Вход
  • Главная
  • Документация
  • Главная
  • Документация

АГИС Модули

Главная/Документация/АГИС Модули
Развернуть все Свернуть все
  • База данных
  •  Администрирование
    •   Ubuntu
      •   Установка ubuntu
        • Инсталяция
        • Docker и его установка
      •   LVM&Snapshot
        • LVM
        • Snapshot
        • agis_backup_lvm_xfs-v2
        • Ошибки
      • Резервные копии
      •   Nginx, ssl, letsencrypt
        • Letsencrypt
      •   NAS
        • Synology
      • SSH
      • date and time
      •   Разные команды
        • systemctl
    •   Базы данных
      • Запуск базы данных АГИС
      •   Mongo
        • mongodump-mongorestore
        • Как узнать версию mongodb
        • Test mongo db
        • Запросы mongodb
        • Запуск mongodb
      •   PostgreSQL
        • Test postgis
        • Dump&Restore
        • Установка и запуск
        • PostgreSQL разное
      •   Elastic search
        • Команды elasticsearch
        • Tools to backup and restore ElasticSearch indices
      • Troubleshooting базы данных АГИС
    •   Docker
      • Команды Docker
    •   Разное
      • Сколько байт(бит) в килобайте, мегабайте, гигабайте
  •  АГИС ГИС сервер
    • Запуск и остановка Tile сервера
    • Экспорт шейпа из АГИС ГИС
    • Импорт шейпа в АГИС ГИС
    • Backup&restore postgis(postgres)
    • Troubleshooting postgis
  •  AГИС scada
    •   Паспорта контроллеров
      • Функции zander

Nginx, ssl, letsencrypt

33 просмотров 0 17.11.2020 18.11.2020

Конфигурационные и yml файлы располагаются /data/agis/agis-nginx

Запуск nginx

docker-compose -f agis-nginx.yml up -d

/data/agis/agis-nginx/conf.d/agis-pwa-nginx.conf – конфигурационный файл для nginx:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
     listen [::]:80;
     listen 80;

     server_name your.domain www.your.domain;

     location ~ /.well-known/acme-challenge {
         allow all;
         root /var/www/certbot;
     }
}


# agis-pwa-scada
server {
    listen 4000 ssl;
    listen [::]:4000 ssl;
    server_name your.domain;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/live/your.domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/your.domain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:E                              CDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256                              :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES                              256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SH                              A:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DE                              S-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=0;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs

    location / {
        client_max_body_size 200m;
        proxy_pass http://AGIS-IP:30314;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# agis-model-facade
server {
    listen 4001 ssl;
    listen [::]:4001 ssl;
    server_name your.domain;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/live/your.domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/your.domain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:E                              CDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256                              :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES                              256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SH                              A:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DE                              S-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=0;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    location / {
        client_max_body_size 200m;
        proxy_pass http://IP-AGIS:30303;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# agis-tile-server
server {
    listen 4002 ssl;
    listen [::]:4002 ssl;
    server_name info-sec.kz;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/live/your.domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/your.domain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:E                              CDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256                              :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES                              256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SH                              A:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DE                              S-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=0;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs

    location / {
        proxy_pass http://IP-AGIS:30308;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

agis-nginx.yml
version: '2.4'

services:
  agis-nginx:
    image: nginx:latest
    container_name: agis-nginx
    ports:
      - 4000:4000
      - 4001:4001
      - 4002:4002
      - 443:443
      - 80:80
    volumes:
      - ./public:/var/www/html
      - ./conf.d:/etc/nginx/conf.d
      - ./certbot/conf:/etc/nginx/ssl
      - ./certbot/data:/var/www/certbot

    restart: on-failure
    cpus: 1
    mem_limit: 1gb

networks:
  default:
    external:
      name: agis-net

Это было полезно?

Да  Нет
Вам может быть интересно
  • Функции zander
  • Паспорта контроллеров
  • AГИС scada
  • systemctl
  • База данных
  • date and time
  • Copyright 2020 AGIS. Все права защищены