Server Configuration
- SSH
- No password auth
- No root login
- No X11 forwarding
- Firewall - only allow 22, 80, 443
Install nginx stable

```sh
wget -qO - https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
echo -e "deb http://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx\ndeb-src http://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
sudo apt-get update
sudo apt-get install nginx
```
Use a strong Diffie-Hellman group

```sh
sudo mkdir -m 700 /etc/nginx/ssl
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```
Grab the Let's Encrypt intermediate cert for OCSP stapling; nginx uses it (via ssl_trusted_certificate below) to verify the stapled OCSP response.

```sh
sudo curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -o /etc/nginx/ssl/trusted.crt
```
A few changes to /etc/nginx/nginx.conf:

```nginx
server_tokens off;
# ...
gzip on;
gzip_static on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
resolver 8.8.8.8;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/trusted.crt;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
include /etc/nginx/conf.d/*.conf;
```
We're going to use /etc/nginx/conf.d/thewhitehat.club.conf as our config path.
```nginx
server {
    listen 80;
    server_name thewhitehat.club www.thewhitehat.club;
    return 301 https://thewhitehat.club$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.thewhitehat.club;
    ssl_certificate /etc/letsencrypt/live/thewhitehat.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thewhitehat.club/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    return 301 https://thewhitehat.club$request_uri;
}
server {
    listen 443 ssl http2;
    server_name thewhitehat.club;
    ssl_certificate /etc/letsencrypt/live/thewhitehat.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thewhitehat.club/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    location = /status.svg {
        root /var/www/seclab;
    }
    root /var/www/thewhitehat.club;
}
```
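As an added check that is not part of this wiki, a small Python script that parses nginx directives like the ones above and flags two things the config on this page leaves open: TLSv1 and TLSv1.1 in `ssl_protocols`, and an HSTS `add_header` on a TLS server block that lacks `always` (without it nginx omits the header on 4xx/5xx responses). The embedded config is constructed for the example; hostnames are placeholders, and `parse` returns `(top-level directives, server blocks)` as lists of `(name, args)` pairs.

```python
import re

# Constructed sample: the wiki's ssl_protocols line plus two HTTPS server blocks (placeholder names).
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated
server {
    listen 443 ssl http2;
    server_name good.example;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
}
server {
    listen 443 ssl http2;
    server_name weak.example;
    add_header Strict-Transport-Security "max-age=31536000";
}
"""

# A statement runs up to ';', '{' or '}'; quoted strings stay whole so the ';'
# inside the HSTS value does not split the add_header directive.
STMT = re.compile(r'((?:"[^"]*"|\'[^\']*\'|[^;{}"\'])*)([;{}])')

def parse(conf):
    top, servers, stack = [], [], []
    for body, delim in STMT.findall(re.sub(r'#[^\n]*', '', conf)):
        body = body.strip()
        if delim == '{':
            stack.append((body, []))           # (block header, its directives)
        elif delim == '}':
            header, items = stack.pop()
            if header == 'server':
                servers.append(items)
        elif body:
            name, args = (body.split(None, 1) + [''])[:2]
            (stack[-1][1] if stack else top).append((name, args))
    return top, servers

def audit(conf):
    top, servers = parse(conf)
    g, findings = dict(top), []
    legacy = set(g.get('ssl_protocols', '').split()) & {'SSLv3', 'TLSv1', 'TLSv1.1'}
    if legacy:
        findings.append('legacy protocols enabled: ' + ' '.join(sorted(legacy)))
    for block in servers:
        d = dict(block)
        if 'ssl' not in d.get('listen', ''):
            continue                           # plain-HTTP redirect block, HSTS not needed
        hsts = [a for n, a in block if n == 'add_header' and a.startswith('Strict-Transport-Security')]
        if not hsts or not hsts[0].endswith('always'):
            findings.append(f"{d.get('server_name', '?')}: HSTS missing or lacks 'always' (omitted on 4xx/5xx)")
    return findings
```

Run `audit(open('/etc/nginx/nginx.conf').read())` against a concatenation of nginx.conf and the conf.d files to check a live install; an empty list means both checks pass.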
nginx just cares that there's a cert in /etc/letsencrypt/live/thewhitehat.club (the paths used by ssl_certificate and ssl_certificate_key above). letsencrypt makes sure there's always a valid cert there, by automating renewal. Plus it's free!
It's an sslad: lettuce encrypt
Install:

```sh
sudo apt-get install git
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
```
Get a cert:

```sh
cd /opt/letsencrypt
# With nginx stopped nothing is listening on port 80, so use the standalone
# authenticator, which answers the HTTP-01 challenge itself. --webroot needs a
# running web server, and the port-80 block above only redirects to HTTPS anyway.
sudo service nginx stop
./letsencrypt-auto certonly --standalone --email [email protected] --agree-tos -d thewhitehat.club -d www.thewhitehat.club
sudo service nginx start
```
SSLanta Claus is coming to town.
First we'll set up a git user

```sh
sudo useradd -m git
sudo su git
cd
mkdir -m 700 .ssh
touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys  # public keys of people allowed to deploy go in this file
```
Now we can create the repo:

```sh
mkdir ~/thewhitehat.club
cd ~/thewhitehat.club
git init .
git config receive.denyCurrentBranch false
touch .git/hooks/post-receive && chmod 775 .git/hooks/post-receive
```
Now we need to write the post-receive hook. This script runs whenever someone pushes to the repo. It just updates the local copy of the source (the files in ~/thewhitehat.club) to the most recent commit in master, and runs the build.

.git/hooks/post-receive:

```sh
#!/bin/sh
# git runs push hooks from inside $GIT_DIR (here .git), so move to the working tree first.
cd /home/git/thewhitehat.club || exit 1
# receive.denyCurrentBranch=false lets the push update the checked-out branch,
# but not the files on disk; force the working tree to the pushed commit.
GIT_DIR=.git git checkout -f
# Drop stale generated stylesheets (-f so an empty directory is not an error).
rm -f /home/git/thewhitehat.club/static/css/*
# Reload the app; the git user is allowed exactly this command via sudoers.
sudo /etc/init.d/uwsgi reload
echo "SUCCESS"
```
We also need to give the git user sudo permission to run `sudo /etc/init.d/uwsgi reload`. This is added to the /etc/sudoers file (edit it with `visudo`), in the "User privilege specification" section:

```
git ALL=(root) NOPASSWD: /etc/init.d/uwsgi reload
```

Listing the `reload` argument limits the rule to that one action; a rule for `/etc/init.d/uwsgi` alone would let the git user run any action of the init script (stop, for instance) as root.
Now anyone with access to the git user can deploy the site! See Deployment for details.