Configure nginx, matching current Apache config #8
Conversation
debian/marquee/03-nginx-conf
Outdated
| @@ -0,0 +1,16 @@ | |||
| #!/bin/bash -e | |||
There was a problem hiding this comment.
Can you delete all the apache files and renumber these? They're in git history if we want to go back. certbot will need some tweaking. On bgsound I have mkdir -p /var/www/http/.well-known/acme-challenge/ in 00-nginx-conf and certbot certonly -n --agree-tos --webroot -m admin@whatwg.org -d $domain -w /var/www/http in 01-certbot. There will be a TODO about reloading nginx when new certs are issued too.
debian/marquee/03-nginx-conf
Outdated
| chown -R deploy:deploy /var/www | ||
| rm -rf /var/www/html | ||
|
|
||
| /usr/sbin/nginx -t |
There was a problem hiding this comment.
/usr/sbin/nginx -t
why is the path needed?
Not needed—I’ll change it to just nginx
debian/marquee/03-nginx-conf
Outdated
| rm -rf /var/www/html | ||
|
|
||
| /usr/sbin/nginx -t | ||
| systemctl start nginx.service |
There was a problem hiding this comment.
It will be running after the install, so restart. And is this different from nginx -s reload?
There was a problem hiding this comment.
It will be running after the install, so restart.
OK
And is this different from
nginx -s reload?
Yes, reload causes it to just re-read/re-evaluate the config, without restarting. But if nginx is for some reason not running at the point, then reload won’t start it but I guess will just fail.
But even if nginx is stopped restart will cause it start (after loading the config).
So it seems like restart is what we do want here, right?
There was a problem hiding this comment.
Yes, nginx -s reload fails with nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory) if it's not running. I found sudo systemctl reload-or-restart nginx.service which seems to work even if not running, and with any luck it'll reload when possible. I'm guessing that'll avoid dropping ongoing connections.
debian/marquee/04-nginx-sites
Outdated
| cp nginx/sites/*.conf /etc/nginx/sites-available/ | ||
|
|
||
| for domain in `cat DOMAINS | tr , ' '`; do | ||
| ln -s /etc/nginx/sites-available/$domain.conf /etc/nginx/sites-enabled/ |
There was a problem hiding this comment.
This is nicer than what I'd been doing, thanks!
debian/marquee/04-nginx-sites
Outdated
| ln -s /etc/nginx/sites-available/$domain.conf /etc/nginx/sites-enabled/ | ||
| done | ||
|
|
||
| /usr/sbin/nginx -t |
There was a problem hiding this comment.
/usr/sbin/nginx -t
Ditto questions.
Changed to just nginx and restart there too
debian/marquee/nginx/conf/http.conf
Outdated
| server { | ||
| listen 80 default_server; | ||
| listen [::]:80 default_server; | ||
| server_name _; |
There was a problem hiding this comment.
server_name _;
Is this needed?
I’m actually not sure. The nginx docs say:
If no server_name is defined in a server block then nginx uses the empty name as the server name.
So I’ve always the convention of setting the name to _ and can say from experience I know that’s never caused any problems—but can’t say I know from experience I know that leaving it unset so the “empty name” gets used doesn’t cause any problems.
But anyway I’ll test it and see.
There was a problem hiding this comment.
server_name _;
Is this needed?
I’ll test it and see.
I’ve now tested and can’t find that it causes any problems. From reading the docs and thinking about it, I guess the only thing it would ever affect is requests that don’t send the Host header. So that’s something we don’t need to care about anyway—since no browsers ever do that, and it’s non-conforming anyway (in HTTP 1.1 and 2 at least). And nginx itself rejects such requests with a 400 Bad Request before ever evaluating against the config.
There was a problem hiding this comment.
Keeping this or omitting it is fine, whatever you think is clearer.
debian/marquee/nginx/conf/http.conf
Outdated
| listen 80 default_server; | ||
| listen [::]:80 default_server; | ||
| server_name _; | ||
| return 301 https://$host$request_uri; |
There was a problem hiding this comment.
To make the webroot certbot thing work, we'll need:
location ^~ /.well-known/acme-challenge/ {
default_type application/jose+json;
}
location / {
return 301 https://$host$request_uri;
}
There was a problem hiding this comment.
