Add initial config files for hosting under nginx

These are the initial config files for hosting *.whatwg.org domains under nginx. Notes: * We match the Mozilla SSL Configurator “Intermediate” settings See https://mozilla.github.io/server-side-tls/ssl-config-generator/ * We set `ssl_session_tickets off` * We allow directory indexes everywhere (makes all directory indexes browsable) * We use `systemctl reload-or-restart nginx.service`
whatwg · Sep 8, 2017 · 526311f · 526311f
1 parent 6b72735
commit 526311f
Show file tree

Hide file tree

Showing 70 changed files with 400 additions and 298 deletions.
diff --git a/debian/marquee/00-apache-conf b/debian/marquee/00-apache-conf
diff --git a/debian/marquee/00-nginx-conf b/debian/marquee/00-nginx-conf
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+apt install nginx
+
+rm -f /etc/nginx/sites-enabled/*
+
+cp nginx/conf/http.conf /etc/nginx/conf.d/
+cp nginx/conf/whatwg.conf /etc/nginx/
+cp nginx/conf/whatwg-headers.conf /etc/nginx/
+
+mkdir -p /var/www/http/.well-known/acme-challenge
+
+chown -R deploy:deploy /var/www
+rm -rf /var/www/html
+
+nginx -t
+systemctl reload-or-restart nginx.service
diff --git a/debian/marquee/01-certbot b/debian/marquee/01-certbot
@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
-apt install certbot python-certbot-apache
+apt install certbot
 
 for domains in `cat DOMAINS`; do
-    certbot certonly -n --apache --agree-tos -m admin@whatwg.org -d $domains
+    certbot certonly -n --agree-tos --webroot -m admin@whatwg.org -d $domains -w /var/www/http
 done
diff --git a/debian/marquee/02-apache-sites b/debian/marquee/02-apache-sites
diff --git a/debian/marquee/02-nginx-sites b/debian/marquee/02-nginx-sites
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+rm -f /etc/nginx/sites-enabled/*
+cp nginx/sites/*.conf /etc/nginx/sites-available/
+
+for domain in `cat DOMAINS | tr , ' '`; do
+    ln -s /etc/nginx/sites-available/$domain.conf /etc/nginx/sites-enabled/
+done
+
+nginx -t
+systemctl reload-or-restart nginx.service
diff --git a/debian/marquee/apache/conf/http.conf b/debian/marquee/apache/conf/http.conf
diff --git a/debian/marquee/apache/conf/zz_local.conf b/debian/marquee/apache/conf/zz_local.conf
diff --git a/debian/marquee/apache/sites/books.idea.whatwg.org.conf b/debian/marquee/apache/sites/books.idea.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/books.spec.whatwg.org.conf b/debian/marquee/apache/sites/books.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/c.whatwg.org.conf b/debian/marquee/apache/sites/c.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/compat.spec.whatwg.org.conf b/debian/marquee/apache/sites/compat.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/developer.whatwg.org.conf b/debian/marquee/apache/sites/developer.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/developers.whatwg.org.conf b/debian/marquee/apache/sites/developers.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/dom.spec.whatwg.org.conf b/debian/marquee/apache/sites/dom.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/domparsing.spec.whatwg.org.conf b/debian/marquee/apache/sites/domparsing.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/fetch.spec.whatwg.org.conf b/debian/marquee/apache/sites/fetch.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/figures.idea.whatwg.org.conf b/debian/marquee/apache/sites/figures.idea.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/figures.spec.whatwg.org.conf b/debian/marquee/apache/sites/figures.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/fullscreen.spec.whatwg.org.conf b/debian/marquee/apache/sites/fullscreen.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/help.whatwg.org.conf b/debian/marquee/apache/sites/help.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/html-differences.whatwg.org.conf b/debian/marquee/apache/sites/html-differences.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/idea.whatwg.org.conf b/debian/marquee/apache/sites/idea.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/images.whatwg.org.conf b/debian/marquee/apache/sites/images.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/infra.spec.whatwg.org.conf b/debian/marquee/apache/sites/infra.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/javascript.spec.whatwg.org.conf b/debian/marquee/apache/sites/javascript.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/mediasession.spec.whatwg.org.conf b/debian/marquee/apache/sites/mediasession.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/n.whatwg.org.conf b/debian/marquee/apache/sites/n.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/notifications.spec.whatwg.org.conf b/debian/marquee/apache/sites/notifications.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/quirks.spec.whatwg.org.conf b/debian/marquee/apache/sites/quirks.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/resources.whatwg.org.conf b/debian/marquee/apache/sites/resources.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/spec.whatwg.org.conf b/debian/marquee/apache/sites/spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/specs.whatwg.org.conf b/debian/marquee/apache/sites/specs.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/svn.whatwg.org.conf b/debian/marquee/apache/sites/svn.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/validator.whatwg.org.conf b/debian/marquee/apache/sites/validator.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/webvtt.spec.whatwg.org.conf b/debian/marquee/apache/sites/webvtt.spec.whatwg.org.conf
diff --git a/debian/marquee/apache/sites/xn--7ca.whatwg.org.conf b/debian/marquee/apache/sites/xn--7ca.whatwg.org.conf
diff --git a/debian/marquee/nginx/conf/http.conf b/debian/marquee/nginx/conf/http.conf
@@ -0,0 +1,11 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root /var/www/http;
+    location ^~ /.well-known/acme-challenge/ {
+        default_type application/jose+json;
+    }
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
diff --git a/debian/marquee/nginx/conf/whatwg-headers.conf b/debian/marquee/nginx/conf/whatwg-headers.conf
@@ -0,0 +1,3 @@
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";