[OpenSRF-GIT] OpenSRF branch master updated. 1423787b6076daeb18176e907b1ed307255ffbcb

Evergreen Git git at git.evergreen-ils.org
Mon Nov 5 11:14:37 EST 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSRF".

The branch, master has been updated
       via  1423787b6076daeb18176e907b1ed307255ffbcb (commit)
       via  3db305ba4329b4c93d16b03800755d5807de4de0 (commit)
      from  5c803ae4550bf0e4a992c217baeaffabee30c45a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1423787b6076daeb18176e907b1ed307255ffbcb
Author: Bill Erickson <berickxx at gmail.com>
Date:   Thu Sep 13 13:08:37 2018 -0400

    LP#1711145 NGINX sample websocketd configs
    
    Signed-off-by: Bill Erickson <berickxx at gmail.com>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/examples/nginx/osrf-ws-http-proxy b/examples/nginx/osrf-ws-http-proxy
index 622e8ea..db2e6e2 100644
--- a/examples/nginx/osrf-ws-http-proxy
+++ b/examples/nginx/osrf-ws-http-proxy
@@ -63,7 +63,16 @@ server {
     }
 
     location /osrf-websocket-translator {
+
+        # apache2-websockets:
+        # Defaults to HTTPS with or without a proxy.
         proxy_pass https://localhost:7682;
+
+        # websocketd:
+        # websocketd may be run with or without SSL.  When used with
+        # NGINX, the assumption is it runs w/o SSL.  Change to taste.
+        #proxy_pass http://localhost:7682;
+
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
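Review bot: The apache2-websockets comment above `proxy_pass https://localhost:7682;` describes the upstream as HTTPS but does not say that nginx, absent a `proxy_ssl_verify on;` directive, accepts any certificate on that hop, so the TLS on this leg provides confidentiality on loopback but no upstream authentication. Since both alternatives here assume a loopback upstream, a one-line comment makes that explicit for anyone who later points `proxy_pass` at another host: `# NOTE: nginx does not verify the upstream certificate unless proxy_ssl_verify is enabled; acceptable only while the upstream stays on loopback.` It may also be worth noting that this location, unlike `location /` in the same file, sets no `proxy_set_header Host $host;`, though that line is outside the hunk and may be intentional. The enclosing `location /osrf-websocket-translator` block continues into the next hunk.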
@@ -72,12 +81,20 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # Raise the default nginx proxy timeout values to an arbitrarily
-        # high value so that we can leverage osrf-websocket-translator's 
-        # timeout settings.
         proxy_connect_timeout 5m;
+
+        # apache2-websockets:
+        # Raise the default nginx proxy timeout settings to
+        # an arbitrarily high value so that we can leverage
+        # osrf-websocket-translator's native timeout settings.
         proxy_send_timeout 1h;
         proxy_read_timeout 1h;
+
+        # websocketd:
+        # websocketd connections persist indefinitely. Leverage nginx
+        # timeouts to periodically disconnect long-idle clients.
+        #proxy_send_timeout 5m;
+        #proxy_read_timeout 5m;
     }
 }
 

commit 3db305ba4329b4c93d16b03800755d5807de4de0
Author: Bill Erickson <berickxx at gmail.com>
Date:   Wed Jul 11 12:27:05 2018 -0400

    LP#1711145 NGINX sample config security improvements
    
    * Adds security recommendations from
    https://mozilla.github.io/server-side-tls/ssl-config-generator/
    * Enables http2
    * Apply a 5-minute proxy read timeout to avoid too-short timeouts on
      long API calls.
    * Adds a (commented) section on sending nginx logs to syslog
    
    Includes INSTALL notes on generating the dhparam file.
    
    Signed-off-by: Bill Erickson <berickxx at gmail.com>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/README b/README
index 5bbba0d..2abbc83 100644
--- a/README
+++ b/README
@@ -616,14 +616,22 @@ rm /etc/nginx/sites-enabled/default
 +
 4. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
    of the SSL certificate and private key.
-5. Start NGINX
+5. Generate a dhparam file in the directory specified in the nginx config.
++
+[source, bash]
+---------------------------------------------------------------------------
+# Default config stores dhparam.pem in the Apache2 ssl directory.
+openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
+---------------------------------------------------------------------------
++
+6. Start NGINX
 +
 [source, bash]
 ---------------------------------------------------------------------------
 /etc/init.d/nginx start
 ---------------------------------------------------------------------------
 +
-6. If you didn't run `configure` with the `--with-websockets-port=443` option,
+7. If you didn't run `configure` with the `--with-websockets-port=443` option,
 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
    and change
 +
diff --git a/examples/nginx/osrf-ws-http-proxy b/examples/nginx/osrf-ws-http-proxy
index d079230..622e8ea 100644
--- a/examples/nginx/osrf-ws-http-proxy
+++ b/examples/nginx/osrf-ws-http-proxy
@@ -6,32 +6,60 @@
 #
 # Assumes Apache is listening on HTTP=7080 and HTTPS=7443
 
+# Example sending nginx logs to syslog
+# error_log  syslog:server=unix:/dev/log,nohostname;
+# access_log syslog:server=unix:/dev/log,severity=info,nohostname combined;
+
 server { 
     listen 80;
 
+    # For SSL-everywhere:
+    # server_name domain.example.org
+    # return 301 https://domain.example.org$request_uri;
+
     location / {
         proxy_pass http://localhost:7080;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
     }
 }
 
 server {
-    listen 443;
-    ssl on;
+    listen 443 ssl http2;
 
     # Use the same SSL certificate as Apache.
     ssl_certificate /etc/apache2/ssl/server.crt;
     ssl_certificate_key /etc/apache2/ssl/server.key;
 
+    # -----------------------------------------------------------------
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    # generate with openssl dhparam -out dhparams.pem 2048
+    ssl_dhparam /etc/apache2/ssl/dhparam.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    # Intermediate ciphers config / updated 2018-07-11
+    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+    ssl_prefer_server_ciphers on;
+    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+    add_header Strict-Transport-Security max-age=15768000;
+    # OCSP Stapling ---
+    # fetch OCSP records from URL in ssl_certificate and cache them
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    # -----------------------------------------------------------------
+
     location / {
         proxy_pass https://localhost:7443;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
     }
 
     location /osrf-websocket-translator {
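Review bot: `ssl_stapling_verify on;` has no accompanying `ssl_trusted_certificate` directive, and this server block declares no `resolver`, so nginx cannot check the stapled OCSP response against the issuer chain and, if the responder URL in `server.crt` is a hostname, cannot fetch it at all; stapling then degrades silently rather than failing loudly. Add `ssl_trusted_certificate <path-to-CA-chain-for-server.crt>;` and a `resolver <ip>;` line next to the stapling directives, or drop `ssl_stapling_verify` and say in the comment that responses are unverified. Separately, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with the `DES-CBC3-SHA` suites in `ssl_ciphers` keeps deprecated protocol versions and 3DES reachable; unless a known legacy client set needs them, `ssl_protocols TLSv1.2;` with the 3DES entries removed is the safer sample default, and the "Intermediate" comment should name the client profile that drove the choice. The `listen 443 ssl http2` server block continues past the hunk.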

-----------------------------------------------------------------------

Summary of changes:
 README                            |   12 +++++++-
 examples/nginx/osrf-ws-http-proxy |   55 +++++++++++++++++++++++++++++++++---
 2 files changed, 60 insertions(+), 7 deletions(-)