Wait, we don't redirect other URLs than / or does this mean something else?
There was a problem hiding this comment.
Documentation is at http://nginx.org/en/docs/http/ngx_http_core_module.html#location, didn't actually read it, but this syntax amounts to a prefix match, not an exact match.
There was a problem hiding this comment.
To make the webroot certbot thing work, we'll need:
location ^~ /.well-known/acme-challenge/ { default_type application/jose+json; } location / { return 301 https://$host$request_uri; }
OK, added
| @@ -0,0 +1,13 @@ | |||
| server { | |||
| listen 443 ssl http2; | |||
| listen [::]:443 ssl http2; | |||
There was a problem hiding this comment.
Can we move these to whatwg.conf?
There was a problem hiding this comment.
Or http.conf? What's the difference between http and whatwg?
There was a problem hiding this comment.
I think http.conf is for not-HTTPS.
There was a problem hiding this comment.
listen 443 ssl http2;
listen [::]:443 ssl http2;
Can we move these to whatwg.conf?
No we can’t. Each server block needs to have its own listen directive; otherwise the server gets defaulted to port 80:
https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
If the directive is not present then either *:80 is used if nginx runs with the superuser privileges, or *:8000 otherwise.
By default, any server block that does not include a listen directive is given the listen parameters of
0.0.0.0:80(or0.0.0.0:8080if Nginx is being run by a normal, non-root user).
And there’s no config option to override that; it’s hardcoded into the nginx sources:
There was a problem hiding this comment.
Or http.conf? What's the difference between http and whatwg?
I think http.conf is for not-HTTPS.
Yeah, the only purpose of http.conf is just to redirect non-HTTPS to HTTPS.
But as far as why both http.conf and whatwg.conf are needed: because http.conf gets put into the /etc/nginx/conf.d directory, and anything that’s put there gets included once in the main top-level nginx http {…} block. But the stuff in whatwg.conf needs to get included into multiple places, in the server {…} blocks for each virtual server (domain).
There was a problem hiding this comment.
Each server block needs to have its own listen directive
Huh, and including such a directive via include doesn't mean "having" it?
There was a problem hiding this comment.
Each server block needs to have its own listen directive
Huh, and including such a directive via
includedoesn't mean "having" it?
Ah, I hadn’t thought about just putting it in whatwg.conf. But I’ve now moved it there and it works find that way, so I’ll commit that change—thanks
There was a problem hiding this comment.
Did that work out, can you push those changes?
There was a problem hiding this comment.
Did that work out, can you push those changes?
It did work, and I’ve now pushed the changes I‘ve made so far. I will wrap up the rest and push them later today.
| server_name books.spec.whatwg.org; | ||
|
|
||
| ssl_certificate /etc/letsencrypt/live/books.spec.whatwg.org/fullchain.pem; | ||
| ssl_certificate_key /etc/letsencrypt/live/books.spec.whatwg.org/privkey.pem; |
There was a problem hiding this comment.
Could we move these to whatwg.conf and use some kind of templating to determine the file name?
There was a problem hiding this comment.
ssl_certificate /etc/letsencrypt/live/books.spec.whatwg.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/books.spec.whatwg.org/privkey.pem;
Could we move these to whatwg.conf and use some kind of templating to determine the file name?
No, because nginx doesn’t itself have any kind of templating mechanism or static macros for use in config files. So I think the only way to do that would be to use a runtime variable in the ssl_certificate and ssl_certificate_key values—specifically, $server_name —if that even worked, which it doesn’t.
To confirm that, I tried putting ssl_certificate /etc/letsencrypt/live/${server_name}/fullchain.pem and ssl_certificate_key /etc/letsencrypt/live/${server_name/privkey.pem in whatwg.conf and removing from all the sites/*.conf files. That caused nginx to fail at startup with BIO_new_file("/etc/letsencrypt/live/${server_name}/fullchain.pem").
Because nginx evaluates that value statically at startup, I guess at that point ${server_name} is undefined or null, since it’s something that only gets set at runtime.
But even if it worked, I think the problem there is that it would be expensive in that nginx variables are basically all runtime variables that require a lookup per-request.
