
@komuw
Last active September 26, 2016 10:07
ssl on nginx django
#A very good resource on configuring some webservers with ssl:
https://wiki.mozilla.org/Security/Server_Side_TLS
# create a file: /etc/nginx/sites-enabled/app_name.conf and also link to /etc/nginx/sites-available/app_name.conf
# and edit as:
# Custom access-log format: the fields of nginx's standard "combined" format
# plus $request_time (seconds nginx spent serving the request, useful for
# spotting slow upstream/gunicorn responses).
# Select it in a server or location block with:  access_log /path/to/file timed_combined;
log_format timed_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time';
# nginx can't listen on the same port for both http and https traffic (see below for a solution);
# each needs to be on its own port.
# SERVER_IP is the public IP, or 127.0.0.1 for localhost
# if HTTP_APP_PORT is any port other than 80, it doesn't seem to work
# Plain-HTTP listener whose only job is to send every request to the HTTPS
# listener below, preserving the original path and query string.
# 301 is cached by browsers as permanent; 307 would instead keep the original
# HTTP method (e.g. POST) across the redirect.
server {
    listen {{ HTTP_APP_PORT }};
    # Bind to one address only instead of every interface:
    #listen {{ SERVER_IP }}:{{ HTTP_APP_PORT }};

    return 301 https://{{ SERVER_IP }}:{{ HTTPS_APP_PORT }}$request_uri;

    # NOTE(review): a server-level `return` is processed before location
    # matching, so any plain-HTTP exceptions added as location{} blocks here
    # would most likely never be reached; the return would have to move into
    # a `location /` block for that to work — confirm before relying on it.
}
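# HTTPS listener: terminates TLS and proxies to gunicorn over plain HTTP.
server {
    listen {{ HTTPS_APP_PORT }} ssl;
    # `ssl on;` is redundant with the `ssl` listen parameter (deprecated since
    # nginx 1.15.0, removed in 1.25.1), so it is intentionally omitted.

    ssl_certificate     /path/to/ssl_cert_signed.cer;
    ssl_certificate_key /path/to/ssl_cert_secret.key;
    # Only modern protocol versions; take the cipher list and the remaining
    # TLS parameters from the Mozilla server-side TLS guide linked at the
    # top of this file rather than relying on the compiled-in defaults.
    ssl_protocols TLSv1.2 TLSv1.3;

    # ssl_client_certificate only has an effect once ssl_verify_client is
    # enabled (on / optional / optional_no_ca).  With it commented out no
    # client certificate is requested, so this CA bundle is currently unused.
    ssl_client_certificate /path/to/client_cert_CA.cer;
    #ssl_verify_client optional;

    # Static files served directly by nginx.
    # `alias` replaces exactly the matched prefix, so keep the location and
    # APP_STATIC_DIR consistent: both with a trailing slash or both without.
    # A mismatch mangles paths, and a trailing slash on the alias alone lets
    # requests such as /static../ map outside the static directory.
    location /static {
        alias {{ APP_STATIC_DIR }};
    }

    # Everything else goes to gunicorn.
    location / {
        proxy_pass_header Server;
        proxy_set_header  Host       $http_host;
        proxy_redirect    off;
        proxy_set_header  X-Real-IP  $remote_addr;
        # Django's SECURE_PROXY_SSL_HEADER reads HTTP_X_FORWARDED_PROTO, i.e.
        # the X-Forwarded-Proto header.  The previous header name
        # (X-Forwarded-Protocol) is never read by Django, which meant (a)
        # Django never saw the request as secure and (b) a client-supplied
        # X-Forwarded-Proto passed through to the app unchanged.  Setting it
        # unconditionally here overwrites whatever the client sent, which is
        # the precondition Django's documentation requires for that setting.
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300;
        proxy_read_timeout    300;
        # Traffic to gunicorn is plaintext; point this at a loopback/private
        # address (and bind gunicorn there) so the decrypted stream is not
        # reachable from outside the host.
        proxy_pass http://{{ SERVER_IP }}:{{ GUNICORN_PORT }}/;
    }
}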
#django settings.py
# Treat a request as HTTPS when the reverse proxy in front of Django says so.
# This is only safe if the proxy ALWAYS sets X-Forwarded-Proto itself,
# overwriting any value the client sent; otherwise a client can claim "https".
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

# Mark the session and CSRF cookies Secure so browsers only send them over TLS.
SESSION_COOKIE_SECURE = CSRF_COOKIE_SECURE = True
# optional: if you decide to have gunicorn handle ssl itself
$ gunicorn my_app.wsgi:application --workers=3 --bind="0.0.0.0:3000" --settings="my_app.settings.development" --keyfile=/path/to/ssl_cert_secret.key --certfile=/path/to/ssl_cert_signed.cer --ca-certs=/path/to/client_cert_CA.cer
# to handle http and https on the same port, use only one server block and:
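# Single listener that serves HTTPS and turns plain-HTTP requests arriving on
# the same port into a redirect to the HTTPS URL.
server {
    listen {{ HTTPS_APP_PORT }} ssl;
    # Listening on the server's private address keeps the app server from
    # being reachable on the public IP:
    #listen {{ ansible_eth0.ipv4.address }}:{{ APP_PORT }};

    ssl_certificate     /path/to/ssl_cert_signed.cer;
    ssl_certificate_key /path/to/ssl_cert_secret.key;
    # Only modern protocol versions; take the cipher list and the remaining
    # TLS parameters from the Mozilla server-side TLS guide linked at the
    # top of this file rather than relying on the compiled-in defaults.
    ssl_protocols TLSv1.2 TLSv1.3;

    # ssl_client_certificate only has an effect once ssl_verify_client is
    # enabled (on / optional / optional_no_ca).  With it commented out no
    # client certificate is requested, so this CA bundle is currently unused.
    ssl_client_certificate /path/to/client_cert_CA.cer;
    #ssl_verify_client optional;

    # 497 is nginx's internal code for "plain HTTP request sent to an ssl
    # port".  Redirecting it via error_page is what lets http and https share
    # one port; `=307` makes the redirect a 307 so the original HTTP method
    # and body are preserved (a 301 would turn a POST into a GET).
    # The previous directive also listed 301 among the intercepted codes,
    # which would have rewritten nginx's own 301 responses (e.g. trailing-
    # slash redirects) into this redirect; only 497 is intercepted now.
    # see: http://bit.ly/1C0kgny and http://bit.ly/1uX5jNO
    error_page 497 =307 https://{{ SERVER_IP }}:{{ HTTPS_APP_PORT }}$request_uri;

    # Static files served directly by nginx.
    # `alias` replaces exactly the matched prefix, so keep the location and
    # APP_STATIC_DIR consistent: both with a trailing slash or both without.
    # A mismatch mangles paths, and a trailing slash on the alias alone lets
    # requests such as /static../ map outside the static directory.
    location /static {
        alias {{ APP_STATIC_DIR }};
    }

    # Everything else goes to gunicorn.
    location / {
        proxy_pass_header Server;
        proxy_set_header  Host       $http_host;
        proxy_redirect    off;
        proxy_set_header  X-Real-IP  $remote_addr;
        # Django's SECURE_PROXY_SSL_HEADER reads HTTP_X_FORWARDED_PROTO, i.e.
        # the X-Forwarded-Proto header.  The previous header name
        # (X-Forwarded-Protocol) is never read by Django, which meant (a)
        # Django never saw the request as secure and (b) a client-supplied
        # X-Forwarded-Proto passed through to the app unchanged.  Setting it
        # unconditionally here overwrites whatever the client sent, which is
        # the precondition Django's documentation requires for that setting.
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300;
        proxy_read_timeout    300;
        # Traffic to gunicorn is plaintext; point this at a loopback/private
        # address (and bind gunicorn there) so the decrypted stream is not
        # reachable from outside the host.
        proxy_pass http://{{ SERVER_IP }}:{{ GUNICORN_PORT }}/;
    }
}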
#To add HTTP Strict Transport Security (HSTS) to nginx
#HSTS allows web servers to declare that web browsers (clients) should only interact with it using secure HTTPS & never via HTTP
server {
listen 443 ssl;
server_name my_server_name.com;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
#max-age specifies how long, in seconds, you want the client to treat you as an HSTS host. Here it's 1 year, and each time the client visits my site and receives the header, the timer is reset back to a year.
#The 'includeSubdomains' directive is fairly self explanatory. If you want the HSTS policy to be enforced on all of your sub-domains, include the directive in your header.