path: root/src/config/files.h

Commit log, newest first: commit message (author, date, files changed, lines removed/added)

* add profanity-specific CAfile (Steffen Jaeckel, 2022-03-22, 1 file, -0/+1)
  The profanity-internal mechanism to allow connecting to a server isn't easily portable to cURL. Therefore introduce a profanity-specific CAfile which is managed individually and will be configured in libcurl calls.
  Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
* add `files_file_in_account_data_path()` (Steffen Jaeckel, 2022-03-13, 1 file, -0/+3)
  As all parts of the code invoking the `files_get_account_data_path()` function did the same afterwards, a function has been added with the same behavior.
  1. create path
  2. `mkdir` of that path
  3. return final path
  Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
* editor: Use datadir instead of tmp dir (Michael Vetter, 2021-06-10, 1 file, -0/+1)
  See https://github.com/profanity-im/profanity/issues/1521#issue-860017824
* Refactor for threaded external executable for built-in download methods (William Wennerström, 2020-12-03, 1 file, -9/+10)
* Apply coding style (Michael Vetter, 2020-07-07, 1 file, -18/+18)
* Revert "Apply coding style" (Michael Vetter, 2020-07-07, 1 file, -18/+18)
  This reverts commit 9b55f2dec0ea27a9ce4856e303425e12f866cea2. Sorting the includes creates some problems.
* Apply coding style (Michael Vetter, 2020-07-07, 1 file, -18/+18)
  Regards https://github.com/profanity-im/profanity/issues/1396
* files.c: use const char *const where appropriate (Michael Vetter, 2020-07-01, 1 file, -2/+2)
* Use files_get_account_data_path instead of duplicate code (Michael Vetter, 2020-07-01, 1 file, -1/+2)
  We often had a use case where we want the account specific data dir. Let's create a function for this instead of doing it by hand each time.
* Define POSIX macro to have strdup (Michael Vetter, 2020-06-12, 1 file, -4/+4)
  https://github.com/profanity-im/profanity/commit/98c38dc6d6d29333c63f80327774f094610d8602 sets C99 as standard. strdup() is not part of C99. For now set `-D_POSIX_C_SOURCE=200809L` macro to have strdup() in C99. Using `gnu99` instead would be another option. We should take more care to use glib functions whenever possible.
  Regards https://github.com/profanity-im/profanity/issues/1357
* PoC for bookmark ignore (Michael Vetter, 2020-05-24, 1 file, -0/+1)
  ```
  ~/.local/share/profanity % cat bookmark_ignore
  [ignore]
  profanity@rooms.dismail.de=
  ```
  Regards https://github.com/profanity-im/profanity/issues/1115
* db: Have one database per account (Michael Vetter, 2020-04-06, 1 file, -1/+1)
* database: Define chatlog database location (Michael Vetter, 2020-04-06, 1 file, -0/+1)
* Allow setting custom log file via -f FILENAME (Michael Vetter, 2020-02-21, 1 file, -1/+1)
  `profanity -f TEST` will use `~/.local/share/profanity/logs/TEST.log` as the log file.
* Add vim modeline (Michael Vetter, 2019-11-13, 1 file, -0/+1)
* Rename identification file (Michael Vetter, 2019-10-16, 1 file, -1/+2)
* Create random-bytes file (Michael Vetter, 2019-10-16, 1 file, -0/+1)
  So far only with dummy value. We will need an identifier that we can hash together with a message ID and put in as the origin-id. So when we receive message we can unsplit it and see if it was sent from this client.
  Regards https://github.com/profanity-im/profanity/issues/1207
* Add OMEMO identity materials long term storage (Paul Fariello, 2019-04-10, 1 file, -0/+1)
* Update copyright to include 2019 (Michael Vetter, 2019-01-22, 1 file, -1/+1)
* Update copyright (James Booth, 2018-01-21, 1 file, -1/+1)
* Update Copyright (James Booth, 2017-01-28, 1 file, -1/+1)
* Move all filepath handling to files.c (James Booth, 2016-07-24, 1 file, -3/+19)
* Move xdg functions (James Booth, 2016-07-24, 1 file, -2/+5)
* Add config/files.c (James Booth, 2016-07-24, 1 file, -0/+44)
<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>Nginx</title>
    </head>
    <body>
        <a href="index.html">Tools Index</a>

        <h1>Nginx</h1>

        <h2 id="install">1. Install Nginx</h2>

        <pre>
        $  prt-get depinst nginx
        </pre>

        <p>Give the web root only the privileges it needs via mount options (no setuid binaries, no executables, no device nodes); check /etc/fstab;</p>

        <pre>
        UUID=xxxxx-xxx-xxx-xxx-xxxxxxxx  /srv/www                ext4 defaults,nosuid,noexec,nodev,noatime       1 2
        </pre>
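        <p>An added example, not part of the Tribu documentation: a small shell audit that checks the options the kernel actually applied to the filesystem holding the web root against what the fstab line above asks for. It assumes that the three options that matter for a web root are nosuid, noexec and nodev, and that findmnt from util-linux is installed.</p>

```shell
# Added example (not the documentation's own commands): audit that the web
# root is mounted with the hardening options requested in fstab.
# Assumption: these are the options that matter for a web root.
REQUIRED_OPTS="nosuid noexec nodev"

# mount_opts_missing OPTIONS
#   OPTIONS is a comma-separated option string as found in fstab, /proc/mounts
#   or `findmnt -no OPTIONS`. Prints each required option that is absent, one
#   per line; returns 0 when nothing is missing, 1 otherwise.
mount_opts_missing() {
    opts=",$1,"
    rc=0
    for want in $REQUIRED_OPTS; do
        case "$opts" in
            *",$want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_mount PATH
#   Checks the live options of the mount holding PATH (via findmnt), not what
#   fstab says: a remount or a different device can change them without the
#   fstab line changing. Returns 0 if hardened, 1 if options are missing,
#   2 if PATH could not be resolved to a mount.
audit_mount() {
    path=$1
    live=$(findmnt -no OPTIONS --target "$path" 2>/dev/null) || {
        echo "$path: findmnt could not resolve a mount point" >&2
        return 2
    }
    if missing=$(mount_opts_missing "$live"); then
        echo "$path: ok ($live)"
    else
        echo "$path: missing $(echo "$missing" | tr '\n' ' ')(live options: $live)" >&2
        return 1
    fi
}
```

        <p>Run it as <code>audit_mount /srv/www</code> after mounting; a non-zero exit code makes it usable from a cron job or a configuration management check.</p>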

        <p>Add user nginx to www group;</p>

        <pre>
        # usermod -a -G www nginx
        </pre>

        <p>Change default home directory of nginx user;</p>

        <pre>
        # usermod -m -d /srv/www nginx
        </pre>

        <p>Create configuration directories for better organization (the main configuration below includes sites-enabled, so the name must match);</p>

        <pre>
        $ sudo mkdir /etc/nginx/conf.d
        $ sudo mkdir /etc/nginx/sites-enabled
        $ sudo mkdir /etc/nginx/sites
        </pre>

        <h2 id="certs">2. Certificates</h2>

        <h3 id="letsencrypt">2.1. Let's Encrypt</h3>

        <p>Example of the nginx location block serving the ACME challenge on a public pmwiki setup;</p>

        <pre>
        #ACME challenge
        location ^~ /.well-known {
              allow all;
              alias /srv/www/machine-pmwiki/pub/cert/.well-known/;
              default_type "text/plain";
              try_files $uri =404;
        }
        </pre>

        <p>First do a dry run to check that the challenge is reachable before requesting a real certificate;</p>

        <pre>
        # certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/machine-pmwiki/pub/cert/ -d machine.example.org
        </pre>

        <p>Then request the certificate;</p>

        <pre>
        # certbot certonly --email user@mail.org --webroot -w /srv/www/machine-pmwiki/pub/cert/ -d machine.example.org
        </pre>

        <h3 id="mancert">2.2. Self-signed certificate</h3>
        <p>Certificates allow an encrypted connection. Let's create a
        self-signed certificate;</p>

        <p>Create private key;</p>

        <pre>
        $ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
        Password:
        Generating RSA private key, 2048 bit long modulus
        ..............................+++
        ............+++
        e is 65537 (0x10001)
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
        </pre>

        <p>Create the certificate signing request. For "Common Name"
        provide the domain name or IP address; leave the challenge password
        and optional company name blank;</p>

        <pre>
        $ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:PT
        State or Province Name (full name) [Some-State]:
        Locality Name (eg, city) []:
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:
        Organizational Unit Name (eg, section) []:
        Common Name (e.g. server FQDN or YOUR name) []:machine.example.org
        Email Address []:

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:
        $
        </pre>

        <p>Having a passphrase on the key is a good idea, but nginx will prompt for it every
        time it is restarted. To remove it, keep a copy of the protected key and write an unencrypted one;</p>

        <pre>
        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
        </pre>

        <pre>
        Enter pass phrase for /etc/ssl/keys/nginx.key.pass:
        writing RSA key
        </pre>

        <pre>
        $ sudo chown nginx /etc/ssl/keys/nginx.key*
        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
        </pre>

        <p>Sign the SSL certificate;</p>

        <pre>
        $ sudo openssl x509 -req -days 365 \
            -in /etc/ssl/certs/nginx.csr \
            -signkey /etc/ssl/keys/nginx.key \
            -out /etc/ssl/certs/nginx.crt
        </pre>

        <pre>
        Signature ok
        subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=machine.example.org
        Getting Private key
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        </pre>

        <pre>
        $ sudo chown nginx:nginx /etc/ssl/keys/nginx.key*
        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
        $ sudo chmod 644 /etc/ssl/certs/nginx.crt
        </pre>
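        <p>The steps of this section combined into one non-interactive run, as an added example rather than the documentation's own commands. It assumes OpenSSL 1.1.1 or later (for -addext), GNU coreutils stat, a subject of /C=PT/CN=FQDN, and the directory and names passed as arguments. Two things differ from the interactive steps above: the certificate carries a subjectAltName, which browsers require (a bare CN is ignored), and the key is created under a restrictive umask so it never sits on disk world-readable, even briefly.</p>

```shell
# Added example (not the documentation's own commands).
# make_selfsigned_cert DIR FQDN [DAYS]
#   Generates an unencrypted 2048-bit RSA key and a self-signed certificate
#   for FQDN in DIR (files DIR/FQDN.key and DIR/FQDN.crt). The subject and
#   the default lifetime of 365 days are assumptions.
make_selfsigned_cert() {
    dir=$1 fqdn=$2 days=${3:-365}
    mkdir -p "$dir"
    # umask 077 makes both files owner-only at creation; the certificate is
    # public and is relaxed afterwards, the key keeps 0600.
    ( umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -days "$days" \
          -subj "/C=PT/CN=$fqdn" \
          -addext "subjectAltName=DNS:$fqdn" \
          -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.crt" 2>/dev/null
    ) || return 1
    chmod 0644 "$dir/$fqdn.crt"
}

# cert_check DIR FQDN
#   Returns 0 only if the key is private to its owner, the key and the
#   certificate carry the same public key, the certificate names FQDN as a
#   SAN and it has not expired. Run it after copying files into /etc/ssl too.
cert_check() {
    dir=$1 fqdn=$2
    key=$dir/$fqdn.key crt=$dir/$fqdn.crt
    [ "$(stat -c %a "$key")" = "600" ] \
        || { echo "$key: mode is not 0600" >&2; return 1; }
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ] \
        || { echo "$crt: does not match $key" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn" \
        || { echo "$crt: no subjectAltName for $fqdn" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "$crt: expired" >&2; return 1; }
}
```

        <p>Usage: <code>make_selfsigned_cert /etc/ssl/nginx machine.example.org && cert_check /etc/ssl/nginx machine.example.org</code>, then point ssl_certificate and ssl_certificate_key at the two files.</p>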

        <h2 id="nginxconf">3. Nginx Configuration</h2>

        <p>This is the "main" nginx configuration, not the virtual servers. As set up here, nginx loads the virtual server configuration files with the extension .conf from /etc/nginx/sites-enabled/.</p>

        <p>The number of worker_processes must be equal to or less than
        the number of available CPU cores. It is set to auto here, which makes nginx start one worker per core; check the core count with;</p>

        <pre>
        $ nproc
        2
        </pre>

        <p>The number of worker_connections must be equal to or less than
        the open file descriptor limit of the user nginx runs as; get it with;</p>

        <pre>
        $ ulimit -n
        1024
        </pre>

        <p>Edit the nginx configuration;</p>

        <pre>
        #
        # /etc/nginx/nginx.conf - nginx server configuration
        #


        user www;
        worker_processes auto;

        error_log syslog:server=unix:/dev/log debug;

        pid /var/run/nginx.pid;

        events {
            worker_connections  1024;
        }

        http {
            include       mime.types;
            default_type  application/octet-stream;

            log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                              '$status $body_bytes_sent "$http_referer" '
                              '"$http_user_agent" "$http_x_forwarded_for"';

            sendfile        on;
            #tcp_nopush     on;

            # Allow attach iso to wiki
            #client_max_body_size 8M;
            client_max_body_size 30M;
            #keepalive_timeout  65;
            keepalive_timeout  120;
            #client_body_timeout 12;
            client_body_timeout 24;
            #client_header_timeout 12;
            client_header_timeout 24;

            send_timeout 65;

            gzip  on;
            gzip_vary on;
            #gzip_proxied any;
            gzip_comp_level 9;
            # gzip_buffers 16 8k;
            # gzip_http_version 1.1;
            gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;


            include /etc/nginx/conf.d/*.conf;
            include /etc/nginx/sites-enabled/*.conf;
        }
        # End of file
        </pre>
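        <p>An added example, not from this documentation, that checks the two limits discussed above before a reload: it reads worker_processes and worker_connections from the configuration and compares them with the core count and the descriptor limit. It assumes each directive sits on one line, as in the file above, and that nproc is available; the limits can be passed explicitly to check a file for a different machine.</p>

```shell
# Added example (not the documentation's own commands).
# conf_value FILE DIRECTIVE
#   Prints the value of the first uncommented DIRECTIVE in FILE (top-level or
#   inside events{}); empty output when it is absent.
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | head -n 1 | tr -d '[:space:]'
}

# check_worker_limits FILE [CORES] [FD_LIMIT]
#   CORES defaults to nproc and FD_LIMIT to `ulimit -n`. Returns 0 when
#   worker_processes is "auto" or <= CORES and worker_connections <= FD_LIMIT;
#   otherwise prints what is wrong and returns 1.
check_worker_limits() {
    conf=$1
    cores=${2:-$(nproc)}
    fdlimit=${3:-$(ulimit -n)}
    procs=$(conf_value "$conf" worker_processes)
    conns=$(conf_value "$conf" worker_connections)
    rc=0
    case "$procs" in
        auto) ;;
        ''|*[!0-9]*)
            echo "worker_processes: missing or unparsable value '$procs'" >&2; rc=1 ;;
        *)
            [ "$procs" -le "$cores" ] \
                || { echo "worker_processes $procs exceeds $cores cores" >&2; rc=1; } ;;
    esac
    case "$fdlimit" in
        unlimited) ;;   # nothing to compare against
        *)
            case "$conns" in
                ''|*[!0-9]*)
                    echo "worker_connections: missing or unparsable value '$conns'" >&2; rc=1 ;;
                *)
                    [ "$conns" -le "$fdlimit" ] \
                        || { echo "worker_connections $conns exceeds descriptor limit $fdlimit" >&2; rc=1; } ;;
            esac ;;
    esac
    return $rc
}
```

        <p>Run <code>check_worker_limits /etc/nginx/nginx.conf</code> as the nginx user (or pass its limit as the third argument), since ulimit -n reports the caller's limit, not nginx's.</p>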


        <h2 id="server">4. Virtual servers</h2>

        <p>Read <a href="http://wiki.nginx.org/Pitfalls">nginx pitfalls</a> and
        <a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">configuration optimization</a>.</p>

        <p>This setup uses the default virtual server as a proxy. This keeps its configuration file clean and delegates application-specific settings to other virtual servers, which can run on the same machine or on other machines, allowing greater compartmentalization.</p>

        <p>When testing or debugging a configuration it is useful to run nginx with the following options: -t checks the configuration files without starting the server, and -V prints the version and build options, including the compiled-in modules;</p>

        <pre>
        # nginx -t
        # nginx -V
        </pre>

        <h3>4.1. Setup PHP</h3>

        <p>Install PHP, PHP-FPM and the extensions used here;</p>

        <pre>
        $ sudo prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
        </pre>

        <p>Set up php.ini in development mode;</p>

        <pre>
        $ sudo cp /etc/php/php.ini-development /etc/php/php.ini
        </pre>

        <pre>
        $ php --ini
        Configuration File (php.ini) Path: /etc/php
        Loaded Configuration File:         /etc/php/php.ini
        Scan for additional .ini files in: /etc/php/conf.d
        Additional .ini files parsed:      /etc/php/conf.d/extensions.ini,
        /etc/php/conf.d/pdo_pgsql.ini
        </pre>

        <h3 id="default-server">4.2. Setup default server</h3>

        <p>The default server acts as a proxy for everything except /doc and terminates TLS (it serves ports 443 and 80). Each location is proxied to the corresponding virtual server.</p>

        <pre>
        server {
        #if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12Bot|DotBot)) {
        #     return 410;
        #}
            server_name tribu.semdestino.org;
            listen 80 default_server;
            listen 443 ssl default_server;

            access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
            error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;

            root /etc/nginx/html/;

            ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem;

            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:50m;
            ssl_session_tickets off;
            ssl_protocols TLSv1.2;
            ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
            ssl_prefer_server_ciphers on;
            add_header Strict-Transport-Security max-age=15768000;
            ssl_stapling on;
            ssl_stapling_verify on;

            #proxy_redirect off;
            #proxy_set_header Host $http_host;
            #proxy_set_header X-Forwarded-Host $http_host;
            #proxy_set_header X-Real-IP $remote_addr;
            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            location /doc {
                alias /srv/www/doc;
                index index.html;
                autoindex on;
            }

            location /mirror {
                proxy_pass http://ports.ank;
            }

            location /pub {
                proxy_pass http://wiki.server.ank:8080;
            }

            location ^~ /.well-known {
                # ACME challenge
                proxy_pass http://wiki.server.ank;
            }

            location /wiki {
                proxy_pass http://wiki.server.ank:8080;
            }

            location /git {
                proxy_pass http://git.server.ank:8080;
            }

            location /forum/ {
                proxy_pass http://forum.server.ank:8080/;
            }

            location /task {
                proxy_pass http://task.server.ank:8080;
            }

            location /shop {
                proxy_pass http://shop.server.ank:8080;
            }

            location /vexim/ {
                proxy_pass http://vexim.server.ank:8080/;
            }

            location /email {
                proxy_pass http://email.server.ank:8080;
            }

            location /awstats {
                proxy_pass http://awstats.server.ank:8080;
            }

            location /stats {
                proxy_pass http://stats.server.ank:8080;
            }

            location / {
                proxy_pass http://frontpage.server.ank:8080/;
            }
        }
        </pre>

        <h3 id="virtual-server">4.3. Setup virtual server</h3>

        <p>Example of a pmwiki virtual server; check <a href="conf/etc/nginx/sites-enabled/">/etc/nginx/sites-enabled</a> for the rest of the examples referenced by the <a href="#default-server">default server</a>. If the wiki server runs on the same machine, add the name used in proxy_pass to /etc/hosts;</p>

        <pre>
        127.0.0.1 wiki.server.ank
        </pre>

        <p>Edit /etc/nginx/sites-enabled/wiki.c2.ank.conf;</p>

        <pre>
        server {
            listen 8080;
            server_name wiki.server.ank;

            access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
            error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;

            root /srv/www/;

            location /pub {
                alias /srv/www/wiki/pub;
            }
            # ACME challenge
            location ^~ /.well-known {
                allow all;
                alias /srv/www/wiki/pub/cert/.well-known/;
                default_type "text/plain";
                try_files $uri =404;
            }

            location @pmwiki {
                rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
            }

            location /wiki {
                index pmwiki.php;
                try_files $uri $uri/ @pmwiki;
            }

            location ~  ^\/wiki(.+\.php)$ {
                index pmwiki.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index pmwiki.php;
                try_files $uri /pmwiki.php =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass 127.0.0.1:9000;
            }
        }
        </pre>

        <h2 id="userdir">5. User Directory</h2>

        <p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p>

        <pre>
         location ~ ^/~(.+?)(/.*)?$ {
            alias /home/$1/public_html$2;
            index  index.html index.htm;
            autoindex on;
         }
        </pre>

        <p>Files should be mode 644 (or 664 if the group writes them) and
        directories 755 (or 775);</p>

        <pre>
        $ sudo find . -type f -print0 | xargs -0 chmod 644
        $ sudo find . -type d -print0 | xargs -0 chmod 755
        </pre>

        <h2 id="logs">6. Logs</h2>

        <pre>
        $ sudo grep "login" /var/log/nginx/vhost_access
        $ sudo grep "etc/passwd" /var/log/nginx/vhost_access
        $ sudo egrep -i "denied|error|warn" /var/log/nginx_error
        </pre>
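        <p>An added example, not part of the original documentation, that parses the main log_format from section 3 with awk instead of grepping for one pattern at a time: it lists requests that look like probes (the "etc/passwd" and "login" patterns above plus path traversal) and clients with an unusual number of 4xx responses, which is how a scanner walking non-existent paths shows up. The log lines are constructed for this example; the real file is whatever access_log writes to.</p>

```shell
# Added example (not the documentation's own commands). The functions split
# on the double quote, because "$request" may contain spaces and so the
# status is not at a fixed whitespace-separated field index.

# suspicious_requests FILE
#   Prints "client request" for every line whose request line contains a
#   path traversal, /etc/passwd or a login URL.
suspicious_requests() {
    awk -F'"' '
        # $2 is the request line between the first pair of quotes
        $2 ~ /\.\.\/|etc\/passwd|login/ {
            split($1, pre, " ")        # pre[1] is $remote_addr
            print pre[1], $2
        }' "$1"
}

# noisy_4xx_clients FILE THRESHOLD
#   Prints "count client" for every client with more than THRESHOLD
#   responses in the 4xx range, most active first.
noisy_4xx_clients() {
    awk -F'"' -v thr="$2" '
        {
            split($1, pre, " "); split($3, post, " ")   # post[1] is $status
            if (post[1] ~ /^4[0-9][0-9]$/) hits[pre[1]]++
        }
        END { for (ip in hits) if (hits[ip] > thr) print hits[ip], ip }' "$1" | sort -rn
}

# write_sample_log FILE
#   Constructed access log lines in the main format, for trying the
#   functions above offline (addresses are documentation ranges).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "GET /wiki/Main/HomePage HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [10/Mar/2020:10:00:02 +0000] "GET /doc/../../../etc/passwd HTTP/1.1" 404 162 "-" "curl/7.68.0" "-"
198.51.100.9 - - [10/Mar/2020:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.68.0" "-"
198.51.100.9 - - [10/Mar/2020:10:00:04 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/7.68.0" "-"
198.51.100.9 - - [10/Mar/2020:10:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/7.68.0" "-"
203.0.113.7 - - [10/Mar/2020:10:00:06 +0000] "POST /forum/login HTTP/1.1" 302 0 "https://tribu.semdestino.org/forum/" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Mar/2020:10:00:07 +0000] "GET /pub/skins/style.css HTTP/1.1" 200 881 "-" "Mozilla/5.0" "-"
EOF
}
```

        <p>On the sample, suspicious_requests reports the traversal attempt, the wp-login probe and the legitimate forum login (the "login" pattern is broad, as the grep above also is), and noisy_4xx_clients with a threshold of 3 reports only 198.51.100.9; on a real file, feed it the path access_log writes to, or the output of journalctl when logging goes to syslog as in the configuration above.</p>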

        <a href="index.html">Tools Index</a>

        <p>This is part of the Tribu System Documentation.
        Copyright (C) 2020
        Tribu Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>
    </body>
</html>