The nginx docs have an FAQ that discusses the general issue:
There was a problem hiding this comment.
Ah, great, thanks for the education!
It does make me think we should perhaps be generating these files using some templating system, but we can do that later, if ever. Not a big deal for now.
There was a problem hiding this comment.
It does make me think we should perhaps be generating these files using some templating system
Agreed, that would be better for maintenance
but we can do that later, if ever. Not a big deal for now.
Yeah, I think once we finally have all the domains moved over, we can go and back and set something up that we can design and test with all cases as a complete set
debian/marquee/03-nginx-conf
Outdated
|
|
||
| apt install nginx | ||
|
|
||
| # a2dissite doesn't work if nothing is enabled |
There was a problem hiding this comment.
This comment was for the apache config, left behind.
debian/marquee/03-nginx-conf
Outdated
| # a2dissite doesn't work if nothing is enabled | ||
| rm -f /etc/nginx/sites-enabled/* | ||
|
|
||
| cp -p nginx/conf/http.conf /etc/nginx/conf.d/ |
There was a problem hiding this comment.
Why preserve ownership etc.? Isn't it better if these files are owned by root?
There was a problem hiding this comment.
cp -p nginx/conf/http.conf /etc/nginx/conf.d/
Why preserve ownership etc.?
No good reason. Will drop the -p
Isn't it better if these files are owned by root?
yes
debian/marquee/03-nginx-conf
Outdated
| rm -rf /var/www/html | ||
|
|
||
| /usr/sbin/nginx -t | ||
| systemctl start nginx.service |
There was a problem hiding this comment.
Yes, nginx -s reload fails with nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory) if it's not running. I found sudo systemctl reload-or-restart nginx.service which seems to work even if not running, and with any luck it'll reload when possible. I'm guessing that'll avoid dropping ongoing connections.
debian/marquee/nginx/conf/http.conf
Outdated
| server { | ||
| listen 80 default_server; | ||
| listen [::]:80 default_server; | ||
| server_name _; |
There was a problem hiding this comment.
Keeping this or omitting it is fine, whatever you think is clearer.
debian/marquee/nginx/conf/http.conf
Outdated
| listen 80 default_server; | ||
| listen [::]:80 default_server; | ||
| server_name _; | ||
| return 301 https://$host$request_uri; |
There was a problem hiding this comment.
Documentation is at http://nginx.org/en/docs/http/ngx_http_core_module.html#location, didn't actually read it, but this syntax amounts to a prefix match, not an exact match.
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://books.idea.whatwg.org$request_uri; |
There was a problem hiding this comment.
For idea↔spec redirects I think we should use HTTP 302, as 301 may be cached, and we might move things between. This was a bit of a nuisance with https://whatwg.org/faq.
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://figures.idea.whatwg.org$request_uri; |
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://w3c.github.io/DOM-Parsing$request_uri; |
There was a problem hiding this comment.
Hmm, this matches the apache config, but maybe we should omit $request_uri, as basically nothing in https://github.com/whatwg/domparsing exists in https://github.com/w3c/DOM-Parsing
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://html.spec.whatwg.org/dev; |
There was a problem hiding this comment.
Add a slash to avoid another redirect.
| ssl_certificate /etc/letsencrypt/live/fetch.spec.whatwg.org/fullchain.pem; | ||
| ssl_certificate_key /etc/letsencrypt/live/fetch.spec.whatwg.org/privkey.pem; | ||
|
|
||
| include /etc/nginx/whatwg.conf; |
There was a problem hiding this comment.
https://fetch.spec.whatwg.org/commit-snapshots/ is now 403 forbidden but wasn't before. @domenic, does it matter?
There was a problem hiding this comment.
I browse that directory index pretty often for the various specs; it would be nice to have one if nginx has that feature.
There was a problem hiding this comment.
@sideshowbarker, maybe a whatwg-spec.conf that does the extra things?
There was a problem hiding this comment.
Yeah, we should have a directory listing of sorts.
There was a problem hiding this comment.
https://fetch.spec.whatwg.org/commit-snapshots/ is now 403 forbidden but wasn't before. @domenic, does it matter?
