Met à jour la doc par rapport à la prod

doc/Makefile

@@ -191,6 +191,7 @@ update-configs:
 	scp zestedesavoir.com:/etc/systemd/system/zds.socket source/install/configs/
 	scp zestedesavoir.com:/etc/systemd/system/solr.service source/install/configs/
 	scp zestedesavoir.com:/etc/mysql/my.cnf source/install/configs/
+	scp -r zestedesavoir.com:/etc/mysql/conf.d source/install/configs/
 	# clean all secrets
 	ssh zestedesavoir.com 'cat /opt/zds/zds-site/zds/settings_prod.py' | \
 	gsed "s/'PASSWORD':\(.*\),/'PASSWORD':\ 'to-fill',/" | \
@@ -201,5 +202,5 @@ update-configs:
 	gsed "s/RECAPTCHA_[^U]\(.*\)=\(.*\)/RECAPTCHA_\1= 'to-fill'/" | \
 	gsed "s/ZDS_APP\['site'\]\['google\(.*\)=\(.*\)/ZDS_APP\['site'\]\['google\1= 'to-fill'/" \
 	> source/install/configs/settings_prod.py
-	echo "Vérifiez manuellement les fichiers avec `git add --all --patch`"
-	echo "pour vous assurer qu'aucun 'secret' ne sera commité!"
+	echo "Vérifiez manuellement les fichiers avec \`git add --all --patch\`"
+	echo "pour vous assurer qu'aucun 'secret' ne sera commité\!"

doc/source/back-end-code/tutorialv2.rst

@@ -72,5 +72,5 @@ Les utilitaires (``utils.py``)
 Les utilitaires de publication (``publication_utils.py``)
 =========================================================
 
-.. automodule:: zds.tutorialv2.publication_utils.py
+.. automodule:: zds.tutorialv2.publication_utils
     :members:

doc/source/install/configs/conf.d/my.cnf

@@ -0,0 +1,141 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port            = 3306
+socket          = /var/run/mysqld/mysqld.sock
+default-character-set = utf8mb4
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket          = /var/run/mysqld/mysqld.sock
+nice            = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user            = mysql
+pid-file        = /var/run/mysqld/mysqld.pid
+socket          = /var/run/mysqld/mysqld.sock
+port            = 3306
+basedir         = /usr
+datadir         = /var/lib/mysql
+tmpdir          = /tmp
+lc-messages-dir = /usr/share/mysql
+skip-external-locking
+skip-name-resolve
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address            = 127.0.0.1
+#
+# * Fine Tuning
+#
+key_buffer              = 16M
+max_allowed_packet      = 16M
+thread_stack            = 256K
+thread_cache_size       = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover         = BACKUP
+max_connections        = 60
+#table_cache            = 64
+#thread_concurrency     = 10
+#
+# * Query Cache Configuration
+#
+# query_cache_limit       = 1M
+
+query_cache_size = 256M
+query_cache_type = 1
+query_cache_limit = 512K
+query_cache_min_res_unit = 512
+
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file        = /var/log/mysql/mysql.log
+#general_log             = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Here you can see queries with especially long duration
+slow_query_log_file = /var/log/mysql/mysql-slow.log
+slow_query_log = 1
+long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+#       other settings you may need to change.
+#server-id              = 1
+#log_bin                        = /var/log/mysql/mysql-bin.log
+expire_logs_days        = 10
+max_binlog_size         = 100M
+#binlog_do_db           = include_database_name
+#binlog_ignore_db       = include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+innodb_file_per_table=on
+innodb_file_format=barracuda
+innodb_large_prefix=on
+innodb_buffer_pool_size=2G
+innodb_buffer_pool_instances=1
+tmp_table_size=128M
+max_heap_table_size=128M
+sort_buffer_size=4M
+join_buffer_size=256K
+character-set-client-handshake = FALSE
+character-set-server = utf8mb4
+collation-server = utf8mb4_unicode_ci
+
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet      = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer_size              = 16M
+

doc/source/install/configs/conf.d/mysql.cnf

@@ -0,0 +1,2 @@
+[mysql]
+default-character-set = utf8mb4

doc/source/install/configs/conf.d/mysqld_safe_syslog.cnf

@@ -0,0 +1,2 @@
+[mysqld_safe]
+syslog

doc/source/install/configs/conf.d/mysqldump.cnf

@@ -0,0 +1,4 @@
+[mysqldump]
+quick
+quote-names
+max_allowed_packet	= 16M

doc/source/install/configs/my.cnf

@@ -12,123 +12,10 @@
 # For explanations see
 # http://dev.mysql.com/doc/mysql/en/server-system-variables.html
 
