Only encrypt critical gogs screens in order to allow http clone
This commit is contained in:
Bob Mottram
parent
323662e5f6
commit
b9d7737728
|
|
@ -6761,6 +6761,16 @@ function install_gogs {
|
|||
echo 'and within the [server] section set:' >> /home/$MY_USERNAME/README
|
||||
echo "DOMAIN = $GIT_DOMAIN_NAME" >> /home/$MY_USERNAME/README
|
||||
echo "ROOT_URL = https://$GIT_DOMAIN_NAME/" >> /home/$MY_USERNAME/README
|
||||
echo '' >> /home/$MY_USERNAME/README
|
||||
echo "Note that there's a security compromise here." >> /home/$MY_USERNAME/README
|
||||
echo "In order to allow git clone via http we don't redirect everything" >> /home/$MY_USERNAME/README
|
||||
echo 'over https. Instead only critical things such as user login,' >> /home/$MY_USERNAME/README
|
||||
echo 'settings and admin are encrypted.' >> /home/$MY_USERNAME/README
|
||||
echo 'There are also potential security issues with cloning/pulling/pushing' >> /home/$MY_USERNAME/README
|
||||
echo 'code over http, since a determined adversary could inject malware' >> /home/$MY_USERNAME/README
|
||||
echo 'into the stream as it passes, so beware.' >> /home/$MY_USERNAME/README
|
||||
echo 'If you have a bought domain and a non-self signed cert then you' >> /home/$MY_USERNAME/README
|
||||
echo "should change /etc/nginx/sites-available/$GIT_DOMAIN_NAME to redirect everything over https." >> /home/$MY_USERNAME/README
|
||||
fi
|
||||
|
||||
echo "create database gogs;
|
||||
|
|
@ -6796,7 +6806,15 @@ quit" > $INSTALL_DIR/batch.sql
|
|||
echo " error_log /var/log/nginx/$GIT_DOMAIN_NAME_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' location ^~ /user/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' location ^~ /admin/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
|
|
@ -6820,7 +6838,7 @@ quit" > $INSTALL_DIR/batch.sql
|
|||
echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
||||
|
|
|
|||
Loading…
Reference in New Issue