I browse that directory index pretty often for the various specs; it would be nice to have one if nginx has that feature
OK, fixed that and now all /commit-snapshots paths are browsable.
| autoindex_exact_size off; | ||
| } | ||
|
|
||
| rewrite /work https://html.spec.whatwg.org/multipage/microdata.html#licensing-works; |
There was a problem hiding this comment.
https://n.whatwg.org/workz and https://n.whatwg.org/bla/work are also redirected with this. I guess that's harmless, but maybe ^/work$ or a location = /work { return ... } would be better?
There was a problem hiding this comment.
Yeah, this should be location most likely. We don't want to redirect all the things.
There was a problem hiding this comment.
https://n.whatwg.org/workz and https://n.whatwg.org/bla/work are also redirected with this. I guess that's harmless, but maybe
^/work$or alocation = /work { return ... }would be better?Yeah, this should be location most likely. We don't want to redirect all the things.
OK, fixed.
|
@sideshowbarker, can you make sure 6b72735 (mimesniff and xhr) are also included? Those should be the last of the current "easy" ones, the rest have something special about deploy to resolve first. |
|
@sideshowbarker, https://resources.whatwg.org/fonts/README.md now has the wrong content-type, application/octet-stream. |
This replaces the ssl_ciphers value with the current value from using “Modern” at https://mozilla.github.io/server-side-tls/ssl-config-generator/
Untested. @foolip please make sure this is what it should be.
See https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires Because `expires max` auto-sets Cache-Control to 10 years, we shouldn’t set an explicit Cache-Control too—because that ends up causing nginx to send two Cache-Control headers.
Yup, added |
Yeah, see https://github.com/nginx/nginx/blob/master/conf/mime.types. Apparently, by default nginx doesn’t recognize So, added a mapping in |
|
OK, I’ve responded to all review comments here—so please re-review and merge if there are no new changes needed. I think #8 (comment) (what cache headers+values we should send) is the only remaining thing from the review comments here that might still require further changes. And I’ve raised #10 for that, so if there are no new changes needed for anything else here otherwise, I suggest that we not block on that caching question but instead go ahead and merge this. |
This overrides 03acfb9 to replaces the ssl_ciphers value with the current value from using “Intermediate” at https://mozilla.github.io/server-side-tls/ssl-config-generator/ instead of “Modern”—because using the “Modern” ssl_ciphers value also apparently disable both TLSv1.1 and TLSv1.0 (which it’s not clear we agree we want to do yet).
OK—thanks for finding that, switched to using it
I thought a plain |
Could be, I haven't done any testing. |
That was about http.conf, and I think that's fine. |
debian/marquee/00-nginx-conf
Outdated
| chown -R deploy:deploy /var/www | ||
| rm -rf /var/www/html | ||
|
|
||
| mkdir -p /var/www/http/.well-known/acme-challenge |
There was a problem hiding this comment.
I was going to say put this before the chown, but maybe it's just as well that it's after so that only root can create files there? On marquee it's currently owned by the deploy user, so one needs to change.
There was a problem hiding this comment.
I was going to say put this before the
chown, but maybe it's just as well that it's after so that only root can create files there? On marquee it's currently owned by the deploy user, so one needs to change.
I’ve moved it before the chown. It doesn’t seem like having only root be able to create files there needs to be a big concern
debian/marquee/01-certbot
Outdated
| @@ -2,6 +2,6 @@ | |||
|
|
|||
| apt install certbot python-certbot-apache | |||
|
|
|||
| for domains in `cat DOMAINS`; do | |||
| certbot certonly -n --apache --agree-tos -m admin@whatwg.org -d $domains | |||
| for domain in `cat DOMAINS`; do | |||
There was a problem hiding this comment.
This should actually be plural, because it can be a value like "whatwg.org,www.whatwg.org" and documentation says "-d DOMAINS Comma-separated list of domains to obtain a cert for"
debian/marquee/01-certbot
Outdated
| @@ -2,6 +2,6 @@ | |||
|
|
|||
| apt install certbot python-certbot-apache | |||
There was a problem hiding this comment.
Drop python-certbot-apache. Also rebase and rm -rf debian/marquee/apache/, some things are still left.
|
|
||
| include whatwg-headers.conf; | ||
|
|
||
| location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ { |
There was a problem hiding this comment.
