From b6a17448f78e8307e9cb5e027c0248f9cd370450 Mon Sep 17 00:00:00 2001
From: Baptiste Lemoine
Date: Wed, 15 Jan 2020 10:55:21 +0100
Subject: [PATCH] script for nginx config
---
doc/nginx.md | 10 ++++
doc/nginx/framadate-api.conf | 95 ++++++++++++++++++++++++++++++++++++
doc/nginx/setup.sh | 28 +++++++++++
3 files changed, 133 insertions(+)
create mode 100644 doc/nginx.md
create mode 100644 doc/nginx/framadate-api.conf
create mode 100644 doc/nginx/setup.sh
diff --git a/doc/nginx.md b/doc/nginx.md
new file mode 100644
index 0000000..f25ecfd
--- /dev/null
+++ b/doc/nginx.md
@@ -0,0 +1,10 @@
+# CORS config for nginx
+To be able to work between some domain and an other you have to setup the cross origin ressource config of your web server.
+
+Use the nginx example config, don't forget to replace the example.com.
+The following script copies the example confing and asks you for a replacement of the domains names.
+
+```bash
+bash doc/nginx/setup.sh
+```
+
diff --git a/doc/nginx/framadate-api.conf b/doc/nginx/framadate-api.conf
new file mode 100644
index 0000000..1e8b1eb
--- /dev/null
+++ b/doc/nginx/framadate-api.conf
@@ -0,0 +1,95 @@
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name framadate-api.cipherbliss.com;
+ # enforce https
+ return 301 https://$server_name$request_uri;
+
+}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name framadate-api.cipherbliss.com;
+
+ # Use Mozilla's guidelines for SSL/TLS settings
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+ # Path to the root of your installation
+ root /home/www/tykayn/cipherbliss/framadate/;
+
+ location / {
+ # try to serve file directly, fallback to index.html to see the frontend of funky framadate
+ try_files $uri /index.html$is_args$args;
+
+ # handle OPTIONS requests
+ # @note: don't try to DRY out this "if" block, or you're gonna have a bad time.
+ # @see: http://wiki.nginx.org/IfIsEvil
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
+ add_header 'Access-Control-Allow-Methods' 'GET, DELETE, OPTIONS, POST, PUT';
+ add_header 'Access-Control-Allow-Origin' 'https://framadate-api.cipherbliss.com';
+ add_header 'Access-Control-Max-Age' 2592000;
+ add_header 'Content-Length' 0;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ return 204;
+ }
+ # send the CORS headers
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Origin' 'https://framadate-api.cipherbliss.com';
+
+ # set additional security headers
+ add_header 'Cache-Control' 'no-cache, no-store, must-revalidate';
+ add_header 'Content-Security-Policy' 'connect-src framadate-api.cipherbliss.com';
+ add_header 'Expires' '0';
+ add_header 'Pragma' 'no-cache';
+ add_header 'Strict-Transport-Security' 'max-age=31536000; includeSubDomains';
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-Frame-Options' 'DENY';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ }
+
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+
+ location ~* \.(png|jpg|jpeg|gif|ico)$ {
+ expires max;
+ log_not_found off;
+ }
+
+ # PROD
+ location ~ ^/app\.php(/|$) {
+ include fastcgi.conf;
+ fastcgi_intercept_errors on;
+ fastcgi_pass php-handler;
+ # When you are using symlinks to link the document root to the
+ # current version of your application, you should pass the real
+ # application path instead of the path to the symlink to PHP
+ # FPM.
+ # Otherwise, PHP's OPcache may not properly detect changes to
+ # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
+ # for more information).
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ # Prevents URIs that include the front controller. This will 404:
+ # http://domain.tld/app.php/some-path
+ # Remove the internal directive to allow URIs like this
+ internal;
+ }
+
+ # return 404 for all other php files not matching the front controller
+ # this prevents access to other php files you don't want to be accessible.
+ location ~ \.php$ {
+ return 404;
+ }
+}
diff --git a/doc/nginx/setup.sh b/doc/nginx/setup.sh
new file mode 100644
index 0000000..e5fb0c6
--- /dev/null
+++ b/doc/nginx/setup.sh
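Review bot: The `listen 443 ssl http2` server block carries no `ssl_certificate`, `ssl_certificate_key` or any other `ssl_*` directive despite the comment pointing at Mozilla's generator, so nothing in this file actually configures TLS; as far as I know nginx's config test rejects a `listen … ssl` without a certificate, which would also make the commit's `setup.sh` check fail on a fresh install. The CORS headers allow only `https://framadate-api.cipherbliss.com`, the API's own origin, whereas doc/nginx.md says this config exists so a front-end on another domain can call the API; that value should be the front-end origin, and the `example.com` placeholders the setup script substitutes do not occur anywhere in this file. `root /home/www/tykayn/cipherbliss/framadate/` looks like a project checkout rather than its public directory; if so, `try_files $uri` in `location /` will hand out `.env`, `composer.json`, `var/` and similar to anyone, so I would add `# root must be the web-exposed public/ directory, never the project checkout` next to it. `try_files` falls back to `/index.html` while the `app.php` location is `internal`, so unless the front controller is reached some other way no external request can reach PHP at all — for an API vhost the fallback is usually `/app.php$is_args$args`. Minor: the CSP sets only `connect-src` with no `default-src`, so it limits nothing but fetch/XHR targets, and `X-XSS-Protection` is a legacy header most current browsers ignore.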
@@ -0,0 +1,28 @@
+#!/bib/bash
+echo "copy framadate api nginx config"
+sudo cp ./framadate-api.conf /etc/nginx/sites-available/
+
+echo "replace api.example.com with your website api domain"
+APISUBDOMAIN='other-api-domain.example.com'
+read -p 'sub api domain [$APISUBDOMAIN]: ' APISUBDOMAIN
+APIDOMAIN='other-api-domain.example.com'
+read -p 'sub api domain [$APIDOMAIN]: ' APIDOMAIN
+sudo sed -i 's/api.example.com/$APISUBDOMAIN/g' /etc/nginx/sites-available/framadate-api.conf
+echo "replace example.com with your website api domain"
+sudo sed -i 's/example.com/$APIDOMAIN/g' /etc/nginx/sites-available/framadate-api.conf
+
+echo "enable nginx config"
+sudo ln -s /etc/nginx/sites-available/framadate-api.conf /etc/nginx/sites-enabled/framadate-api.conf
+
+echo "testing nginx config"
+EXPECTED_NGINX_TEST="nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful"
+CHECK_NGINX=$(sudo nginx -t)
+# shellcheck disable=SC1073
+if [ "$CHECK_NGINX" = "$EXPECTED_NGINX_TEST"]; then
+ echo "config is OK"
+ exit 0
+else
+ echo "something is wrong in your nginx config, check the file /etc/nginx/sites-available/framadate-api.conf"
+ exit 1
+fi
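Review bot: The two `sed -i` lines in the middle of the hunk never substitute anything: the expressions are single-quoted, so `$APISUBDOMAIN` and `$APIDOMAIN` are written literally instead of being expanded, and the shipped framadate-api.conf contains `framadate-api.cipherbliss.com`, not `api.example.com` or `example.com`, so even with double quotes the patterns would not match. The final check is equally ineffective: `nginx -t` reports on stderr, so `$(sudo nginx -t)` captures an empty string, and `"$EXPECTED_NGINX_TEST"]` lacks the space before `]`, so the `[` call errors out and the script always takes the else branch; the exit status (`if sudo nginx -t; then`) is the reliable signal. The prompts `read -p 'sub api domain [$APISUBDOMAIN]: '` also display the literal `$APISUBDOMAIN` and overwrite the default with an empty string when the user just presses Enter. Since the prompted value is spliced unescaped into a sed replacement and ends up as an nginx `server_name`, I would validate it against a hostname character class before use, and also fix the shebang `#!/bib/bash` and the cwd-relative `cp ./framadate-api.conf` (doc/nginx.md tells users to run `bash doc/nginx/setup.sh` from the repository root, where that path does not exist). Proposed rewrite below, with a single prompt since the conf holds one hostname; `set -e` additionally stops the script at the first failing `sudo` step instead of carrying on.
```shell
#!/bin/bash
set -euo pipefail

# Resolve paths relative to this script, not to the caller's cwd (doc says: bash doc/nginx/setup.sh).
cd "$(dirname "$0")"
sudo cp ./framadate-api.conf /etc/nginx/sites-available/

read -r -p 'api domain [framadate-api.cipherbliss.com]: ' APIDOMAIN
APIDOMAIN="${APIDOMAIN:-framadate-api.cipherbliss.com}"
# The value is spliced into a sed expression and becomes an nginx server_name: accept plain hostnames only.
[[ "$APIDOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "invalid domain: $APIDOMAIN" >&2; exit 1; }
# Double quotes so the variable expands; the pattern must be what the shipped conf really contains.
sudo sed -i "s/framadate-api\.cipherbliss\.com/$APIDOMAIN/g" /etc/nginx/sites-available/framadate-api.conf

# -f so re-running the script does not fail on an existing symlink.
sudo ln -sf /etc/nginx/sites-available/framadate-api.conf /etc/nginx/sites-enabled/framadate-api.conf

# nginx -t reports on stderr and via its exit status; comparing captured stdout to a fixed string never matches.
if sudo nginx -t; then
    echo "config is OK"
else
    echo "something is wrong in your nginx config, check the file /etc/nginx/sites-available/framadate-api.conf" >&2
    exit 1
fi
```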