commit c1fa25a5d993ef723d55feb2bb808edde798fcd5 parent b35bd1b95752171ba963f46a07c8ea6975bf7a4c Author: Christian Grothoff <christian@grothoff.org> Date: Tue, 6 Sep 2016 19:03:55 +0200 Merge branch 'master' of git+ssh://taler.net/var/git/deployment Diffstat:
24 files changed, 81 insertions(+), 99 deletions(-)
diff --git a/etc/nginx/conf.d/talerssl b/etc/nginx/conf.d/talerssl
@@ -6,4 +6,8 @@ ssl_dhparam /etc/ssl/certs/dhparam.pem;
 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-add_header Strict-Transport-Security "max-age=63072000; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+#add_header X-XSS-Protection "1; mode=block";
+#add_header X-Frame-Options "SAMEORIGIN";
+#add_header X-Content-Type-Options "nosniff";
+#add_header Content-Security-Policy "default-src 'self'";
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
@@ -20,7 +20,6 @@ http {
 types_hash_max_size 2048;
 server_tokens off;
- # server_names_hash_bucket_size 64;
 # server_name_in_redirect off;
diff --git a/etc/nginx/sites-enabled/api-ssl.site b/etc/nginx/sites-enabled/api-ssl.site
@@ -1,5 +1,6 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/api.taler.net/_build/html;
@@ -8,15 +9,7 @@ server {
 server_name api.taler.net;
 server_name www.api.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
 location / {
 autoindex off;
diff --git a/etc/nginx/sites-enabled/api.site b/etc/nginx/sites-enabled/api.site
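Review bot: The four hardening headers added at the end of the talerssl hunk are all commented out, so the only effective change there is `includeSubDomains` on the HSTS line; a short comment stating why they stay disabled (`# disabled: <reason>; re-test the ssi pages before enabling CSP`) would keep the next reader from either deleting them or enabling them blindly. Because nginx inherits `add_header` from the server level only when a `location` defines no `add_header` of its own, any location in a site that includes this file and sets its own header silently loses the HSTS header for that path, which is worth a comment at the top of this file now that every *-ssl.site relies on it. `includeSubDomains; preload` is now also emitted by every host that includes the file, including decentralise.rennes.inria.fr in this same commit, so every subdomain of each such host must be reachable over HTTPS before any preload submission; trollslayer.taler.net only appears with a port-80 site in this diff, so confirm it has an HTTPS counterpart. The context line `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` is untouched here, but this file is now the single TLS policy for all sites, so it is the natural place to retire TLSv1/TLSv1.1 once client data allows.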
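Review bot: In the first api-ssl.site hunk the trailing comment `## listen for ipv4; this line is default and implied` now sits on the new `listen [::]:443 ssl;` line, so it describes the IPv6 socket as the IPv4 one; either move it back onto `listen 443 ssl;` or replace it with `## listen for ipv6`, and the stale commented-out `# listen [::]:80 default_server ipv6only=on;` context line below it could be dropped now that IPv6 is actually enabled. The same misplaced comment appears in the first hunk of api.site, buildbot-ssl.site, buildbot.site, decentralise-ssl.site, decentralise.site, gauger-ssl.site, gauger.site, git-ssl.site, git.site, lcov-ssl.site, lcov.site, trollslayer.site, www-ssl.site, www.git-ssl.site, www.git.site and www.site.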
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/api.taler.net/_build/html;
diff --git a/etc/nginx/sites-enabled/buildbot-ssl.site b/etc/nginx/sites-enabled/buildbot-ssl.site
@@ -1,5 +1,6 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/buildbot/;
@@ -7,15 +8,7 @@ server {
 # Make site accessible from http://localhost/
 server_name buildbot.taler.net;
 server_name www.buildbot.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
 location / {
 proxy_pass http://localhost:8010;
@@ -25,7 +18,7 @@ server {
 error_page 502 /502.html;
 location = /502.html {
- root /home/fournier/buildbot;
+ root /home/fournier/buildbot;
 }
 include conf.d/favicon_robots;
diff --git a/etc/nginx/sites-enabled/buildbot.site b/etc/nginx/sites-enabled/buildbot.site
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/buildbot/;
diff --git a/etc/nginx/sites-enabled/decentralise-ssl.site b/etc/nginx/sites-enabled/decentralise-ssl.site
@@ -1,5 +1,6 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/decentralise;
@@ -7,15 +8,7 @@ server {
 # Make site accessible from http://localhost/
 server_name www.decentralise.rennes.inria.fr;
 server_name decentralise.rennes.inria.fr;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
 rewrite / http://www.inria.fr/en/teams/decentralise redirect;
 }
diff --git a/etc/nginx/sites-enabled/decentralise.site b/etc/nginx/sites-enabled/decentralise.site
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/decentralise;
diff --git a/etc/nginx/sites-enabled/default.site b/etc/nginx/sites-enabled/default.site
@@ -1,6 +1,16 @@
 # matched when no other server name matches
 server {
 listen 80 default_server;
+ listen [::]:80 default_server;
+ # server name must simply something invalid ...
+ server_name _;
+ # drop connection, special nginx status code
+ return 444;
+}
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ include conf.d/talerssl;
 # server name must simply something invalid ...
 server_name _;
 # drop connection, special nginx status code
diff --git a/etc/nginx/sites-enabled/demo.site b/etc/nginx/sites-enabled/demo.site
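Review bot: The comment copied into the new port-80 block of default.site, `# server name must simply something invalid ...`, is missing its verb; `# server name must simply be something invalid ...` reads correctly, and the same wording sits on the context line of the 443 block below. The new `listen 443 ssl default_server` block includes `conf.d/talerssl`, which is what lets a handshake for an unknown name complete before the connection is dropped; a one-line comment such as `# catch-all for unknown names on 443: needs a cert to handshake, then 444` above the `include` would record that intent. The `return 444;` and closing brace of that second block lie past the end of the hunk, so I assume they are the pre-existing lines.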
@@ -1,5 +1,6 @@
 server {
 listen 80;
+ listen [::]:80;
 server_name demo.taler.net *.demo.taler.net;
 rewrite ^ https://$host$request_uri? permanent;
 }
@@ -7,6 +8,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name demo.taler.net www.demo.taler.net;
 include conf.d/demo.redirects;
 include conf.d/talerssl;
@@ -22,6 +24,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name exchange.demo.taler.net;
 root /dev/null;
 include conf.d/talerssl;
@@ -36,6 +39,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name blog.demo.taler.net;
 root /dev/null;
 include conf.d/demo.redirects;
@@ -60,6 +64,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name shop.demo.taler.net;
 ssi on;
 include conf.d/demo.redirects;
@@ -84,6 +89,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name bank.demo.taler.net;
 ssi on;
 include conf.d/demo.redirects;
@@ -95,7 +101,8 @@ server {
 }
 location /admin/add/incoming {
- allow 127.0.0.1;
+ allow 127.0.0.1;
+ allow ::1;
 deny all;
 }
diff --git a/etc/nginx/sites-enabled/gauger-ssl.site b/etc/nginx/sites-enabled/gauger-ssl.site
@@ -1,5 +1,6 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/gauger/;
@@ -7,15 +8,7 @@ server {
 # Make site accessible from http://localhost/
 server_name gauger.taler.net;
 server_name www.gauger.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
 location / {
 proxy_pass http://localhost:1801;
diff --git a/etc/nginx/sites-enabled/gauger.site b/etc/nginx/sites-enabled/gauger.site
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/gauger/;
diff --git a/etc/nginx/sites-enabled/git-ssl.site b/etc/nginx/sites-enabled/git-ssl.site
@@ -1,19 +1,12 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/git;
 # Make site accessible from http://localhost/
 server_name git.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
 location / {
 autoindex off;
diff --git a/etc/nginx/sites-enabled/git.site b/etc/nginx/sites-enabled/git.site
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/git;
diff --git a/etc/nginx/sites-enabled/lcov-ssl.site b/etc/nginx/sites-enabled/lcov-ssl.site
@@ -1,5 +1,6 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/lcov.taler.net/;
@@ -7,15 +8,7 @@ server {
 # Make site accessible from http://localhost/
 server_name lcov.taler.net;
 server_name www.lcov.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
 location / {
 autoindex on;
diff --git a/etc/nginx/sites-enabled/lcov.site b/etc/nginx/sites-enabled/lcov.site
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/lcov.taler.net/;
diff --git a/etc/nginx/sites-enabled/sandbox.site b/etc/nginx/sites-enabled/sandbox.site
@@ -1,11 +1,13 @@
 server {
 listen 80;
+ listen [::]:80;
 server_name sandbox.taler.net *.sandbox.taler.net;
 rewrite ^ https://$host$request_uri? permanent;
 }
 server {
- listen 443 ssl;
+ listen 443 ssl;
+ listen [::]:443 ssl;
 server_name sandbox.taler.net;
 include conf.d/talerssl;
diff --git a/etc/nginx/sites-enabled/test.site b/etc/nginx/sites-enabled/test.site
@@ -1,5 +1,6 @@
 server {
 listen 80;
+ listen [::]:80;
 server_name test.taler.net *.test.taler.net;
 rewrite ^ https://$host$request_uri? permanent;
 }
@@ -7,6 +8,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name test.taler.net www.test.taler.net;
 root /dev/null;
 include conf.d/test.redirects;
@@ -22,6 +24,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name exchange.test.taler.net;
 root /dev/null;
 include conf.d/talerssl;
@@ -42,6 +45,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name blog.test.taler.net;
 root /dev/null;
 include conf.d/test.redirects;
@@ -65,6 +69,7 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name shop.test.taler.net;
 ssi on;
 include conf.d/test.redirects;
@@ -88,13 +93,14 @@ server {
 server {
 listen 443 ssl;
+ listen [::]:443 ssl;
 server_name bank.test.taler.net;
 ssi on;
 include conf.d/test.redirects;
 include conf.d/talerssl;
 location /admin/add/incoming {
- allow 127.0.0.1;
+ allow 127.0.0.1;
 allow 131.254.145.3;
 deny all;
 uwsgi_pass unix:/home/test/sockets/bank.uwsgi;
diff --git a/etc/nginx/sites-enabled/trollslayer.site b/etc/nginx/sites-enabled/trollslayer.site
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/trollslayer/;
diff --git a/etc/nginx/sites-enabled/www-ssl.site b/etc/nginx/sites-enabled/www-ssl.site
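Review bot: In the last test.site hunk, `location /admin/add/incoming` of the bank.test.taler.net block keeps `allow 127.0.0.1; allow 131.254.145.3; deny all;` while the same server now also listens on `[::]:443`, so a local caller that reaches it over the IPv6 loopback is denied; the matching demo.site hunk adds `allow ::1;` after `allow 127.0.0.1;`, and the same line belongs here unless the test bank is only ever fed over IPv4, which I cannot tell from the diff. Whichever way it is decided, a one-line comment next to the `allow` lines naming the expected callers would make the next reviewer's job easier. The enclosing `server { ... }` block continues past the end of the hunk.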
@@ -1,21 +1,14 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 # Make site accessible from http://localhost/
 server_name taler.net;
 server_name www.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ include conf.d/talerssl;
- add_header Strict-Transport-Security "max-age=63072000; preload";
-
 location / {
 root /var/www/taler.net;
 autoindex off;
diff --git a/etc/nginx/sites-enabled/www.git-ssl.site b/etc/nginx/sites-enabled/www.git-ssl.site
@@ -1,19 +1,12 @@
 server {
- listen 443 ssl; ## listen for ipv4; this line is default and implied
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 # Make site accessible from http://localhost/
 server_name www.git.taler.net;
-
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
 location /index.cgi {
 root /usr/share/gitweb/;
@@ -24,7 +17,7 @@ server {
 fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
 fastcgi_pass unix:/var/run/fcgiwrap.socket;
 }
-
+
 location / {
 root /usr/share/gitweb/;
 index index.cgi;
diff --git a/etc/nginx/sites-enabled/www.git.site b/etc/nginx/sites-enabled/www.git.site
@@ -1,10 +1,11 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 # Make site accessible from http://localhost/
 server_name www.git.taler.net;
-
+
 location /index.cgi {
 root /usr/share/gitweb/;
@@ -15,7 +16,7 @@ server {
 fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
 fastcgi_pass unix:/var/run/fcgiwrap.socket;
 }
-
+
 location / {
 root /usr/share/gitweb/;
 index index.cgi;
diff --git a/etc/nginx/sites-enabled/www.site b/etc/nginx/sites-enabled/www.site
@@ -1,5 +1,6 @@
 server {
- listen 80; ## listen for ipv4; this line is default and implied
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
 # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 root /var/www/taler.net;
diff --git a/taler-build/update_landing.sh b/taler-build/update_landing.sh
@@ -11,5 +11,6 @@ git fetch
 git reset --hard FETCH_HEAD
 git submodule update --init
-
+AUTOMAKE="automake --foreign" autoreconf -fiv
+./configure
 make
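Review bot: Neither the new `AUTOMAKE="automake --foreign" autoreconf -fiv` nor `./configure` in the update_landing.sh hunk has its exit status checked, so a failed bootstrap or configure still falls through to `make`, and the preceding `git reset --hard FETCH_HEAD` likewise runs unconditionally. The script header lies before this hunk, so if it does not already contain `set -e`, either add `set -e` there or chain the build steps as `AUTOMAKE="automake --foreign" autoreconf -fiv && ./configure && make` so a failure stops the deploy instead of leaving a half-built landing page. A short comment above the `autoreconf` line saying why `--foreign` is needed (e.g. `# --foreign: the landing page tree has no GNU-standard NEWS/README files`, if that is the reason) would also help, since the flag is easy to drop by accident.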