Diferencia entre revisiones de «Migrar la instalación de Diaspora de Apache2 a Nginx»
Sin resumen de edición |
Sin resumen de edición |
||
| Línea 1: | Línea 1: | ||
<span style="font-size:medium">Diaspora</span> | |||
---- | |||
Para poder migrar el [[Pod.hacklab.org.bo|pod.hacklab.org.bo ]] de apache a nginx solo vemos la configuracion de apache | Para poder migrar el [[Pod.hacklab.org.bo|pod.hacklab.org.bo ]] de apache a nginx solo vemos la configuracion de apache | ||
<pre>nano /etc/apache2/sites-available/pod.hacklab.org.bo | <pre>nano /etc/apache2/sites-available/pod.hacklab.org.bo | ||
| Línea 150: | Línea 154: | ||
<pre>ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/ | <pre>ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/ | ||
</pre> | </pre> | ||
'''OJO''' | '''OJO''' </pre> Antes de realizar esto: | ||
Antes de realizar esto: | |||
*Necesitamos dehabilitar el puerto 443 de apache | *Necesitamos dehabilitar el puerto 443 de apache | ||
*Cambiar el puerto de escucha del nginx a 8080 por el momento | *Cambiar el puerto de escucha del nginx a 8080 por el momento | ||
Revisión del 01:52 18 abr 2014
Diaspora
Para poder migrar el pod.hacklab.org.bo de apache a nginx solo vemos la configuracion de apache
nano /etc/apache2/sites-available/pod.hacklab.org.bo
# Make sure mod_ssl, mod_rewrite, mod_headers, mod_proxy,
# mod_proxy_http and mod_proxy_balancer are enabled
<VirtualHost *:80>
ServerName pod.hacklab.org.bo
RedirectPermanent / https://pod.hacklab.org.bo/
</VirtualHost>
<VirtualHost *:443>
#<VirtualHost *:80>
ServerName pod.hacklab.org.bo
DocumentRoot /home/diaspora/diaspora/public
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]
<Proxy balancer://upstream>
BalancerMember http://127.0.0.1:3000
</Proxy>
ProxyRequests Off
ProxyVia On
ProxyPreserveHost On
RequestHeader set X_FORWARDED_PROTO https
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
<Directory /home/diaspora/diaspora/public>
Allow from all
AllowOverride all
Options -MultiViews
</Directory>
SSLEngine On
SSLCertificateFile /home/diaspora/ssl/pod.hacklab.org.bo.crt
SSLCertificateKeyFile /home/diaspora/ssl/pod.hacklab.org.bo.key
# maybe not needed, need for example for startssl to point to a local
# copy of http://www.startssl.com/certs/sub.class1.server.ca.pem
SSLCertificateChainFile /home/diaspora/ssl/sub.class1.server.ca.pem
# Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
</VirtualHost>
y hacemos las modificaciones en
nano /etc/nginx/sites-available/pod.hacklab.org.bo
server {
# If your host is not IPv6 ready use listen 80; here.
# Add ipv6only=off to your listen directive that has default_server.
# Or this one if this is your only vhost. Do not add it to both!
listen [::]:8080 ipv6only=on default_server;
listen 8080;
server_name pod.hacklab.org.bo;
rewrite ^/(.*) https://pod.hacklab.org.bo/$1 permanent;
}
server {
listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply.
listen 443 ssl;
server_name www.diaspora.example.org;
rewrite ^/(.*) https://diaspora.example.org/$1 permanent;
# SSL setup
# This file should also include any necessary intermediate certificates
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt;
ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key;
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# You might want to make these global
# generate with openssl dhparam 2048 > /path/to/dhparam.pem
#ssl_dhparam /home/diaspora/ssl/sub.class1.server.ca.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
}
# Actual proxy
server {
#listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply.
listen 443 ssl;
server_name pod.hacklab.org.bo;
root /home/diaspora/diaspora/public;
# Configure maximum picture size
# Note that Diaspora has a client side check set at 4M
client_max_body_size 5M;
# SSL setup
# This file should also include any necessary intermediate certificates
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt;
ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key;
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# You might want to make these global
# generate with openssl dhparam 2048 > /home/diaspora/ssl/sub.class1.server.ca.pem
#ssl_dhparam /home/diaspora/ssl/sub.class1.server.ca.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
# Proxy if requested file not found
try_files $uri @diaspora;
location @diaspora {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://pod.hacklab.org.bo;
}
}
# Proxy destination
# Add as many server directives as you want
# Also takes a socket, like unix:/path/to/some/socket.sock
upstream pod.hacklab.org.bo {
server 127.0.0.1:3000;
}
habilitamo la pagina en nginx:
ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/
OJO </pre> Antes de realizar esto:
- Necesitamos dehabilitar el puerto 443 de apache
- Cambiar el puerto de escucha del nginx a 8080 por el momento