• Главная
  • Документация

АГИС Администрирование

Главная/Документация/АГИС Администрирование
Развернуть все Свернуть все
  • О разделе АГИС Администрирование
  •  Установка АГИС
    • Инсталяция Ubuntu
    • Установка LVM
    • Установка Docker
    • Установка модулей АГИС
    • Резервные копии
  • Запуск, перезапуск и останов АГИС
  •  Администрирование
    •   Ubuntu
      •   LVM&Snapshot
        • Snapshot
        • agis_backup_lvm_xfs
        • Ошибки
      •   Nginx, ssl, letsencrypt
        • Сертификат ssl
        • Letsencrypt
      •   NAS
        • Synology
        • Qnap
      •   SSH
        • SSH доступ без пароля по ключу
        • Клиент ssh
      •   Разные команды
        • Основные команды Linux
        • Расширенные команды
        • Работа с сервером
      • FTP server
      • VPN server
    •   Базы данных
      • Запуск базы данных АГИС
      •   Mongo
        • mongodump-mongorestore
        • Основы
        • Test mongo db
        • Запросы mongodb
        • Запуск mongodb
        • Studio 3T for Mongo DB
        • Тестовый контейнер mongodb
        • mongodb формат даты
        • Replica set
      •   PostgreSQL
        • Test postgis
        • Dump&Restore PostgreSQL
        • Установка и запуск
        • PostgreSQL разное
      •   Elastic search
        • Команды elasticsearch
        • Tools to backup and restore ElasticSearch indices
      • Troubleshooting базы данных АГИС
      • MySql
    •   Docker
      • Команды Docker
      • Команды Docker (admin)
      • docker ps
      • .env
      • docker images save load
    •   Troubleshhoting
      • Mobaxterm
      • Проблема с дисками после raid
    •   Pfsense
      • Установка
      • Openvpn client
    •   Разное
      • Сколько байт(бит) в килобайте, мегабайте, гигабайте
      • Save bookmarks Studio 3T Mobaxterm
      • Acronis true image
      • Кодировки
  •  АГИС ГИС сервер
    • Запуск и остановка Tile сервера
    • Экспорт шейпа из АГИС ГИС
    • Импорт шейпа в АГИС ГИС
    • Backup&restore postgis(postgres)
    • Запуск pgAdmin4
    • Troubleshooting postgis
  •  АГИС Администрирование
    •   Пользователи
      • Добавление нового пользователя
    •   Роли
      • Добавление новой роли
    •   Перевод
      • Добавления перевода
    • АДС (Автоматизированная дисп служба)

Nginx, ssl, letsencrypt

100 просмотров 0

Конфигурационные и yml файлы располагаются /data/agis/agis-nginx

Запуск nginx

docker-compose -f agis-nginx.yml up -d

/data/agis/agis-nginx/conf.d/agis-pwa-nginx.conf – конфигурационный файл для nginx:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
     listen [::]:80;
     listen 80;
     server_name your.domain www.your.domain;
     location ~ /.well-known/acme-challenge {
         allow all;
         root /var/www/certbot;
     }
}
# agis-pwa-scada
server {
    listen 4000 ssl;
    listen [::]:4000 ssl;
    server_name your.domain;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/live/your.domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/your.domain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /path/to/dhparam.pem;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:E                              CDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256                              :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES                              256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SH                              A:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DE                              S-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=0;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    location / {
        client_max_body_size 200m;
        proxy_pass http://AGIS-IP:30314;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
# agis-model-facade
server {
    listen 4001 ssl;
    listen [::]:4001 ssl;
    server_name your.domain;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/live/your.domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/your.domain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /path/to/dhparam.pem;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:E                              CDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256                              :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES                              256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SH                              A:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DE                              S-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=0;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    location / {
        client_max_body_size 200m;
        proxy_pass http://IP-AGIS:30303;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
# agis-tile-server
server {
    listen 4002 ssl;
    listen [::]:4002 ssl;
    server_name info-sec.kz;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/live/your.domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/your.domain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /path/to/dhparam.pem;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:E                              CDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256                              :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES                              256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SH                              A:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DE                              S-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=0;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    location / {
        proxy_pass http://IP-AGIS:30308;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

agis-nginx.yml

version: '2.4'
services:
  agis-nginx:
    image: nginx:latest
    container_name: agis-nginx
    ports:
      - 4000:4000
      - 4001:4001
      - 4002:4002
      - 443:443
      - 80:80
    volumes:
      - ./public:/var/www/html
      - ./conf.d:/etc/nginx/conf.d
      - ./certbot/conf:/etc/nginx/ssl
      - ./certbot/data:/var/www/certbot
    restart: on-failure
    cpus: 1
    mem_limit: 1gb
networks:
  default:
    external:
      name: agis-net
Вам может быть интересно
  • Сертификат ssl
  • Replica set
  • VPN server
  • MySql
  • Кодировки
  • АДС (Автоматизированная дисп служба)
  • Copyright 2020 AGIS. Все права защищены