2e20de348c5ffcd2809be51bc9362fde5f29c8ae
services/Distributed-Wiki.md
| ... | ... | @@ -4,6 +4,7 @@ The local webserver is monitored with a simple [[shell script|Distributed-Wiki#e |
| 4 | 4 | ## Network |
| 5 | 5 | |
| 6 | 6 | - Install wiki anycast address `172.23.0.80/32` on the system |
| 7 | + - Assign a unicast address to be used by Nginx |
|
| 7 | 8 | - Setup tunnel(s) to the dn42 network (routing daemon not required) |
| 8 | 9 | |
| 9 | 10 | ## Setup gollum |
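Review bot: the new bullet at line 7 should say where the unicast address comes from and what it is for; as written a reader does not know which address to pick or that it has to be routed within their AS over dn42. Suggest expanding it along the lines of `- Assign a unicast address (routed within your AS over dn42) for Nginx to listen on; this is the address later published as as<aut-num>-<CC>.wiki.dn42`, so the Network step points at the Domains and Config example sections that consume it.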
| ... | ... | @@ -34,7 +35,22 @@ gollum --css <path>/custom.css --gollum-path <path> --host 127.0.0.1 --port 456 |
| 34 | 35 | |
| 35 | 36 | A custom header `X-SiteID` identifies the site you're connecting to: |
| 36 | 37 | |
| 37 | - + X-SiteID: `AS number`-`ISO country code` |
|
| 38 | + - `add_header X-SiteID '<AS number>-<ISO country code>'` |
|
| 39 | + |
|
| 40 | +##### Enabling [HPKP](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning) |
|
| 41 | + |
|
| 42 | + - Extract base64 encoded SPKI fingerprint from private key: |
|
| 43 | + |
|
| 44 | + `openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64` |
|
| 45 | + |
|
| 46 | + - Configure Nginx to send the fingerprint in header: |
|
| 47 | + |
|
| 48 | + `add_header Public-Key-Pins 'pin-sha256="<primary>";pin-sha256="<backup>"; max-age=0; includeSubDomains';` |
|
| 49 | + |
|
| 50 | + + `<primary>` - the fingerprint extracted from your wiki.key |
|
| 51 | + + `<backup>` - the CA fingerprint: `mJ1xUCzfru8Ckq2+M6VkNKGOGgSETImRAHBF24mjalw=` |
|
| 52 | + |
|
| 53 | + Read more about this [here](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning). |
|
| 38 | 54 | |
| 39 | 55 | #### Domains |
| 40 | 56 | |
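Review bot: `max-age=0` in the Public-Key-Pins header at line 48 tells browsers to remember the pins for zero seconds, so the pin is never enforced; the section should either state that this is intentional (pinning effectively off, which makes sense when every anycast site serves its own wiki.key and a pin cached from one site would break a client routed to another) or give a non-zero value once that trade-off is understood. Two smaller points: RFC 7469 only lets a browser accept the header when at least one pin is not in the served certificate chain, so if the `<backup>` value at line 51 is the key of the CA that issued the site certificate, the whole header is rejected and the doc should say which key to use instead; and the sentence at line 53 repeats the link already in the heading at line 40.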
| ... | ... | @@ -42,7 +58,10 @@ The proxy should accept the following domain names: |
| 42 | 58 | |
| 43 | 59 | - internal.dn42 (not anycasted yet) |
| 44 | 60 | - wiki.dn42 |
| 45 | - - as`aut-num`-`CC`.wiki.dn42 |
|
| 61 | + |
|
| 62 | +Nginx should listen on a unicast address as well, so your site can be reached exclusively. Assign an IP address for the occasion and send it to [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) including your AS `<aut-num>` and the country code `<CC>` where your site is located. A forward DNS record will be created, pointing to the unicast IP address: |
|
| 63 | + |
|
| 64 | + - as`<aut-num>`-`<CC>`.wiki.dn42 |
|
| 46 | 65 | |
| 47 | 66 | #### Config example |
| 48 | 67 | |
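Review bot: "so your site can be reached exclusively" at line 62 is unclear; the intent is reaching this specific site directly instead of whichever anycast instance routing selects, so suggest "so that your site can be reached individually, bypassing the anycast address". Moving the `as<aut-num>-<CC>.wiki.dn42` entry below the new paragraph also leaves "The proxy should accept the following domain names:" at the hunk header listing only two of the three names that `server_name` in the Config example carries; a short "plus the site-specific name described below" after line 60 would keep the two sections consistent.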
| ... | ... | @@ -60,6 +79,7 @@ server { |
| 60 | 79 | server_name internal.dn42 wiki.dn42 as<aut-num>-<cc>.wiki.dn42; |
| 61 | 80 | |
| 62 | 81 | listen 172.23.0.80:80 default; |
| 82 | + listen <unicast-address>:80 default; |
|
| 63 | 83 | |
| 64 | 84 | add_header strict-transport-security "max-age=0; includeSubDomains"; |
| 65 | 85 | add_header X-SiteID '<aut-num>-<cc>'; |
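Review bot: the added `listen <unicast-address>:80 default;` at line 82 only works if the address is already configured on an interface when Nginx starts; otherwise bind() fails with "Cannot assign requested address" and the server does not come up, so a one-line remark pointing back to the Network step would save people a confusing restart. `default` is also the legacy spelling of `default_server`; line 81 already uses it, so consistency is fine either way, but a newly added line is a good place to switch to the current form.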
| ... | ... | @@ -76,13 +96,14 @@ server { |
| 76 | 96 | server_name internal.dn42 wiki.dn42 as<aut-num>-<cc>.wiki.dn42; |
| 77 | 97 | |
| 78 | 98 | listen 172.23.0.80:443 ssl default; |
| 99 | + listen <unicast-address>:443 ssl default; |
|
| 79 | 100 | |
| 80 | 101 | ssl on; |
| 81 | 102 | ssl_certificate <path>/ssl.crt; |
| 82 | 103 | ssl_certificate_key <path>/ssl.key; |
| 83 | 104 | |
| 84 | 105 | add_header strict-transport-security "max-age=0; includeSubDomains"; |
| 85 | - add_header Public-Key-Pins 'pin-sha256="mJ1xUCzfru8Ckq2+M6VkNKGOGgSETImRAHBF24mjalw="; pin-sha256="/gOyi7syRMR+d2jZoB/MzcSD++8ciZkSl/hZAQgzWws="; max-age=0; includeSubDomains'; |
|
| 106 | + add_header Public-Key-Pins 'pin-sha256="<primary-pin>";pin-sha256="<backup-pin>"; max-age=0; includeSubDomains'; |
|
| 86 | 107 | add_header X-SiteID '<aut-num>-<cc>'; |
| 87 | 108 | |
| 88 | 109 | location / { |
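Review bot: the placeholder names `<primary-pin>` and `<backup-pin>` at line 106 do not match `<primary>` and `<backup>` used in the HPKP section above (lines 48, 50 and 51); pick one pair so readers can find and substitute every occurrence by search. The removed line 85 also listed the CA fingerprint first, whereas the new text makes the site's own key the primary pin; if that reordering is intended it is harmless (RFC 7469 treats the pins as an unordered set), but the HPKP section could say so. Finally, `ssl on;` at line 101 is redundant with the `ssl` parameter now present on both `listen` lines and is deprecated in current Nginx, so this hunk is a natural place to drop it.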