This repository has been archived by the owner on Dec 17, 2024. It is now read-only.

Nginx hardering and refactor #13

Open
wants to merge 2 commits into
base: master

This file was deleted.

24 changes: 0 additions & 24 deletions src/modules/fluidd/filesystem/root/etc/nginx/conf.d/upstreams.conf

This file was deleted.

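--- a/src/modules/fluidd/filesystem/root/etc/nginx/nginx.conf
+++ b/src/modules/fluidd/filesystem/root/etc/nginx/nginx.conf
@@ -0,0 +1,44 @@
+user www-data;
+worker_processes auto;
+
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+worker_connections 768;
+# multi_accept on;
+}
+
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main;
+error_log /var/log/nginx/error.log warn;
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+server_tokens off;
+keepalive_timeout 65;
+
+gzip on;
+gzip_vary on;
+gzip_min_length 800;
+gzip_proxied expired no-cache no-store private auth;
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';
+
+access_log off;
+
+include /etc/nginx/proxy.conf;
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}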
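Review bot: The `access_log off;` near the end of the `http` block cancels the earlier `access_log /var/log/nginx/access.log main;` declared at the same level, so that line and the `main` format are dead configuration. As written, any server block that does not set its own `access_log` records no requests at all, which leaves nothing to review after an incident. If per-server logging is the intent, remove the `main` line and put a comment above the `off` line, for example `# access logging is enabled per server block using the vhost format`. Otherwise drop `access_log off;`.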
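--- a/src/modules/fluidd/filesystem/root/etc/nginx/proxy.conf
+++ b/src/modules/fluidd/filesystem/root/etc/nginx/proxy.conf
@@ -0,0 +1,8 @@
+proxy_http_version 1.1;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port 443;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;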
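Review bot: `proxy_set_header X-Forwarded-Port 443;` is hard-coded, but the only server block this pull request leaves enabled listens on port 80 and the HTTPS block is commented out, so the backend is told a port the client never used. `proxy_set_header X-Forwarded-Port $server_port;` would report the real one for both listeners. These headers are set at `http` level, so a location that later adds a `proxy_set_header` of its own silently loses all of them. A top-of-file comment such as `# inherited only by locations that declare no proxy_set_header themselves` would save the next editor from that.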
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}

## Enable default site
#server {
# server_name _; # This is just an invalid value which will never trigger on a real hostname.
# listen 80;
# listen [::]:80;
# access_log /var/log/nginx/access.log vhost;
# return 503;
#}
#server {
# server_name _; # This is just an invalid value which will never trigger on a real hostname.
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# access_log /var/log/nginx/access.log vhost;
# return 503;
# ssl_certificate /etc/nginx/certs/default.crt;
# ssl_certificate_key /etc/nginx/certs/default.key;
#}
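Review bot: The first `map` forwards whatever `X-Forwarded-Proto` the client sent (`default $http_x_forwarded_proto;`), which is only sound when a trusted proxy in front of this nginx sets that header. Nothing on this page shows such a proxy, and the fluidd server block listens on port 80 directly, so a plain-HTTP client can declare `https` and the backend has no way to tell. Unless an upstream TLS terminator is expected, drop the map and use `proxy_set_header X-Forwarded-Proto $scheme;`. Otherwise state the assumption in the comment above the map, for example `# only valid behind a trusted reverse proxy that overwrites X-Forwarded-Proto`.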
71 changes: 33 additions & 38 deletions src/modules/fluidd/filesystem/root/etc/nginx/sites-available/fluidd
@@ -1,25 +1,41 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
upstream apiserver {
ip_hash;
server 127.0.0.1:7125;
}

access_log /var/log/nginx/fluidd-access.log;
error_log /var/log/nginx/fluidd-error.log;
upstream mjpgstreamer1 {
ip_hash;
server 127.0.0.1:8080;
}

# disable this section on smaller hardware like a pi zero
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_proxied expired no-cache no-store private auth;
gzip_comp_level 4;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
server {
server_name _;
listen 80;
listen [::]:80;
access_log /var/log/nginx/access.log vhost;
## Enable https
# return 301 https://$host$request_uri;
#}
#
#server {
# server_name _;
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# access_log /var/log/nginx/access.log vhost;
# ssl_protocols TLSv1.1 TLSv1.2;
# ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
# ssl_prefer_server_ciphers on;
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:50m;
# ssl_certificate /etc/nginx/certs/fluidd.crt;
# ssl_certificate_key /etc/nginx/certs/fluidd.key;
# add_header Strict-Transport-Security "max-age=31536000";
# add_header X-Frame-Options "SAMEORIGIN";

# web_path from fluidd static files
root /home/pi/fluidd;

index index.html;
server_name _;

# disable max upload size checks
client_max_body_size 0;
Expand All @@ -37,36 +53,15 @@ server {

location /websocket {
proxy_pass http://apiserver/websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 86400;
}

location ~ ^/(printer|api|access|machine|server)/ {
proxy_pass http://apiserver$request_uri;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
}

location /webcam/ {
proxy_pass http://mjpgstreamer1/;
}

location /webcam2/ {
proxy_pass http://mjpgstreamer2/;
}

location /webcam3/ {
proxy_pass http://mjpgstreamer3/;
}

location /webcam4/ {
proxy_pass http://mjpgstreamer4/;
}
}
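Review bot: The commented HTTPS template would enable TLS 1.1 and a cipher list that still admits `DES-CBC3-SHA`, CAMELLIA and static-RSA CBC suites as soon as a user uncomments it, which is hard to reconcile with a hardening change. I would ship the template with `# ssl_protocols TLSv1.2 TLSv1.3;` and trim `ssl_ciphers` to the ECDHE AES-GCM entries already at the front of the list. The rendered page does not mark which lines of this section are old and which are new, so this assumes the `## Enable https` block is part of the new side. The `Strict-Transport-Security` header in the same block deserves a comment that it should only be enabled once a valid certificate is in place, because browsers will refuse plain HTTP for the stated `max-age` afterwards.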

Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
d /var/log/nginx 0755 www-data www-data - -
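Review bot: This entry makes `/var/log/nginx` owned by `www-data`, the same account `nginx.conf` in this pull request assigns to the worker processes (`user www-data;`). A compromised worker could then delete or replace the access and error logs, or swap a log file for a symlink that a root-run log rotation job might follow. The nginx master opens its log files before dropping privileges, so the directory does not need to be writable by the worker; `d /var/log/nginx 0755 root adm - -` keeps the logs out of its reach.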
5 changes: 3 additions & 2 deletions src/modules/fluidd/start_chroot_script
Expand Up @@ -22,7 +22,8 @@ echo "Installing Fluidd"
apt update
apt install nginx -y
rm /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/fluidd /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/fluidd /etc/nginx/sites-enabled/fluidd
cd /home/pi/
[ ! -d /home/pi/gcode_files ] && su -c "mkdir /home/pi/gcode_files" - pi
su -c "mkdir /home/pi/fluidd" - pi
Expand All @@ -37,4 +38,4 @@ ln -s /var/log/nginx/fluidd-error.log /home/pi/klipper_logs/
# Run installation steps defined above

# Unpack root at the end, so files are modified before
unpack /filesystem/root /
unpack /filesystem/root /
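Review bot: The script removes `/etc/nginx/sites-enabled/default` and then links it straight back to `/etc/nginx/sites-available/default`, which at that point in the build is still the file shipped by the nginx package. The distribution's stock default site stays enabled unless the later `unpack /filesystem/root /` overwrites that path; the 30-line file with the commented-out default servers shown earlier on this page has no visible path, so I cannot confirm that it does. Please verify that it lands at `sites-available/default`, and add a comment above the `ln -s` line such as `# replaced by filesystem/root at unpack time`. The hunk header context also shows `ln -s /var/log/nginx/fluidd-error.log /home/pi/klipper_logs/`, while the new configuration appears to log to `access.log` and `error.log`, so that link may now dangle.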
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@
# Current working directory is the mjpg-streamer base directory.
#
#camera_http_webroot="./www-fluidd"
#camera_http_options="-n"
camera_http_options="-n -l 127.0.0.1"

### EXPERIMENTAL
# Support for different streamer types.
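Review bot: The new `camera_http_options="-n -l 127.0.0.1"` line carries no comment, and the surrounding comments still describe the option as an optional override. Binding the streamer to loopback means it is reachable only through the nginx `/webcam/` location, and anyone who opened the camera port directly will find it closed after upgrading. A line above it such as `# Listen on loopback only; the stream is published through nginx at /webcam/` would make the intent and the dependency on the proxy explicit.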
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
[server]
host: 0.0.0.0
host: 127.0.0.1
port: 7125
enable_debug_logging: False
config_path: ~/klipper_config
Expand Down Expand Up @@ -37,4 +37,4 @@ enable_auto_refresh: True
[update_manager client fluidd]
type: web
repo: fluidd-core/fluidd
path: ~/fluidd
path: ~/fluidd
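Review bot: With `host: 127.0.0.1`, every request now reaches Moonraker from nginx on the loopback address, which makes the `[authorization]` settings the remaining access control. That section is collapsed on this page. If its `trusted_clients` list covers 127.0.0.1 or a loopback range, please check how Moonraker derives the client address behind a proxy, since the `X-Forwarded-For` value nginx passes on includes whatever the client supplied. A comment above the `host:` line such as `# loopback only; external access goes through the nginx reverse proxy` would record why the bind address changed.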