Skip to content

GitLab

D
Doorcode
Commit 0bacc8e4 authored by Jacob Priddy's avatar Jacob Priddy 👌
Browse files
Options

move to wwu cert for main site, and implement second server with self 

signed for reliability
parent 498927e9
Pipeline #12449 passed with stages
      in 3 minutes and 16 seconds
      Hide whitespace changes
      Inline Side-by-side
      Showing with 46 additions and 3 deletions
      docker-compose.yml.prod
      View file @ 0bacc8e4
      ......@@ -11,6 +11,12 @@ secrets:
      file: ./secrets/certs/webserver.key
      root_cert:
      file: ./secrets/certs/root.cert
      wwu_webserver_cert:
      file: ./secrets/certs/wwu-granted-elock-cert.cer
      wwu_webserver_key:
      file: ./secrets/certs/wwu-webserver-request-root.key
      wwu_root_cert:
      file: ./secrets/certs/wwu-webserver-intermediate.pem
      postgres_password:
      file: ./secrets/passwords/postgres
      ......@@ -27,7 +33,11 @@ services:
      - webserver_cert
      - webserver_key
      - root_cert
      - wwu_webserver_cert
      - wwu_webserver_key
      - wwu_root_cert
      ports:
      - "4433:4433"
      - "443:443"
      - "80:80"
      volumes:
      ......
      nginx/conf.d/prod.conf
      View file @ 0bacc8e4
      ......@@ -19,8 +19,8 @@ server {
      listen 443 ssl;
      index index.php index.html;
      ssl_certificate /run/secrets/webserver_cert;
      ssl_certificate_key /run/secrets/webserver_key;
      ssl_certificate /run/secrets/wwu_webserver_cert;
      ssl_certificate_key /run/secrets/wwu_webserver_key;
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
      ssl_session_tickets off;
      ......@@ -35,7 +35,7 @@ server {
      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;
      ssl_trusted_certificate /run/secrets/root_cert;
      ssl_trusted_certificate /run/secrets/wwu_root_cert;
      error_log /var/log/nginx/error.log;
      access_log /var/log/nginx/access.log;
      ......@@ -95,3 +95,36 @@ server {
      fastcgi_param SCRIPT_FILENAME $request_filename;
      }
      }
      server {
      # This server is just setup to pass requests to the api on a different port with a different certificate
      server_name localhost;
      listen 4433 ssl;
      index index.php index.html;
      ssl_certificate /run/secrets/webserver_cert;
      ssl_certificate_key /run/secrets/webserver_key;
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
      ssl_session_tickets off;
      # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
      ssl_dhparam /run/dhparam/dhparam;
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
      ssl_prefer_server_ciphers off;
      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;
      ssl_trusted_certificate /run/secrets/root_cert;
      error_log /var/log/nginx/error.log;
      access_log /var/log/nginx/access.log;
      root /var/www/frontend/dist;
      location /api {
      proxy_pass http://localhost.api;
      }
      }
      Markdown is supported
      0% or .
      You are about to add 0 people to the discussion. Proceed with caution.
      Finish editing this message first!
      Please register or to comment