Migrar la instalación de Diaspora de Apache2 a Nginx
Diaspora
Para poder migrar el pod.hacklab.org.bo de apache a nginx solo vemos la configuracion de apache
nano /etc/apache2/sites-available/pod.hacklab.org.bo # Make sure mod_ssl, mod_rewrite, mod_headers, mod_proxy, # mod_proxy_http and mod_proxy_balancer are enabled <VirtualHost *:80> ServerName pod.hacklab.org.bo RedirectPermanent / https://pod.hacklab.org.bo/ </VirtualHost> <VirtualHost *:443> #<VirtualHost *:80> ServerName pod.hacklab.org.bo DocumentRoot /home/diaspora/diaspora/public RewriteEngine On RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L] <Proxy balancer://upstream> BalancerMember http://127.0.0.1:3000 </Proxy> ProxyRequests Off ProxyVia On ProxyPreserveHost On RequestHeader set X_FORWARDED_PROTO https <Proxy *> Order allow,deny Allow from all </Proxy> <Directory /home/diaspora/diaspora/public> Allow from all AllowOverride all Options -MultiViews </Directory> SSLEngine On SSLCertificateFile /home/diaspora/ssl/pod.hacklab.org.bo.crt SSLCertificateKeyFile /home/diaspora/ssl/pod.hacklab.org.bo.key # maybe not needed, need for example for startssl to point to a local # copy of http://www.startssl.com/certs/sub.class1.server.ca.pem SSLCertificateChainFile /home/diaspora/ssl/sub.class1.server.ca.pem # Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration SSLProtocol all -SSLv2 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK SSLHonorCipherOrder on SSLCompression off </VirtualHost>
y hacemos las modificaciones en
nano /etc/nginx/sites-available/pod.hacklab.org.bo server { # If your host is not IPv6 ready use listen 80; here. # Add ipv6only=off to your listen directive that has default_server. # Or this one if this is your only vhost. Do not add it to both! listen [::]:8080 ipv6only=on default_server; listen 8080; server_name pod.hacklab.org.bo; rewrite ^/(.*) https://pod.hacklab.org.bo/$1 permanent; } server { listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply. listen 443 ssl; server_name www.diaspora.example.org; rewrite ^/(.*) https://diaspora.example.org/$1 permanent; # SSL setup # This file should also include any necessary intermediate certificates # For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt; ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key; # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS # You might want to make these global # generate with openssl dhparam 2048 > /path/to/dhparam.pem #ssl_dhparam /home/diaspora/ssl/sub.class1.server.ca.pem; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; } # Actual proxy server { #listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply. listen 443 ssl; server_name pod.hacklab.org.bo; root /home/diaspora/diaspora/public; # Configure maximum picture size # Note that Diaspora has a client side check set at 4M client_max_body_size 5M; # SSL setup # This file should also include any necessary intermediate certificates # For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt; ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key; # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS # You might want to make these global # generate with openssl dhparam 2048 > /home/diaspora/ssl/sub.class1.server.ca.pem #ssl_dhparam /home/diaspora/ssl/sub.class1.server.ca.pem; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; # Proxy if requested file not found try_files $uri @diaspora; location @diaspora { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://pod.hacklab.org.bo; } } # Proxy destination # Add as many server directives as you want # Also takes a socket, like unix:/path/to/some/socket.sock upstream pod.hacklab.org.bo { server 127.0.0.1:3000; }
habilitamo la pagina en nginx:
ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/
OJO </pre> Antes de realizar esto:
- Necesitamos dehabilitar el puerto 443 de apache
- Cambiar el puerto de escucha del nginx a 8080 por el momento
Mediawiki
Primero, editamos el archivo en /etc/php5/fpm/pool.d/www.conf y desomentar la linea:
listen = /var/run/php5-fpm.sock
creamos el archivo:
nano /etc/nginx/conf.d/php5-fpm.conf:
y añadimos
upstream php5-fpm-sock { server unix:/var/run/php5-fpm.sock; }
ahora la pagina de mediawiki
server { listen 80; server_name wiki.hacklab.org.bo; root /var/www/wiki.hacklab.org.bo; index index.html index.php; autoindex off; # include conf.sites/wiki-both.conf; # Uncomment after installation! # location / { # index index.php5; # rewrite ^/([^?]*)(?:\?(.*))? /index.php5?title=$1&$2 last; # } location ~ \.php5?$ { try_files $uri =404; include fastcgi_params; fastcgi_pass php5-fpm-sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_intercept_errors on; } location ~ \.php?$ { try_files $uri =404; include fastcgi_params; fastcgi_pass php5-fpm-sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_intercept_errors on; } }