From 23bf155d2ed0db756a5738bb216c1529c7b69f7a Mon Sep 17 00:00:00 2001
From: Holger Frey
Date: Tue, 12 Dec 2017 15:56:34 +0100
Subject: [PATCH] Added nginx config example
---
 cookiecutter.json | 3 +-
 ...ample_moin_{{cookiecutter.directory_name}} | 51 +++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 {{cookiecutter.directory_name}}/nginx_example_moin_{{cookiecutter.directory_name}}
diff --git a/cookiecutter.json b/cookiecutter.json
index 7787efd..bfc0495 100644
--- a/cookiecutter.json
+++ b/cookiecutter.json
@@ -2,5 +2,6 @@
 "new_wiki": "",
 "wiki_name": "{{ cookiecutter.new_wiki|title|replace(' ', '') }}",
 "directory_name": "{{ cookiecutter.wiki_name|lower }}",
- "url": "https://{{cookiecutter.directory_name}}.cpi.imtek.uni-freiburg.de/"
+ "domain": "{{cookiecutter.directory_name}}.cpi.imtek.uni-freiburg.de",
+ "access": ["university only", "public"]
 }
diff --git a/{{cookiecutter.directory_name}}/nginx_example_moin_{{cookiecutter.directory_name}} b/{{cookiecutter.directory_name}}/nginx_example_moin_{{cookiecutter.directory_name}}
new file mode 100644
index 0000000..785ecc0
--- /dev/null
+++ b/{{cookiecutter.directory_name}}/nginx_example_moin_{{cookiecutter.directory_name}}
@@ -0,0 +1,51 @@
+server {
+ listen 443 ssl;
+ server_name {{cookiecutter.domain}};
+ add_header X-Clacks-Overhead "GNU Terry Pratchett";
+
+ access_log /var/log/nginx/moin_{{cookiecutter.directory_name}}.access.log;
+
+ {% if cookiecutter.access == "university only" %}
+ # Access is only allowed from the internal university network
+ allow 132.230.0.0/16;
+ allow 192.52.0.0/16;
+ allow 10.0.0.0/8;
+ deny all;
+ {% endif %}
+
+ # ssl configuration
+ # ssl key and certificate
+ ssl_certificate /etc/ssl/uni-fr/live/{{cookiecutter.directory_name}}/fullchain.pem;
+ ssl_certificate_key /etc/ssl/uni-fr/keys/{{cookiecutter.directory_name}}.key;
+ # ssl protocols and ciphers
+ ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
+ ssl_prefer_server_ciphers on;
+ # use a strong diffy helman elliptic curve
+ ssl_dhparam /etc/ssl/nginx/dhparam2048.pem;
+ ssl_ecdh_curve secp384r1;
+ # add HSTS header
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ location /HonigTopf {
+ add_header Content-Type image/gif;
+ alias /var/www/moin/static/honeypot.gif;
+ }
+
+ location ^~ /moin_static/ {
+ alias /var/www/moin_static/;
+ }
+
+ location ^~ /static/ {
+ alias /var/www/moin/static/;
+ }
+
+ location / {
+ try_files $uri @moin;
+ }
+
+ location @moin {
+ include uwsgi_params;
+ uwsgi_pass unix:/tmp/moin.sock;
+ }
+}
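Review bot: The `add_header Content-Type image/gif;` inside `location /HonigTopf` stops that location from inheriting the server-level `add_header` lines, because nginx only inherits them when the current level declares none, so responses there lose `Strict-Transport-Security`; setting the type with `types { } default_type image/gif;` avoids that and the possible second Content-Type header. `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` still offers TLS 1.0 and 1.1, which are deprecated, so `ssl_protocols TLSv1.2;` (plus TLSv1.3 where the nginx/OpenSSL build supports it) is the safer example to ship. `uwsgi_pass unix:/tmp/moin.sock;` places the application socket in a world-writable directory and uses the same path for every generated wiki, while the log and certificate paths are per-wiki; a per-wiki socket path in a directory only the service accounts can write would be a better default. Since the `allow`/`deny` block is rendered only when `cookiecutter.access` equals the exact string "university only", a comment above the `{% if %}` noting that any other value yields an unrestricted server would help whoever edits the choice list later.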