en:mervis-scada:95-installation [2018/05/15 14:17]
m.skrivanek [Notes]
en:mervis-scada:95-installation [2023/03/29 17:19] (current)
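--- a/en:mervis-scada:95-installation
+++ b/en:mervis-scada:95-installation
@@ -14,2 +14,284 @@
 
 If the above procedure does not work, you can change the pool identity from ApplicationPoolIdentity to LocalService.
+
+===== NGINX =====
+  * example configuration for Nginx server
+
+<code nginx>
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+log_format upstream_time '$remote_addr [$time_local] '
+                             '"$request" $status $body_bytes_sent gzipRatio=$gzip_ratio '
+                             'request_time=$request_time up_response_time="$upstream_response_time"';
+                             
+log_format  grpc_format  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent"';
+
+
+##important - we have very large bodies 
+client_body_buffer_size 500M; 
+client_max_body_size 250M;
+
+#enable logging at the server level!
+access_log off;
+
+
+#security
+server_tokens off;
+more_clear_headers Server;
+error_page 301 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html;
+
+
+#https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#upstream-groups
+upstream api_scada {
+        zone upstreams 64K;
+        server scada_server:8520;
+        keepalive 2;
+}
+
+
+####################################### 80
+
+server {
+
+    listen 80;
+    listen [::]:80;
+
+    server_name _;
+
+    index index.html index.php;
+
+    root /mnt/bigdata/cfg/mervis_nginx/www;
+
+    
+    ##stare API u project-storage vyzaduje "." v hlavicce...
+    #ignore_invalid_headers off;
+    
+
+    gzip on;
+    gzip_types text/plain;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_min_length 1000;
+    
+    #security headers
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org  data:; frame-src kb.mervis.info; object-src 'none';" always;
+    
+    location = /error.html {
+      ssi on;
+      internal;
+      auth_basic off;
+      root /mnt/bigdata/cfg/mervis_nginx/www/errors/;
+    }
+    
+
+    
+    # for certbot ssl 
+    location /.well-known/acme-challenge {
+      alias /mnt/bigdata/cfg/mervis_nginx/www/.well-known/acme-challenge;
+    }
+
+    #redirect everything to https
+    location / {
+      return 301 https://$host$request_uri;
+    }
+    
+    location ~ /(\.svn|web.config) {
+      deny all;
+    }
+    
+}
+
+######################################### 443
+# #security server - to handle unknown domains
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name "";
+    
+    ssl_certificate /etc/letsencrypt/live/scada.domain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/scada.domain.com/privkey.pem;
+    #The non-standard code 444 closes a connection without sending a response header.
+    return      444;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name scada.domain.com;
+  
+
+    index index.html;
+
+    root /mnt/bigdata/cfg/mervis_nginx/www;
+    
+    
+    ssl_certificate /etc/letsencrypt/live/scada.domain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/scada.domain.com/privkey.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+
+    #ssl_dhparam /etc/ssl/dhparam.pem;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    gzip on;
+    gzip_types  text/plain
+                text/css
+                text/js
+                text/xml
+                text/javascript
+                application/javascript
+                application/json
+                application/xml
+                application/rss+xml
+                image/svg+xml;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_min_length 1000;
+    
+    #security headers
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN";
+    
+    location = /error.html {
+      ssi on;
+      internal;
+      auth_basic off;
+      root /mnt/bigdata/cfg/scada.domain.com/www;
+    }
+    
+    location = /index.html {
+      add_header Cache-Control "no-cache, public, must-revalidate, proxy-revalidate";
+      #security headers
+      add_header X-Content-Type-Options nosniff;
+      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org  data:; frame-src kb.mervis.info; object-src 'none';" always;
+    }
+    
+    location / {     
+      try_files $uri $uri/ =404;
+      
+      #everything is cached for an hour and then refreshed in the background for one month
+      #while the old version is being used
+      location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
+        add_header Cache-Control "public, no-transform, max-age=3600, stale-while-revalidate=2592000";
+        #security headers
+        add_header X-Content-Type-Options nosniff;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org  data:; frame-src kb.mervis.info; object-src 'none';" always;
+      }
+    }
+    
+    
+    location /api-scada {
+      proxy_http_version 1.1;
+      proxy_set_header   "Connection" "";
+      proxy_pass http://api_scada/api;
+      
+      #security headers
+      add_header X-Content-Type-Options nosniff;
+      proxy_hide_header x-powered-by;
+      proxy_hide_header x-aspnet-version;
+      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header Cache-Control "no-store";
+      add_header Pragma "no-cache";
+      add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' *.tile.openstreetmap.org  data:; frame-src kb.mervis.info; object-src 'none';" always;
+    }
+    
+    
+
+
+    location ~ /(\.svn|web.config) {
+      deny all;
+    }
+}
+
+}
+</code>
+
+==== Error.html ====
+<code html>
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Mervis</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+  </head>
+<body>
+
+    <h1>Error: <!--# echo var="status" default="" --></h1>
+</body>
+</code>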
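Review bot: The production vhost's `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the `server_name scada.domain.com` block overrides the http-level line, so that server drops TLS 1.3 and still negotiates TLS 1.0/1.1, which are deprecated (RFC 8996); both places should read `ssl_protocols TLSv1.2 TLSv1.3;`, and since no `ssl_ciphers` is set, `ssl_prefer_server_ciphers on` only orders nginx's built-in `HIGH:!aNULL:!MD5` default rather than a curated suite. `client_body_buffer_size 500M;` is larger than `client_max_body_size 250M;`, so every in-flight request may hold its entire body in worker memory and a few concurrent large uploads can exhaust RAM; a small buffer such as `client_body_buffer_size 1M;` with bodies spilled to the temp path is the usual shape, and the `##important` comment does not explain why whole-body buffering is needed. The comment `#enable logging at the server level!` is followed by `access_log off;` at http level, which also cancels the earlier `/var/log/nginx/access.log` line, yet none of the three server blocks defines an `access_log`, so no request is logged anywhere and the example removes the main detection and incident-response record for this front door. `more_clear_headers Server;` requires the third-party headers-more module, so on a stock nginx build the configuration fails to load; the example should state the dependency or drop the line since `server_tokens off;` already trims the header.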
  