mode 100644
index 0000000..4de6d82
--- /dev/null
+++ b/conf.d/ssl.conf
@@ -0,0 +1,12 @@
+ssl_prefer_server_ciphers on;
+# not possible to do exclusive
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+
+# add HSTS Header
+add_header Strict-Transport-Security max-age=15768000; # six months
+# Use a SSL/TLS cache for SSL session resume.
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
diff --git a/nginx.conf b/nginx.conf
index f1937aa..3174048 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -21,19 +21,6 @@ http {
 }
 proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m;
-
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
- ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES2\
-56:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\
-SHA:CAMELLIA128-SHA:AES128-SHA';
- ssl_dhparam /etc/ssl/private/dhparams.pem;
-
- add_header Strict-Transport-Security max-age=15768000; # six months
- ## Use a SSL/TLS cache for SSL session resume.
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
 # setzt die Variable php_https abhängig davon ob es sich um eine https Verbindung handelt, ist für die Weitergabe an php
 map $scheme $php_https { default off; https on; }

From a54dd4345a49acabedbd9531ec32a74fe5035861 Mon Sep 17 00:00:00 2001
From: Martin Ness
Date: Thu, 26 May 2016 23:05:38 +0200
Subject: [PATCH 4/6] fastcgi_param SCRIPT_FILENAME moved

---
 fastcgi_params | 4 ----
 sites-available/kraut.space.conf | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/fastcgi_params b/fastcgi_params
index 8c6e8bb..28decb9 100644
--- a/fastcgi_params
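Review bot: `add_header Strict-Transport-Security` at `http` level is silently dropped in any `server` or `location` that declares an `add_header` of its own (nginx inherits `add_header` only when the current level has none), so HSTS can be missing on exactly the vhosts that set other headers; either repeat it in those blocks or record the constraint beside the directive, e.g. `# NOTE: add_header is not inherited into blocks with their own add_header - re-add HSTS there`. The header is also sent on the plain-HTTP listeners that share this `http` block; browsers ignore HSTS received over HTTP, so it is harmless but worth a comment. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the trailing non-forward-secret suites (`CAMELLIA256-SHA:AES256-SHA:...`) are evidently kept for old clients, and `# not possible to do exclusive` should name which clients force that so the exception can be retired later. `+SSLv3` inside the cipher string is an OpenSSL ordering directive (move those suites to the end), not an enabling of SSLv3, which reads the wrong way without a comment such as `# '+SSLv3' only reorders legacy suites to the end; protocols are set by ssl_protocols`.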
+++ b/fastcgi_params
@@ -23,7 +23,3 @@ fastcgi_param SERVER_NAME $server_name;
 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param REDIRECT_STATUS 200;
-
-# ----- Add by Martin89 -----
-fastcgi_param SCRIPT_FILENAME $request_filename;
-
diff --git a/sites-available/kraut.space.conf b/sites-available/kraut.space.conf
index 4c07bd1..2568535 100644
--- a/sites-available/kraut.space.conf
+++ b/sites-available/kraut.space.conf
@@ -65,6 +65,7 @@ server {
 include fastcgi_params;
 fastcgi_buffers 16 16k;
 fastcgi_buffer_size 32k;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
 fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS']
 fastcgi_intercept_errors on;
 fastcgi_pass unix:/var/run/php5-fpm.sock;

From da943b71f1221090447b9841a4cbe90c8de3ad76 Mon Sep 17 00:00:00 2001
From: Martin Ness
Date: Thu, 26 May 2016 23:08:13 +0200
Subject: [PATCH 5/6] fastcgi_param HTTPS not more requierd in this section

---
 nginx.conf | 3 ---
 sites-available/kraut.space.conf | 1 -
 2 files changed, 4 deletions(-)

diff --git a/nginx.conf b/nginx.conf
index 3174048..c018b93 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -21,9 +21,6 @@ http {
 }
 proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m;
- # setzt die Variable php_https abhängig davon ob es sich um eine https Verbindung handelt, ist für die Weitergabe an php
- map $scheme $php_https { default off; https on; }
-
 sendfile on;
 #tcp_nopush on;
diff --git a/sites-available/kraut.space.conf b/sites-available/kraut.space.conf
index 2568535..356a9f4 100644
--- a/sites-available/kraut.space.conf
+++ b/sites-available/kraut.space.conf
@@ -66,7 +66,6 @@ server {
 fastcgi_buffers 16 16k;
 fastcgi_buffer_size 32k;
 fastcgi_param SCRIPT_FILENAME $request_filename;
- fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS']
 fastcgi_intercept_errors on;
 fastcgi_pass unix:/var/run/php5-fpm.sock;
 # entferne Header "X-Powered-By: PHP/5.4.40-1~dotdeb+wheezy.1"
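Review bot: Moving `fastcgi_param SCRIPT_FILENAME $request_filename;` out of the shared `fastcgi_params` into the one location that needs it is the right direction, but whether that line is safe depends on the enclosing `location`, which starts outside the hunk: if it is a `\.php$` regex match that forwards every matching URI to PHP-FPM, a URI that ends in `.php` but resolves to a different on-disk file can still be handed to the interpreter through `cgi.fix_pathinfo`. The usual guard is `try_files $uri =404;` in that location ahead of `fastcgi_pass`, or `security.limit_extensions = .php` in the php-fpm pool; please confirm one of the two is in place. A one-line comment on the new directive, `# set per location, not in fastcgi_params, so other FastCGI consumers keep their own SCRIPT_FILENAME`, would record why it moved.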
From 041b2ece7a9d1a1c8f2990cc58147e985872ec92 Mon Sep 17 00:00:00 2001
From: Martin Ness
Date: Fri, 15 Jul 2016 21:29:24 +0200
Subject: [PATCH 6/6] enable http2

---
 sites-available/hackspace-jena.de | 4 ++--
 sites-available/kraut.space.conf | 4 ++--
 sites-available/krautspace.de | 4 ++--
 sites-available/lpd.kraut.space.conf | 4 ++--
 sites-available/media.hackspace-jena.de | 4 ++--
 sites-available/media.krautspace.de | 4 ++--
 sites-available/status.hackspace-jena.de | 4 ++--
 sites-available/status.krautspace.de | 4 ++--
 sites-available/wiki.hackspace-jena.de | 4 ++--
 sites-available/www.krautspace.de | 4 ++--
 10 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/sites-available/hackspace-jena.de b/sites-available/hackspace-jena.de
index 214e089..8299321 100644
--- a/sites-available/hackspace-jena.de
+++ b/sites-available/hackspace-jena.de
@@ -1,8 +1,8 @@
 server {
 listen 0.0.0.0:80;
 listen [2a01:4f8:151:51a3:176:9:184:3]:80;
- listen 0.0.0.0:443 ssl;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
 ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
 server_name www.hackspace-jena.de hackspace-jena.de;
diff --git a/sites-available/kraut.space.conf b/sites-available/kraut.space.conf
index 356a9f4..ba0fac4 100644
--- a/sites-available/kraut.space.conf
+++ b/sites-available/kraut.space.conf
@@ -11,8 +11,8 @@ server {
 }
 server {
- listen 0.0.0.0:443 ssl default;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl default;
+ listen 0.0.0.0:443 ssl http2 default;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2 default;
 ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt;
 ssl_certificate_key /etc/ssl/private/star.kraut.space.key;
 server_name kraut.space www.kraut.space;
diff --git a/sites-available/krautspace.de b/sites-available/krautspace.de
index cebb3e9..edec093 100644
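Review bot: The `http2` flag is repeated on every `listen` for the same address:port, but nginx applies it to the listening socket, so setting it in any one server block for `0.0.0.0:443` and `[2a01:4f8:151:51a3:176:9:184:3]:443` (the `default` block in kraut.space.conf is the natural place) already enables it for the other nine vhosts; the duplication is harmless, but a comment such as `# http2 is a per-socket flag; set once on the default server, repeated here only for readability` should say so, and note that nginx 1.25.1+ deprecates the listen parameter in favour of `http2 on;`. HTTP/2 requires TLS 1.2 with an AEAD suite (RFC 7540 Appendix A lists the forbidden ones), while conf.d/ssl.conf still offers `TLSv1 TLSv1.1` and the trailing `CAMELLIA256-SHA`/`AES256-SHA` suites; they sit last in the list so h2 clients normally land on `EECDH+aRSA+AESGCM`, but a client that negotiates a CBC suite over h2 gets INADEQUATE_SECURITY, so pruning them is the cleaner fix now that h2 is on. The same comment applies to the hunks in krautspace.de, lpd.kraut.space.conf, media.hackspace-jena.de, media.krautspace.de, status.hackspace-jena.de, status.krautspace.de, wiki.hackspace-jena.de and www.krautspace.de.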
--- a/sites-available/krautspace.de
+++ b/sites-available/krautspace.de
@@ -1,8 +1,8 @@
 server {
 listen 0.0.0.0:80;
 listen [2a01:4f8:151:51a3:176:9:184:3]:80;
- listen 0.0.0.0:443 ssl;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
 ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
 server_name krautspace.de;
diff --git a/sites-available/lpd.kraut.space.conf b/sites-available/lpd.kraut.space.conf
index c26ba98..f614bb0 100644
--- a/sites-available/lpd.kraut.space.conf
+++ b/sites-available/lpd.kraut.space.conf
@@ -1,8 +1,8 @@
 server {
 listen 0.0.0.0:80;
 listen [2a01:4f8:151:51a3:176:9:184:3]:80;
- listen 0.0.0.0:443 ssl;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt;
 ssl_certificate_key /etc/ssl/private/star.kraut.space.key;
 server_name lpd.kraut.space;
diff --git a/sites-available/media.hackspace-jena.de b/sites-available/media.hackspace-jena.de
index f140b03..215e637 100644
--- a/sites-available/media.hackspace-jena.de
+++ b/sites-available/media.hackspace-jena.de
@@ -1,8 +1,8 @@
 server {
 listen 0.0.0.0:80;
 listen [2a01:4f8:151:51a3:176:9:184:3]:80;
- listen 0.0.0.0:443 ssl;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
 ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
 server_name media.hackspace-jena.de;
diff --git a/sites-available/media.krautspace.de b/sites-available/media.krautspace.de
index 728bbd1..2202dc9 100644
--- a/sites-available/media.krautspace.de
+++ b/sites-available/media.krautspace.de
@@ -8,8 +8,8 @@ server {
 }
 server {
- listen 0.0.0.0:443 ssl;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
 ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
 server_name media.krautspace.de;
diff --git a/sites-available/status.hackspace-jena.de b/sites-available/status.hackspace-jena.de
index 575dd93..40d84f3 100644
--- a/sites-available/status.hackspace-jena.de
+++ b/sites-available/status.hackspace-jena.de
@@ -1,8 +1,8 @@
 server {
 listen 0.0.0.0:80;
- listen 0.0.0.0:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
 listen [2a01:4f8:151:51a3:176:9:184:3]:80;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
 ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
 server_name status.hackspace-jena.de;
diff --git a/sites-available/status.krautspace.de b/sites-available/status.krautspace.de
index c323ddb..5357830 100644
--- a/sites-available/status.krautspace.de
+++ b/sites-available/status.krautspace.de
@@ -1,8 +1,8 @@
 server {
 listen 0.0.0.0:80;
- listen 0.0.0.0:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
 listen [2a01:4f8:151:51a3:176:9:184:3]:80;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
 ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
 server_name status.krautspace.de status.kraut.space;
diff --git a/sites-available/wiki.hackspace-jena.de b/sites-available/wiki.hackspace-jena.de
index e50b8c3..06b5f4c 100644
--- a/sites-available/wiki.hackspace-jena.de
+++ b/sites-available/wiki.hackspace-jena.de
@@ -1,8 +1,8 @@
 server {
 listen 0.0.0.0:80;
 listen [2a01:4f8:151:51a3:176:9:184:3]:80;
- listen 0.0.0.0:443 ssl;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
 ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
 server_name wiki.hackspace-jena.de;
diff --git a/sites-available/www.krautspace.de b/sites-available/www.krautspace.de
index d459cf2..d887186 100644
--- a/sites-available/www.krautspace.de
+++ b/sites-available/www.krautspace.de
@@ -11,8 +11,8 @@ server {
 }
 server {
- listen 0.0.0.0:443 ssl;
- listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
+ listen 0.0.0.0:443 ssl http2;
+ listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
 ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
 ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
 server_name www.krautspace.de;