|
@@ -6761,6 +6761,16 @@ function install_gogs {
|
6761
|
6761
|
echo 'and within the [server] section set:' >> /home/$MY_USERNAME/README
|
6762
|
6762
|
echo "DOMAIN = $GIT_DOMAIN_NAME" >> /home/$MY_USERNAME/README
|
6763
|
6763
|
echo "ROOT_URL = https://$GIT_DOMAIN_NAME/" >> /home/$MY_USERNAME/README
|
|
6764
|
+ echo '' >> /home/$MY_USERNAME/README
|
|
6765
|
+ echo "Note that there's a security compromise here." >> /home/$MY_USERNAME/README
|
|
6766
|
+ echo "In order to allow git clone via http we don't redirect everything" >> /home/$MY_USERNAME/README
|
|
6767
|
+ echo 'over https. Instead only critical things such as user login,' >> /home/$MY_USERNAME/README
|
|
6768
|
+ echo 'settings and admin are encrypted.' >> /home/$MY_USERNAME/README
|
|
6769
|
+ echo 'There are also potential security issues with cloning/pulling/pushing' >> /home/$MY_USERNAME/README
|
|
6770
|
+ echo 'code over http, since a determined adversary could inject malware' >> /home/$MY_USERNAME/README
|
|
6771
|
+ echo 'into the stream as it passes, so beware.' >> /home/$MY_USERNAME/README
|
|
6772
|
+ echo 'If you have a bought domain and a non-self signed cert then you' >> /home/$MY_USERNAME/README
|
|
6773
|
+ echo "should change /etc/nginx/sites-available/$GIT_DOMAIN_NAME to redirect everything over https." >> /home/$MY_USERNAME/README
|
6764
|
6774
|
fi
|
6765
|
6775
|
|
6766
|
6776
|
echo "create database gogs;
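Review bot: The new README warning at 6769-6771 covers tampering with the clone stream but says nothing about credentials, and a `git push` to an http:// remote sends the username and password as plain basic-auth, which is the more immediate loss than injected code. I would add one more line after 6771: `echo 'Pushing over http also sends your git username and password in the clear; always push via https.' >> /home/$MY_USERNAME/README`. The redirect that "settings" refers to is inferred from the nginx change in the same commit to cover only `/user/` and `/admin/`; if repository settings live elsewhere the README overstates what is protected, so phrase it as "user settings and the admin panel". install_gogs begins and ends outside this hunk.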
|
|
@@ -6796,7 +6806,15 @@ quit" > $INSTALL_DIR/batch.sql
|
6796
|
6806
|
echo " error_log /var/log/nginx/$GIT_DOMAIN_NAME_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6797
|
6807
|
echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6798
|
6808
|
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6799
|
|
- echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6809
|
+ echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6810
|
+ echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6811
|
+ echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6812
|
+ echo ' location ^~ /user/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6813
|
+ echo ' rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6814
|
+ echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6815
|
+ echo ' location ^~ /admin/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6816
|
+ echo ' rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6817
|
+ echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6800
|
6818
|
echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6801
|
6819
|
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6802
|
6820
|
echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
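Review bot: The plaintext `location /` at 6809-6811 proxies every request that is not under `/user/` or `/admin/` to Gogs over http, so once a user has logged in over https the browser will send the session cookie in the clear on each repository page view unless Gogs marks that cookie Secure (not visible here, so treat it as unverified); a captured session cookie is as good as the password, which the README's "only login is exposed" framing does not reflect. If the goal is only http clone/pull, the plaintext server should forward just the git smart-HTTP endpoints (presumably `/<owner>/<repo>.git/info/refs` and `git-upload-pack`, which carry no credentials) and redirect everything else, keeping `permanent` on the redirects since these paths must never be served plain; the two `rewrite` lines at 6813 and 6816 dropped that flag. install_gogs begins and ends outside this hunk.
```shell
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
# only read-only smart-HTTP fetch endpoints stay on plain http; pushes (credentials) go via https
echo ' location ~ ^/[^/]+/[^/]+\.git/(info/refs|git-upload-pack)$ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
# … unchanged: closing '}' of the http server block and the https server block …
```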
|
|
@@ -6820,7 +6838,7 @@ quit" > $INSTALL_DIR/batch.sql
|
6820
|
6838
|
echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6821
|
6839
|
echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6822
|
6840
|
echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6823
|
|
- echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
|
6841
|
+ echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6824
|
6842
|
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6825
|
6843
|
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
|
6826
|
6844
|
echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
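Review bot: Setting `Strict-Transport-Security max-age=0` at 6841 does not merely stop HSTS, it instructs browsers to discard any policy they already cached for this host, so clients that were pinned to https by the previous 15768000-second value become downgradeable again. The git client does not honour HSTS at all, so keeping the header has no effect on http clones; it only forces browsers — the clients that carry the session cookie — onto the https server block, which still proxies `/` and is exactly what you want. I would restore `echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME` (with `includeSubDomains` only if no subdomain must stay on http). install_gogs begins and ends outside this hunk.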
|