Commit 0bacc8e4 authored by Jacob Priddy's avatar Jacob Priddy 👌

move to wwu cert for main site, and implement second server with self

signed for reliability
parent 498927e9
Pipeline #12449 passed with stages
in 3 minutes and 16 seconds
......@@ -11,6 +11,12 @@ secrets:
file: ./secrets/certs/webserver.key
root_cert:
file: ./secrets/certs/root.cert
wwu_webserver_cert:
file: ./secrets/certs/wwu-granted-elock-cert.cer
wwu_webserver_key:
file: ./secrets/certs/wwu-webserver-request-root.key
wwu_root_cert:
file: ./secrets/certs/wwu-webserver-intermediate.pem
postgres_password:
file: ./secrets/passwords/postgres
......@@ -27,7 +33,11 @@ services:
- webserver_cert
- webserver_key
- root_cert
- wwu_webserver_cert
- wwu_webserver_key
- wwu_root_cert
ports:
- "4433:4433"
- "443:443"
- "80:80"
volumes:
......
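Review bot: The secret named `wwu_root_cert` is backed by `./secrets/certs/wwu-webserver-intermediate.pem`, so the name says root while the file is an intermediate, and anyone wiring it into `ssl_trusted_certificate` will assume a root anchor. Either rename the secret (for instance `wwu_intermediate_cert`) or put a comment above it such as `# intermediate CA cert, not the root; used for chain verification only`. Likewise `wwu_webserver_key` points at `wwu-webserver-request-root.key`, a name that reads like a CSR artifact, so a one-line comment confirming it is the private key matching `wwu-granted-elock-cert.cer` would save the next maintainer a check. The six `wwu_*` entries and the `"4433:4433"` mapping appear to be this section's additions, but the page keeps no +/- markers, so that is inferred from the hunk counts.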
......@@ -19,8 +19,8 @@ server {
listen 443 ssl;
index index.php index.html;
ssl_certificate /run/secrets/webserver_cert;
ssl_certificate_key /run/secrets/webserver_key;
ssl_certificate /run/secrets/wwu_webserver_cert;
ssl_certificate_key /run/secrets/wwu_webserver_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
......@@ -35,7 +35,7 @@ server {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /run/secrets/root_cert;
ssl_trusted_certificate /run/secrets/wwu_root_cert;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
......@@ -95,3 +95,36 @@ server {
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
server {
# This server is just setup to pass requests to the api on a different port with a different certificate
server_name localhost;
listen 4433 ssl;
index index.php index.html;
ssl_certificate /run/secrets/webserver_cert;
ssl_certificate_key /run/secrets/webserver_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /run/dhparam/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /run/secrets/root_cert;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/frontend/dist;
location /api {
proxy_pass http://localhost.api;
}
}
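Review bot: The intermediate placed in `ssl_trusted_certificate /run/secrets/wwu_root_cert;` is never sent to clients; nginx reads that file only when verifying OCSP staples or client certificates, and neither `ssl_stapling` nor `ssl_verify_client` appears in the visible hunks. If `wwu-granted-elock-cert.cer` holds only the leaf, clients without the WWU intermediate cached will see an incomplete chain, so the intermediate should be appended to the file behind `ssl_certificate /run/secrets/wwu_webserver_cert;` (leaf first, then intermediate), and that file must be PEM, which a `.cer` extension does not guarantee. In the new `listen 4433 ssl;` server the `location /api` block proxies with no forwarding headers, so the API sees neither the client address nor the original scheme; adding `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` would fix that, and `proxy_pass http://localhost.api;` looks like it needs confirming as a resolvable upstream name from inside the container. The roughly twenty TLS directives duplicated between the two server blocks would be easier to keep in step as one shared include snippet. The first `server {` block that the earlier hunks modify starts before the first hunk.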