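###################
#                 #
#     Basics      #
#                 #
###################
# Walkthrough steps for a fresh Ubuntu host, run one at a time as the
# "ubuntu" user (sudo where root is needed) — not an unattended script.

# Updating
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y dist-upgrade

# install webserver + git
sudo apt-get -y install nginx git

# setup git repo
# /var/www/app is the deploy target: written by the deploy user, readable by nginx.
sudo mkdir -p /var/www/app
sudo chown ubuntu:www-data /var/www/app
# The bare repo is written to by whoever pushes over ssh (the ubuntu user), so it
# must be owned by that user; `git init` in a root-owned /git fails with EACCES.
sudo mkdir -p /git
sudo chown ubuntu:ubuntu /git
cd /git
git init --bare
cd hooks
# post-receive: check the pushed tree out into the web root. `set -e` makes a
# failed checkout abort the hook (and any steps appended later) instead of
# continuing with a half-deployed tree. Plain `>` so re-running the walkthrough
# does not duplicate the hook body.
printf '#!/bin/sh\nset -e\nGIT_WORK_TREE=/var/www/app git checkout -f\n' > post-receive
chmod +x post-receive

# let's encrypt (https)
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
# --standalone binds port 80/443 itself for the challenge; the nginx package
# installed above is already listening there, so stop it for the duration.
sudo service nginx stop
./letsencrypt-auto certonly --standalone --email sjradach@mtu.edu -d rainbowmonkeys.net
sudo service nginx start
# NOTE(review): Let's Encrypt certificates are short-lived; schedule a renewal
# (e.g. `letsencrypt-auto renew` from cron) or the site breaks at expiry.

cd /etc/nginx
sudo mkdir -p ssl
cd ssl
sudo openssl dhparam -out dhparam.pem 4096 # note this takes a LONG time to run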
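###################
#                 #
#      PHP5       #
#                 #
###################
# install php5 fastcgi for nginx ("install" was missing from the original line,
# so apt-get did nothing)
sudo apt-get -y install php5-fpm

# nginx configuration for php app.
# Written with a quoted heredoc so nginx's $variables are not expanded by the
# shell. Adjust the target path to whichever site file nginx loads on this host.
sudo tee /etc/nginx/sites-available/default >/dev/null <<'EOF'
server {
  listen 80;
  server_name rainbowmonkeys.net;
  return 301 https://$server_name$request_uri;
}

# HTTPS server
server {
  # "listen ... ssl" replaces the deprecated "ssl on;" and works on old nginx too.
  listen 443 ssl;
  server_name rainbowmonkeys.net;
  root /var/www/app;
  index index.html index.htm index.php;

  ssl_certificate /etc/letsencrypt/live/rainbowmonkeys.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/rainbowmonkeys.net/privkey.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:10m;
  # TLS 1.0/1.1 are deprecated (RFC 8996). Add TLSv1.3 if the installed
  # nginx/OpenSSL support it.
  ssl_protocols TLSv1.2;
  # Forward-secret suites only, AEAD first. The original list fell back to
  # static-RSA and 3DES (DES-CBC3-SHA, SWEET32); "!DES" does not exclude 3DES,
  # "!3DES" does.
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EECDH+AES128:EDH+AES256:EDH+AES128:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  # Two-year HSTS. The preload list requires includeSubDomains; keep "preload"
  # only if every subdomain can serve HTTPS, because a preload entry is hard to undo.
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    # SSI is processed in every file under root, so anything that can place
    # content there can inject SSI directives. Turn it off if the site does
    # not actually use SSI.
    ssi on;
  }

  location ~ \.php$ {
    # Only pass PHP files that really exist. Without this, a request such as
    # /uploads/x.jpg/foo.php reaches php-fpm, and with cgi.fix_pathinfo=1 (the
    # PHP 5 default) x.jpg is executed as PHP. Set cgi.fix_pathinfo=0 in php.ini too.
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
}
EOF
# Validate the config before reloading so a typo does not take the site down.
sudo nginx -t && sudo service nginx reload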
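###################
#                 #
#     Node.JS     #
#                 #
###################
# install node, npm, and pm2
sudo apt-get -y install nodejs npm
sudo ln -s /usr/bin/nodejs /usr/bin/node
# pm2 comes from the npm registry over the network; pin it (`pm2@<x.y.z>`) if
# this setup has to be reproducible.
sudo npm install -g pm2

# add to git post-receive
# The hook lives in /git/hooks/, not /git/. The deploy user owns the repo, so no
# sudo is needed — and `sudo cmd >> file` would not elevate the redirect anyway.
# `npm install --production` installs what package.json declares; `npm update`
# would instead pull the newest matching release of every dependency on each
# push, so what runs in production would drift from what was tested.
printf 'cd /var/www/app\n' >> /git/hooks/post-receive
printf 'npm install --production\n' >> /git/hooks/post-receive

# setup pm2
cd /var/www/app
pm2 start --watch --name "app" index.js
pm2 save
# `pm2 startup` prints a command that has to be run with sudo to install the
# boot script; it does not install it by itself.
pm2 startup ubuntu

# nginx configuration for Node.JS app: TLS termination, everything proxied to
# the app on 127.0.0.1:3000. Quoted heredoc so nginx's $variables stay literal;
# adjust the target path to the site file nginx loads on this host.
sudo tee /etc/nginx/sites-available/default >/dev/null <<'EOF'
server {
  listen 80;
  server_name rainbowmonkeys.net;
  return 301 https://$server_name$request_uri;
}

# HTTPS server
server {
  # "listen ... ssl" replaces the deprecated "ssl on;" and works on old nginx too.
  listen 443 ssl;
  server_name rainbowmonkeys.net;

  ssl_certificate /etc/letsencrypt/live/rainbowmonkeys.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/rainbowmonkeys.net/privkey.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:10m;
  # TLS 1.0/1.1 are deprecated (RFC 8996). Add TLSv1.3 if the installed
  # nginx/OpenSSL support it.
  ssl_protocols TLSv1.2;
  # Forward-secret suites only, AEAD first; static-RSA and 3DES (SWEET32)
  # from the original list are dropped ("!DES" alone does not exclude 3DES).
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EECDH+AES128:EDH+AES256:EDH+AES128:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  # Two-year HSTS. The preload list requires includeSubDomains; keep "preload"
  # only if every subdomain can serve HTTPS, because a preload entry is hard to undo.
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

  # No root/index here: every request is proxied, nginx serves no files itself.
  location / {
    proxy_pass http://127.0.0.1:3000;
    # X-Forwarded-For / X-Forwarded-Proto let the app see the real client and
    # scheme; the app must trust these only because nginx is the sole way in.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
  }
}
EOF
# Validate the config before reloading so a typo does not take the site down.
sudo nginx -t && sudo service nginx reload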
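###################
#                 #
#   Clientside    #
#                 #
###################
# from your local git repo
# ssh:// URLs put the path directly after the host (ssh://user@host/path); the
# original "host:/git" mixes in the scp-style separator, which is ambiguous to
# git's URL parser. The scp-style form would be ubuntu@rainbowmonkeys.net:/git.
# NOTE(review): pushing as "ubuntu" means whoever holds that ssh key can deploy
# and also has the sudo rights this walkthrough uses; a dedicated deploy user
# that owns only /git and /var/www/app is the least-privilege option.
git remote add prod ssh://ubuntu@rainbowmonkeys.net/git
# -u records prod/master as upstream, so later deploys are just `git push prod`.
git push -u prod master
# subsequent deploys: git push prod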