From 7c15c345b43e5445434c1c6b76f64904421d7763 Mon Sep 17 00:00:00 2001 From: Daniel Tsvetkov Date: Wed, 15 Apr 2020 21:56:06 +0200 Subject: [PATCH] blank nginx and gunicorn services --- oshipka.sh | 1 + provision/gunicorn.service | 14 ++++++++++ provision/nginx.conf | 55 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 provision/gunicorn.service create mode 100644 provision/nginx.conf diff --git a/oshipka.sh b/oshipka.sh index 87d0de6..ead4fbc 100755 --- a/oshipka.sh +++ b/oshipka.sh @@ -93,6 +93,7 @@ bootstrap() { run_in_prod() { shift PORT=$1 + source venv/bin/activate gunicorn -w 4 -b 0.0.0.0:${PORT} run:app } diff --git a/provision/gunicorn.service b/provision/gunicorn.service new file mode 100644 index 0000000..d671e41 --- /dev/null +++ b/provision/gunicorn.service @@ -0,0 +1,14 @@ +[Unit] +Description=gunicorn service +Requires=network.target +After=network.target + +[Service] +User=pi2 +Type=simple +WorkingDirectory=/home/pi2/watch +ExecStart=/bin/bash -c 'export OSHIPKA_PATH=/home/pi2/oshipka; $OSHIPKA_PATH/oshipka.sh prod 5000' +Restart=on-failure + +[Install] +WantedBy=default.target diff --git a/provision/nginx.conf b/provision/nginx.conf new file mode 100644 index 0000000..1c8605e --- /dev/null +++ b/provision/nginx.conf @@ -0,0 +1,55 @@ +server { + listen 80; + listen [::]:80; + + server_name PROJECT_DOMAIN; + + # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response. + return 301 https://; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name PROJECT_DOMAIN; + + server_tokens off; + charset utf-8; + client_max_body_size 1g; + + # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate + ssl_certificate /etc/letsencrypt/live/PROJECT_DOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/PROJECT_DOMAIN/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + ssl_dhparam /etc/nginx/dhparam.pem; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # TODO: + # OCSP stapling + # ssl_stapling on; + # ssl_stapling_verify on; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; + + # replace with the IP address of your resolver + location / { + proxy_pass http://192.168.1.112:5001; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + } +}