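====== Installation ======

===== Notes =====

On Windows, the Cloud interface needs certain access rights to be able to read Performance Counters. You can grant them using these two commands:

  * ''net localgroup "Performance Monitor Users" DefaultAppPool /add''
  * ''net localgroup "Performance Log Users" DefaultAppPool /add''

This adds the ''DefaultAppPool'' user account, which is used by IIS, to the groups that are allowed to read Performance Counter values. For a custom pool named XY, IIS creates a virtual account named „IIS APPPOOL\XY“. If the above procedure does not work, you can change the pool identity from ApplicationPoolIdentity to LocalService. LocalService is a built-in account shared with other Windows services, so the pool loses the isolation of its own virtual account; prefer the group membership above where it works.

===== NGINX =====

  * example configuration for Nginx server

<code nginx>
# Example nginx.conf for the SCADA web front end.
# Layout: global settings, shared http settings, one upstream group, a port-80
# server (ACME challenges + redirect to HTTPS), a 443 server that drops
# connections for unknown host names, and the real 443 virtual host.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 and 1.3 are
    # offered. Re-enable an older protocol only for a specific legacy client
    # that cannot be upgraded.
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    log_format upstream_time '$remote_addr [$time_local] '
                             '"$request" $status $body_bytes_sent gzipRatio=$gzip_ratio '
                             'request_time=$request_time up_response_time="$upstream_response_time"';

    log_format grpc_format '$remote_addr - $remote_user [$time_local] "$request" '
                           '$status $body_bytes_sent "$http_referer" '
                           '"$http_user_agent"';

    ##important - we have very large bodies
    # NOTE(review): the in-memory buffer (500M) is larger than the largest
    # accepted body (250M), so every upload can be held entirely in RAM. A few
    # concurrent large uploads can exhaust memory; consider a much smaller
    # buffer so that large bodies spill to temporary files instead.
    client_body_buffer_size 500M;
    client_max_body_size 250M;

    #enable logging at the server level!
    # NOTE(review): this cancels the access_log set above, and neither log
    # format defined above is referenced by any server block in this example.
    # As written, no request is logged at all. Add an access_log directive
    # (for example with the upstream_time format) to every server you need to
    # audit or investigate later.
    access_log off;

    #security
    server_tokens off;
    # more_clear_headers comes from the third-party headers-more module, which
    # has to be among the modules loaded from modules-enabled above.
    more_clear_headers Server;

    error_page 301 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html;

    #https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#upstream-groups
    upstream api_scada {
        zone upstreams 64K;
        server scada_server:8520;
        keepalive 2;
    }

    ####################################### 80
    server {
        listen 80;
        listen [::]:80;
        server_name _;
        index index.html index.php;
        root /mnt/bigdata/cfg/mervis_nginx/www;

        ## the old project-storage API requires "." in the header...
        #ignore_invalid_headers off;

        gzip on;
        gzip_types text/plain;
        gzip_proxied no-cache no-store private expired auth;
        gzip_min_length 1000;

        #security headers
        # Browsers ignore Strict-Transport-Security received over plain HTTP,
        # so on this server the header has no effect; it matters on 443.
        # "preload" together with includeSubdomains is a long-lived commitment
        # for the whole domain: make sure every subdomain serves HTTPS first.
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org data:; frame-src kb.mervis.info; object-src 'none';" always;

        location = /error.html {
            ssi on;
            internal;
            auth_basic off;
            root /mnt/bigdata/cfg/mervis_nginx/www/errors/;
        }

        # for certbot ssl
        location /.well-known/acme-challenge {
            alias /mnt/bigdata/cfg/mervis_nginx/www/.well-known/acme-challenge;
        }

        #redirect everything to https
        # NOTE(review): $host is taken from the client's Host header and this
        # server is a catch-all (server_name _), so the redirect target
        # reflects whatever name the client sent. If only one site is served,
        # redirect to its fixed host name instead.
        location / {
            return 301 https://$host$request_uri;
        }

        # Dot in "web.config" escaped so that only the literal file name matches.
        location ~ /(\.svn|web\.config) {
            deny all;
        }
    }

    ######################################### 443
    #
    #security server - to handle unknown domains
    # nginx treats the first server block for a listen address as the default
    # one, so this block has to stay ahead of the real virtual host (or be
    # marked default_server explicitly) to catch requests for unknown names.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name "";

        ssl_certificate /etc/letsencrypt/live/scada.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/scada.domain.com/privkey.pem;

        #The non-standard code 444 closes a connection without sending a response header.
        return 444;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name scada.domain.com;
        index index.html;
        root /mnt/bigdata/cfg/mervis_nginx/www;

        ssl_certificate /etc/letsencrypt/live/scada.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/scada.domain.com/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        # Same policy as the http level: deprecated TLS 1.0/1.1 removed and
        # TLS 1.3 added, so that this block does not narrow or weaken it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        #ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;

        # NOTE(review): compressing TLS responses that mix secrets with
        # request-controlled data is the precondition for BREACH-style
        # compression side channels. Confirm that the JSON returned by
        # /api-scada is safe to compress, or drop application/json here.
        gzip on;
        gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/json application/xml application/rss+xml image/svg+xml;
        gzip_proxied no-cache no-store private expired auth;
        gzip_min_length 1000;

        #security headers
        # add_header directives are inherited from this level only by
        # locations that define no add_header of their own, which is why the
        # locations below that set Cache-Control repeat the full set.
        # NOTE(review): unlike the port-80 server, this level carries no
        # Content-Security-Policy, so responses from locations without their
        # own add_header (error.html, and files under "/" that do not match
        # the static-asset pattern) are sent without a CSP. Add the CSP line
        # here as well if that is not intended.
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location = /error.html {
            ssi on;
            internal;
            auth_basic off;
            root /mnt/bigdata/cfg/scada.domain.com/www;
        }

        location = /index.html {
            add_header Cache-Control "no-cache, public, must-revalidate, proxy-revalidate";
            #security headers
            add_header X-Content-Type-Options nosniff;
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org data:; frame-src kb.mervis.info; object-src 'none';" always;
        }

        location / {
            try_files $uri $uri/ =404;

            #everything is cached for an hour and then refreshed in the background for one month
            #while the old version is being used
            location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
                add_header Cache-Control "public, no-transform, max-age=3600, stale-while-revalidate=2592000";
                #security headers
                add_header X-Content-Type-Options nosniff;
                add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
                add_header X-Frame-Options "SAMEORIGIN";
                add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org data:; frame-src kb.mervis.info; object-src 'none';" always;
            }
        }

        location /api-scada {
            # HTTP/1.1 with an empty Connection header is what lets nginx
            # reuse the keepalive connections of the api_scada upstream.
            proxy_http_version 1.1;
            proxy_set_header "Connection" "";
            proxy_pass http://api_scada/api;

            #security headers
            add_header X-Content-Type-Options nosniff;
            # Hide backend technology/version banners from responses.
            proxy_hide_header x-powered-by;
            proxy_hide_header x-aspnet-version;
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN";
            # API responses must not be stored by browsers or intermediaries.
            add_header Cache-Control "no-store";
            add_header Pragma "no-cache";
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org data:; frame-src kb.mervis.info; object-src 'none';" always;
        }

        # Dot in "web.config" escaped so that only the literal file name matches.
        location ~ /(\.svn|web\.config) {
            deny all;
        }
    }
}
</code>

==== Error.html ====

Mervis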

Error: