Diffstat (limited to 'files')
-rw-r--r-- | files/etc/nginx/sites-available/webmap | 124 | ||||
-rw-r--r-- | files/etc/nginx/sites-enabled/webmap | 80 | ||||
-rw-r--r-- | files/etc/postfix/master.cf | 44 | ||||
-rw-r--r-- | files/etc/postfix/tls_policy | 2 | ||||
-rw-r--r-- | files/etc/postgresql/postgresql.conf | 4 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-cgi.service | 36 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-cgi.socket | 11 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-download@.service | 37 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 37 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-update@.target | 3 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-update@.timer | 11 | ||||
-rw-r--r-- | files/etc/tmpfiles.d/webmap.conf | 8 |
12 files changed, 316 insertions, 81 deletions
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
new file mode 100644
index 0000000..24ccdb9
--- /dev/null
+++ b/files/etc/nginx/sites-available/webmap
@@ -0,0 +1,124 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name karta.klimatanalysnorr.se hel01.guilhem.se;
+
+ include /etc/lacme/nginx.conf;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443;
+ listen [::]:443;
+
+ server_name hel01.guilhem.se;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ ssl_certificate /etc/nginx/ssl/webmap.rsa.pem;
+ ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
+ include snippets/ssl.conf;
+
+ location / {
+ return 303 https://karta.klimatanalysnorr.se$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ server_name karta.klimatanalysnorr.se;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ ssl_certificate /etc/nginx/ssl/webmap.rsa.pem;
+ ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
+ include snippets/ssl.conf;
+
+ root /var/www/webmap;
+ index index.html;
+
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'";
+ #add_header Access-Control-Allow-Origin $http_origin always;
+
+ include mime.types;
+ types {
+ # application/protobuf and application/vnd.google.protobuf might be valid types too, cf.
+ # https://stackoverflow.com/questions/30505408/what-is-the-correct-protobuf-content-type
+ application/x-protobuf pbf;
+ }
+
+ location ^~ /assets/ {
+ expires 7d;
+ try_files $uri =404;
+ location ~ "\.(?:css|js|svg)$" {
+ brotli_static on;
+ }
+ }
+ location ^~ /tiles/ {
+ expires 30m;
+ brotli_static on;
+ try_files $uri =404;
+ # service an empty payload to save bandwidth
+ error_page 404 /_.txt;
+ }
+ location ^~ /raster/ {
+ expires 30m;
+ try_files $uri =404;
+ # service an empty payload to save bandwidth
+ error_page 404 /_.txt;
+ }
+ location = /q {
+ expires epoch;
+ limit_except POST { deny all; }
+ #if ($request_method = OPTIONS) {
+ # add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
+ # add_header Access-Control-Allow-Origin $http_origin;
+ # add_header Access-Control-Allow-Methods "POST, GET, OPTIONS";
+ # add_header Access-Control-Allow-Headers "Accept, Content-Type";
+ # add_header Access-Control-Max-Age 28800;
+ # return 204;
+ #}
+ client_max_body_size 64k;
+ gzip on;
+ gzip_types application/json text/plain;
+ include uwsgi_params;
+ uwsgi_pass unix:/run/webmap-cgi.socket;
+ }
+
+ location = /_.txt {
+ # cache 404 responses for 30m like for valid tiles
+ add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
+ add_header Cache-Control "public; max-age=1800" always;
+ #add_header Access-Control-Allow-Origin $http_origin always;
+ internal;
+ }
+
+ location / {
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; worker-src blob:; base-uri 'self'";
+
+ expires 1h;
+ brotli_static on;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/files/etc/nginx/sites-enabled/webmap b/files/etc/nginx/sites-enabled/webmap
deleted file mode 100644
index d16ab60..0000000
--- a/files/etc/nginx/sites-enabled/webmap
+++ /dev/null
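Review bot: `add_header Cache-Control "public; max-age=1800" always;` in the `location = /_.txt` block separates the two directives with a semicolon, but Cache-Control directives are comma-separated, so `public; max-age=1800` is one malformed token and caches may ignore the max-age entirely; change it to `add_header Cache-Control "public, max-age=1800" always;`. Because any `add_header` inside a location replaces every inherited `add_header`, the 404 responses that `/tiles/` and `/raster/` redirect there via `error_page` also lose `X-Content-Type-Options`, `X-Frame-Options` and the CSP set at server level; if those are wanted on the empty payload too, repeat them in that location the way `location /` already does. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore; the value recommended today is `0`, or drop the header and rely on the CSP already present.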
@@ -1,80 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name karta.klimatanalysnorr.se hel01.guilhem.se;
-
- include /etc/lacme/nginx.conf;
-
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log warn;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443;
- listen [::]:443;
-
- server_name hel01.guilhem.se;
-
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log warn;
-
- ssl_certificate /etc/nginx/ssl/webmap.rsa.pem;
- ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
- include snippets/ssl.conf;
-
- location / {
- return 303 https://karta.klimatanalysnorr.se$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
-
- server_name karta.klimatanalysnorr.se;
-
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log warn;
-
- ssl_certificate /etc/nginx/ssl/webmap.rsa.pem;
- ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
- include snippets/ssl.conf;
-
- add_header Referrer-Policy "no-referrer";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options "nosniff";
- add_header X-XSS-Protection "1; mode=block";
- add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
- add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
-
- root /var/www/webmap;
- index index.html;
-
- location ^~ /assets/ {
- expires 7d;
- gzip_static on;
- try_files $uri =404;
- }
- location ^~ /tiles/ {
- expires 1d;
- gzip_static on;
- try_files $uri =404;
- error_page 404 /_.txt;
- }
-
- location = /_.txt {
- # cache 404 responses
- add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
- add_header Cache-Control "public; max-age=86400" always;
- internal;
- }
-
- location / {
- try_files $uri $uri/ =404;
- }
-}
diff --git a/files/etc/postfix/master.cf b/files/etc/postfix/master.cf
new file mode 100644
index 0000000..3c60f31
--- /dev/null
+++ b/files/etc/postfix/master.cf
@@ -0,0 +1,44 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+ -o smtp_tls_security_level=fingerprint
+relay-smtps unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+ -o smtp_tls_wrappermode=yes
+ -o smtp_tls_security_level=fingerprint
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
diff --git a/files/etc/postfix/tls_policy b/files/etc/postfix/tls_policy
index 2af19c5..c5641d3 100644
--- a/files/etc/postfix/tls_policy
+++ b/files/etc/postfix/tls_policy
@@ -1,3 +1,3 @@
 # WARN: smtp_tls_fingerprint_digest MUST be sha256!
-[smtp.guilhem.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2
+[smtp.guilhem.org]:465 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2 match=B2:37:09:EC:B9:54:DC:51:FA:77:A1:31:0D:30:06:84:7E:10:81:5B:9B:30:B0:31:6E:9A:7B:53:13:C8:37:62
diff --git a/files/etc/postgresql/postgresql.conf b/files/etc/postgresql/postgresql.conf
new file mode 100644
index 0000000..038438a
--- /dev/null
+++ b/files/etc/postgresql/postgresql.conf
@@ -0,0 +1,4 @@
+shared_buffers = 768MB
+temp_buffers = 128MB
+work_mem = 16MB
+effective_cache_size = 1536MB
diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+ --single-interpreter --die-on-term \
+ --close-on-exec --close-on-exec2 \
+ --max-requests 1000 \
+ --max-worker-lifetime 86400 \
+ --max-worker-lifetime-delta 11 \
+ --harakiri 60 \
+ --lazy-apps \
+ --plugins python3 \
+ --pythonpath /usr/local/share/webmap \
+ --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
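Review bot: The rewritten policy row pins `[smtp.guilhem.org]:465` only, while master.cf in this same commit still defines the STARTTLS transport `relay` with `-o smtp_tls_security_level=fingerprint` next to the wrapper-mode `relay-smtps` one; if anything in main.cf or transport maps (outside this diff) still routes through `relay` to port 587, those deliveries now have no `match=` entry and will fail closed rather than fall back to plaintext, which is the safe outcome but deserves a comment or the removal of the unused transport. The `match=` value is a certificate (or public-key) fingerprint that has to be refreshed whenever the relay's certificate is renewed, so a comment next to the `# WARN:` line recording the renewal procedure or the certificate's validity window would save a future outage. The digest requirement stated in the comment is only enforced by `smtp_tls_fingerprint_digest` in main.cf, which this diff does not touch; confirm it is set to sha256 there.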
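Review bot: The `# Hardening` block in webmap-cgi.service (and the identical blocks in webmap-download@.service and webmap-import@.service) stops short of the options that matter most for a network-facing Python worker: there is no `CapabilityBoundingSet=`, `SystemCallFilter=`, `RestrictNamespaces=`, `LockPersonality=`, `RestrictRealtime=`, `ProtectKernelLogs=`, `ProtectClock=` or `ProtectHostname=`, so a compromised uWSGI worker keeps capabilities and the full syscall surface. `DynamicUser=yes` already implies `PrivateTmp=yes`, `ProtectSystem=strict` and `NoNewPrivileges=yes`, so the explicit ones are redundant but harmless, and `After=syslog.target` is an obsolete target that can be dropped. The additions below are the usual baseline; `SystemCallFilter=` is the one most likely to break uWSGI or a Python extension, so check the result with `systemd-analyze security webmap-cgi.service` and a request against `/q` before rolling it to the two updater units.
```ini
# Hardening
# … unchanged: NoNewPrivileges=, ProtectHome=, ProtectSystem=, PrivateDevices=, ProtectControlGroups=, ProtectKernelModules=, ProtectKernelTunables=, RestrictAddressFamilies= …
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```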
diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket
new file mode 100644
index 0000000..2828985
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
new file mode 100644
index 0000000..d7a49dc
--- /dev/null
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap updater service (download ‘%I’)
+# Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
+# XXX Looks like Upholds= prevents running a single unit, as it causes
+# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
+After=network-online.target webmap-update@%i.target
+Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-download
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-download \
+ --cachedir=%C/webmap \
+ --lockdir=%t/lock/webmap/cache \
+ --no-exit-code \
+ --quiet \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%C/webmap
+ReadWritePaths=%t/lock/webmap/cache
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
new file mode 100644
index 0000000..964c37d
--- /dev/null
+++ b/files/etc/systemd/system/webmap-import@.service
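Review bot: `SocketMode=0666` makes `/run/webmap-cgi.socket` connectable by every local account, so any process on the host can speak the uwsgi protocol to the worker directly and bypass the `limit_except POST`, `client_max_body_size 64k` and header policy that nginx enforces in `location = /q`. Only nginx needs the socket and `SocketUser=www-data` already names its account, so `SocketMode=0660` together with `SocketGroup=www-data` keeps nginx's access and removes everyone else's. `After=syslog.target` is an obsolete target and can be dropped here as in the service unit.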
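Review bot: `After=network-online.target` on its own only orders the unit relative to that target if something else pulls the target in; without a matching `Wants=network-online.target` a boot-time firing of the timer can start the download before the network is up, so add `Wants=network-online.target` next to the `After=` line. `--no-exit-code` combined with `--quiet` looks like it turns a failed download into exit status 0 (inferred from the flag names, not visible here); if so, systemd records the oneshot as successful and `webmap-import@%i.service`, which is only `After=` this unit, proceeds on whatever is already in `%C/webmap`. If stale data is acceptable by design, a one-line comment above `ExecStart=` saying so would help the next reader; otherwise drop `--no-exit-code` so the failure is visible in the unit state and journal.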
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap updater service (import ‘%I’ to PostGIS)
+After=postgresql.service webmap-update@%i.target
+After=webmap-download@%i.service
+Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-import \
+ --cachedir=%C/webmap \
+ --lockfile=%t/lock/webmap/lock \
+ --lockdir-sources=%t/lock/webmap/cache \
+ --mvtdir=/var/www/webmap/tiles/%I \
+ --mvt-compress \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
+ReadWritePaths=/var/www/webmap/tiles
+PrivateTmp=yes
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
new file mode 100644
index 0000000..840de96
--- /dev/null
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -0,0 +1,3 @@
+[Unit]
+Description=Webmap updater (target unit ‘%I’)
+StopWhenUnneeded=true
diff --git a/files/etc/systemd/system/webmap-update@.timer b/files/etc/systemd/system/webmap-update@.timer
new file mode 100644
index 0000000..74fb848
--- /dev/null
+++ b/files/etc/systemd/system/webmap-update@.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap updater (timer unit)
+
+[Timer]
+OnCalendar=*-*-* 01:00:00
+AccuracySec=1s
+RandomizedDelaySec=3599
+Unit=webmap-update@%i.target
+
+[Install]
+WantedBy=timers.target
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
new file mode 100644
index 0000000..786e6dd
--- /dev/null
+++ b/files/etc/tmpfiles.d/webmap.conf
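Review bot: The timer in webmap-update@.timer has no `Persistent=true`, so a 01:00 firing missed while the host is down is not caught up at the next boot and the served tiles stay a day older than intended; add `Persistent=true` under `[Timer]` if catch-up runs are wanted. `AccuracySec=1s` with `RandomizedDelaySec=3599` spreads the load as intended, but a comment noting that the effective start window is 01:00–02:00 would make the chosen value self-explanatory.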
@@ -0,0 +1,8 @@
+d %t/lock/webmap 00755 root root
+
+# for `webmap-download --lockdir` *and* `webmap-import --lockdir-sources`
+# (hence the set-group-ID bit and g+w)
+d %t/lock/webmap/cache 02775 _webmap-download _webmap
+
+# for `webmap-import --lockfile`
+f %t/lock/webmap/lock 00644 _webmap _webmap |