Thanks, let's figure it out separately.
| include whatwg-headers.conf; | ||
| } | ||
|
|
||
| location /commit-snapshots { |
| autoindex_exact_size off; | ||
| } | ||
|
|
||
| include mime.types; |
There was a problem hiding this comment.
Can you add a comment about why this is necessary given that it's also included in the main nginx.conf?
|
|
||
| include mime.types; | ||
| types { | ||
| text/plain md; |
There was a problem hiding this comment.
I ran find *whatwg.org -type f -name '*.*' | sed 's#.*/##' | sed 's/.*[.]//' | sort | uniq on the existing servers and found these file extensions:
appcache
cgi
css
gif
gz
htaccess (ignore)
html
ico
include (ignore)
jpeg
jpg
js
json
map
md
mp4
ogv
old
pdf
png
sh
svg
swp
ttf
txt
woff
woff2
xml
zip
Can you check that all of these have the correct type still?
(Also looked for extension-less files, updated description of #7 to not forget them. There are none affected by this PR.)
There was a problem hiding this comment.
I ran
find *whatwg.org -type f -name '*.*' | sed 's#.*/##' | sed 's/.*[.]//' | sort | uniqon the existing servers and found these file extensions:
…
Can you check that all of these have the correct type still?
OK, I went through and checked all those and added any that were missing.
Some comment and questions:
cgi
We don’t need anything for .cgi, right?
map
What is that?
ogv
Added video/ogg per https://www.iana.org/assignments/media-types/video/ogg
old
What is that?
swp
Don’t think we need that :)
ttf
Added font/ttf per https://www.iana.org/assignments/media-types/font/ttf
woff2
Added font/woff2 per https://www.iana.org/assignments/media-types/font/woff2
ttf, woff2, and ogv lack mappings in /etc/apache2/mods-available/mime.conf too, so I left comments in whatwg.conf to make it clear where the mappings come from
In d5dd1f6 I’ve removed that one ad-hoc thing I had there that was adding |
See mozilla/server-side-tls#135 > proper rotation of session ticket encryption key is not > implemented in nignx or Apache. Thus it is easier to recommend against > its use that suggest use of 3rd party software to fix it. > The problem is not that they are insecure, or that they can't be made > secure. The problem is that the way they are commonly implemented means > that you don't provide forward secrecy if you use them - all encryption > keys are ultimately encrypted with just one encryption key - the session > ticket key. > > see here for more in-depth explanation: > https://www.imperialviolet.org/2013/06/27/botchingpfs.ht
If we do change to Modern, then we should also remember to remove the Because with the Modern settings, that won’t be used at all any longer, so we could just drop it. |
This change sets ssl_session_timeout & ssl_session_cache to the values recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/ But I’m not sure what the rationale for those recommended values is, so I’ve also raised mozilla/server-side-tls#198 in hopes of getting an explanation.
|
I’ve changed |
|
FWIW, I think we should err on the side of supporter older clients (keeping TLSv1) when we're just serving static content, can we have an issue about that change and start out matching the current config? |
|
I guess we can start out conservative, sure. My main argument for going with TLSv12 only is that we're supposed to set an example and I'd expect all our end users to have modern hardware and software. |
| gzip_comp_level 6; | ||
| gzip_buffers 16 8k; | ||
| gzip_http_version 1.1; | ||
| gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml image/svg+xml application/xml+rss text/javascript; |
There was a problem hiding this comment.
Remove application/x-javascript as we don't care for it?
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://github.com/tc39/ecma262/labels/web%20reality; |
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://w3c.github.io/DOM-Parsing/; |
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://wicg.github.io/mediasession/; |
|
|
||
| include /etc/nginx/whatwg.conf; | ||
|
|
||
| return 301 https://w3c.github.io/webvtt$request_uri; |
|
|
||
| include whatwg-headers.conf; | ||
|
|
||
| location /commit-snapshots { |
There was a problem hiding this comment.
Previous comment has been collapsed, so: branch-snapshots too.
| } | ||
| location / { | ||
| return 301 https://$host$request_uri; | ||
| } |
There was a problem hiding this comment.
Oops, an important detail is missing here:
root /var/www/http;
Had to put that on marquee to get a new cert.
No description provided.