Overview
Comment: | Rework static assets, server_name, and ssl protocols in nginx |
SHA3-256: |
5f65ac9f1d132a55aaf30e8917543cd3 |
User & Date: | chewbranca 2020-04-10 05:14:53 |
Changes
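--- a/bootstrap/chewbranca_com.sh
+++ b/bootstrap/chewbranca_com.sh
@@ -7,48 +7,68 @@
 CHEWBRANCA_SRC_REPO=$1
 echo "Bootstrapping chewbranca.com from $1"
 
 # Remove undesirable side effects of CDPATH variable
 unset CDPATH
 # Change current working directory to the directory contains this script
 cd "$( dirname "${BASH_SOURCE[0]}" )"
+
+# thanks to http://redsymbol.net/articles/unofficial-bash-strict-mode/
+#set -euo pipefail
+#IFS=$'\n\t'
+
+#set -x
+
+# Trap exit of script for cleanup/debug/etc purposes
+#function finish {
+# echo "***EXITING***"
+#}
+#trap finish EXIT
+
 
 # Initialize Bash Booster
+#set +u
 source ../vendor/bashbooster-0.6/bashbooster.sh
+#set -u
+
+set -e
+#set -euo pipefail
+#IFS=$'\n\t'
 
 bb-log-info "Bootstrapping chewbranca.com"
 
 mkdir -p /opt/bin
 mkdir -p /opt/log
 mkdir -p /opt/etc
 mkdir -p /opt/service
 mkdir -p /opt/museum
+
+if ! id -u fossil > /dev/null 2>&1; then
+  adduser --disabled-password --gecos "" chewbranca
+  chown fossil:fossil /opt/museum
+fi
 
 if ! id -u chewbranca > /dev/null 2>&1; then
   adduser --disabled-password --gecos "" chewbranca
   adduser chewbranca sudo
+  adduser chewbranca fossil
   CSDIR=/home/chewbranca/.ssh
   CSAK=$CSDIR/authorized_keys
   mkdir -p $CSDIR
   if [[ -e $CSAK ]]; then
     if ! grep -q chewbranca $CSAK; then
       cat files/authorized_keys >> $CSAK
     fi
   else
     cp files/authorized_keys $CSAK
     chown chewbranca:chewbranca $CSAK
   fi
   chmod 0600 $CSAK
 fi
 
-if ! id -u fossil > /dev/null 2>&1; then
-  adduser fossil --system
-  chown fossil:fossil /opt/museum
-fi
-
 CHEWBRANCA_COM_FOSSIL=/opt/museum/chewbranca_com.fossil
 if [[ ! -e "$CHEWBRANCA_COM_FOSSIL" ]]; then
   cp $CHEWBRANCA_SRC_REPO $CHEWBRANCA_COM_FOSSIL
   chown fossil:fossil $CHEWBRANCA_COM_FOSSIL
 
   touch /opt/log/chewbranca.com-fossil-error.log
   chown fossil:fossil /opt/log/chewbranca.com-fossil-error.log
@@ -116,15 +136,21 @@
 
 bb-event-on restart-chewbranca-fossil "sv restart chewbranca_fossil"
 bb-sync-file "$CBFDIR/run" "files/chewbranca_com_run" restart-chewbranca-fossil
 
 bb-event-on restart-openresty "service openresty restart"
 bb-sync-file "/etc/openresty/nginx.conf" "files/chewbranca_com_nginx.conf" restart-openresty
 
-bb-log-info "Setup SSL"
+bb-log-info "Setup SSL ($?)"
 if ! bb-apt-package? certbot; then
+  bb-log-info "Installing certbot"
   bb-apt-install certbot
   systemctl disable certbot.timer
   if [ "$CWB_ENABLE_SSL" = true ]; then
-    cerbot certonly --webroot --dry-run --webroot-path /usr/local/openresty/nginx/html -d chewbranca.com -d www.chewbranca.com -d www2.chewbranca.com
+    certbot certonly --webroot --dry-run --webroot-path /usr/local/openresty/nginx/html -d chewbranca.com -d www.chewbranca.com -d www2.chewbranca.com -d couchdb.chewbranca.com
   fi
+else
+  echo "SKIPPING SSL SETUP ($?)"
 fi
+bb-log-info "Exiting..."
+
+exit 0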
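Review bot: The new fossil-user block (new lines 45–48) creates the wrong account: its `adduser` line names `chewbranca`, so when the `fossil` user is absent it is never created, `chown fossil:fossil /opt/museum` fails, and with the `set -e` added at new line 33 the script aborts there; had it continued, the `if ! id -u chewbranca` block that follows would be skipped along with the sudo and authorized_keys setup. The removed line `adduser fossil --system` was the intent; `adduser --system --group fossil` keeps it a system account and also creates the `fossil` group that `chown fossil:fossil` and the new `adduser chewbranca fossil` rely on (Debian's adduser puts `--system` users in `nogroup` unless `--group` is given). The `$?` interpolated at new lines 143 and 152 reports the status of the preceding bb-sync-file call or of the `bb-apt-package?` test, not anything about SSL, so those messages will read as `0` regardless of outcome. Note also that `certbot certonly --dry-run` (new line 149) only tests issuance and never writes a certificate, which predates this commit but now also covers the added couchdb.chewbranca.com name.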
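--- a/bootstrap/files/chewbranca_com_nginx.conf
+++ b/bootstrap/files/chewbranca_com_nginx.conf
@@ -58,28 +58,29 @@
         #ssl_certificate_key /etc/letsencrypt/live/chewbranca.com/privkey.pem;
 
         #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
         ssl_stapling on;
         ssl_stapling_verify on;
 
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_protocols TLSv1.2;
         #ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256”;
         ssl_session_cache shared:le_nginx_SSL:1m;
         ssl_prefer_server_ciphers on;
         #ssl_session_timeout 1440m;
 
         # This is expressed as a rewrite rule instead of an "if" because
         # http://wiki.nginx.org/IfIsEvil
         #rewrite ^(/.well-known/acme-challenge/.*) $1 break;
 
         # Force everything else to HTTPS with a permanent redirect.
         #return 301 https://$host$request_uri;
 
-        server_name localhost chewbranca.com www.chewbranca.com www2.chewbranca.com dev.chewbranca.com;
+        server_name chewbranca.com localhost www.chewbranca.com www2.chewbranca.com dev.chewbranca.com couchdb.chewbranca.com;
 
         #charset koi8-r;
 
         #access_log logs/host.access.log main;
         access_log /opt/log/nginx/chewbranca.com-http-access.log;
         error_log /opt/log/nginx/chewbranca.com-http-error.log;
 
@@ -155,16 +156,21 @@
                 ngx.say("<p>hello, world</p>")
             }
             break;
         }
 
         # Redirect everything else to the Fossil instance
         #location /code {
-        location /{
+        location / {
+            root html;
+            try_files $uri @chewbranca_fossil;
+        }
+
+        location @chewbranca_fossil {
             include scgi_params;
             #scgi_param SCRIPT_NAME "/code";
             scgi_param SCRIPT_NAME "";
             scgi_pass 127.0.0.1:7890;
         }
     }
 }
 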
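Review bot: `ssl_protocols TLSv1.2;` (new line 66) now sits beside `ssl_prefer_server_ciphers on;` (new line 69) while `ssl_ciphers` (new line 67) stays commented out, so the server-preference flag applies to the TLS library's default list rather than a curated one; the commented value also cannot simply be re-enabled, because its closing quote is a typographic `”` rather than `"`, which nginx would most likely reject at parse time. If the OpenResty build links an OpenSSL with TLS 1.3 support, `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting — confirm against the installed version before changing it. The new `server_name` (new line 79) adds `couchdb.chewbranca.com`, yet within these hunks the only catch-all is the new `location /` → `@chewbranca_fossil` fallback, so requests for that host would be handed to the Fossil SCGI backend unless a separate server block outside this section handles them. The enclosing `server` block begins before the first hunk.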
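--- a/vendor/bashbooster-0.6/bashbooster.sh
+++ b/vendor/bashbooster-0.6/bashbooster.sh
@@ -409,14 +409,15 @@
 
 bb-event-fire() {
     [[ -n "$@" ]] || return 0
 
     local EVENT="$1"
     shift
 
+    echo "FIRING EVENT: $EVENT"
     BB_EVENT_DEPTH["$EVENT"]=$(( ${BB_EVENT_DEPTH["$EVENT"]} + 1 ))
     if (( ${BB_EVENT_DEPTH["$EVENT"]} >= $BB_EVENT_MAX_DEPTH ))
     then
         bb-exit \
             $BB_ERROR_EVENT_MAX_DEPTH_REACHED \
             "Max recursion depth has been reached on processing event '$EVENT'"
     fi
@@ -1454,28 +1455,30 @@
 bb-tmp-init
 bb-event-init
 bb-download-init
 bb-flag-init
 
 
 bb-cleanup-update-exit-code() {
+    echo "In bb-cleanup-update-exit-code"
     if bb-error? && (( $BB_EXIT_CODE == 0 ))
     then
         BB_EXIT_CODE=$BB_ERROR
     fi
 }
 
 bb-cleanup() {
+    echo "[bb-cleanup]..."
     bb-cleanup-update-exit-code
 
-    bb-event-fire bb-cleanup ; bb-cleanup-update-exit-code
+    #bb-event-fire bb-cleanup ; bb-cleanup-update-exit-code
 
     bb-flag-cleanup ; bb-cleanup-update-exit-code
     bb-event-cleanup ; bb-cleanup-update-exit-code
     bb-tmp-cleanup ; bb-cleanup-update-exit-code
     bb-workspace-cleanup ; bb-cleanup-update-exit-code
 
     exit $BB_EXIT_CODE
 }
 
 trap bb-cleanup EXIT
 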