Diferencia entre revisiones de «Migrar la instalación de Diaspora de Apache2 a Nginx»
(Página creada con «Agregar documentación aquí Category:Linux») |
Sin resumen de edición |
Para poder migrar el [[Pod.hacklab.org.bo|pod.hacklab.org.bo ]] de apache a nginx solo vemos la configuracion de apache | |||
[[ | <pre>nano /etc/apache2/sites-available/pod.hacklab.org.bo | ||
# Make sure mod_ssl, mod_rewrite, mod_headers, mod_proxy, | |||
# mod_proxy_http and mod_proxy_balancer are enabled | |||
<VirtualHost *:80> | |||
ServerName pod.hacklab.org.bo | |||
RedirectPermanent / https://pod.hacklab.org.bo/ | |||
</VirtualHost> | |||
<VirtualHost *:443> | |||
#<VirtualHost *:80> | |||
ServerName pod.hacklab.org.bo | |||
DocumentRoot /home/diaspora/diaspora/public | |||
RewriteEngine On | |||
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f | |||
RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L] | |||
<Proxy balancer://upstream> | |||
BalancerMember http://127.0.0.1:3000 | |||
</Proxy> | |||
ProxyRequests Off | |||
ProxyVia On | |||
ProxyPreserveHost On | |||
RequestHeader set X_FORWARDED_PROTO https | |||
<Proxy *> | |||
Order allow,deny | |||
Allow from all | |||
</Proxy> | |||
<Directory /home/diaspora/diaspora/public> | |||
Allow from all | |||
AllowOverride all | |||
Options -MultiViews | |||
</Directory> | |||
SSLEngine On | |||
SSLCertificateFile /home/diaspora/ssl/pod.hacklab.org.bo.crt | |||
SSLCertificateKeyFile /home/diaspora/ssl/pod.hacklab.org.bo.key | |||
# maybe not needed, need for example for startssl to point to a local | |||
# copy of http://www.startssl.com/certs/sub.class1.server.ca.pem | |||
SSLCertificateChainFile /home/diaspora/ssl/sub.class1.server.ca.pem | |||
# Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration | |||
SSLProtocol all -SSLv2 | |||
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK | |||
SSLHonorCipherOrder on | |||
SSLCompression off | |||
</VirtualHost> | |||
</pre> | |||
y hacemos las modificaciones en | |||
<pre>nano /etc/nginx/sites-available/pod.hacklab.org.bo | |||
server { | |||
# If your host is not IPv6 ready use listen 80; here. | |||
# Add ipv6only=off to your listen directive that has default_server. | |||
# Or this one if this is your only vhost. Do not add it to both! | |||
listen [::]:8080 ipv6only=on default_server; | |||
listen 8080; | |||
server_name pod.hacklab.org.bo; | |||
rewrite ^/(.*) https://pod.hacklab.org.bo/$1 permanent; | |||
} | |||
server { | |||
listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply. | |||
listen 443 ssl; | |||
server_name www.diaspora.example.org; | |||
rewrite ^/(.*) https://diaspora.example.org/$1 permanent; | |||
# SSL setup | |||
# This file should also include any necessary intermediate certificates | |||
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem | |||
ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt; | |||
ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key; | |||
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS | |||
# You might want to make these global | |||
# generate with openssl dhparam 2048 > /path/to/dhparam.pem | |||
#ssl_dhparam /home/diaspora/ssl/sub.class1.server.ca.pem; | |||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK; | |||
ssl_session_timeout 5m; | |||
ssl_prefer_server_ciphers on; | |||
ssl_session_cache shared:SSL:50m; | |||
} | |||
# Actual proxy | |||
server { | |||
#listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply. | |||
listen 443 ssl; | |||
server_name pod.hacklab.org.bo; | |||
root /home/diaspora/diaspora/public; | |||
# Configure maximum picture size | |||
# Note that Diaspora has a client side check set at 4M | |||
client_max_body_size 5M; | |||
# SSL setup | |||
# This file should also include any necessary intermediate certificates | |||
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem | |||
ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt; | |||
ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key; | |||
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS | |||
# You might want to make these global | |||
# generate with openssl dhparam 2048 > /home/diaspora/ssl/sub.class1.server.ca.pem | |||
#ssl_dhparam /home/diaspora/ssl/sub.class1.server.ca.pem; | |||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK; | |||
ssl_session_timeout 5m; | |||
ssl_prefer_server_ciphers on; | |||
ssl_session_cache shared:SSL:50m; | |||
# Proxy if requested file not found | |||
try_files $uri @diaspora; | |||
location @diaspora { | |||
proxy_set_header X-Real-IP $remote_addr; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header X-Forwarded-Proto https; | |||
proxy_set_header Host $http_host; | |||
proxy_redirect off; | |||
proxy_pass http://pod.hacklab.org.bo; | |||
} | |||
} | |||
# Proxy destination | |||
# Add as many server directives as you want | |||
# Also takes a socket, like unix:/path/to/some/socket.sock | |||
upstream pod.hacklab.org.bo { | |||
server 127.0.0.1:3000; | |||
} | |||
</pre> | |||
habilitamo la pagina en nginx: | |||
<pre>ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/ | |||
'''OJO''' | |||
</pre> | |||
Antes de realizar esto: | |||
*Necesitamos dehabilitar el puerto 443 de apache | |||
*Cambiar el puerto de escucha del nginx a 8080 por el momento |
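Review bot: Both HTTPS server blocks of the new nginx config enable SSLv3 (`ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;`) and keep the RC4 suites of the cipher list, a weakness the migration should not carry over (the Apache vhost it replaces only excluded SSLv2): use `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` (TLSv1.2 alone if no legacy clients are needed) and append `:!RC4` to `ssl_ciphers`. The dhparam comment on the proxy block, `openssl dhparam 2048 > /home/diaspora/ssl/sub.class1.server.ca.pem`, would overwrite the StartSSL intermediate certificate this page depends on; write the parameters to a separate file, `#ssl_dhparam /home/diaspora/ssl/dhparam.pem;`. Since nginx has no equivalent of Apache's `SSLCertificateChainFile`, the file named by `ssl_certificate` must be the server certificate followed by that intermediate, otherwise clients see an incomplete chain. The second 443 block (`server_name www.diaspora.example.org`) looks like a leftover from the upstream example: it holds `default_server` on `[::]:443` without the `ssl` parameter, so any IPv6 HTTPS request not matching pod.hacklab.org.bo lands there and is redirected to diaspora.example.org; drop it and put `listen [::]:443 ipv6only=on default_server ssl;` on the pod.hacklab.org.bo block instead.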
Revisión del 20:43 17 abr 2014
Para migrar pod.hacklab.org.bo de Apache a Nginx, primero revisamos la configuración actual de Apache, que sirve de referencia para la traducción:
nano /etc/apache2/sites-available/pod.hacklab.org.bo
# Current Apache vhost for the pod, shown here as the reference for the
# nginx translation below. Plain HTTP is redirected to HTTPS; on 443, files
# that exist under DocumentRoot are served directly and everything else is
# proxied to the Diaspora app on 127.0.0.1:3000.
# Make sure mod_ssl, mod_rewrite, mod_headers, mod_proxy,
# mod_proxy_http and mod_proxy_balancer are enabled
<VirtualHost *:80>
  ServerName pod.hacklab.org.bo
  # Permanent (301) redirect of every plain-HTTP request to HTTPS.
  RedirectPermanent / https://pod.hacklab.org.bo/
</VirtualHost>
<VirtualHost *:443>
  #<VirtualHost *:80>
  ServerName pod.hacklab.org.bo
  DocumentRoot /home/diaspora/diaspora/public
  RewriteEngine On
  # Only requests whose path does not match an existing file under
  # DocumentRoot are rewritten to the balancer; [P] makes it a proxy pass.
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]
  <Proxy balancer://upstream>
    # Single backend: the Diaspora app server on the loopback interface.
    BalancerMember http://127.0.0.1:3000
  </Proxy>
  # Reverse proxy only; forward proxying stays disabled.
  ProxyRequests Off
  ProxyVia On
  # Pass the client's Host header unchanged to the backend.
  ProxyPreserveHost On
  # The backend hop is plain HTTP; this header tells the app the original
  # client connection was HTTPS (presumably so it generates https:// URLs).
  RequestHeader set X_FORWARDED_PROTO https
  <Proxy *>
    Order allow,deny
    Allow from all
  </Proxy>
  <Directory /home/diaspora/diaspora/public>
    Allow from all
    AllowOverride all
    Options -MultiViews
  </Directory>
  SSLEngine On
  SSLCertificateFile /home/diaspora/ssl/pod.hacklab.org.bo.crt
  SSLCertificateKeyFile /home/diaspora/ssl/pod.hacklab.org.bo.key
  # maybe not needed, need for example for startssl to point to a local
  # copy of http://www.startssl.com/certs/sub.class1.server.ca.pem
  # NOTE(review): nginx has no separate chain-file directive, so when
  # migrating this intermediate must be appended to the certificate file.
  SSLCertificateChainFile /home/diaspora/ssl/sub.class1.server.ca.pem
  # Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration
  # NOTE(review): only SSLv2 is excluded here, so SSLv3 remains enabled
  # (POODLE); do not carry that over into the nginx config.
  SSLProtocol all -SSLv2
  # NOTE(review): this list still contains RC4 suites (ECDHE-*-RC4-SHA, RC4-SHA).
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
  # Server picks the cipher, in the order listed above.
  SSLHonorCipherOrder on
  # TLS compression disabled (CRIME).
  SSLCompression off
</VirtualHost>
y escribimos la configuración equivalente de Nginx en:
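nano /etc/nginx/sites-available/pod.hacklab.org.bo
# nginx vhost for pod.hacklab.org.bo, translated from the Apache vhost above:
# plain HTTP is redirected to HTTPS, files that exist under public/ are served
# directly and everything else is proxied to the Diaspora app on 127.0.0.1:3000.

# HTTP -> HTTPS redirect.
server {
  # Port 8080 is temporary while Apache still owns port 80 (see the
  # prerequisites below); change both listen lines to 80 once Apache is gone.
  # If your host is not IPv6 ready, drop the [::] line.
  # Add ipv6only=on/default_server to exactly one listen directive per port,
  # never to both.
  listen [::]:8080 ipv6only=on default_server;
  listen 8080;
  server_name pod.hacklab.org.bo;
  rewrite ^/(.*) https://pod.hacklab.org.bo/$1 permanent;
}

# Actual proxy
server {
  # This is the only HTTPS vhost, so it is also the IPv6 default_server.
  # The original config had a second 443 block (server_name
  # www.diaspora.example.org, a leftover from the upstream example) that held
  # default_server on [::]:443 without the ssl parameter and redirected
  # unmatched hosts to diaspora.example.org; it is removed here.
  listen [::]:443 ipv6only=on default_server ssl;
  listen 443 ssl;
  server_name pod.hacklab.org.bo;
  root /home/diaspora/diaspora/public;

  # Configure maximum picture size
  # Note that Diaspora has a client side check set at 4M
  client_max_body_size 5M;

  # SSL setup
  # nginx has no equivalent of Apache's SSLCertificateChainFile: this file
  # must contain the server certificate followed by any intermediate(s), for
  # StartSSL http://www.startssl.com/certs/sub.class1.server.ca.pem
  # (e.g. cat pod.hacklab.org.bo.crt sub.class1.server.ca.pem into it).
  ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt;
  # NOTE(review): the master process reads the key as root at startup, so the
  # key does not need to be readable by the diaspora user; keep it mode 0600 — confirm ownership.
  ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key;

  # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  # You might want to make these global
  # Generate with: openssl dhparam 2048 > /home/diaspora/ssl/dhparam.pem
  # (a separate file: the original comment redirected the output over the
  # StartSSL intermediate certificate file). Uncomment once the file exists,
  # otherwise nginx refuses to start.
  #ssl_dhparam /home/diaspora/ssl/dhparam.pem;
  # SSLv3 removed (POODLE); the Apache config only excluded SSLv2.
  # Use "TLSv1.2" alone if no legacy clients need TLS 1.0/1.1.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # Mozilla intermediate list with the RC4 suites dropped and RC4 excluded.
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
  ssl_session_timeout 5m;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:50m;

  # Proxy if requested file not found
  try_files $uri @diaspora;

  location @diaspora {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # The backend hop is plain HTTP; this header tells the app the client
    # connection was HTTPS (same role as RequestHeader X_FORWARDED_PROTO in Apache).
    proxy_set_header X-Forwarded-Proto https;
    # Pass the client's Host header unchanged (Apache: ProxyPreserveHost On).
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://pod.hacklab.org.bo;
  }
}

# Proxy destination
# Add as many server directives as you want
# Also takes a socket, like unix:/path/to/some/socket.sock
upstream pod.hacklab.org.bo {
  server 127.0.0.1:3000;
}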
Habilitamos el sitio en Nginx:
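# Enable only this vhost. The original command symlinked the whole
# sites-available/ directory, which creates sites-enabled/sites-available
# instead of enabling the site file and is not what nginx's
# "include sites-enabled/*" expects.
ln -s /etc/nginx/sites-available/pod.hacklab.org.bo /etc/nginx/sites-enabled/pod.hacklab.org.bo
# Validate the configuration (syntax, certificate/key pair) before starting
# or reloading nginx, so a mistake does not take the pod down.
nginx -t
# OJO (attention): read the prerequisites below before running this.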
Antes de realizar esto:
- Necesitamos deshabilitar el puerto 443 en Apache (o detener Apache), ya que dos servicios no pueden escuchar en el mismo puerto.
- Cambiar, por el momento, el puerto de escucha HTTP de Nginx a 8080 mientras Apache siga usando el 80; una vez retirado Apache, volver a `listen 80;` y `listen [::]:80;`.