Différences
tech:web-01 [18/09/2025 00:04] – [Stockage] LibertAdmin | tech:web-01 [14/10/2025 08:15] (Version actuelle) – [Liberta (Site principal)] LibertAdmin | ||
Ligne 1176: | Ligne 1176: | ||
</ | </ | ||
+ | ==== Partie logicielle ==== | ||
+ | |||
+ | Toutes les applications web des services sont servies par le serveur / reverse-proxy Nginx dont voici les configurations pour chaque application ainsi que les configurations communes. | ||
+ | |||
+ | Nous avons décidé de bannir dans la configuration générale un certain nombre de pays nous noyant de spam et d' | ||
+ | |||
+ | <code bash> | ||
+ | # cat / | ||
+ | user www-data; | ||
+ | worker_processes auto; | ||
+ | pid / | ||
+ | include / | ||
+ | |||
+ | events { | ||
+ | worker_connections 1024; | ||
+ | multi_accept on; | ||
+ | use epoll; | ||
+ | } | ||
+ | |||
+ | http { | ||
+ | server_names_hash_bucket_size 64; | ||
+ | |||
+ | # Liberta : no more reverse proxy: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | include / | ||
+ | default_type application/ | ||
+ | access_log / | ||
+ | error_log / | ||
+ | sendfile on; | ||
+ | send_timeout 3600; | ||
+ | tcp_nopush on; | ||
+ | tcp_nodelay on; | ||
+ | open_file_cache max=500 inactive=10m; | ||
+ | open_file_cache_errors on; | ||
+ | keepalive_timeout 65; | ||
+ | reset_timedout_connection on; | ||
+ | server_tokens off; | ||
+ | resolver_timeout 5s; | ||
+ | proxy_buffers 16 16k; | ||
+ | proxy_buffer_size 16k; | ||
+ | fastcgi_buffers 64 4K; | ||
+ | client_max_body_size 8G; | ||
+ | |||
+ | ## | ||
+ | # Logging Settings | ||
+ | ## | ||
+ | |||
+ | rewrite_log on; | ||
+ | access_log / | ||
+ | error_log / | ||
+ | |||
+ | # Liberta : ban all countries except those: | ||
+ | geoip_country / | ||
+ | map $geoip_country_code $allowed_country { | ||
+ | default no; | ||
+ | AL yes; | ||
+ | AD yes; | ||
+ | AM yes; | ||
+ | AT yes; | ||
+ | BA yes; | ||
+ | BE yes; | ||
+ | BG yes; | ||
+ | BY yes; | ||
+ | CH yes; | ||
+ | CY yes; | ||
+ | CZ yes; | ||
+ | DK yes; | ||
+ | EE yes; | ||
+ | FI yes; | ||
+ | FR yes; | ||
+ | FO yes; | ||
+ | DE yes; | ||
+ | GB yes; | ||
+ | GE yes; | ||
+ | GI yes; | ||
+ | GR yes; | ||
+ | HR yes; | ||
+ | HU yes; | ||
+ | IE yes; | ||
+ | IM yes; | ||
+ | IS yes; | ||
+ | IT yes; | ||
+ | LI yes; | ||
+ | LV yes; | ||
+ | LT yes; | ||
+ | LU yes; | ||
+ | MC yes; | ||
+ | MD yes; | ||
+ | ME yes; | ||
+ | MK yes; | ||
+ | MT yes; | ||
+ | NL yes; | ||
+ | NO yes; | ||
+ | PL yes; | ||
+ | PT yes; | ||
+ | RO yes; | ||
+ | SK yes; | ||
+ | SI yes; | ||
+ | ES yes; | ||
+ | RS yes; | ||
+ | RU yes; | ||
+ | SE yes; | ||
+ | SM yes; | ||
+ | TR yes; | ||
+ | UA yes; | ||
+ | VA yes; | ||
+ | XK yes; | ||
+ | # Allowed countries list: | ||
+ | # AL, | ||
+ | } | ||
+ | |||
+ | ## | ||
+ | # Virtual Host Configs | ||
+ | ## | ||
+ | |||
+ | include / | ||
+ | include / | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | Nous avons créé le fichier commun ''/ | ||
+ | |||
+ | Le fichier est agrémenté de directives de sécurité recommandées pour la plupart des applications (certaines modifient ces directives via leur propre configuration évidemment) : | ||
+ | |||
+ | <code bash> | ||
+ | # cat / | ||
+ | # Security headers | ||
+ | add_header X-XSS-Protection | ||
+ | add_header X-Content-Type-Options | ||
+ | add_header Referrer-Policy | ||
+ | add_header Content-Security-Policy | ||
+ | add_header Permissions-Policy | ||
+ | add_header Strict-Transport-Security " | ||
+ | |||
+ | # Dotfiles | ||
+ | location ~ / | ||
+ | deny all; | ||
+ | } | ||
+ | |||
+ | # ACME-challenge | ||
+ | location ^~ / | ||
+ | root / | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | |||
+ | === Liberta (Site principal)=== | ||
+ | |||
+ | Le site de Liberta est en pur HTML et CSS. Il **était**, il est passé sur [[https:// | ||
+ | |||
+ | Ce fichier contient la gestion globale du HTTP, lequel redirige tous les domaines vers HTTPS, notamment le site de Liberta qui est sur le sous-domaine '' | ||
+ | |||
+ | Nous listons volontairement notre répertoire '' | ||
+ | |||
+ | <code bash> | ||
+ | # Configuration globale : | ||
+ | # HTTP + redirect | ||
+ | server { | ||
+ | server_name _; | ||
+ | listen | ||
+ | listen | ||
+ | |||
+ | include letsencrypt_security.conf; | ||
+ | |||
+ | location / { | ||
+ | return 301 https:// | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # Domaine liberta.vip sans sous-domaine : | ||
+ | # HTTP + redirect | ||
+ | server { | ||
+ | server_name liberta.vip; | ||
+ | listen | ||
+ | listen | ||
+ | |||
+ | include letsencrypt_security.conf; | ||
+ | |||
+ | location / { | ||
+ | return 301 https:// | ||
+ | } | ||
+ | } | ||
+ | server { | ||
+ | server_name liberta.vip; | ||
+ | listen 443 ssl http2; | ||
+ | listen [::]:443 ssl http2; | ||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | return 301 https:// | ||
+ | } | ||
+ | # Liberta (Pur HTML / CSS) | ||
+ | # HTTP + redirect | ||
+ | server { | ||
+ | server_name www.liberta.vip; | ||
+ | listen | ||
+ | listen | ||
+ | |||
+ | include letsencrypt_security.conf; | ||
+ | |||
+ | location / { | ||
+ | return 301 https:// | ||
+ | } | ||
+ | } | ||
+ | server { | ||
+ | server_name www.liberta.vip; | ||
+ | listen 443 ssl http2; | ||
+ | listen [::]:443 ssl http2; | ||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | |||
+ | # Secure headers | ||
+ | add_header X-Frame-Options " | ||
+ | add_header Strict-Transport-Security " | ||
+ | add_header X-Xss-Protection "1; mode=block" | ||
+ | add_header Content-Security-Policy " | ||
+ | add_header X-Content-Type-Options " | ||
+ | |||
+ | |||
+ | root / | ||
+ | access_log / | ||
+ | error_log / | ||
+ | index index.html; | ||
+ | |||
+ | location = / | ||
+ | log_not_found off; | ||
+ | access_log off; | ||
+ | } | ||
+ | |||
+ | location = /robots.txt { | ||
+ | allow all; | ||
+ | log_not_found off; | ||
+ | access_log off; | ||
+ | } | ||
+ | | ||
+ | location = /img/ { | ||
+ | allow all; | ||
+ | log_not_found off; | ||
+ | access_log off; | ||
+ | autoindex on; | ||
+ | } | ||
+ | |||
+ | location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { | ||
+ | expires max; | ||
+ | log_not_found off; | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | Nous ne fournirons pas tous les détails des configurations pour chaque application, | ||
+ | |||
+ | À terme, nous prévoyons de publier notre configuration complète sur [[https:// | ||
+ | |||
+ | EN COURS DE RÉDACTION... | ||
+ | === CryptPad (Liberta Docs)=== | ||
+ | === Etherpad-Lite (Liberta Pad) === | ||
+ | === Funkwhale (Liberta Audio) === | ||
+ | === Nextcloud (Liberta Cloud) === | ||
+ | === Peertube (Liberta Vidéo) === | ||
+ | === WriteFreely (Liberta Blogs) === | ||
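Review bot: The `Strict-Transport-Security` header added to the common include at L144 is only effective when that file is included in an HTTPS server, yet the visible `include letsencrypt_security.conf;` lines at L174, L188 and L209 all sit in the port-80 redirect servers, where browsers ignore HSTS, and the HTTPS apex server at L194-L201 sends no HSTS header at all; adding `include letsencrypt_security.conf;` to that block would make https://liberta.vip pin the policy as well. A related nginx caveat belongs next to the sentence at L134: `add_header` directives are inherited from the enclosing level only if the current level defines none, so an application config that adds a single `add_header` in a `server` or `location` silently drops every header from the include — a line such as "toute directive add_header locale remplace l'ensemble des en-têtes hérités" would save readers from that surprise. Whether these headers carry the `always` parameter cannot be told from the truncated lines; without it nginx omits them on 4xx/5xx responses. The geoip `map` at L65-L121 only computes `$allowed_country`; the rejection itself (an `if ($allowed_country = no) { return 403; }` or equivalent) is not in this hunk and presumably lives in the vhost files, and `geoip_country` depends on the legacy GeoIP database format that MaxMind no longer updates, so the allow-list is evaluated against aging data.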