Migrar la instalación de Diaspora de Apache2 a Nginx


Diaspora


Para migrar pod.hacklab.org.bo de Apache a Nginx, primero revisamos la configuración actual de Apache:

# Apache vhost that is being replaced; it is only read here, as the reference for the Nginx port.
nano /etc/apache2/sites-available/pod.hacklab.org.bo

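# Make sure mod_ssl, mod_rewrite, mod_headers, mod_proxy,
# mod_proxy_http and mod_proxy_balancer are enabled
 
<VirtualHost *:80>
ServerName pod.hacklab.org.bo
# Plain HTTP is never served, only redirected to the TLS vhost below.
RedirectPermanent / https://pod.hacklab.org.bo/
</VirtualHost>

<VirtualHost *:443>
#<VirtualHost *:80>
ServerName pod.hacklab.org.bo
DocumentRoot /home/diaspora/diaspora/public
 
RewriteEngine On
 
# Files that exist under DocumentRoot are served directly; anything else is
# handed to the Diaspora application server through the balancer.
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]
 
<Proxy balancer://upstream>
BalancerMember http://127.0.0.1:3000
</Proxy>
 
# ProxyRequests Off keeps this vhost from acting as an open forward proxy;
# only the RewriteRule above proxies, and only to the balancer.
ProxyRequests Off
ProxyVia On
ProxyPreserveHost On
# TLS terminates here, so the application is told the client scheme explicitly.
RequestHeader set X_FORWARDED_PROTO https
 
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
 
<Directory /home/diaspora/diaspora/public>
Allow from all
AllowOverride all
Options -MultiViews
</Directory>
 
SSLEngine On
SSLCertificateFile /home/diaspora/ssl/pod.hacklab.org.bo.crt
SSLCertificateKeyFile /home/diaspora/ssl/pod.hacklab.org.bo.key
# maybe not needed, need for example for startssl to point to a local
# copy of http://www.startssl.com/certs/sub.class1.server.ca.pem
SSLCertificateChainFile /home/diaspora/ssl/sub.class1.server.ca.pem
 
 
# Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration
# SSLv3 is disabled together with SSLv2 (POODLE); only TLS 1.0 and newer remain.
SSLProtocol all -SSLv2 -SSLv3
# RC4 suites removed from the list and excluded explicitly; the rest of the
# order (AEAD/ECDHE first, static RSA last) is unchanged.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on
SSLCompression off
</VirtualHost>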

y escribimos la configuración equivalente para Nginx en

# New Nginx vhost for the pod (enabled later with a symlink into sites-enabled/).
nano /etc/nginx/sites-available/pod.hacklab.org.bo

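server {
# If your host is not IPv6 ready use listen 80; here.
# Add ipv6only=off to your listen directive that has default_server.
# Or this one if this is your only vhost. Do not add it to both!
# Port 8080 is temporary while Apache still owns :80 (see the note after
# the config); change both listen lines to 80 once Apache is disabled.
listen [::]:8080 ipv6only=on default_server;
listen 8080;
server_name pod.hacklab.org.bo;
# Plain HTTP is only redirected, never served.  `return` is the form nginx
# recommends for this: $request_uri carries the original path and query
# string unchanged instead of re-assembling them through a rewrite.
return 301 https://pod.hacklab.org.bo$request_uri;
 
}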
 
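server {
listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply.
listen 443 ssl; 
# NOTE(review): these two names are the upstream example's placeholders, not
# this pod's.  As the first `listen 443 ssl` server in the file this block is
# also the implicit default for IPv4 clients whose Host/SNI matches no
# server_name, so they get redirected to the example domain — and the
# certificate below is for pod.hacklab.org.bo, not for this name.
# Replace with the real alias (if one exists) or delete the block.
server_name www.diaspora.example.org;
rewrite ^/(.*) https://diaspora.example.org/$1 permanent;
 
# SSL setup
 
# This file should also include any necessary intermediate certificates
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
# ssl_certificate include chain
ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt;
ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key;
 
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# You might want to make these global
 
# Prevent Logjam Attack: generate with openssl dhparam 2048 > /path/to/dhparam.pem
# Use a dedicated file: the previous commented path was the CA chain file
# (sub.class1.server.ca.pem) that the Apache config loads; writing DH
# parameters there would destroy the chain.
#ssl_dhparam /path/to/dhparam.pem;
 
# TLS 1.0/1.1 were still part of the "intermediate" profile when this was
# written; both are deprecated (RFC 8996), drop them when clients allow.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The earlier list had been mangled (names such as *-SHA128 and
# AES128-GCM-SHA384 do not exist, and OpenSSL silently drops unknown names).
# Rewritten with OpenSSL aliases, same intent: ECDHE/DHE AEAD first, then
# AES, 3DES only as a last-resort fallback for legacy clients (remove the
# three 3DES entries or add !3DES once those are gone); RC4, MD5, export,
# single DES and NULL suites excluded.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES128:AESGCM:AES256:AES128:EECDH+3DES:EDH+3DES:3DES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
}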
 
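# Actual proxy
 
server {
#listen [::]:443 ipv6only=on default_server; # Same rules as for listen [::]:80 apply.
listen 443 ssl;
server_name pod.hacklab.org.bo;
root /home/diaspora/diaspora/public;
 
# Configure maximum picture size
# Note that Diaspora has a client side check set at 4M
client_max_body_size 5M;
 
# SSL setup
 
# This file should also include any necessary intermediate certificates
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
ssl_certificate /home/diaspora/ssl/pod.hacklab.org.bo.crt;
ssl_certificate_key /home/diaspora/ssl/pod.hacklab.org.bo.key;
 
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# You might want to make these global
 
# Prevent Logjam: generate with openssl dhparam 2048 > /path/to/dhparam.pem
# Use a dedicated file.  The earlier comment told the reader to write the DH
# parameters over sub.class1.server.ca.pem, which is the CA chain file the
# Apache config loads; that would destroy the chain.
#ssl_dhparam /path/to/dhparam.pem;
 
# TLS 1.0/1.1 were still part of the "intermediate" profile when this was
# written; both are deprecated (RFC 8996), drop them when clients allow.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The earlier list had been mangled (names such as *-SHA128 and
# AES128-GCM-SHA384 do not exist, and OpenSSL silently drops unknown names).
# Rewritten with OpenSSL aliases, same intent: ECDHE/DHE AEAD first, then
# AES, 3DES only as a last-resort fallback for legacy clients (remove the
# three 3DES entries or add !3DES once those are gone); RC4, MD5, export,
# single DES and NULL suites excluded.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES128:AESGCM:AES256:AES128:EECDH+3DES:EDH+3DES:3DES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
 
# Once the pod is confirmed HTTPS-only, consider HSTS.  The header is sticky
# in browsers, so start with a short max-age and raise it later:
#add_header Strict-Transport-Security "max-age=300";
 
# Proxy if requested file not found
try_files $uri @diaspora;
 
location @diaspora {
# Client address and scheme for the application.  TLS terminates here, so
# X-Forwarded-Proto is always https; Host is passed through unchanged.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
 
# Refers to the upstream group declared below, not to DNS.
proxy_pass http://pod.hacklab.org.bo;
}
}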
 
# Proxy destination
# Add as many server directives as you want
# Also takes a socket, like unix:/path/to/some/socket.sock
# The group is named after the pod's hostname because the proxy's proxy_pass
# uses that name; nginx resolves it against this block rather than DNS.
# Only the loopback application server is reachable through it.
upstream pod.hacklab.org.bo {
server 127.0.0.1:3000;
}

habilitamos la página en Nginx:

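# Enable only the pod's vhost.  Linking the whole sites-available/ directory
# (the previous form) creates sites-enabled/sites-available and enables nothing.
ln -s /etc/nginx/sites-available/pod.hacklab.org.bo /etc/nginx/sites-enabled/pod.hacklab.org.bo
# Check the configuration before reloading.
nginx -t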

OJO: antes de realizar esto:

  • Necesitamos deshabilitar el puerto 443 en Apache
  • Cambiar el puerto de escucha HTTP de Nginx a 8080 por el momento (por eso el primer bloque server escucha en 8080)

Mediawiki


Primero, editamos el archivo /etc/php5/fpm/pool.d/www.conf y descomentamos la línea:

 listen = /var/run/php5-fpm.sock

creamos el archivo:

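# PHP-FPM upstream definition for Nginx (the trailing ":" in the earlier
# command would have become part of the file name).
nano /etc/nginx/conf.d/php5-fpm.conf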

y añadimos

upstream php5-fpm-sock {
    # Unix socket created by the PHP-FPM pool (the "listen =" line from
    # www.conf above).  If nginx logs "permission denied" on it, the pool's
    # listen.owner/listen.group must grant the nginx worker user access.
    server unix:/var/run/php5-fpm.sock;
}

ahora la página de MediaWiki:

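server {
  # NOTE(review): plain HTTP only — wiki logins and session cookies travel in
  # cleartext.  A 443 ssl server like the pod's is the obvious follow-up once
  # a certificate for this name is available.
  listen 80;
  server_name wiki.hacklab.org.bo;
  root /var/www/wiki.hacklab.org.bo;
  index index.html index.php;
  autoindex off;
#  include conf.sites/wiki-both.conf;

#    Uncomment after installation!
#    location / {
#        index index.php5;
#        rewrite ^/([^?]*)(?:\?(.*))? /index.php5?title=$1&$2 last;
#    }

  # NOTE(review): if uploads live under /images/ (MediaWiki's default), add a
  # location that refuses to execute scripts there, placed before the PHP
  # location below (first matching regex location wins) — TODO confirm path:
  #   location ~ ^/images/.*\.php5?$ { deny all; }

  # Hands *.php and *.php5 to PHP-FPM.  This regex already covers both
  # extensions; the former second block (`~ \.php?$`), whose `?` made the
  # final "p" optional and so also matched ".ph", was unreachable for .php
  # and has been removed.
  location ~ \.php5?$ {
      # Only run scripts that exist on disk; without this a request for a
      # non-existent path could reach the interpreter via PATH_INFO
      # (cgi.fix_pathinfo).
      try_files $uri =404;
      include fastcgi_params;
      fastcgi_pass php5-fpm-sock;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_intercept_errors on;
  }
}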