Skip to content

Commit

Permalink
Simplify cert renewall and nginx confs
Browse files Browse the repository at this point in the history
Also, use configuration from https://ssl-config.mozilla.org/
  • Loading branch information
fauust committed Oct 16, 2024
1 parent 2b6865f commit a56e150
Show file tree
Hide file tree
Showing 5 changed files with 52 additions and 77 deletions.
12 changes: 1 addition & 11 deletions docker-compose/docker-compose.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ services:
- /srv/buildbot/helper_files:/srv/buildbot/helper_files:ro
- ./logs/nginx:/var/log/nginx
- ./certbot/www/:/var/www/certbot/:ro
- ./certbot/conf/:/etc/nginx/ssl/:ro
- ./certbot/ssl/:/etc/nginx/ssl/:ro
environment:
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
Expand All @@ -58,16 +58,6 @@ services:
options:
tag: "bb-nginx"

certbot:
image: certbot/certbot:latest
restart: "no"
container_name: certbot
hostname: certbot
volumes:
- ./certbot/www/:/var/www/certbot/:rw
- ./certbot/conf/:/etc/letsencrypt/:rw
network_mode: host

master-web:
image: quay.io/mariadb-foundation/bb-master:master-web
restart: unless-stopped
Expand Down
12 changes: 1 addition & 11 deletions docker-compose/generate-config.py
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@
- /srv/buildbot/helper_files:/srv/buildbot/helper_files:ro
- ./logs/nginx:/var/log/nginx
- ./certbot/www/:/var/www/certbot/:ro
- ./certbot/conf/:/etc/nginx/ssl/:ro
- ./certbot/ssl/:/etc/nginx/ssl/:ro
environment:
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
Expand All @@ -84,16 +84,6 @@
options:
tag: "bb-nginx"
certbot:
image: certbot/certbot:latest
restart: "no"
container_name: certbot
hostname: certbot
volumes:
- ./certbot/www/:/var/www/certbot/:rw
- ./certbot/conf/:/etc/letsencrypt/:rw
network_mode: host
master-web:
image: quay.io/mariadb-foundation/bb-master:master-web
restart: unless-stopped
Expand Down
34 changes: 34 additions & 0 deletions docker-compose/nginx/nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,41 @@ http {

keepalive_timeout 65;

# Enable gzipped format
gzip on;
# Set level of compression
gzip_comp_level 3;
# Set mime types
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

# SSL configuration
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/ssl/dhparam;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;

# # Disable embedding the site
add_header X-Frame-Options "SAMEORIGIN";
# # Enable XSS protection
add_header X-XSS-Protection "1;mode=block";

include /etc/nginx/conf.d/*.conf;
}
29 changes: 3 additions & 26 deletions docker-compose/nginx/templates/bb.conf.template
Original file line number Diff line number Diff line change
Expand Up @@ -14,40 +14,17 @@ server {
}
}


# Default rate limited zone, with 30 requests per minute
limit_req_zone $request_uri zone=default:10m rate=30r/m;
client_max_body_size 10M;

server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;

server_name ${NGINX_BUILDBOT_VHOST};

# SSL configuration
# ssl on; Deprecated in newer versions of NGINX (yields nginx: [emerg] unknown directive "ssl )
ssl_certificate /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/privkey.pem; # managed by Certbot
# put a one day session timeout for websockets to stay longer
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_protocols TLSv1.1 TLSv1.2;

# Force https - Enable HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;
# # Disable embedding the site
add_header X-Frame-Options "SAMEORIGIN";
# # Enable XSS protection
add_header X-XSS-Protection "1;mode=block";

# Enable gzipped format
#gzip on; already on in main conf
# Set level of compression
gzip_comp_level 3;
# Set mime types
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Expand Down
42 changes: 13 additions & 29 deletions docker-compose/nginx/templates/ci.conf.template
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,23 @@ server {
}
}

# Build artifacts location
# Default rate limited zone, with 30 requests per minute
limit_req_zone $request_uri zone=default:10m rate=30r/m;
client_max_body_size 10M;

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;

server_name ${NGINX_ARTIFACTS_VHOST};

# ratelimit is disabled, do we need it on ci.mariadb.org, probably not
# (static website)
# Use default zone for rate limiting, allow burst of 10 requests with no
# delay
# limit_req zone=default burst=10 nodelay;

root /srv/buildbot/packages/;
location /helper_files {
alias /srv/buildbot/helper_files; #FIXME - for consistency, on hz-bbm2 let's rename it to helper_files instead of mariadb-shared-packages (current PROD)
Expand All @@ -47,32 +57,6 @@ server {

autoindex on;

# SSL configuration
# ssl on;
ssl_certificate /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;

# Force https - Enable HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;
# Disable embedding the site
add_header X-Frame-Options "SAMEORIGIN";
# Enable XSS protection
add_header X-XSS-Protection "1;mode=block";
max_ranges 1;
msie_padding off;

# Enable gzipped format
# gzip on; already on in main conf
# Set level of compression
gzip_comp_level 3;
# Set mime types
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

# Use default zone for rate limiting, allow burst of 10 requests with
# no delay
# limit_req zone=default burst=10 nodelay;

error_page 404 /older_builds$request_uri;

# logging
Expand Down

0 comments on commit a56e150

Please sign in to comment.