Overview
| Comment: | Rework static assets, server_name, and ssl protocols in nginx |
|---|---|
| SHA3-256: |
5f65ac9f1d132a55aaf30e8917543cd3 |
| User & Date: | chewbranca 2020-04-10 05:14:53 |
Changes
Changes to bootstrap/chewbranca_com.sh.
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 .. 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 ... 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
CHEWBRANCA_SRC_REPO=$1
echo "Bootstrapping chewbranca.com from $1"
# Remove undesirable side effects of CDPATH variable
unset CDPATH
# Change current working directory to the directory contains this script
cd "$( dirname "${BASH_SOURCE[0]}" )"
# Initialize Bash Booster
source ../vendor/bashbooster-0.6/bashbooster.sh
bb-log-info "Bootstrapping chewbranca.com"
mkdir -p /opt/bin
mkdir -p /opt/log
mkdir -p /opt/etc
mkdir -p /opt/service
mkdir -p /opt/museum
if ! id -u chewbranca > /dev/null 2>&1; then
adduser --disabled-password --gecos "" chewbranca
adduser chewbranca sudo
CSDIR=/home/chewbranca/.ssh
CSAK=$CSDIR/authorized_keys
mkdir -p $CSDIR
if [[ -e $CSAK ]]; then
if ! grep -q chewbranca $CSAK; then
cat files/authorized_keys >> $CSAK
fi
................................................................................
else
cp files/authorized_keys $CSAK
chown chewbranca:chewbranca $CSAK
fi
chmod 0600 $CSAK
fi
if ! id -u fossil > /dev/null 2>&1; then
adduser fossil --system
chown fossil:fossil /opt/museum
fi
CHEWBRANCA_COM_FOSSIL=/opt/museum/chewbranca_com.fossil
if [[ ! -e "$CHEWBRANCA_COM_FOSSIL" ]]; then
cp $CHEWBRANCA_SRC_REPO $CHEWBRANCA_COM_FOSSIL
chown fossil:fossil $CHEWBRANCA_COM_FOSSIL
touch /opt/log/chewbranca.com-fossil-error.log
chown fossil:fossil /opt/log/chewbranca.com-fossil-error.log
................................................................................
bb-event-on restart-chewbranca-fossil "sv restart chewbranca_fossil"
bb-sync-file "$CBFDIR/run" "files/chewbranca_com_run" restart-chewbranca-fossil
bb-event-on restart-openresty "service openresty restart"
bb-sync-file "/etc/openresty/nginx.conf" "files/chewbranca_com_nginx.conf" restart-openresty
bb-log-info "Setup SSL"
if ! bb-apt-package? certbot; then
bb-apt-install certbot
systemctl disable certbot.timer
if [ "$CWB_ENABLE_SSL" = true ]; then
cerbot certonly --webroot --dry-run --webroot-path /usr/local/openresty/nginx/html -d chewbranca.com -d www.chewbranca.com -d www2.chewbranca.com
fi
fi
|
> > > > > > > > > > > > > > > > > > > > > > > > > < < < < < | > | > > > > > |
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 .. 61 62 63 64 65 66 67 68 69 70 71 72 73 74 ... 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 |
CHEWBRANCA_SRC_REPO=$1
echo "Bootstrapping chewbranca.com from $1"
# Remove undesirable side effects of CDPATH variable
unset CDPATH
# Change current working directory to the directory contains this script
cd "$( dirname "${BASH_SOURCE[0]}" )"
# thanks to http://redsymbol.net/articles/unofficial-bash-strict-mode/
#set -euo pipefail
#IFS=$'\n\t'
#set -x
# Trap exit of script for cleanup/debug/etc purposes
#function finish {
# echo "***EXITING***"
#}
#trap finish EXIT
# Initialize Bash Booster
#set +u
source ../vendor/bashbooster-0.6/bashbooster.sh
#set -u
set -e
#set -euo pipefail
#IFS=$'\n\t'
bb-log-info "Bootstrapping chewbranca.com"
mkdir -p /opt/bin
mkdir -p /opt/log
mkdir -p /opt/etc
mkdir -p /opt/service
mkdir -p /opt/museum
if ! id -u fossil > /dev/null 2>&1; then
adduser --disabled-password --gecos "" chewbranca
chown fossil:fossil /opt/museum
fi
if ! id -u chewbranca > /dev/null 2>&1; then
adduser --disabled-password --gecos "" chewbranca
adduser chewbranca sudo
adduser chewbranca fossil
CSDIR=/home/chewbranca/.ssh
CSAK=$CSDIR/authorized_keys
mkdir -p $CSDIR
if [[ -e $CSAK ]]; then
if ! grep -q chewbranca $CSAK; then
cat files/authorized_keys >> $CSAK
fi
................................................................................
else
cp files/authorized_keys $CSAK
chown chewbranca:chewbranca $CSAK
fi
chmod 0600 $CSAK
fi
CHEWBRANCA_COM_FOSSIL=/opt/museum/chewbranca_com.fossil
if [[ ! -e "$CHEWBRANCA_COM_FOSSIL" ]]; then
cp $CHEWBRANCA_SRC_REPO $CHEWBRANCA_COM_FOSSIL
chown fossil:fossil $CHEWBRANCA_COM_FOSSIL
touch /opt/log/chewbranca.com-fossil-error.log
chown fossil:fossil /opt/log/chewbranca.com-fossil-error.log
................................................................................
bb-event-on restart-chewbranca-fossil "sv restart chewbranca_fossil"
bb-sync-file "$CBFDIR/run" "files/chewbranca_com_run" restart-chewbranca-fossil
bb-event-on restart-openresty "service openresty restart"
bb-sync-file "/etc/openresty/nginx.conf" "files/chewbranca_com_nginx.conf" restart-openresty
bb-log-info "Setup SSL ($?)"
if ! bb-apt-package? certbot; then
bb-log-info "Installing certbot"
bb-apt-install certbot
systemctl disable certbot.timer
if [ "$CWB_ENABLE_SSL" = true ]; then
certbot certonly --webroot --dry-run --webroot-path /usr/local/openresty/nginx/html -d chewbranca.com -d www.chewbranca.com -d www2.chewbranca.com -d couchdb.chewbranca.com
fi
else
echo "SKIPPING SSL SETUP ($?)"
fi
bb-log-info "Exiting..."
exit 0
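Review bot: The new `fossil` account guard creates the wrong user: inside `if ! id -u fossil` the command is `adduser --disabled-password --gecos "" chewbranca`, so `fossil` is never created, the following `chown fossil:fossil /opt/museum` fails, and with `set -e` now enabled the script aborts there (and on a host where that chown did somehow pass, the later `if ! id -u chewbranca` block that installs the sudo membership and SSH keys would be skipped because `chewbranca` already exists). The old side had `adduser fossil --system`; restoring it as `adduser --system --group fossil` also creates the `fossil` group that both `chown fossil:fossil` and the new `adduser chewbranca fossil` depend on (Debian's adduser places `--system` users in `nogroup` unless `--group` is given). Keeping the SCGI backend's account a system user (no password, normally a nologin shell) rather than a regular login user is also the safer choice. Separately, the certbot invocation still carries `--dry-run`, so even with `CWB_ENABLE_SSL=true` no certificate is ever issued — if that is not intentional it should be removed before the TLS server block is relied on.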
|
Changes to bootstrap/files/chewbranca_com_nginx.conf.
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
...
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
#ssl_certificate_key /etc/letsencrypt/live/chewbranca.com/privkey.pem;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256”;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_prefer_server_ciphers on;
#ssl_session_timeout 1440m;
# This is expressed as a rewrite rule instead of an "if" because
# http://wiki.nginx.org/IfIsEvil
#rewrite ^(/.well-known/acme-challenge/.*) $1 break;
# Force everything else to HTTPS with a permanent redirect.
#return 301 https://$host$request_uri;
server_name localhost chewbranca.com www.chewbranca.com www2.chewbranca.com dev.chewbranca.com;
#charset koi8-r;
#access_log logs/host.access.log main;
access_log /opt/log/nginx/chewbranca.com-http-access.log;
error_log /opt/log/nginx/chewbranca.com-http-error.log;
................................................................................
ngx.say("<p>hello, world</p>")
}
break;
}
# Redirect everything else to the Fossil instance
#location /code {
location /{
include scgi_params;
#scgi_param SCRIPT_NAME "/code";
scgi_param SCRIPT_NAME "";
scgi_pass 127.0.0.1:7890;
}
}
}
|
|
>
|
|
>
>
>
>
>
|
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
...
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
#ssl_certificate_key /etc/letsencrypt/live/chewbranca.com/privkey.pem;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
#ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256”;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_prefer_server_ciphers on;
#ssl_session_timeout 1440m;
# This is expressed as a rewrite rule instead of an "if" because
# http://wiki.nginx.org/IfIsEvil
#rewrite ^(/.well-known/acme-challenge/.*) $1 break;
# Force everything else to HTTPS with a permanent redirect.
#return 301 https://$host$request_uri;
server_name chewbranca.com localhost www.chewbranca.com www2.chewbranca.com dev.chewbranca.com couchdb.chewbranca.com;
#charset koi8-r;
#access_log logs/host.access.log main;
access_log /opt/log/nginx/chewbranca.com-http-access.log;
error_log /opt/log/nginx/chewbranca.com-http-error.log;
................................................................................
ngx.say("<p>hello, world</p>")
}
break;
}
# Redirect everything else to the Fossil instance
#location /code {
location / {
root html;
try_files $uri @chewbranca_fossil;
}
location @chewbranca_fossil {
include scgi_params;
#scgi_param SCRIPT_NAME "/code";
scgi_param SCRIPT_NAME "";
scgi_pass 127.0.0.1:7890;
}
}
}
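Review bot: `ssl_protocols TLSv1.2;` drops the legacy protocols, but `ssl_ciphers` on the next line is still commented out, so `ssl_prefer_server_ciphers on` has only the OpenSSL default list to prefer from. That line cannot simply be re-enabled: its closing quote is a typographic `”` (U+201D) rather than `"`, which nginx will reject as an unterminated string, and the list still carries CBC/SHA1 suites such as `ECDHE-RSA-AES128-SHA` that can be dropped now that TLS 1.0/1.1 are gone. If the OpenResty build links OpenSSL 1.1.1 or newer, `ssl_protocols TLSv1.2 TLSv1.3;` would be the usual pairing. Separately, the new `location / { root html; try_files $uri @chewbranca_fossil; }` now serves every file under the prefix `html` directory publicly on all listed server_names before Fossil sees the request, so anything placed there (which appears to include the certbot webroot the bootstrap script uses) is exposed and shadows same-named Fossil routes — a comment on that location such as `# static files in html/ win over Fossil routes; keep this directory clean` would make the intent explicit.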
|
Changes to vendor/bashbooster-0.6/bashbooster.sh.
409
410
411
412
413
414
415
416
417
418
419
420
421
422
....
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
|
bb-event-fire() {
[[ -n "$@" ]] || return 0
local EVENT="$1"
shift
BB_EVENT_DEPTH["$EVENT"]=$(( ${BB_EVENT_DEPTH["$EVENT"]} + 1 ))
if (( ${BB_EVENT_DEPTH["$EVENT"]} >= $BB_EVENT_MAX_DEPTH ))
then
bb-exit \
$BB_ERROR_EVENT_MAX_DEPTH_REACHED \
"Max recursion depth has been reached on processing event '$EVENT'"
fi
................................................................................
bb-tmp-init
bb-event-init
bb-download-init
bb-flag-init
bb-cleanup-update-exit-code() {
if bb-error? && (( $BB_EXIT_CODE == 0 ))
then
BB_EXIT_CODE=$BB_ERROR
fi
}
bb-cleanup() {
bb-cleanup-update-exit-code
bb-event-fire bb-cleanup ; bb-cleanup-update-exit-code
bb-flag-cleanup ; bb-cleanup-update-exit-code
bb-event-cleanup ; bb-cleanup-update-exit-code
bb-tmp-cleanup ; bb-cleanup-update-exit-code
bb-workspace-cleanup ; bb-cleanup-update-exit-code
exit $BB_EXIT_CODE
}
trap bb-cleanup EXIT
|
>
>
>
|
|
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
....
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
|
bb-event-fire() {
[[ -n "$@" ]] || return 0
local EVENT="$1"
shift
echo "FIRING EVENT: $EVENT"
BB_EVENT_DEPTH["$EVENT"]=$(( ${BB_EVENT_DEPTH["$EVENT"]} + 1 ))
if (( ${BB_EVENT_DEPTH["$EVENT"]} >= $BB_EVENT_MAX_DEPTH ))
then
bb-exit \
$BB_ERROR_EVENT_MAX_DEPTH_REACHED \
"Max recursion depth has been reached on processing event '$EVENT'"
fi
................................................................................
bb-tmp-init
bb-event-init
bb-download-init
bb-flag-init
bb-cleanup-update-exit-code() {
echo "In bb-cleanup-update-exit-code"
if bb-error? && (( $BB_EXIT_CODE == 0 ))
then
BB_EXIT_CODE=$BB_ERROR
fi
}
bb-cleanup() {
echo "[bb-cleanup]..."
bb-cleanup-update-exit-code
#bb-event-fire bb-cleanup ; bb-cleanup-update-exit-code
bb-flag-cleanup ; bb-cleanup-update-exit-code
bb-event-cleanup ; bb-cleanup-update-exit-code
bb-tmp-cleanup ; bb-cleanup-update-exit-code
bb-workspace-cleanup ; bb-cleanup-update-exit-code
exit $BB_EXIT_CODE
}
trap bb-cleanup EXIT
|