Updating WebServer deployment
This commit is contained in:
parent
81b9a0a190
commit
12d2ca9a1d
@ -4,28 +4,14 @@ Having some information be publicly accessible is useful to the network -- it's
|
||||
The WebServer serves content on the Web -- its name is simple to match the function.
|
||||
|
||||
# Relevant Files and Software
|
||||
Configuration files live in [file:///etc/lighttpd/lighttpd.conf lighttpd.conf], including ciphersuites, URI redirection, and pathing. It can be validated with the following.
|
||||
<pre>lighttpd -t -f /etc/lighttpd/lighttpd.conf</pre>
|
||||
Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi.
|
||||
|
||||
Most notably, our lighttpd.conf is set to set specific headers to prevent XSS vulnerabilities. We allow the plaintext listener for a better user experience, but we restrict scripts and style resources from loading from plaintext links via Content-Security-Policy. Our X-Frame options are also set to be restrictive against XSS vulnerabilities. We pin the [[Category:SSL|Let's Encrypt]] sha-256 public key signature, and require strict transport security.
|
||||
|
||||
Data files live in [file:///srv/http/ the http directory]. Each domain is virtually hosted by the AniNIX and pathing is set up in configuration. Sites in the WebServer are designed to be as sparse and lightweight as possible for rapidly disseminating information; this comes at a cost of beauty.
|
||||
|
||||
The WebServer uses six PHP child processes to handle the processing of pages. Both the WebServer and [[Wiki]] are built on PHP engines to reduce code sprawl and edit times. We will install a custom php.ini to handle things like disabling expose_php and configuring open_basedir.
|
||||
Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
|
||||
|
||||
**Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.
|
||||
|
||||
# Available Clients
|
||||
* Windows users should use [http://google.com/chrome/browser/desktop/ Chrome] or Firefox. A copy of Chrome is stored in [https://aninix.net/wolfpack WolfPack].
|
||||
* Privacy-conscious users may be interested in [http://www.seamonkey-project.org/ Seamonkey], also stored in WolfPack. This browser includes mail and IRC clients and can be installed on a [[Holocron|flash drive]]. It can be set to silently purge privacy information on closing, and it is lighter on the OS.
|
||||
* [[ShadowArch]] users should use Seamonkey; chromium can be used to support custom Chrome extensions and bleeding-edge services, like Pushbullet or Netflix.
|
||||
[[Category:CachedClient]]
|
||||
* Mac users should use Safari or Chrome.
|
||||
* Mobile users should use the built-in browser.
|
||||
Users should use [Chrome](http://google.com/chrome/browser/desktop/) where possible, though other standard browsers will work. [AniNIX/Maat](https://maat.aninix.net) builds google-chrome as a package for ArchLinux.
|
||||
|
||||
# Equivalents or Competition
|
||||
Hosting services like [https://godaddy.com GoDaddy] and [http://freehostia.com/ FreeHostia] will provide hosting services for web pages. Content management can be done with systems like WordPress.
|
||||
}}
|
||||
|
||||
[[Category:Public_Service]]
|
||||
[[Category:SSL]]
|
||||
Hosting services like [GoDaddy](https://godaddy.com) and [FreeHostia](http://freehostia.com/) will provide hosting services for web pages. Content management can be done with systems like WordPress, but these solutions are wildly insecure, even if they can be convenient.
|
||||
|
@ -8,6 +8,8 @@ server {
|
||||
location /
|
||||
{
|
||||
rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html;
|
||||
rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
|
||||
|
||||
location /aninix.xml {
|
||||
proxy_hide_header Content-Type;
|
||||
add_header content-type "application/atom+xml";
|
||||
@ -39,7 +41,7 @@ server {
|
||||
root /usr/share/webapps/aninix/;
|
||||
try_files $uri /blackpage.html;
|
||||
}
|
||||
|
||||
|
||||
include letsencrypt.conf;
|
||||
|
||||
}
|
22
roles/WebServer/files/conf.d/Core/cyberbrain.conf
Executable file
22
roles/WebServer/files/conf.d/Core/cyberbrain.conf
Executable file
@ -0,0 +1,22 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name cyberbrain.aninix.net;
|
||||
|
||||
include sec.conf;
|
||||
include default.csp.conf;
|
||||
include letsencrypt.conf;
|
||||
|
||||
location /
|
||||
{
|
||||
auth_basic "Cyberbrain";
|
||||
auth_basic_user_file ../passwords/cyberbrain.htpasswd;
|
||||
proxy_pass http://127.0.0.1:8822;
|
||||
proxy_http_version 1.1;
|
||||
proxy_read_timeout 300;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Real-PORT $remote_port;
|
||||
}
|
||||
}
|
1
roles/WebServer/files/conf/default.csp.conf
Normal file
1
roles/WebServer/files/conf/default.csp.conf
Normal file
@ -0,0 +1 @@
|
||||
add_header "Content-Security-Policy" "default-src data: 'self' aninix.net foundation.aninix.net; script-src foundation.aninix.net www.gstatic.com www.google.com js.stripe.com unsafe-inline ssl.google-analytics.com 'self' aninix.net foundation.aninix.net data: 'unsafe-inline' 'unsafe-eval'; style-src foundation.aninix.net 'self' aninix.net foundation.aninix.net 'unsafe-inline' fonts.googleapis.com fonts.gstatic.com; img-src foundation.aninix.net 'self' aninix.net foundation.aninix.net upload.wikimedia.org commons.wikimedia.org creativecommons.org www.w3.org stripe.com ssl.google-analytics.com; font-src fonts.gstatic.com data: 'self' aninix.net foundation.aninix.net; connect-src ssl.google-analytics.com js.stripe.com mb3admin.com 'self' aninix.net foundation.aninix.net; media-src blob: 'self' aninix.net foundation.aninix.net ; child-src blob: 'self' js.stripe.com aninix.net foundation.aninix.net www.google.com; form-action 'self' aninix.net foundation.aninix.net; upgrade-insecure-requests;";
|
6
roles/WebServer/files/conf/letsencrypt.conf
Normal file
6
roles/WebServer/files/conf/letsencrypt.conf
Normal file
@ -0,0 +1,6 @@
|
||||
location ~ ^/.well-known/acme-challenge
|
||||
{
|
||||
allow all;
|
||||
root /var/lib/letsencrypt/;
|
||||
default_type "text/plain";
|
||||
}
|
2
roles/WebServer/files/conf/local.conf
Normal file
2
roles/WebServer/files/conf/local.conf
Normal file
@ -0,0 +1,2 @@
|
||||
allow 10.0.1.0/24;
|
||||
deny all;
|
22
roles/WebServer/files/conf/sec.conf
Normal file
22
roles/WebServer/files/conf/sec.conf
Normal file
@ -0,0 +1,22 @@
|
||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
|
||||
|
||||
ssl_session_cache shared:SSL:1m;
|
||||
ssl_session_timeout 5m;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
|
||||
add_header "X-Content-Type-Options" "nosniff";
|
||||
add_header "Public-Key-Pins" "pin-sha256=\"JYR9Zo608E/dQLErawdAxWfafQJDCOtsLJb+QdneIY0=\"; max-age=315360000; includeSubDomains";
|
||||
add_header "X-XSS-Protection" "1; mode=block";
|
||||
add_header "X-Frame-Options" "SAMEORIGIN";
|
||||
|
||||
# Cross-Origin Resource Sharing
|
||||
# add_header 'Access-Control-Allow-Origin' '*' always;
|
||||
# add_header 'Access-Control-Allow_Credentials' 'true' always;
|
||||
# add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
|
||||
# add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
|
1975
roles/WebServer/files/php.ini
Normal file
1975
roles/WebServer/files/php.ini
Normal file
File diff suppressed because it is too large
Load Diff
14
roles/WebServer/files/webserver.service
Normal file
14
roles/WebServer/files/webserver.service
Normal file
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=AniNIX/WebServer | Powered by OpenResty
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/run/openresty.pid
|
||||
ExecStartPre=/opt/openresty/nginx/sbin/nginx -t -q -g 'pid /run/openresty.pid; daemon on; master_process on;'
|
||||
ExecStart=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid; daemon on; master_process on;'
|
||||
ExecReload=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid; daemon on; master_process on;' -s reload
|
||||
ExecStop=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid;' -s quit
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -2,36 +2,71 @@
|
||||
- name: Install openresty
|
||||
become: yes
|
||||
package:
|
||||
name: openresty
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop:
|
||||
- openresty
|
||||
- php-fpm
|
||||
|
||||
- name: Copy PHP config
|
||||
become: yes
|
||||
copy:
|
||||
src: php.ini
|
||||
dest: /etc/php/php.ini
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: Copy Webserver config
|
||||
become: yes
|
||||
copy:
|
||||
src: webserver.service
|
||||
dest: /usr/lib/systemd/system/webserver.service
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
|
||||
register: servicefile
|
||||
|
||||
- systemd:
|
||||
daemon_reload: true
|
||||
when: servicefile.changed
|
||||
become: yes
|
||||
|
||||
- name: Copy conf.d
|
||||
become: yes
|
||||
copy:
|
||||
src: conf.d
|
||||
dest: /opt/openresty/nginx/
|
||||
src: "conf.d/{{ inventory_hostname }}"
|
||||
dest: /opt/openresty/nginx/conf.d
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
|
||||
directory_mode: 0770
|
||||
register: confd
|
||||
|
||||
- name: Copy main config
|
||||
- name: Copy conf
|
||||
become: yes
|
||||
copy:
|
||||
src: nginx.conf
|
||||
dest: /opt/openresty/nginx/conf/nginx.conf
|
||||
src: conf/
|
||||
dest: /opt/openresty/nginx/conf/
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
|
||||
validate: "/opt/openresty/nginx/sbin/nginx -t -c %s"
|
||||
register: conf
|
||||
|
||||
|
||||
# TODO when openresty is ready to go, populate /usr/lib/systemd/system/webserver.service from /usr/lib/systemd/system/openresty.service
|
||||
|
||||
- name: Ensure service is started
|
||||
- name: Ensure default openresty service file is off.
|
||||
become: yes
|
||||
service:
|
||||
name: openresty
|
||||
state: stopped
|
||||
enabled: no
|
||||
|
||||
- name: Ensure service is started
|
||||
become: yes
|
||||
when: conf.changed or confd.changed
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
enabled: yes
|
||||
state: restarted
|
||||
loop:
|
||||
- php-fpm
|
||||
- webserver
|
||||
|
Loading…
Reference in New Issue
Block a user