diff --git a/doc/source/install/deploy-in-production.rst b/doc/source/install/deploy-in-production.rst index b5cf74a05b..4974f70dd6 100644 --- a/doc/source/install/deploy-in-production.rst +++ b/doc/source/install/deploy-in-production.rst 
@@ -126,286 +126,64 @@ Dans ``/opt/zdsenv/gunicorn_config.py`` : Nginx ~~~~~ -Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zeste de Savoir, elle se fait dans ``/etc/nginx/sites-available/zestedesavoir`` : +Installer nginx. La configuration nginx de Zeste de Savoir est séparée en plusieurs fichiers, en plus des quelques fichiers de configuration par défaut de nginx: .. code:: text - upstream zdsappserver { - server unix:/opt/zdsenv/bin/gunicorn.sock fail_timeout=0; - } - server { - listen [::]:80; - listen [::]:443; - listen 80; - listen 443 ssl; - ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt; - ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key; - # ssl_certificate /etc/ssl/certs/zds/selfgenerated.pem; - # ssl_certificate_key /etc/ssl/certs/zds/selfgenerated.key; - ssl_session_timeout 1d; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:50m; - ssl_dhparam /etc/nginx/dhparam.pem; - - server_name www.zestedesavoir.com; - rewrite ^(.*) $scheme://zestedesavoir.com$1 permanent; - } - server { - listen [::]:80 ipv6only=on; - listen [::]:443 ssl ipv6only=on; - listen 80; - listen 443 ssl; - ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt; - ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key; - # ssl_certificate /etc/ssl/certs/zds/selfgenerated.pem; - # ssl_certificate_key /etc/ssl/certs/zds/selfgenerated.key; - 
ssl_session_timeout 1d; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:50m; - ssl_dhparam /etc/nginx/dhparam.pem; - - server_name zestedesavoir.com; - gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - server_tokens off; - access_log /opt/zdsenv/logs/nginx-access.log; - error_log /opt/zdsenv/logs/nginx-error.log; - - location /author-files/ { - index index.html index.php; - alias /home/zds/tutos_sdzv3/script/; - #include php.fast.conf; - } + /etc/nginx + |- nginx.conf # Fichier de configuration principal + |- sites-available/ + | |- prod-redirect # Redirection de www.zestedesavoir.com -> zestedesavoir.com en prod + | \- zestedesavoir # Configuration propre au site + \- snippets/ # Dossier contenant des configurations incluses dans différents fichiers + |- antispam.conf # Incluse dans zestedesavoir + |- headers.conf # Headers type HSTS, CSP (et X-Robots-Tags sur la beta) + |- ssl.conf # Définition des protocoles SSL à utiliser + conf. 
des certificats + |- gzip.conf # Configuration pour la compression + |- proxy.conf # Headers à passer au proxy (gunicorn) + \- static-cache.conf # Headers à rajouter pour les contenus statiques (cache) - location = /robots.txt { - alias /opt/zdsenv/ZesteDeSavoir/robots.txt; - } - # Gandi - location = /D6BA7D30872A8A72ED225D5601248024.txt { - alias /opt/zdsenv/ZesteDeSavoir/D6BA7D30872A8A72ED225D5601248024.txt; - } - location /static/ { - alias /opt/zdsenv/ZesteDeSavoir/static/; - expires 1y; - add_header Pragma public; - add_header Cache-Control "public, must-revalidate, proxy-revalidate"; - } +.. literalinclude:: nginx/nginx.conf + :language: nginx + :caption: :download:`nginx/nginx.conf` - location /media/ { - alias /opt/zdsenv/ZesteDeSavoir/media/; - expires 1y; - add_header Pragma public; - add_header Cache-Control "public, must-revalidate, proxy-revalidate"; - } +.. literalinclude:: nginx/sites-available/prod-redirect + :language: nginx + :caption: :download:`nginx/sites-available/prod-redirect` - location / { - if ($uri !~ \. 
){ - rewrite ^(.*[^/])$ $1/ permanent; - } - rewrite ^/teasing/$ / permanent; - client_max_body_size 100M; - sendfile on; - keepalive_timeout 0; - proxy_read_timeout 1000s; - proxy_connect_timeout 1000s; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_intercept_errors on; - - add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"'; - add_header Strict-Transport-Security max-age=15768000; - add_header Access-Control-Allow-Origin *; - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - - if (!-f $request_filename) { - proxy_pass http://zdsappserver; - break; - } - - } - # Error pages - error_page 500 502 503 504 /errors/500.html; - #location = /500.html { - # root /opt/zdsenv/ZesteDeSavoir/templates/; - #} - location /errors/ { - alias /opt/zdsenv/ZesteDeSavoir/errors/; - } +.. literalinclude:: nginx/sites-enabled/zestedesavoir + :language: nginx + :caption: :download:`nginx/sites-enabled/zestedesavoir` +.. 
literalinclude:: nginx/snippets/antispam.conf + :language: nginx + :caption: :download:`nginx/snippets/antispam.conf` - # Conf anti-exploit, source : https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc - ## Block SQL injections - set $block_sql_injections 0; - if ($query_string ~ "union.*select.*\(") { - set $block_sql_injections 1; - } - if ($query_string ~ "union.*all.*select.*") { - set $block_sql_injections 1; - } - if ($query_string ~ "concat.*\(") { - set $block_sql_injections 1; - } - if ($block_sql_injections = 1) { - return 403; - } - ## Block file injections - set $block_file_injections 0; - if ($query_string ~ "[a-zA-Z0-9_]=http://") { - set $block_file_injections 1; - } - if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { - set $block_file_injections 1; - } - if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { - set $block_file_injections 1; - } - if ($block_file_injections = 1) { - return 403; - } +.. literalinclude:: nginx/snippets/gzip.conf + :language: nginx + :caption: :download:`nginx/snippets/gzip.conf` - ## Block common exploits - set $block_common_exploits 0; - if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { - set $block_common_exploits 1; - } - if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { - set $block_common_exploits 1; - } - if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { - set $block_common_exploits 1; - } - if ($query_string ~ "proc/self/environ") { - set $block_common_exploits 1; - } - if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { - set $block_common_exploits 1; - } - if ($query_string ~ "base64_(en|de)code\(.*\)") { - set $block_common_exploits 1; - } - if ($block_common_exploits = 1) { - return 403; - } - - ## Block spam - set $block_spam 0; - if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { - set $block_spam 1; - } - if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { - set 
$block_spam 1; - } - if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { - set $block_spam 1; - } - if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { - set $block_spam 1; - } - if ($block_spam = 1) { - return 403; - } - - ## Block user agents - set $block_user_agents 0; - - # Don't disable wget if you need it to run cron jobs! - #if ($http_user_agent ~ "Wget") { - # set $block_user_agents 1; - #} - - # Disable Akeeba Remote Control 2.5 and earlier - if ($http_user_agent ~ "Indy Library") { - set $block_user_agents 1; - } - - # Common bandwidth hoggers and hacking tools. - if ($http_user_agent ~ "libwww-perl") { - set $block_user_agents 1; - } - if ($http_user_agent ~ "GetRight") { - set $block_user_agents 1; - } - if ($http_user_agent ~ "GetWeb!") { - set $block_user_agents 1; - } - if ($http_user_agent ~ "Go!Zilla") { - set $block_user_agents 1; - } - if ($http_user_agent ~ "Download Demon") { - set $block_user_agents 1; - } - if ($http_user_agent ~ "Go-Ahead-Got-It") { - set $block_user_agents 1; - } - if ($http_user_agent ~ "TurnitinBot") { - set $block_user_agents 1; - } - if ($http_user_agent ~ "GrabNet") { - set $block_user_agents 1; - } - # SpaceFox: adds HTTrack - if ($http_user_agent ~ "HTTrack") { - set $block_user_agents 1; - } +.. literalinclude:: nginx/snippets/headers.conf + :language: nginx + :caption: :download:`nginx/snippets/headers.conf` - if ($block_user_agents = 1) { - return 403; - } - - } - server{ - server_name uploads.zestedesavoir.com; - root /home/zds/tutos_sdzv3/images_distantes; - index index.html index.htm; - } +.. literalinclude:: nginx/snippets/proxy.conf + :language: nginx + :caption: :download:`nginx/snippets/proxy.conf` -La configuration de la page de maintenance, quant à elle, se fait dans ``/etc/nginx/sites-available/zds-maintenance`` : +.. literalinclude:: nginx/snippets/ssl.conf + :language: nginx + :caption: :download:`nginx/snippets/ssl.conf` -.. 
code:: text - server { - listen [::]:80 ipv6only=on; - listen [::]:443 ssl ipv6only=on; - listen 80; - listen 443 ssl; - ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt; - ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; - - server_name zestedesavoir.com www.zestedesavoir.com; - gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - access_log off; - access_log /opt/zdsenv/logs/nginx-access.log; - error_log /opt/zdsenv/logs/nginx-error.log; - root /opt/zdsenv/ZesteDeSavoir; - - location /errors/css { - } - - location /errors/images { - } - - location / { - return 503; - } - - error_page 503 @maintenance; - location @maintenance { - rewrite ^.*$ /errors/maintenance.html break; - } - } +.. literalinclude:: nginx/snippets/static-cache.conf + :language: nginx + :caption: :download:`nginx/snippets/static-cache.conf` Solr diff --git a/doc/source/install/nginx/nginx.conf b/doc/source/install/nginx/nginx.conf new file mode 100644 index 0000000000..408f0a0561 --- /dev/null +++ b/doc/source/install/nginx/nginx.conf @@ -0,0 +1,42 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Virtual Host Configs + ## + include sites-enabled/*; + + include snippets/ssl.conf; + include snippets/gzip.conf; +} 
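Review bot: `# server_tokens off;` is left commented out at the `http` level, so the nginx version is hidden only by the site server block that sets it itself; responses nginx generates before a virtual server is selected (e.g. `400 Bad Request` on a malformed request) and everything answered by `sites-available/prod-redirect`, which has no `server_tokens` line, still carry `Server: nginx/x.y.z`. Uncomment it here: `server_tokens off;`. A one-line comment next to `include snippets/ssl.conf;` saying that it deliberately sits after `include sites-enabled/*;` (http-level directives are merged after the whole file is parsed, so order does not matter) would also spare the next reader a double take.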
diff --git a/doc/source/install/nginx/sites-available/prod-redirect b/doc/source/install/nginx/sites-available/prod-redirect
new file mode 100644
index 0000000000..e6a760fd19
--- /dev/null
+++ b/doc/source/install/nginx/sites-available/prod-redirect
@@ -0,0 +1,9 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl spdy;
+ listen [::]:443 ssl spdy;
+
+ server_name www.zestedesavoir.com;
+ rewrite ^(.*) $scheme://zestedesavoir.com$1 permanent;
+}
diff --git a/doc/source/install/nginx/sites-available/zestedesavoir b/doc/source/install/nginx/sites-available/zestedesavoir
new file mode 100644
index 0000000000..05e8aebfbe
--- /dev/null
+++ b/doc/source/install/nginx/sites-available/zestedesavoir
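Review bot: This server block listens on `443 ssl spdy` but declares no `ssl_certificate`/`ssl_certificate_key`, and nothing at the `http` level (`snippets/ssl.conf`) supplies one, so `nginx -t` is likely to reject it ("no ssl_certificate is defined for the listen ... ssl directive") — the block it replaces carried its own certificate lines, and those need to come back or be moved into a shared snippet. `spdy` was removed from nginx in 1.9.5 in favour of `http2`, so this file only parses on older builds; name the targeted version in a comment or switch to `http2`. The redirect `rewrite ^(.*) $scheme://zestedesavoir.com$1 permanent;` preserves plain HTTP even though the main host sends HSTS; `return 301 https://zestedesavoir.com$request_uri;` is the safer default. Note also that `nginx.conf` includes only `sites-enabled/*` while this file lives in `sites-available`, and the update notes in this commit symlink in the opposite direction (`ln -s ../sites-enabled/prod-redirect /etc/nginx/sites-available/`), which would leave the redirect never loaded.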
@@ -0,0 +1,64 @@
+upstream zdsappserver {
+ server unix:/opt/zdsenv/bin/gunicorn.sock fail_timeout=0;
+}
+
+# Active le header X-Robots-Tag sur la beta pour éviter d'indexer la beta
+map $http_host $robots_tag_header {
+ hostnames;
+ default '';
+ beta.zestedesavoir.com 'none';
+}
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl spdy default_server;
+ listen [::]:443 ssl spdy default_server;
+
+ try_files $uri @proxy;
+ server_tokens off;
+ client_max_body_size 100M;
+
+ ssl_certificate /etc/ssl/certs/zds-live.crt;
+ ssl_certificate_key /etc/ssl/private/zds-live.key;
+
+ # Logging
+ access_log /opt/zdsenv/logs/nginx-access.log;
+ error_log /opt/zdsenv/logs/nginx-error.log;
+
+ # Rewrite de l'ancienne page de teasing
+ rewrite ^/teasing/$ / permanent;
+
+ root /opt/zdsenv/webroot;
+
+ location @proxy {
+ # 503 si la maintenance est active
+ if (-f $document_root/maintenance.html) {
+ return 503;
+ }
+
+ # Ajout d'un trailing slash sur les URLs
+ if ($uri !~ (\.|^/api)) {
+ rewrite ^(.*[^/])$ $1/ permanent;
+ }
+
+ include snippets/proxy.conf;
+ proxy_pass http://zdsappserver;
+ }
+
+ location @maintenance {
+ rewrite ^(.*)$ /maintenance.html break;
+ }
+
+ # Cache headers on static resources
+ location ~* /(static|media|errors)/ {
+ include snippets/static-cache.conf;
+ }
+
+ # Error pages
+ error_page 500 502 504 /errors/500.html;
+ error_page 503 @maintenance;
+
+ include snippets/headers.conf;
+ include snippets/antispam.conf;
+}
diff --git a/doc/source/install/nginx/sites-enabled/zestedesavoir b/doc/source/install/nginx/sites-enabled/zestedesavoir
new file mode 100644
index 0000000000..a2bb0f941b
--- /dev/null
+++ b/doc/source/install/nginx/sites-enabled/zestedesavoir
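Review bot: The `listen 80 default_server` / `listen [::]:80 default_server` lines serve the entire application over plain HTTP — there is no redirect to HTTPS anywhere in this server block, and the `Strict-Transport-Security` header pulled in from `snippets/headers.conf` is only honoured by a browser after a first successful HTTPS visit, so a first-time or cleared-cache visitor can log in over cleartext. Split the block into a port-80 server that does nothing but `return 301 https://$host$request_uri;` and keep `try_files`, `@proxy` and the rest on 443 only (`$host` is fine here because it only sends the client back to the host it asked for). If plain HTTP must remain reachable for some reason, say so in a comment, because the HSTS header otherwise reads as if HTTPS were enforced. With `default_server` on both ports, requests for any `Host` reach gunicorn via `proxy.conf`'s `Host $host`; that is acceptable only because the application is presumably validating the host itself — worth a comment pointing at that dependency.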
@@ -0,0 +1,61 @@
+upstream zdsappserver {
+ server unix:/opt/zdsenv/bin/gunicorn.sock fail_timeout=0;
+}
+
+# Active le header X-Robots-Tag sur la beta pour éviter d'indexer la beta
+map $http_host $robots_tag_header {
+ hostnames;
+ default '';
+ beta.zestedesavoir.com 'none';
+}
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl spdy default_server;
+ listen [::]:443 ssl spdy default_server;
+
+ try_files $uri @proxy;
+ server_tokens off;
+ client_max_body_size 100M;
+
+ # Logging
+ access_log /opt/zdsenv/logs/nginx-access.log;
+ error_log /opt/zdsenv/logs/nginx-error.log;
+
+ # Rewrite de l'ancienne page de teasing
+ rewrite ^/teasing/$ / permanent;
+
+ root /opt/zdsenv/webroot;
+
+ location @proxy {
+ # 503 si la maintenance est active
+ if (-f $document_root/maintenance.html) {
+ return 503;
+ }
+
+ # Ajout d'un trailing slash sur les URLs
+ if ($uri !~ (\.|^/api)) {
+ rewrite ^(.*[^/])$ $1/ permanent;
+ }
+
+ include snippets/proxy.conf;
+ proxy_pass http://zdsappserver;
+ }
+
+ location @maintenance {
+ rewrite ^(.*)$ /maintenance.html break;
+ }
+
+ # Cache headers on static resources
+ location ~* /(static|media|errors)/ {
+ include snippets/static-cache.conf;
+ }
+
+ # Error pages
+ error_page 500 502 504 /errors/500.html;
+ error_page 503 @maintenance;
+
+ include snippets/headers.conf;
+ include snippets/antispam.conf;
+}
diff --git a/doc/source/install/nginx/snippets/antispam.conf b/doc/source/install/nginx/snippets/antispam.conf
new file mode 100644
index 0000000000..139fb08abc
--- /dev/null
+++ b/doc/source/install/nginx/snippets/antispam.conf
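Review bot: This `sites-enabled/zestedesavoir` is committed as a second regular file rather than a symlink to `sites-available/zestedesavoir`, and the two already diverge: this copy lacks the `ssl_certificate /etc/ssl/certs/zds-live.crt;` and `ssl_certificate_key /etc/ssl/private/zds-live.key;` lines that the `sites-available` copy has after `client_max_body_size 100M;`. Since `nginx.conf` includes only `sites-enabled/*`, this certificate-less copy is the one nginx actually loads, and with `listen 443 ssl` and no certificate defined at the `http` level either, `nginx -t` will most likely fail with "no ssl_certificate is defined for the listen ... ssl directive". Keep one source file and make the other a symlink (`sites-enabled/zestedesavoir -> ../sites-available/zestedesavoir`), or drop `sites-enabled/` from the repository and let the install notes create the link, so the two cannot drift again.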
@@ -0,0 +1,67 @@
+# Conf anti-exploit, source : https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
+#
+## Block spam
+set $block_spam 0;
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+ set $block_spam 1;
+}
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+ set $block_spam 1;
+}
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+ set $block_spam 1;
+}
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+ set $block_spam 1;
+}
+if ($block_spam = 1) {
+ return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Don't disable wget if you need it to run cron jobs!
+#if ($http_user_agent ~ "Wget") {
+# set $block_user_agents 1;
+#}
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+ set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+ set $block_user_agents 1;
+}
+if ($http_user_agent ~ "GetRight") {
+ set $block_user_agents 1;
+}
+if ($http_user_agent ~ "GetWeb!") {
+ set $block_user_agents 1;
+}
+if ($http_user_agent ~ "Go!Zilla") {
+ set $block_user_agents 1;
+}
+if ($http_user_agent ~ "Download Demon") {
+ set $block_user_agents 1;
+}
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+ set $block_user_agents 1;
+}
+if ($http_user_agent ~ "TurnitinBot") {
+ set $block_user_agents 1;
+}
+if ($http_user_agent ~ "GrabNet") {
+ set $block_user_agents 1;
+}
+# SpaceFox: adds HTTrack
+if ($http_user_agent ~ "HTTrack") {
+ set $block_user_agents 1;
+}
+
+
+if ($block_user_agents = 1) {
+ return 403;
+}
diff --git a/doc/source/install/nginx/snippets/gzip.conf b/doc/source/install/nginx/snippets/gzip.conf
new file mode 100644
index 0000000000..c9719c39c0
--- /dev/null
+++ b/doc/source/install/nginx/snippets/gzip.conf
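Review bot: Every `if ($query_string ~ "...")` and `if ($http_user_agent ~ "...")` here uses `~`, which is case-sensitive, and `$query_string` is matched raw rather than URL-decoded, so `Viagra`, `VIAGRA` or `%76iagra` pass straight through; if the rules are kept, `~*` is the minimum, and the header comment should state plainly that this is a nuisance filter for known spam bots, not a security control, since anyone targeting the site can change a User-Agent string. Entries such as `libwww-perl`, `TurnitinBot` and the commented `Wget` also block legitimate clients built on stock HTTP libraries, so each one deserves a why-comment or a check that it is still wanted. Consider a `# reviewed: <date>` line at the top so the list is revisited instead of copied forward indefinitely.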
@@ -0,0 +1,6 @@
+# GZIP compression
+gzip on;
+gzip_comp_level 6;
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+gzip_proxied any;
+gzip_vary on;
diff --git a/doc/source/install/nginx/snippets/headers.conf b/doc/source/install/nginx/snippets/headers.conf
new file mode 100644
index 0000000000..cb97c5c9bb
--- /dev/null
+++ b/doc/source/install/nginx/snippets/headers.conf
@@ -0,0 +1,19 @@
+# CSP
+# NOTE: CSP is not ready yet, see https://github.com/zestedesavoir/zds-site/issues/3242
+# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://www.google.com https://cdn.mathjax.org https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src * ; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; connect-src 'self' ; media-src 'none' ; object-src 'none' ; child-src https://www.google.com; upgrade-insecure-requests ;";
+
+# P3P
+add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
+
+# HSTS
+# This forces the browsers to use HTTPS
+# DO NOT use this on a subdomain without a valid certificate
+add_header Strict-Transport-Security max-age=15768000;
+
+# CORS
+# add_header Access-Control-Allow-Origin *;
+
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+
+# Robots
+add_header X-Robots-Tag $robots_tag_header;
diff --git a/doc/source/install/nginx/snippets/proxy.conf b/doc/source/install/nginx/snippets/proxy.conf
new file mode 100644
index 0000000000..eb0fd018ff
--- /dev/null
+++ b/doc/source/install/nginx/snippets/proxy.conf
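Review bot: `gzip on;` at the `http` level also compresses the dynamic HTML proxied from gunicorn — nginx always compresses `text/html` regardless of `gzip_types` — which is the precondition for BREACH-style compression side channels against secrets embedded in a page (CSRF tokens, for instance) when an attacker can also get input reflected into that page. Whether this is exploitable depends on the application's per-response token masking, which is not visible here; at minimum add a comment recording that the trade-off was considered, and if the application does not randomise its tokens per response, move `gzip on;` into the `/(static|media|errors)/` location so only static assets are compressed.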
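Review bot: The `add_header` directives here are not emitted on the responses where they matter most: by default nginx adds them only to 2xx/3xx responses, so the `return 403` from `antispam.conf`, the maintenance `503` and the `/errors/500.html` page go out without `Strict-Transport-Security` or `X-Robots-Tag`; append `always` (nginx >= 1.7.5) to each line, e.g. `add_header Strict-Transport-Security max-age=15768000 always;`. The snippet also lacks `X-Content-Type-Options nosniff` and `X-Frame-Options`, which matter for a site that serves user uploads from `/media/`. `add_header X-Robots-Tag $robots_tag_header;` relies on nginx silently dropping a header whose value is empty (the map's `default ''`), which deserves a one-line comment so nobody "fixes" it into an unconditional `none`.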
@@ -0,0 +1,9 @@
+# Paramètres du proxy vers gunicorn
+proxy_read_timeout 1000s;
+proxy_connect_timeout 1000s;
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_intercept_errors on;
diff --git a/doc/source/install/nginx/snippets/ssl.conf b/doc/source/install/nginx/snippets/ssl.conf
new file mode 100644
index 0000000000..8440c81014
--- /dev/null
+++ b/doc/source/install/nginx/snippets/ssl.conf
@@ -0,0 +1,7 @@
+# SSL configuration
+ssl_session_timeout 1d;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:50m;
+ssl_dhparam /etc/ssl/dhparam.pem;
diff --git a/doc/source/install/nginx/snippets/static-cache.conf b/doc/source/install/nginx/snippets/static-cache.conf
new file mode 100644
index 0000000000..537d200c4c
--- /dev/null
+++ b/doc/source/install/nginx/snippets/static-cache.conf
@@ -0,0 +1,5 @@
+# Headers de cache pour les contenus statics
+expires 1y;
+add_header Pragma public;
+add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+include snippets/headers.conf;
diff --git a/requirements-dev.txt b/requirements-dev.txt
index cec6038807..077e7afef5 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
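Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, so everything in that header except the last element is client-controlled; if the application takes the first address (common in rate limiting, ban lists and audit logs), the client IP is trivially spoofed. Either document that consumers must use the last hop or `X-Real-IP` (set from `$remote_addr`, hence trustworthy), or, assuming nothing sits in front of nginx, overwrite instead of append: `proxy_set_header X-Forwarded-For $remote_addr;`. `X-Forwarded-Proto $scheme` is only useful if the Django side is configured to trust it (`SECURE_PROXY_SSL_HEADER`); a comment naming that dependency would help, since without it `request.is_secure()` is wrong behind this proxy.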
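Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, both deprecated (RFC 8996) and flagged by browsers and PCI; restrict to `ssl_protocols TLSv1.2;` (add `TLSv1.3` once the nginx/OpenSSL build supports it) and trim the CBC/SHA-1 and `DHE-DSS` suites from `ssl_ciphers` to match. With `ssl_session_timeout 1d;` and the default `ssl_session_tickets on`, the randomly generated ticket key lives until the next reload, so a later compromise of that key decrypts recorded sessions for the whole period; add `ssl_session_tickets off;` (or manage `ssl_session_ticket_key` with rotation). OCSP stapling (`ssl_stapling on; ssl_stapling_verify on;` plus a `resolver`) is also absent.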
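Review bot: The trailing `include snippets/headers.conf;` needs a comment explaining why it is here, because it looks redundant with the server-level include: in nginx an `add_header` at a given level replaces, rather than extends, the `add_header` set inherited from the level above, so without this re-include the `/static/`, `/media/` and `/errors/` responses would lose HSTS and the other headers. Suggested: `# add_header here discards the server-level headers; re-include them`. Separately, `expires 1y;` with `Cache-Control "public, ..."` on `/media/` assumes every uploaded file is world-readable and that static filenames are content-hashed (otherwise a deploy leaves clients on stale assets for up to a year); if either assumption does not hold, say so or narrow the location.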
@@ -3,7 +3,7 @@ PyYAML==3.11
 django-debug-toolbar==1.4
 flake8==2.5.4
 autopep8==1.2.2
-sphinx==1.3.6
+sphinx==1.4.1
 sphinx_rtd_theme==0.1.9
 fake-factory==0.5.7
-mock
\ No newline at end of file
+mock
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 5ea42baa7b..752caf795e 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -29,9 +29,7 @@ fi
 cd /opt/zdsenv/ZesteDeSavoir/
 
 # Maintenance mode
-sudo rm /etc/nginx/sites-enabled/zestedesavoir
-sudo ln -s /etc/nginx/sites-available/zds-maintenance /etc/nginx/sites-enabled/zds-maintenance
-sudo service nginx reload
+sudo ln -s errors/maintenance.html /opt/zdsenv/webroot/
 
 # Delete old branch if exists
 git checkout prod
@@ -60,9 +58,7 @@ deactivate
 sudo systemctl restart zds.{service,socket}
 
 # Exit maintenance mode
-sudo rm /etc/nginx/sites-enabled/zds-maintenance
-sudo ln -s /etc/nginx/sites-available/zestedesavoir /etc/nginx/sites-enabled/zestedesavoir
-sudo systemctl reload nginx.service
+sudo rm /opt/zdsenv/webroot/maintenance.html
 
 # Display current branch and commit
 git status
diff --git a/update.md b/update.md
index 1b80c0057c..97387c6593 100644
--- a/update.md
+++ b/update.md
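Review bot: `sudo ln -s errors/maintenance.html /opt/zdsenv/webroot/` fails with "File exists" if the marker is still there from an earlier aborted deploy, so a script running under `set -e` (not visible in this hunk) would stop before doing anything; use `sudo ln -sfn errors/maintenance.html /opt/zdsenv/webroot/maintenance.html`. The relative target resolves against the link's directory, i.e. `/opt/zdsenv/webroot/errors/maintenance.html`, which only exists once the `errors` symlink described in the update notes has been created — a comment, or an explicit `test -e /opt/zdsenv/webroot/errors/maintenance.html`, would make that precondition visible. Whether `sudo` is still needed depends on who owns `/opt/zdsenv/webroot`; if it is the deploy user, dropping it removes a root step that no longer touches `/etc/nginx`.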
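Review bot: `sudo rm /opt/zdsenv/webroot/maintenance.html` runs only on the success path, so any failure between entering and leaving maintenance leaves the site answering 503 until someone removes the marker by hand; if that is the intended fail-safe, say so in a comment, otherwise a `trap 'sudo rm -f /opt/zdsenv/webroot/maintenance.html' EXIT` placed right after the marker is created makes the cleanup unconditional. Use `rm -f` either way so a missing marker does not itself abort the script.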
@@ -475,6 +475,37 @@ _________ Actions à faire pour mettre en prod la version 18 ================================================= +Changements de configuration Nginx +---------------------------------- + +Une réécriture complète de la configuration Nginx a été faite en béta ; il faut donc refléter les changements en prod. + +**Ces changements sont relativement lourds, donc une sauvegarde de `/etc/nginx` avant de faire quoi que ce soit n'est pas de trop. Ces changements doivent être fait *avant* la mise en prod, et tous les changements peuvent être fait sans aucun downtime, puisque l'ancienne configuration reste active tant que nginx n'est pas `reload`** + +Créer un dossier `/opt/zdsenv/webroot`, et y symlink toutes les resources statiques: + +```sh +mkdir /opt/zdsenv/webroot +cd /opt/zdsenv/webroot +ln -s ../ZesteDeSavoir/{static,media,errors,robots.txt} ./ +``` + +**Aussi symlink toutes les autres resources qui doivent être accessibles, type les fichiers de vérification de Gandi/des Google Webmaster Tools** + +Ensuite, le fichier `dhparam.pem` a été déplacé de `/etc/nginx/dhparam.pem` à `/etc/ssl/dhparam.pem`. Il faut donc le faire en prod (ou regénérer les dhparam via `openssl dhparam -out /etc/ssl/dhparam.pem 4096` ; cette commande peut prendre 2-3min) + +Enfin, la localisation des certificats a été modifiée pour qu'elle soit la même en beta et en prod. En beta, les fichiers ont été symlink, il faut donc faire de même en prod (ou les déplacer/copier), en mettant la chaine de certificat dans `/etc/ssl/certs/zds-live.crt` et la clé dans `/etc/ssl/private/zds-live.key`. **Voir la configuration nginx actuelle pour voir de quel fichiers il s'agit.** + +Une fois que ces changements sont fait, il faut copier la nouvelle configuration nginx dans `/etc/nginx`. Elle se trouve dans le dépot dans `doc/source/install/nginx/`. 
+ +Les anciens fichier dans `sites-{enabled,available}/` et dans `conf.d/` peuvent être virés s'il y en a ; les autres fichiers qui sont la "par défaut" doivent rester la (même si `mimes.types` semble être le seul fichier indispensable) + +Symlink le fichier `zestedesavoir`: `ln -s ../sites-enabled/zestedesavoir /etc/nginx/sites-available/` + +Enfin, **en prod uniquement**, symlink le fichier `prod-redirect`: `ln -s ../sites-enabled/prod-redirect /etc/nginx/sites-available/` + +Tester la configuration avant de la recharger: (en root) `nginx -t`. S'il n'y a aucune erreur, recharger nginx via `systemctl reload nginx.service` + Notifications -------------