Updating WebServer deployment

DarkFeather 2022-09-15 14:23:34 -05:00
parent 81b9a0a190
commit 12d2ca9a1d
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
26 changed files with 2095 additions and 30 deletions

View File

@ -4,28 +4,14 @@ Having some information be publicly accessible is useful to the network -- it's
The WebServer serves content on the Web -- its name is simple to match the function.
# Relevant Files and Software
Configuration files live in [file:///etc/lighttpd/lighttpd.conf lighttpd.conf], including ciphersuites, URI redirection, and pathing. It can be validated with the following.
<pre>lighttpd -t -f /etc/lighttpd/lighttpd.conf</pre>
Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi.
Most notably, our lighttpd.conf is set to set specific headers to prevent XSS vulnerabilities. We allow the plaintext listener for a better user experience, but we restrict scripts and style resources from loading from plaintext links via Content-Security-Policy. Our X-Frame options are also set to be restrictive against XSS vulnerabilities. We pin the [[Category:SSL|Let's Encrypt]] sha-256 public key signature, and require strict transport security.
Data files live in [file:///srv/http/ the http directory]. Each domain is virtually hosted by the AniNIX and pathing is set up in configuration. Sites in the WebServer are designed to be as sparse and lightweight as possible for rapidly disseminating information; this comes at a cost of beauty.
The WebServer uses six PHP child processes to handle the processing of pages. Both the WebServer and [[Wiki]] are built on PHP engines to reduce code sprawl and edit times. We will install a custom php.ini to handle things like disabling expose_php and configuring open_basedir.
Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
**Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.
# Available Clients
* Windows users should use [http://google.com/chrome/browser/desktop/ Chrome] or Firefox. A copy of Chrome is stored in [https://aninix.net/wolfpack WolfPack].
* Privacy-conscious users may be interested in [http://www.seamonkey-project.org/ Seamonkey], also stored in WolfPack. This browser includes mail and IRC clients and can be installed on a [[Holocron|flash drive]]. It can be set to silently purge privacy information on closing, and it is lighter on the OS.
* [[ShadowArch]] users should use Seamonkey; chromium can be used to support custom Chrome extensions and bleeding-edge services, like Pushbullet or Netflix.
[[Category:CachedClient]]
* Mac users should use Safari or Chrome.
* Mobile users should use the built-in browser.
Users should use [Chrome](http://google.com/chrome/browser/desktop/) where possible, though other standard browsers will work. [AniNIX/Maat](https://maat.aninix.net) builds google-chrome as a package for ArchLinux.
# Equivalents or Competition
Hosting services like [https://godaddy.com GoDaddy] and [http://freehostia.com/ FreeHostia] will provide hosting services for web pages. Content management can be done with systems like WordPress.
}}
[[Category:Public_Service]]
[[Category:SSL]]
Hosting services like [GoDaddy](https://godaddy.com) and [FreeHostia](http://freehostia.com/) will provide hosting services for web pages. Content management can be done with systems like WordPress, but these solutions are wildly insecure, even if they can be convenient.
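Review bot: the sentence beginning "Most notably, our lighttpd.conf is set to set specific headers" still names lighttpd.conf as the place where the security headers are configured, while this hunk moves the deployment to OpenResty and points readers at sec.conf and default.csp.conf in the conf folder; update it to name those files and fix the "set to set" wording. The same sentence presents pinning the Let's Encrypt SHA-256 public key as a protection; that is HTTP Public Key Pinning, which current browsers no longer enforce, so the claim should go rather than be carried into the new page. If both the "Windows users should use Chrome" bullet and the later "Users should use Chrome where possible" paragraph survive the edit, keep one of them.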

View File

@ -8,6 +8,8 @@ server {
location /
{
rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html;
rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
location /aninix.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
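Review bot: the added `rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch` line has no terminating semicolon, so nginx rejects the file at parse time ("directive is not terminated by ;") and, because conf.d is copied by the playbook without a validate step, the subsequent restart would take the server down. Anchor the pattern as well, e.g. `rewrite ^/shadowarch/?$ /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch;`: an unanchored `/shadowarch` matches that substring anywhere in a request URI, including the end of the replacement URI itself, so if the rewritten request lands back in `location /` nginx rewrites it again until it aborts the internal redirection cycle with a 500. Separately, the `add_header content-type` inside `location /aninix.xml` means that location no longer inherits the `add_header` directives from sec.conf and default.csp.conf (nginx inherits add_header from the enclosing level only when the current level defines none), so HSTS and the other security headers are not sent for that path unless sec.conf is included there too.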
@ -39,7 +41,7 @@ server {
root /usr/share/webapps/aninix/;
try_files $uri /blackpage.html;
}
include letsencrypt.conf;
}

View File

@ -0,0 +1,22 @@
server {
listen 443 ssl http2;
server_name cyberbrain.aninix.net;
include sec.conf;
include default.csp.conf;
include letsencrypt.conf;
location /
{
auth_basic "Cyberbrain";
auth_basic_user_file ../passwords/cyberbrain.htpasswd;
proxy_pass http://127.0.0.1:8822;
proxy_http_version 1.1;
proxy_read_timeout 300;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-PORT $remote_port;
}
}
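Review bot: `proxy_set_header Connection "upgrade"` is unconditional, so every request to 127.0.0.1:8822, not only WebSocket handshakes, is forwarded with a Connection: upgrade header; the usual pattern is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http block and `proxy_set_header Connection $connection_upgrade;` here. The backend also receives no `X-Forwarded-Proto` or `X-Forwarded-For`, so it cannot tell that TLS was terminated in front of it (`X-Real-IP` carries the address but not the scheme). `auth_basic_user_file ../passwords/cyberbrain.htpasswd` resolves relative to the nginx prefix's conf directory, which works for this layout but changes meaning silently if the prefix ever does; an absolute path is safer. Note that this server only listens on 443 and no port-80 server for cyberbrain.aninix.net appears in the commit, so the `include letsencrypt.conf;` here cannot by itself satisfy an HTTP-01 challenge, which the validator opens on port 80.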

View File

@ -0,0 +1 @@
add_header "Content-Security-Policy" "default-src data: 'self' aninix.net foundation.aninix.net; script-src foundation.aninix.net www.gstatic.com www.google.com js.stripe.com unsafe-inline ssl.google-analytics.com 'self' aninix.net foundation.aninix.net data: 'unsafe-inline' 'unsafe-eval'; style-src foundation.aninix.net 'self' aninix.net foundation.aninix.net 'unsafe-inline' fonts.googleapis.com fonts.gstatic.com; img-src foundation.aninix.net 'self' aninix.net foundation.aninix.net upload.wikimedia.org commons.wikimedia.org creativecommons.org www.w3.org stripe.com ssl.google-analytics.com; font-src fonts.gstatic.com data: 'self' aninix.net foundation.aninix.net; connect-src ssl.google-analytics.com js.stripe.com mb3admin.com 'self' aninix.net foundation.aninix.net; media-src blob: 'self' aninix.net foundation.aninix.net ; child-src blob: 'self' js.stripe.com aninix.net foundation.aninix.net www.google.com; form-action 'self' aninix.net foundation.aninix.net; upgrade-insecure-requests;";
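Review bot: script-src contains a bare `unsafe-inline` (no quotes) next to `'unsafe-inline'`; the unquoted token is parsed as a host name and ignored, so it is dead weight and should be removed. More importantly, script-src allows `'unsafe-inline'`, `'unsafe-eval'` and `data:`, which lets injected inline scripts, eval and data: URI scripts run, so this policy does not provide the XSS mitigation the WebServer page credits it with; tightening that needs nonces or hashes per application, which is presumably why it lives in a separate include, but the file should at least add `object-src 'none'` and `base-uri 'self'`, since default-src falls back to `data:` for object-src here and does not govern base-uri at all. The policy also sets no `frame-ancestors`, so framing control rests entirely on the X-Frame-Options header in sec.conf.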

View File

@ -0,0 +1,6 @@
location ~ ^/.well-known/acme-challenge
{
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
}
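Review bot: the pattern `^/.well-known/acme-challenge` leaves the dot unescaped and has no trailing `/`, so it also matches paths such as `/xwell-known/acme-challengefoo`; write it as a prefix location, `location ^~ /.well-known/acme-challenge/`, which additionally takes precedence over the regex locations, or escape the dot: `location ~ ^/\.well-known/acme-challenge/`. Because this file is included from servers that listen on 443, keep in mind that HTTP-01 validation starts on port 80: a port-80 server for the same name must exist and either serve this location or redirect to the 443 server (the validator follows redirects), otherwise renewal for that name fails.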

View File

@ -0,0 +1,2 @@
allow 10.0.1.0/24;
deny all;
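Review bot: fail-closed is the right default here, but two things are worth stating in a comment in the file. `allow`/`deny` evaluate the TCP peer address (`$remote_addr`), so if anything ever proxies in front of this server the check sees the proxy, not the client, unless the realip module is configured with a trusted `set_real_ip_from`. And loopback (127.0.0.1, ::1) is not inside 10.0.1.0/24, so a health check or curl run on the host itself against a location that includes this file gets a 403; add the loopback ranges explicitly if that is wanted.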

View File

@ -0,0 +1,22 @@
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
add_header "X-Content-Type-Options" "nosniff";
add_header "Public-Key-Pins" "pin-sha256=\"JYR9Zo608E/dQLErawdAxWfafQJDCOtsLJb+QdneIY0=\"; max-age=315360000; includeSubDomains";
add_header "X-XSS-Protection" "1; mode=block";
add_header "X-Frame-Options" "SAMEORIGIN";
# Cross-Origin Resource Sharing
# add_header 'Access-Control-Allow-Origin' '*' always;
# add_header 'Access-Control-Allow_Credentials' 'true' always;
# add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
# add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
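Review bot: drop the `Public-Key-Pins` header. HPKP is deprecated and no longer enforced by current browsers (Chrome removed it in version 72, Firefox in 72), and this particular pin, a single sha256 value with a ten-year max-age, includeSubDomains and no backup pin, is exactly the shape that locks out any client still honouring it the next time the chain changes; Let's Encrypt rotates its intermediates, so that is a matter of when, not if. The `add_header` directives lack the `always` flag, so none of these headers (HSTS included) is sent on 4xx/5xx responses, for example the 401 challenge from the cyberbrain location; add `always` to each. `X-XSS-Protection` is deprecated (the filter has been removed from Chrome) and should be set to `0` or omitted. The cipher list still admits CBC suites via `AES256+EECDH:AES256+EDH`; restricting `ssl_ciphers` to AEAD suites (ECDHE+AESGCM and ECDHE+CHACHA20) is the current baseline, and TLS 1.3 suites are not governed by this directive either way. In the commented-out CORS block, `Access-Control-Allow_Credentials` has an underscore where a hyphen belongs, which will silently fail whenever someone uncomments it, and a wildcard `Access-Control-Allow-Origin` is rejected by browsers for credentialed requests anyway.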

File diff suppressed because it is too large

View File

@ -0,0 +1,14 @@
[Unit]
Description=AniNIX/WebServer | Powered by OpenResty
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/run/openresty.pid
ExecStartPre=/opt/openresty/nginx/sbin/nginx -t -q -g 'pid /run/openresty.pid; daemon on; master_process on;'
ExecStart=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid; daemon on; master_process on;'
ExecReload=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid; daemon on; master_process on;' -s reload
ExecStop=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid;' -s quit
[Install]
WantedBy=multi-user.target
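Review bot: `After=syslog.target` names a target systemd dropped long ago (journald needs no ordering); replace it with `After=network-online.target` plus `Wants=network-online.target` so the listener is not brought up before addresses are. The master runs as root (needed to bind 443 and drop to the worker user), so add the confinement systemd offers for free: `PrivateTmp=true`, `ProtectSystem=full` and `ProtectHome=true`. `ExecReload` does not run `-t` first; nginx's own reload keeps the old workers if the new configuration fails to parse, so that is acceptable, but a failed reload then only shows up in the error log, not in `systemctl reload`'s exit status, which is worth a comment in the unit.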

View File

@ -2,36 +2,71 @@
- name: Install openresty
become: yes
package:
name: openresty
name: "{{ item }}"
state: present
loop:
- openresty
- php-fpm
- name: Copy PHP config
become: yes
copy:
src: php.ini
dest: /etc/php/php.ini
owner: root
group: root
mode: 0755
- name: Copy Webserver config
become: yes
copy:
src: webserver.service
dest: /usr/lib/systemd/system/webserver.service
owner: http
group: http
mode: 0660
register: servicefile
- systemd:
daemon_reload: true
when: servicefile.changed
become: yes
- name: Copy conf.d
become: yes
copy:
src: conf.d
dest: /opt/openresty/nginx/
src: "conf.d/{{ inventory_hostname }}"
dest: /opt/openresty/nginx/conf.d
owner: http
group: http
mode: 0660
directory_mode: 0770
register: confd
- name: Copy main config
- name: Copy conf
become: yes
copy:
src: nginx.conf
dest: /opt/openresty/nginx/conf/nginx.conf
src: conf/
dest: /opt/openresty/nginx/conf/
owner: http
group: http
mode: 0660
validate: "/opt/openresty/nginx/sbin/nginx -t -c %s"
register: conf
# TODO when openresty is ready to go, populate /usr/lib/systemd/system/webserver.service from /usr/lib/systemd/system/openresty.service
- name: Ensure service is started
- name: Ensure default openresty service file is off.
become: yes
service:
name: openresty
state: stopped
enabled: no
- name: Ensure service is started
become: yes
when: conf.changed or confd.changed
service:
name: "{{ item }}"
enabled: yes
state: restarted
loop:
- php-fpm
- webserver
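Review bot: "Copy Webserver config" installs a unit that systemd executes as root with `owner: http`, `group: http`, `mode: 0660`; that gives the unprivileged web service account write access to a root-executed unit file, which turns any compromise of a worker process into a local privilege escalation. Unit files should be `owner: root`, `group: root`, `mode: 0644`. The same applies to "Copy conf.d" and "Copy conf" (http:http, 0660/0770): the nginx master reads its configuration as root, so it can be root-owned and read-only for http, and the htpasswd files those configs reference deserve the same treatment. `php.ini` with `mode: 0755` should be 0644; a config file needs no execute bit. The `validate: "/opt/openresty/nginx/sbin/nginx -t -c %s"` on "Copy conf" runs once per copied file against a temporary copy, and since `src: conf/` delivers fragments (sec.conf, letsencrypt.conf, default.csp.conf, the allow/deny include) that are not complete configurations, `nginx -t -c` on those will fail the task, while conf.d, which carries the per-host server blocks including the unterminated rewrite above, is never validated; drop `validate` from the directory copy and add a `command: /opt/openresty/nginx/sbin/nginx -t` task after both copies that gates the restart. Finally, prefer `state: reloaded` for webserver (nginx reloads without dropping connections and keeps the old workers if the new config is bad, whereas `restarted` stops it first), restart php-fpm only when the PHP config changed (the php.ini copy is not even registered), and give the bare `systemd:` daemon_reload task a name.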