VM Node test
Cyprien Devillez edited this page Mar 20, 2015
·
45 revisions
IPv4: 5.196.206.62
Virtual MAC: 02:00:00:14:05:2c
OS: Ubuntu 14.04
Installed from VM-template
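# Keep TLS key material in a directory that only root can enter.
mkdir -m 700 /etc/nginx/ssl
cd /etc/nginx/ssl
# Generate a new 2048-bit RSA key and a CSR for the wildcard certificate.
# -nodes writes donut.key unencrypted, so the command runs in a subshell with
# a restrictive umask and the key is never readable by other users.
# The CSR is signed with SHA-256 rather than the deprecated SHA-1.
(umask 077 && openssl req -nodes -newkey rsa:2048 -sha256 -keyout donut.key -out donut.csr)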
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Paris
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DONUT SYSTEMS SAS
Organizational Unit Name (eg, section) []:DONUT SYSTEMS SAS
Common Name (e.g. server FQDN or YOUR name) []:*.donut.me
Email Address []:hello@donut.me
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
# Fetch the Gandi intermediate CA certificate, then build the bundle nginx serves.
# donut.crt must already be in place; presumably it is the certificate the CA
# issued for donut.csr (that step is not shown here).
ssl_dir=/etc/nginx/ssl
wget --output-document="$ssl_dir/gandi.crt" https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
# Order matters: the server certificate comes first, the intermediate after it.
cat "$ssl_dir/donut.crt" "$ssl_dir/gandi.crt" > "$ssl_dir/donut.pem"
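cd /etc/nginx/ssl
# Create a second CSR, for ws.test.donut.me, signed with the existing donut.key.
# -new together with -key reuses that key; -newkey is not used because no new
# key is wanted, and -nodes is unnecessary when no key is written.
# SHA-256 replaces the deprecated SHA-1 digest.
# Both certificates then share one private key, so a leak of donut.key exposes both.
openssl req -new -sha256 -key donut.key -out ws.test.donut.csr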
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Paris
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DONUT SYSTEMS SAS
Organizational Unit Name (eg, section) []:DONUT SYSTEMS SAS
Common Name (e.g. server FQDN or YOUR name) []:ws.test.donut.me
Email Address []:hello@donut.me
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Install nginx (as root):
# Install nginx from the distribution's package repository (run as root).
$ apt-get install nginx
# Edit the main configuration file; the intended contents follow.
$ vi /etc/nginx/nginx.conf
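# Main nginx configuration: worker setup, global HTTP tuning, per-client
# limits, logging, compression and the virtual-host includes.
user www-data;
worker_processes 6;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Request optimisation
    ##
    open_file_cache max=50000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    reset_timedout_connection on;
    # Small buffers and short timeouts bound the memory and time one client can hold.
    client_body_buffer_size 16K;
    client_header_buffer_size 4k;
    client_max_body_size 2m;
    large_client_header_buffers 4 64k;
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 10;
    send_timeout 10;

    ##
    # DDOS Protection
    ##
    # Both limits are keyed on the client address, so clients behind one NAT
    # address share the same budget.

    # Maximum simultaneous connections per IP.
    # NOTE(review): long-lived proxied connections (e.g. WebSocket) count
    # against this limit for as long as they stay open - confirm 20 is enough.
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 20;

    # Maximum requests per second per IP; bursts of up to 200 are served
    # without delay, anything beyond that is rejected.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=50r/s;
    limit_req zone=allips burst=200 nodelay;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # NOTE(review): compression set here is inherited by TLS virtual hosts;
    # review BREACH exposure if compressed HTTPS responses carry secrets
    # together with request-controlled data.
    gzip on;
    gzip_disable "msie6";

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}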
$ vi /etc/nginx/sites-available/web.conf
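# Plain-HTTP virtual host that permanently redirects redirtest.donut.me
# to the HTTPS site.
server {
    listen 80;
    server_name redirtest.donut.me;
    # "return" sends the 301 directly. $request_uri already carries the query
    # string, so it is not appended a second time as "rewrite" would do.
    return 301 https://test.donut.me$request_uri;
}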
# Plain-HTTP virtual host for test.donut.me: proxies everything to the
# application on port 3000 and serves custom error pages from disk.
# NOTE(review): this vhost serves the application without TLS instead of
# redirecting to the HTTPS vhost - confirm that is intended.
server {
    listen 80;
    server_name test.donut.me;

    # Compress text responses of at least 1100 bytes, including proxied ones.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 32k;
    gzip_types text/plain application/x-javascript text/xml text/css;

    # Custom error pages, resolved by the /error/ location below.
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    #error_page 499 /error/499.html;
    error_page 500 501 502 503 504 /error/50x.html;

    location /error/ {
        root /home/donut/app/server;
    }

    location / {
        # NOTE(review): the backend is addressed by its public hostname;
        # presumably it resolves to this host. Confirm port 3000 is not
        # reachable from outside (loopback bind or firewall), otherwise the
        # limits configured in nginx can be bypassed.
        proxy_pass http://test.donut.me:3000;
    }
}
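# HTTPS virtual host for test.donut.me: terminates TLS and proxies to the
# application on port 3000.
server {
    # The ssl parameter on "listen" replaces the standalone "ssl on;"
    # directive, which later nginx releases deprecate.
    listen 443 ssl;
    server_name test.donut.me;

    location / {
        # NOTE(review): the hop to the backend is plain HTTP and uses the
        # public hostname; confirm it stays on this host and that port 3000
        # is not exposed externally.
        proxy_pass http://test.donut.me:3000;
    }

    # NOTE(review): compressing HTTPS responses can expose secrets to BREACH
    # when a response mixes them with request-controlled data - confirm this
    # is acceptable for the application.
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 16 32k;
    gzip_types text/plain application/x-javascript text/xml text/css;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_vary on;

    # donut.pem is the server certificate followed by the intermediate CA.
    ssl_certificate /etc/nginx/ssl/donut.pem;
    ssl_certificate_key /etc/nginx/ssl/donut.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken (DROWN, POODLE) and TLS 1.0/1.1 are
    # deprecated, so only TLS 1.2 is offered. Add TLSv1.3 where the installed
    # nginx and OpenSSL support it.
    ssl_protocols TLSv1.2;
    # !3DES removes the 64-bit-block suites that older OpenSSL builds still
    # include in HIGH.
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
}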
$ vi /etc/nginx/sites-available/ws.conf
# Backend pool for the WebSocket vhosts: two listeners on ports 3050 and 3051.
upstream io_nodes {
    # ip_hash routes a given client address to the same backend each time.
    ip_hash;
    # NOTE(review): both backends are addressed by the public hostname;
    # confirm ports 3050/3051 are not reachable from outside this host.
    server ws.test.donut.me:3050;
    server ws.test.donut.me:3051;
}
# Plain-HTTP virtual host for ws.test.donut.me: proxies requests, including
# WebSocket upgrades, to the io_nodes pool.
# NOTE(review): WebSocket traffic on this vhost is unencrypted - confirm
# clients are expected to use it rather than the HTTPS vhost.
server {
    listen 80;
    server_name ws.test.donut.me;

    # Compress text responses of at least 1100 bytes, including proxied ones.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 32k;
    gzip_types text/plain application/x-javascript text/xml text/css;

    location / {
        proxy_pass http://io_nodes;
        # HTTP/1.1 plus the Upgrade/Connection headers let the WebSocket
        # handshake pass through to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Appends the connecting address to any client-supplied
        # X-Forwarded-For value, so only the last entry is set by nginx.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
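# HTTPS virtual host for ws.test.donut.me: terminates TLS and proxies
# requests, including WebSocket upgrades, to the io_nodes pool.
server {
    # The ssl parameter on "listen" replaces the standalone "ssl on;"
    # directive, which later nginx releases deprecate.
    listen 443 ssl;
    server_name ws.test.donut.me;

    location / {
        # HTTP/1.1 plus the Upgrade/Connection headers let the WebSocket
        # handshake pass through to the backend.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Appends the connecting address to any client-supplied
        # X-Forwarded-For value, so only the last entry is set by nginx.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_pass http://io_nodes;
    }

    gzip on;
    gzip_min_length 1100;
    gzip_buffers 16 32k;
    gzip_types text/plain application/x-javascript text/xml text/css;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_vary on;

    # NOTE(review): donut.crt looks like the *.donut.me wildcard certificate.
    # A wildcard covers a single label, so it does not match ws.test.donut.me,
    # and the file carries no intermediate CA. Presumably the certificate
    # issued for the ws.test.donut.me CSR, bundled with the intermediate, was
    # meant here - confirm.
    ssl_certificate /etc/nginx/ssl/donut.crt;
    ssl_certificate_key /etc/nginx/ssl/donut.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken (DROWN, POODLE) and TLS 1.0/1.1 are
    # deprecated, so only TLS 1.2 is offered. Add TLSv1.3 where the installed
    # nginx and OpenSSL support it.
    ssl_protocols TLSv1.2;
    # !3DES removes the 64-bit-block suites that older OpenSSL builds still
    # include in HIGH.
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
}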
# Enable the two virtual hosts; nginx.conf includes everything in sites-enabled.
$ cd /etc/nginx/sites-enabled
# Remove the packaged default site so it no longer answers requests.
$ rm default
$ ln -s /etc/nginx/sites-available/web.conf web
$ ln -s /etc/nginx/sites-available/ws.conf ws
# NOTE(review): no configuration check or reload is shown here; running
# `nginx -t` before reloading catches syntax errors in the new files.