add ssl cert

2024-12-27 23:51:47 +00:00 · 2017-11-25 12:30:00 +08:00 · 2017-11-25 12:30:00 +08:00 · cf40deb97c
commit cf40deb97c
parent 6d08011e2d
8 changed files with 93 additions and 75 deletions
--- a/.gitignore
+++ b/.gitignore
@ -61,8 +61,8 @@ custom_settings.py

 data/log/*
 !data/log/.gitkeep
-data/testcase/*
-!data/testcase/.gitkeep
+data/test_case/*
+!data/test_case/.gitkeep
 data/ssl/*
 !data/ssl/.gitkeep
 data/static/upload/*
--- a/data/test_case/.gitkeep
+++ b/data/test_case/.gitkeep
--- a/deploy/nginx/common.conf
+++ b/deploy/nginx/common.conf
@ -0,0 +1,20 @@
+location /public {
+    root /app/data;
+}
+
+location /api {
+    proxy_pass http://backend;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $http_host;
+    client_max_body_size 200M;
+}
+
+location /admin {
+    root /app/dist/admin;
+    try_files $uri $uri/ /index.html =404;
+}
+
+location / {
+    root /app/dist;
+    try_files $uri $uri/ /index.html =404;
+}
--- a/deploy/nginx/nginx.conf
+++ b/deploy/nginx/nginx.conf
@ -0,0 +1,56 @@
+user nobody;
+daemon off;
+pid /tmp/nginx.pid;
+worker_processes auto;
+pcre_jit on;
+error_log /data/log/nginx_error.log warn;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+	server_tokens off;
+	keepalive_timeout 65;
+	sendfile on;
+	tcp_nodelay on;
+
+	gzip on;
+	gzip_vary on;
+	gzip_types application/javascript text/css;
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /data/log/nginx_access.log main;
+
+    upstream backend {
+        server 127.0.0.1:8080;
+        keepalive 32;
+    }
+
+    server {
+        listen 8000 default_server;
+        server_name _;
+
+        include common.conf;
+    }
+
+    server {
+        listen 1443 ssl http2 default_server;
+        server_name _;
+        ssl_certificate /data/ssl/server.crt;
+        ssl_certificate_key /data/ssl/server.key;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+
+        include common.conf;
+    }
+
+}
+
--- a/deploy/oj.conf
+++ b/deploy/oj.conf
@ -1,62 +0,0 @@
-user nobody;
-daemon off;
-pid /tmp/nginx.pid;
-worker_processes auto;
-pcre_jit on;
-error_log /data/log/nginx_error.log warn;
-
-events {
-	worker_connections 1024;
-}
-
-http {
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-	server_tokens off;
-	keepalive_timeout 65;
-	sendfile on;
-	tcp_nodelay on;
-
-	gzip on;
-	gzip_vary on;
-
-	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-			'$status $body_bytes_sent "$http_referer" '
-			'"$http_user_agent" "$http_x_forwarded_for"';
-
-	access_log /app/data/log/nginx_access.log main;
-
-    upstream backend {
-        server 127.0.0.1:8080;
-        keepalive 32;
-    }
-
-    server {
-        listen 8000 default_server;
-        server_name _;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Host $http_host;
-        client_max_body_size 200M;
-
-        location /public {
-            root /app/data;
-        }
-
-        location /api {
-            proxy_pass http://backend;
-            proxy_set_header Host $host;
-        }
-
-        location /admin {
-            root /app/dist/admin;
-            try_files $uri $uri/ /index.html =404;
-        }
-
-        location / {
-            root /app/dist;
-            try_files $uri $uri/ /index.html =404;
-        }
-    }
-
-}
-
--- a/deploy/run.sh
+++ b/deploy/run.sh
@ -1,15 +1,21 @@
 #!/bin/bash

-BASE=/app
-DATA=$BASE/data
+APP=/app
+DATA=/data

-if [ ! -f "$BASE/oj/custom_settings.py" ]; then
-    echo SECRET_KEY=\"$(cat /dev/urandom | head -1 | md5sum | head -c 32)\" >> $BASE/oj/custom_settings.py
+if [ ! -f "$APP/oj/custom_settings.py" ]; then
+    echo SECRET_KEY=\"$(cat /dev/urandom | head -1 | md5sum | head -c 32)\" >> $APP/oj/custom_settings.py
 fi

-mkdir -p $DATA/log $DATA/testcase $DATA/public/upload
+mkdir -p $DATA/log $DATA/ssl $DATA/test_case $DATA/public/upload

-cd $BASE
+SSL="$DATA/ssl"
+if [ ! -f "$SSL/server.key" ]; then
+    openssl req -x509 -newkey rsa:2048 -keyout "$SSL/server.key" -out "$SSL/server.crt" -days 1000 \
+        -subj "/C=CN/ST=Beijing/L=Beijing/O=Beijing OnlineJudge Technology Co., Ltd./OU=Service Infrastructure Department/CN=`hostname`" -nodes
+fi
+
+cd $APP

 n=0
 while [ $n -lt 5 ]
@ -22,7 +28,5 @@ do
    sleep 8
 done

-cp $BASE/deploy/oj.conf /etc/nginx/conf.d/default.conf
-
-chown -R nobody:nogroup $DATA $BASE/dist
+chown -R nobody:nogroup $DATA $APP/dist
 exec supervisord -c /app/deploy/supervisor.conf
--- a/deploy/supervisor.conf
+++ b/deploy/supervisor.conf
@ -11,7 +11,7 @@ childlogdir=/app/data/log/
 serverurl=unix:///tmp/supervisor.sock

 [program:nginx]
-command=nginx -c /app/deploy/oj.conf
+command=nginx -c /app/deploy/nginx/nginx.conf
 directory=/app/
 stdout_logfile=/app/data/log/nginx.log
 stderr_logfile=/app/data/log/nginx.log
--- a/oj/settings.py
+++ b/oj/settings.py
@ -113,7 +113,7 @@ STATIC_URL = '/storage/'

 AUTH_USER_MODEL = 'account.User'

-TEST_CASE_DIR = os.path.join(DATA_DIR, "testcase")
+TEST_CASE_DIR = os.path.join(DATA_DIR, "test_case")
 LOG_PATH = os.path.join(DATA_DIR, "log")

 AVATAR_URI_PREFIX = "/public/avatar"