c4lab
Nginx root: /etc/nginx/
Main config: /etc/nginx/nginx.conf
Put your certificates in /certs and then add:
```nginx
server {
    server_name toolmen.bime.ntu.edu.tw;
    listen 8080 ssl http2;
    listen [::]:8080 ssl http2;
    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
```
If you want to get A+, check this out https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
```sh
openssl dhparam -out /certs/certsdhparam.pem 4096
```

```nginx
# Note: this list still enables 3DES (the DES-CBC3-SHA suites); "!DES" only excludes
# single DES. ssl_ciphers also has no effect on the TLS 1.3 suites.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_dhparam /certs/certsdhparam.pem;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
```
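Before trusting a cipher list copied from a guide, it helps to audit it offline. The script below is an added example, not part of the original note or the raymii guide: it reads an nginx config, flags legacy protocols in `ssl_protocols`, cipher tokens that are weak (DES/3DES, RC4, MD5, NULL, EXPORT) or have no ephemeral key exchange, group keywords such as `HIGH` that pull in suites you did not list, a missing or short HSTS `max-age`, and stapling left off. Only the directive names are nginx's own; `conf_value`, `audit_tls_conf`, `audit_count` and the two sample configs are this example's constructions (the first sample reproduces the note's directives, the second is a constructed ECDHE-only list).

```shell
#!/bin/sh
# Added example, not from the original note: offline audit of the TLS
# directives in an nginx config. Sample configs below are constructed.

# conf_value NAME FILE -> value of the first NAME directive, comments and quotes stripped
conf_value() {
    sed 's/#.*$//' "$2" |
        sed -n 's/^[[:space:]]*'"$1"'[[:space:]][[:space:]]*\(.*\);[[:space:]]*$/\1/p' |
        head -n 1 | tr -d '"'
}

# audit_tls_conf FILE -> one finding per line on stdout
audit_tls_conf() {
    conf="$1"

    for p in $(conf_value ssl_protocols "$conf"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $p" ;;
        esac
    done

    # OpenSSL list syntax: tokens separated by ':', a leading '!' removes suites.
    for c in $(conf_value ssl_ciphers "$conf" | tr ':' ' '); do
        case "$c" in
            "!"*) ;;                                  # exclusion: enables nothing
            *DES*|*RC4*|*MD5*|*NULL*|*EXPORT*)
                echo "weak cipher enabled: $c" ;;     # '!DES' does not remove 3DES
            *ECDH*|*EDH*|*DHE*) ;;                    # ephemeral key exchange: forward secret
            *[!A-Z]*) echo "no forward secrecy: $c" ;; # static RSA key exchange
            *) echo "group keyword $c: enables suites not listed explicitly" ;;
        esac
    done

    hsts=$(sed 's/#.*$//' "$conf" | grep 'Strict-Transport-Security' | head -n 1)
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ] || [ "$max_age" -lt 31536000 ]; then
        echo "HSTS missing or max-age below one year"
    fi

    if [ "$(conf_value ssl_stapling "$conf")" != on ]; then
        echo "OCSP stapling is off"
    fi
}

# audit_count FILE -> number of findings
audit_count() {
    audit_tls_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the note's own hardening directives.
sample_note_conf() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
EOF
}

# Constructed sample 2: an ECDHE-only list (AEAD suites only).
sample_hardened_conf() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
EOF
}

# Demo: audit both samples.
demo() {
    for s in sample_note_conf sample_hardened_conf; do
        f=$(mktemp)
        "$s" > "$f"
        echo "== $s: $(audit_count "$f") finding(s)"
        audit_tls_conf "$f"
        rm -f "$f"
    done
}
demo
```

Run it against your real file with `audit_tls_conf /etc/nginx/nginx.conf`. On the note's list it reports the three DES-CBC3 suites, the six static-RSA `AES*` suites and the `HIGH` keyword; the ECDHE-only sample reports nothing. The audit is textual, so it cannot tell you what `HIGH` expands to on your OpenSSL build; `openssl ciphers -v 'HIGH'` does.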
Redirect plain HTTP to the HTTPS port, and send browsers that speak plain HTTP to the SSL port (nginx error 497) to the HTTPS URL:

```nginx
server {
    ...
    return 301 $scheme://toolmen.bime.ntu.edu.tw:8080$request_uri;
}
server {
    ...
    error_page 497 https://toolmen.bime.ntu.edu.tw:$server_port$request_uri;
}
```
```sh
docker pull nginx
# -v expects absolute host paths (relative ./certs is rejected by older Docker), so use $(pwd) for both mounts
docker run --name web443 -d -p 80:80 -p 443:443 --restart always -v $(pwd):/etc/nginx -v $(pwd)/certs:/certs:ro nginx
```
Or as a compose file:

```yaml
services:
  web:
    image: nginx
    restart: always
    ports:
      - 8080:8080
    volumes:
      - ./web/certs/:/certs:ro
      - ./web/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./web_log:/var/log/nginx/
```
We use the free service Let's Encrypt:

```sh
mkdir -p letsencrypt
docker run --rm -it -p 80:80 --security-opt label=disable -v $PWD/letsencrypt:/etc/letsencrypt certbot/certbot certonly --standalone
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/
```
And renew it every three months:

```sh
docker run --rm -it -p 80:80 -p 443:443 --security-opt label=disable -v $PWD/letsencrypt:/etc/letsencrypt certbot/certbot renew
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/
```

With webroot, you can renew the certs without stopping the services on ports 80 and 443.
nginx.conf

```nginx
server {
    server_name toolmen.bime.ntu.edu.tw;
    listen 80;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://toolmen.bime.ntu.edu.tw;
    }
}
```
If the container is called web, runs the image docker.io/library/nginx, and has your letsencrypt folder mounted at /etc/letsencrypt (i.e. it was started with -p 80:80 -p 443:443 -v $PWD/letsencrypt:/etc/letsencrypt), you can run certbot inside it:

```sh
docker exec -it web bash
apt update
apt install python3-certbot-nginx -y
# renew existing certs via the webroot served by the location above
certbot renew --webroot --webroot-path /var/www/letsencrypt/
# or issue a new cert for a domain
certbot certonly --webroot -d your.domain.tw --webroot-path /var/www/letsencrypt/
```
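Both renewal flows above end with a manual `cp` into `certs/`, and nginx only picks the new files up on a reload. The script below is an added example, not part of the original note or of certbot: it is meant to be passed as `certbot renew --deploy-hook /path/to/deploy-certs.sh`, so that after each successful renewal the new `fullchain.pem` and `privkey.pem` are copied into the mounted `certs/` directory with the key readable only by its owner, and nginx in the container is reloaded after a config test. `RENEWED_LINEAGE` is the variable certbot really exports to deploy hooks; `CERTS_DIR`, `NGINX_CONTAINER`, `sync_certs`, `reload_nginx` and `key_is_private` are names assumed by this example.

```shell
#!/bin/sh
# Added example, not from the original note: certbot deploy hook that syncs a
# renewed lineage into the host directory nginx mounts as /certs and reloads
# nginx in the container. Usage:
#   certbot renew --deploy-hook /path/to/deploy-certs.sh
# certbot sets RENEWED_LINEAGE to the live/<domain> directory it just renewed.
# CERTS_DIR and NGINX_CONTAINER are this example's own names (assumptions).

# sync_certs LIVE_DIR CERTS_DIR -> copies fullchain.pem and privkey.pem into place
sync_certs() {
    live="$1"; dst="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "sync_certs: missing $live/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    # cp follows the live/ symlinks, so the copies are real files, not links into archive/.
    # Write to temp names and rename, so nginx never reads a half-written file.
    cp "$live/fullchain.pem" "$dst/fullchain.pem.tmp"
    cp "$live/privkey.pem"   "$dst/privkey.pem.tmp"
    chmod 644 "$dst/fullchain.pem.tmp"
    chmod 600 "$dst/privkey.pem.tmp"      # private key: owner only
    mv "$dst/fullchain.pem.tmp" "$dst/fullchain.pem"
    mv "$dst/privkey.pem.tmp"   "$dst/privkey.pem"
}

# key_is_private FILE -> true when FILE exists and is not readable by group or others
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# reload_nginx CONTAINER -> test the config inside the container, then reload
reload_nginx() {
    docker exec "$1" nginx -t && docker exec "$1" nginx -s reload
}

# When invoked by certbot, RENEWED_LINEAGE is set; otherwise do nothing.
if [ -n "$RENEWED_LINEAGE" ]; then
    sync_certs "$RENEWED_LINEAGE" "${CERTS_DIR:-$PWD/certs}" &&
        reload_nginx "${NGINX_CONTAINER:-web}"
fi
```

Because the hook only runs when a certificate was actually renewed, a cron or systemd timer running `certbot renew --deploy-hook ...` twice a day is enough; `nginx -t` before `-s reload` means a broken config or unreadable key file is reported rather than taking the site down. Set `CERTS_DIR` to the host path you bind-mount as `/certs`.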
For local testing without Let's Encrypt, a self-signed certificate at the same paths:

```sh
cd certs
# 1024-bit RSA and SHA-1 are weak and rejected by modern browsers; use this for local testing only
openssl genrsa 1024 > privkey.pem
chmod 400 privkey.pem
openssl req -new -x509 -nodes -sha1 -days 365 -key privkey.pem -out fullchain.pem
cd ..
```