From 4c8af2a4b8c9a95897ae097a2ba173e59e79d798 Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Fri, 9 Dec 2016 10:28:38 -0500 Subject: [PATCH 1/6] update uwsgi/nginx dev configuration --- tools/docker-compose/nginx.conf | 6 ----- tools/docker-compose/nginx.vh.default.conf | 27 ++++++++++++++++++---- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/tools/docker-compose/nginx.conf b/tools/docker-compose/nginx.conf index 4f1f4e986e..9c9b7510e1 100644 --- a/tools/docker-compose/nginx.conf +++ b/tools/docker-compose/nginx.conf @@ -25,12 +25,6 @@ http { sendfile on; #tcp_nopush on; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - keepalive_timeout 65; - #gzip on; include /etc/nginx/conf.d/*.conf; diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf index 2325057378..bda25f75d2 100644 --- a/tools/docker-compose/nginx.vh.default.conf +++ b/tools/docker-compose/nginx.vh.default.conf @@ -7,17 +7,32 @@ upstream daphne { } server { - listen 8013 default_server; + listen 8013 default_server; + listen [::]:8013 default_server; + return 301 https://$host:8043$request_uri; +} + +server { listen 8043 default_server ssl; # If you have a domain name, this is where to add it server_name _; - keepalive_timeout 70; + keepalive_timeout 60; ssl_certificate /etc/nginx/nginx.crt; ssl_certificate_key /etc/nginx/nginx.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + + # intermediate configuration. tweak to your needs. + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; location /static/ { root /tower_devel; @@ -49,7 +64,9 @@ server { } location / { + uwsgi_read_timeout 30s; + uwsgi_send_timeout 30s; + uwsgi_pass uwsgi; include /etc/nginx/uwsgi_params; - uwsgi_pass uwsgi; } } From 88dc742f423968ebb6ca93ccfb3abc20b85feafd Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Fri, 9 Dec 2016 10:29:03 -0500 Subject: [PATCH 2/6] update uwsgi/nginx production configuration --- config/awx-nginx.conf | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/config/awx-nginx.conf b/config/awx-nginx.conf index 3df3155ec8..a14dd036cf 100644 --- a/config/awx-nginx.conf +++ b/config/awx-nginx.conf @@ -24,12 +24,6 @@ http { sendfile on; #tcp_nopush on; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - keepalive_timeout 65; - #gzip on; upstream uwsgi { @@ -42,16 +36,30 @@ http { server { listen 80 default_server; + listen [::]:80 default_server; + return 301 https://$host$request_uri; + } + + server { listen 443 default_server ssl; # If you have a domain name, this is where to add it server_name _; - keepalive_timeout 70; + keepalive_timeout 60; ssl_certificate /etc/tower/tower.cert; ssl_certificate_key /etc/tower/tower.key; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; + + # intermediate configuration ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } location /static { alias /var/lib/awx/public/static; } @@ -79,8 +87,10 @@ http { } location / { - include /etc/nginx/uwsgi_params; + uwsgi_read_timeout 30s; + uwsgi_send_timeout 30s; uwsgi_pass uwsgi; + include /etc/nginx/uwsgi_params; } } } From 5f5624c5a3dd69fef4e451cf504c8ae5a5b3942f Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Fri, 9 Dec 2016 11:00:52 -0500 Subject: [PATCH 3/6] Update to use Modern values for SSL --- tools/docker-compose/nginx.vh.default.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf index bda25f75d2..98c704671c 100644 --- a/tools/docker-compose/nginx.vh.default.conf +++ b/tools/docker-compose/nginx.vh.default.conf @@ -27,8 +27,8 @@ server { ssl_session_tickets off; # intermediate configuration. tweak to your needs. - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) From fafec3a0e3359cafce2631389179fb4e9ed9407c Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Fri, 9 Dec 2016 11:01:48 -0500 Subject: [PATCH 4/6] Update to use Modern values for SSL --- config/awx-nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/awx-nginx.conf b/config/awx-nginx.conf index a14dd036cf..eefb763834 100644 --- a/config/awx-nginx.conf +++ b/config/awx-nginx.conf @@ -54,8 +54,8 @@ http { ssl_session_tickets off; # intermediate configuration - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) From c6e1598b9cf6c376106dbb1b32eef1e05862ad4d Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Mon, 12 Dec 2016 00:58:06 -0500 Subject: [PATCH 5/6] explicitly set long harakiri time to deal with very large inventory deletes --- Makefile | 2 +- config/awx-nginx.conf | 9 ++++----- tools/docker-compose/nginx.vh.default.conf | 7 +++---- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/Makefile b/Makefile index 8bf3766abd..27aa0419f2 100644 --- a/Makefile +++ b/Makefile @@ -406,7 +406,7 @@ uwsgi: collectstatic @if [ "$(VENV_BASE)" ]; then \ . $(VENV_BASE)/tower/bin/activate; \ fi; \ - uwsgi -b 32768 --socket :8050 --module=awx.wsgi:application --home=/venv/tower --chdir=/tower_devel/ --vacuum --processes=5 --harakiri=60 --master --no-orphans --py-autoreload 1 --max-requests=1000 --stats /tmp/stats.socket --master-fifo=/tmp/awxfifo --lazy-apps + uwsgi -b 32768 --socket :8050 --module=awx.wsgi:application --home=/venv/tower --chdir=/tower_devel/ --vacuum --processes=5 --harakiri=120 --master --no-orphans --py-autoreload 1 --max-requests=1000 --stats /tmp/stats.socket --master-fifo=/tmp/awxfifo --lazy-apps daphne: @if [ "$(VENV_BASE)" ]; then \ diff --git a/config/awx-nginx.conf b/config/awx-nginx.conf index eefb763834..30806cbfe8 100644 --- a/config/awx-nginx.conf +++ b/config/awx-nginx.conf @@ -23,8 +23,8 @@ http { } sendfile on; - #tcp_nopush on; - #gzip on; + tcp_nopush on; + tcp_nodelay on; upstream uwsgi { server 127.0.0.1:8050; @@ -45,7 +45,7 @@ http { # If you have a domain name, this is where to add it server_name _; - keepalive_timeout 60; + keepalive_timeout 65; ssl_certificate /etc/tower/tower.cert; ssl_certificate_key /etc/tower/tower.key; @@ -87,8 +87,7 @@ http { } location / { - uwsgi_read_timeout 30s; - uwsgi_send_timeout 30s; + uwsgi_read_timeout 120s; uwsgi_pass uwsgi; include /etc/nginx/uwsgi_params; } diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf index 98c704671c..456b16953d 100644 --- a/tools/docker-compose/nginx.vh.default.conf +++ b/tools/docker-compose/nginx.vh.default.conf @@ -17,7 +17,7 @@ server { # If you have a domain name, this is where to add it server_name _; - keepalive_timeout 60; + keepalive_timeout 65; ssl_certificate /etc/nginx/nginx.crt; ssl_certificate_key /etc/nginx/nginx.key; @@ -64,9 +64,8 @@ server { } location / { - uwsgi_read_timeout 30s; - uwsgi_send_timeout 30s; - uwsgi_pass uwsgi; + uwsgi_read_timeout 120s; + uwsgi_pass uwsgi; include /etc/nginx/uwsgi_params; } } From 19f7d9e8d8b8830591096cf2083c6adbcfc8fa22 Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Mon, 12 Dec 2016 13:06:42 -0500 Subject: [PATCH 6/6] redirect if no forward-slash --- config/awx-nginx.conf | 2 + tools/docker-compose/nginx.vh.default.conf | 66 +++++++++++----------- 2 files changed, 36 insertions(+), 32 deletions(-) diff --git a/config/awx-nginx.conf b/config/awx-nginx.conf index 30806cbfe8..15e58678ba 100644 --- a/config/awx-nginx.conf +++ b/config/awx-nginx.conf @@ -87,6 +87,8 @@ http { } location / { + # Redirect if there is no forward-slash + rewrite ^(.*[^/])$ $1/ permanent; uwsgi_read_timeout 120s; uwsgi_pass uwsgi; include /etc/nginx/uwsgi_params; diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf index 456b16953d..5cabf89bbb 100644 --- a/tools/docker-compose/nginx.vh.default.conf +++ b/tools/docker-compose/nginx.vh.default.conf @@ -7,20 +7,20 @@ upstream daphne { } server { - listen 8013 default_server; - listen [::]:8013 default_server; - return 301 https://$host:8043$request_uri; + listen 8013 default_server; + listen [::]:8013 default_server; + return 301 https://$host:8043$request_uri; } server { - listen 8043 default_server ssl; + listen 8043 default_server ssl; - # If you have a domain name, this is where to add it + # If you have a domain name, this is where to add it server_name _; - keepalive_timeout 65; + keepalive_timeout 65; - ssl_certificate /etc/nginx/nginx.crt; - ssl_certificate_key /etc/nginx/nginx.key; + ssl_certificate /etc/nginx/nginx.crt; + ssl_certificate_key /etc/nginx/nginx.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; @@ -41,31 +41,33 @@ server { sendfile off; } - location /websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests - proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } + location /websocket { + # Pass request to the upstream alias + proxy_pass http://daphne; + # Require http version 1.1 to allow for upgrade requests + proxy_http_version 1.1; + # We want proxy_buffering off for proxying to websockets. + proxy_buffering off; + # http://en.wikipedia.org/wiki/X-Forwarded-For + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # enable this if you use HTTPS: + proxy_set_header X-Forwarded-Proto https; + # pass the Host: header from the client for the sake of redirects + proxy_set_header Host $http_host; + # We've set the Host header, so we don't need Nginx to muddle + # about with redirects + proxy_redirect off; + # Depending on the request value, set the Upgrade and + # connection headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } - location / { + location / { + # Add trailing / if missing + rewrite ^(.*[^/])$ $1/ permanent; uwsgi_read_timeout 120s; uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - } + include /etc/nginx/uwsgi_params; + } }