guix-commits

branch master updated: hydra: Support optional HTTPS to logs.guix.gnu.or


From: Tobias Geerinckx-Rice
Subject: branch master updated: hydra: Support optional HTTPS to logs.guix.gnu.org.
Date: Mon, 16 Nov 2020 11:57:47 -0500

This is an automated email from the git hooks/post-receive script.

nckx pushed a commit to branch master
in repository maintenance.

The following commit(s) were added to refs/heads/master by this push:
     new fe13de2  hydra: Support optional HTTPS to logs.guix.gnu.org.
fe13de2 is described below

commit fe13de22318082582694b953e32386ee911994ab
Author: Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Mon Nov 16 17:31:10 2020 +0100

    hydra: Support optional HTTPS to logs.guix.gnu.org.
    
    * hydra/bayfront.scm (%certbot-configuration): Add logs.guix.gnu.org to the
    DOMAINS.
    * hydra/nginx/bayfront.conf: Add a Certbot webroot location to the
    logs.guix.gnu.org HTTP server.  Add an HTTPS (‘ssl’) server block for the
    same domain using the newly-generated certificate.
---
 hydra/bayfront.scm        |  1 +
 hydra/nginx/bayfront.conf | 31 +++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index d5f030b..6a7192d 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -91,6 +91,7 @@
    (certificates
     (list (certificate-configuration
            (domains '("bayfront.guix.gnu.org"
+                      "logs.guix.gnu.org"
                       "bayfront.guix.info"
                       "hpc.guix.info"
                       "guix-hpc.bordeaux.inria.fr"))
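
Review bot: "logs.guix.gnu.org" is added as the second entry of the existing domains list, after "bayfront.guix.gnu.org", so it becomes one more name on that shared certificate rather than a certificate of its own. The nginx part of this commit reads the certificate and key from /etc/letsencrypt/live/logs.guix.gnu.org/, so please confirm that directory will actually exist after issuance. If the certificate is stored under the name of the first domain in the list, either point nginx at that directory or give logs.guix.gnu.org its own certificate-configuration entry.
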
diff --git a/hydra/nginx/bayfront.conf b/hydra/nginx/bayfront.conf
index 03f94e5..a70bc72 100644
--- a/hydra/nginx/bayfront.conf
+++ b/hydra/nginx/bayfront.conf
@@ -125,6 +125,37 @@ http {
         listen       80;
         server_name  logs.guix.gnu.org;
         access_log   /var/log/nginx/logs.access.log;
+
+        # Certbot webroot for certificate renewal.
+        location /.well-known {
+          root /var/www;
+        }
+        location / {
+          proxy_pass http://localhost:3333/;
+        }
+    }
+
+    # HTTPS server.
+    server {
+        listen       443 ssl;
+        server_name  logs.guix.gnu.org;
+
+        ssl_certificate     
/etc/letsencrypt/live/logs.guix.gnu.org/fullchain.pem;
+        ssl_certificate_key 
/etc/letsencrypt/live/logs.guix.gnu.org/privkey.pem;
+
+        # Make sure SSL is disabled.
+        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+
+        # Disable weak cipher suites.
+        ssl_ciphers         HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # Use our own DH parameters created with:
+        #    openssl dhparam -out dhparams.pem 2048
+        # as suggested at <https://weakdh.org/sysadmin.html>.
+        ssl_dhparam         /etc/dhparams.pem;
+
+        access_log   /var/log/nginx/logs.access.log;
         location / {
           proxy_pass http://localhost:3333/;
         }
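
Review bot: in the new HTTPS server block, the comment "Make sure SSL is disabled" sits above "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", which still enables TLS 1.0 and 1.1. Both are deprecated (RFC 8996), so this should be restricted to TLSv1.2, plus TLSv1.3 where the nginx and OpenSSL builds support it, and the comment reworded to say which protocol versions are allowed. Two smaller points in the same hunk: the port 80 server keeps proxying to localhost:3333 instead of redirecting, which matches the "optional HTTPS" in the subject but means a client is never moved to TLS, so a comment saying this is intentional would help; and "location /.well-known" exposes more of /var/www than the ACME challenge needs, where "location /.well-known/acme-challenge/" would be tighter.
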


