add install nginx

2022-02-06 21:52:32 +01:00
parent a5eb55b733
commit 36bfacde18
2 changed files with 156 additions and 1 deletions
--- a/setup.py
+++ b/setup.py
@@ -6,6 +6,7 @@ import time
 import random
 import string
 import jinja2
+from waptcrypto import SSLCertificate, SSLPrivateKey

 # General configuration
 ## Directories
@@ -20,6 +21,7 @@ mattermost_url = 'https://url_of_mattermost_server'
 instance_name = 'name'
 database_backend = 'mysql' # Values : mysql or postgres
 use_nginx = True # Values : True / False
+generate_ssl_cert = True # Values : True / False. Use False if you use commercial, Let's Encrypt or your PKI certificate. In this case, please configure "ssl_certificate_path" and "ssl_key_path" around line 220.


 # WARNING #
@@ -182,7 +184,6 @@ def install():
            f.truncate()

        print('Create Mattermost server service')
-
        jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
        template = jinja_env.get_template('mattermost.service.j2')

@@ -210,6 +211,66 @@ def install():

        print('Mattermost Server is installed !')

+    if use_nginx:
+        #WAPT.install('{}-nginx'.format(control.package.split('-')[0]))
+        print('Install Nginx Web Server')
+        install_apt('nginx')
+
+        jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
+        template = jinja_env.get_template('nginx.conf.j2')
+
+        if generate_ssl_cert:
+            print('Generate SSL key and certificate')
+            ap_ssl_dir = makepath(mattermost_path,'ssl')
+            mkdirs(ap_ssl_dir)
+            key_fn = os.path.join(ap_ssl_dir,'key.pem')
+            key = SSLPrivateKey(key_fn)
+            if not os.path.isfile(key_fn):
+                print('Create SSL RSA Key %s' % key_fn)
+                key.create()
+                key.save_as_pem()
+
+            cert_fn = os.path.join(ap_ssl_dir,'cert.pem')
+            if os.path.isfile(cert_fn):
+                crt = SSLCertificate(cert_fn)
+                if os.path.isfile(cert_fn):
+                    crt = SSLCertificate(cert_fn)
+                    if crt.cn != get_fqdn():
+                        os.rename(cert_fn,"%s-%s.old" % (cert_fn,'{:%Y%m%d-%Hh%Mm%Ss}'.format(datetime.datetime.now())))
+                        crt = key.build_sign_certificate(cn=get_fqdn(),dnsname=get_fqdn(),is_code_signing=False)
+                        print('Create X509 cert %s' % cert_fn)
+                        crt.save_as_pem(cert_fn)
+            else:
+                crt = key.build_sign_certificate(cn=get_fqdn(),dnsname=get_fqdn(),is_code_signing=False)
+                print('Create X509 cert %s' % cert_fn)
+                crt.save_as_pem(cert_fn)
+
+            template_variables = {
+                'mattermost_url': mattermost_url.replace('https://','').replace('http://',''),
+                'ssl_certificate_path': cert_fn.replace('\\','/'),
+                'ssl_key_path': key_fn.replace('\\','/')
+            }
+        else:
+            template_variables = {
+                'mattermost_url': mattermost_url.replace('https://','').replace('http://',''),
+                'ssl_certificate_path': makepath('/etc','ssl','cert.pem'),
+                'ssl_key_path': makepath('/etc','ssl','key.pem')
+            }
+
+
+        config_string = template.render(template_variables)
+        print('Create Nginx configuration file %s' % makepath('/etc','nginx','sites-avalables','mattermost.conf'))
+        with open(makepath('/etc','nginx','sites-available','mattermost.conf'), 'wt') as dst_file:
+            dst_file.write(config_string)
+
+        print('Create symlink to activate mattermost site')
+        if not os.path.exists('/etc/nginx/sites-enabled/mattermost.conf'):
+                print(run('ln -s /etc/nginx/sites-available/mattermost.conf /etc/nginx/sites-enabled/mattermost.conf'))
+
+        print('Test Nginx configuration and start nginx')
+        print(run('nginx -t'))
+        print(run('systemctl restart nginx'))
+        print(run('systemctl enable nginx'))

 def audit():
    installed_version = check_version()
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,94 @@
+upstream backend {
+   server 127.0.0.1:8065;
+   keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+  listen 80;
+  server_name   {{ mattermost_url }};
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+   listen 443 ssl http2;
+   server_name    {{ mattermost_url }};
+
+   http2_push_preload on; # Enable HTTP/2 Server Push
+
+   ssl on;
+   ssl_certificate {{ ssl_certificate_path }};
+   ssl_certificate_key {{ ssl_key_path }};
+   ssl_session_timeout 1d;
+
+   # Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC).
+   ssl_protocols TLSv1.2 TLSv1.3;
+
+   # Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
+   # prevent replay attacks.
+   #
+   # @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+   ssl_early_data on;
+
+   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
+   ssl_prefer_server_ciphers on;
+   ssl_session_cache shared:SSL:50m;
+   # HSTS (ngx_http_headers_module is required) (15768000 seconds = six months)
+   add_header Strict-Transport-Security max-age=15768000;
+   # OCSP Stapling ---
+   # fetch OCSP records from URL in ssl_certificate and cache them
+   ssl_stapling on;
+   ssl_stapling_verify on;
+
+   add_header X-Early-Data $tls1_3_early_data;
+
+   location ~ /api/v[0-9]+/(users/)?websocket$ {
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       client_max_body_size 50M;
+       proxy_set_header Host $http_host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Frame-Options SAMEORIGIN;
+       proxy_buffers 256 16k;
+       proxy_buffer_size 16k;
+       client_body_timeout 60;
+       send_timeout 300;
+       lingering_timeout 5;
+       proxy_connect_timeout 90;
+       proxy_send_timeout 300;
+       proxy_read_timeout 90s;
+       proxy_http_version 1.1;
+       proxy_pass http://backend;
+   }
+
+   location / {
+       client_max_body_size 50M;
+       proxy_set_header Connection "";
+       proxy_set_header Host $http_host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Frame-Options SAMEORIGIN;
+       proxy_buffers 256 16k;
+       proxy_buffer_size 16k;
+       proxy_read_timeout 600s;
+       proxy_cache mattermost_cache;
+       proxy_cache_revalidate on;
+       proxy_cache_min_uses 2;
+       proxy_cache_use_stale timeout;
+       proxy_cache_lock on;
+       proxy_http_version 1.1;
+       proxy_pass http://backend;
+   }
+}
+
+# This block is useful for debugging TLS v1.3. Please feel free to remove this
+# and use the `$ssl_early_data` variable exposed by NGINX directly should you
+# wish to do so.
+map $ssl_early_data $tls1_3_early_data {
+  "~." $ssl_early_data;
+  default "";
+}