-# This will be passed to all mysql clients
-# It has been reported that passwords should be enclosed with ticks/quotes
-# escpecially if they contain "#" chars...
-# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
-[client]
-port		= 3306
-socket		= /var/run/mysqld/mysqld.sock
-
-# Here is entries for some specific programs
-# The following values assume you have at least 32M ram
-
-# This was formally known as [safe_mysqld]. Both versions are currently parsed.
-[mysqld_safe]
-socket		= /var/run/mysqld/mysqld.sock
-nice		= 0
-
-[mysqld]
-#
-# * Basic Settings
-#
-user		= mysql
-pid-file	= /var/run/mysqld/mysqld.pid
-socket		= /var/run/mysqld/mysqld.sock
-port		= 3306
-basedir		= /usr
-datadir		= /var/lib/mysql
-tmpdir		= /tmp
-lc-messages-dir	= /usr/share/mysql
-skip-external-locking
-#
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
-#
-# * Fine Tuning
-#
-key_buffer		= 16M
-max_allowed_packet	= 16M
-query_cache_size	= 256K
-sort_buffer_size	= 4M
-thread_stack		= 192K
-thread_cache_size       = 8
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched
-myisam-recover         = BACKUP
-max_connections        = 60
-#table_cache            = 64
-#thread_concurrency     = 10
-#
-# * Query Cache Configuration
-#
-query_cache_min_res_unit = 512
-query_cache_limit	= 16M
-query_cache_size        = 256M
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file        = /var/log/mysql/mysql.log
-#general_log             = 1
-#
-# Error log - should be very few entries.
-#
-log_error = /var/log/mysql/error.log
-#
-# Here you can see queries with especially long duration
-slow_query_log_file = /var/log/mysql/mysql-slow.log
-slow_query_log      = 1
-long_query_time = 2
-log_queries_not_using_indexes
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id		= 1
-#log_bin			= /var/log/mysql/mysql-bin.log
-expire_logs_days	= 10
-max_binlog_size         = 100M
-#binlog_do_db		= include_database_name
-#binlog_ignore_db	= include_database_name
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-innodb_buffer_pool_size	= 512M
-# innodb_force_recovery = 6
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
-#
-# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
-#
-# ssl-ca=/etc/mysql/cacert.pem
-# ssl-cert=/etc/mysql/server-cert.pem
-# ssl-key=/etc/mysql/server-key.pem
-
-
-
-[mysqldump]
-quick
-quote-names
-max_allowed_packet	= 16M
-
-[mysql]
-#no-auto-rehash	# faster start of mysql but no tab completition
-
-[isamchk]
-key_buffer		= 16M
-
 #
 # * IMPORTANT: Additional settings that can override those from this file!
 #   The files must end with '.cnf', otherwise they'll be ignored.
 #
-!includedir /etc/mysql/conf.d/
 
+!includedir /etc/mysql/conf.d/
+!includedir /etc/mysql/mysql.conf.d/

doc/source/install/configs/nginx/sites-available/prod-redirect

@@ -1,8 +1,8 @@
 server {
 	listen 80;
 	listen [::]:80;
-	listen 443 ssl spdy;
-	listen [::]:443 ssl spdy;
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
 	server_name
 		www.zestedesavoir.com
 		ftp.zestedesavoir.com

doc/source/install/configs/nginx/sites-available/zestedesavoir

@@ -23,6 +23,7 @@ server {
 
 	ssl_certificate /etc/letsencrypt/live/zestedesavoir.com/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/zestedesavoir.com/privkey.pem;
+	include snippets/ssl.conf;
 
 	# Logging
 	access_log /var/log/zds/nginx-access.log;

doc/source/install/configs/nginx/snippets/ssl.conf

@@ -1,7 +1,17 @@
 # SSL configuration
 ssl_session_timeout 1d;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 ssl_prefer_server_ciphers on;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
 ssl_dhparam /etc/ssl/dhparam.pem;
+
+# Hardening security settings
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Xss-Protection "1" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options SAMEORIGIN;
+