From cf40deb97c81e0a793001b69154b86efa66e2753 Mon Sep 17 00:00:00 2001
From: virusdefender
Date: Sat, 25 Nov 2017 12:30:00 +0800
Subject: [PATCH] add ssl cert

---
 .gitignore | 4 +-
 data/{testcase => test_case}/.gitkeep | 0
 deploy/nginx/common.conf | 20 +++++++++
 deploy/nginx/nginx.conf | 56 ++++++++++++++++++++++++
 deploy/oj.conf | 62 ---------------------------
 deploy/run.sh | 22 ++++++----
 deploy/supervisor.conf | 2 +-
 oj/settings.py | 2 +-
 8 files changed, 93 insertions(+), 75 deletions(-)
 rename data/{testcase => test_case}/.gitkeep (100%)
 create mode 100644 deploy/nginx/common.conf
 create mode 100644 deploy/nginx/nginx.conf
 delete mode 100644 deploy/oj.conf

diff --git a/.gitignore b/.gitignore
index 822575d..66e0910 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,8 +61,8 @@ custom_settings.py
 data/log/*
 !data/log/.gitkeep
-data/testcase/*
-!data/testcase/.gitkeep
+data/test_case/*
+!data/test_case/.gitkeep
 data/ssl/*
 !data/ssl/.gitkeep
 data/static/upload/*
diff --git a/data/testcase/.gitkeep b/data/test_case/.gitkeep
similarity index 100%
rename from data/testcase/.gitkeep
rename to data/test_case/.gitkeep
diff --git a/deploy/nginx/common.conf b/deploy/nginx/common.conf
new file mode 100644
index 0000000..478e288
--- /dev/null
+++ b/deploy/nginx/common.conf
@@ -0,0 +1,20 @@
+location /public {
+ root /app/data;
+}
+
+location /api {
+ proxy_pass http://backend;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ client_max_body_size 200M;
+}
+
+location /admin {
+ root /app/dist/admin;
+ try_files $uri $uri/ /index.html =404;
+}
+
+location / {
+ root /app/dist;
+ try_files $uri $uri/ /index.html =404;
+}
\ No newline at end of file
diff --git a/deploy/nginx/nginx.conf b/deploy/nginx/nginx.conf
new file mode 100644
index 0000000..54eb7ed
--- /dev/null
+++ b/deploy/nginx/nginx.conf
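Review bot: The `/api` block in common.conf never tells the backend which scheme the client used, so with the new TLS listener every proxied request still looks like plain HTTP to the application; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the X-Real-IP line (the Django side then needs the matching SECURE_PROXY_SSL_HEADER setting, which is not part of this patch, to build https redirects and mark cookies secure). The `keepalive 32` pool declared on the `backend` upstream in nginx.conf is only used when the proxied request is HTTP/1.1 with the Connection header cleared, so `proxy_http_version 1.1;` and `proxy_set_header Connection "";` belong in this same location block. Separately, `location /public` serves from `root /app/data;`, while run.sh in this patch now creates `$DATA/public/upload` under `/data`; unless `/app/data` is linked to `/data` somewhere outside this patch, uploaded files land in a tree nginx never serves.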
@@ -0,0 +1,56 @@
+user nobody;
+daemon off;
+pid /tmp/nginx.pid;
+worker_processes auto;
+pcre_jit on;
+error_log /data/log/nginx_error.log warn;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ server_tokens off;
+ keepalive_timeout 65;
+ sendfile on;
+ tcp_nodelay on;
+
+ gzip on;
+ gzip_vary on;
+ gzip_types application/javascript text/css;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /data/log/nginx_access.log main;
+
+ upstream backend {
+ server 127.0.0.1:8080;
+ keepalive 32;
+ }
+
+ server {
+ listen 8000 default_server;
+ server_name _;
+
+ include common.conf;
+ }
+
+ server {
+ listen 1443 ssl http2 default_server;
+ server_name _;
+ ssl_certificate /data/ssl/server.crt;
+ ssl_certificate_key /data/ssl/server.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ include common.conf;
+ }
+
+}
+
diff --git a/deploy/oj.conf b/deploy/oj.conf
deleted file mode 100644
index 504de81..0000000
--- a/deploy/oj.conf
+++ /dev/null
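Review bot: The new TLS server block enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and a cipher list that explicitly names 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and static-RSA suites without forward secrecy (`AES256-SHA`, `AES128-SHA`, the `AES*-GCM-SHA*` and `AES*-SHA256` entries); the trailing `!DES` does not remove 3DES, whose OpenSSL alias is `3DES`, so those 64-bit-block suites stay negotiable. TLS 1.0/1.1 and 3DES were already deprecated for new deployments when this was written, so the minimal change is `ssl_protocols TLSv1.2;` (TLS 1.3 only if the nginx/OpenSSL in the image support it) and appending `:!3DES:!kRSA` to the existing `ssl_ciphers` string, or replacing the list with the ECDHE-only AES-GCM/CHACHA20 suites. Since `ssl_session_cache shared:SSL:10m;` is set, an explicit `ssl_session_timeout` is also worth adding so resumed sessions have a bounded lifetime rather than the default.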
@@ -1,62 +0,0 @@
-user nobody;
-daemon off;
-pid /tmp/nginx.pid;
-worker_processes auto;
-pcre_jit on;
-error_log /data/log/nginx_error.log warn;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- server_tokens off;
- keepalive_timeout 65;
- sendfile on;
- tcp_nodelay on;
-
- gzip on;
- gzip_vary on;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /app/data/log/nginx_access.log main;
-
- upstream backend {
- server 127.0.0.1:8080;
- keepalive 32;
- }
-
- server {
- listen 8000 default_server;
- server_name _;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $http_host;
- client_max_body_size 200M;
-
- location /public {
- root /app/data;
- }
-
- location /api {
- proxy_pass http://backend;
- proxy_set_header Host $host;
- }
-
- location /admin {
- root /app/dist/admin;
- try_files $uri $uri/ /index.html =404;
- }
-
- location / {
- root /app/dist;
- try_files $uri $uri/ /index.html =404;
- }
- }
-
-}
-
diff --git a/deploy/run.sh b/deploy/run.sh
index 64a13b5..356ee94 100644
--- a/deploy/run.sh
+++ b/deploy/run.sh
@@ -1,15 +1,21 @@
 #!/bin/bash
-BASE=/app
-DATA=$BASE/data
+APP=/app
+DATA=/data
-if [ ! -f "$BASE/oj/custom_settings.py" ]; then
- echo SECRET_KEY=\"$(cat /dev/urandom | head -1 | md5sum | head -c 32)\" >> $BASE/oj/custom_settings.py
+if [ ! -f "$APP/oj/custom_settings.py" ]; then
+ echo SECRET_KEY=\"$(cat /dev/urandom | head -1 | md5sum | head -c 32)\" >> $APP/oj/custom_settings.py
 fi
-mkdir -p $DATA/log $DATA/testcase $DATA/public/upload
+mkdir -p $DATA/log $DATA/ssl $DATA/test_case $DATA/public/upload
-cd $BASE
+SSL="$DATA/ssl"
+if [ ! -f "$SSL/server.key" ]; then
+ openssl req -x509 -newkey rsa:2048 -keyout "$SSL/server.key" -out "$SSL/server.crt" -days 1000 \
+ -subj "/C=CN/ST=Beijing/L=Beijing/O=Beijing OnlineJudge Technology Co., Ltd./OU=Service Infrastructure Department/CN=`hostname`" -nodes
+fi
+
+cd $APP
 n=0
 while [ $n -lt 5 ]
@@ -22,7 +28,5 @@ do
 sleep 8
 done
-cp $BASE/deploy/oj.conf /etc/nginx/conf.d/default.conf
-
-chown -R nobody:nogroup $DATA $BASE/dist
+chown -R nobody:nogroup $DATA $APP/dist
 exec supervisord -c /app/deploy/supervisor.conf
diff --git a/deploy/supervisor.conf b/deploy/supervisor.conf
index f36cf83..c9e5032 100644
--- a/deploy/supervisor.conf
+++ b/deploy/supervisor.conf
@@ -11,7 +11,7 @@ childlogdir=/app/data/log/
 serverurl=unix:///tmp/supervisor.sock
 [program:nginx]
-command=nginx -c /app/deploy/oj.conf
+command=nginx -c /app/deploy/nginx/nginx.conf
 directory=/app/
 stdout_logfile=/app/data/log/nginx.log
 stderr_logfile=/app/data/log/nginx.log
diff --git a/oj/settings.py b/oj/settings.py
index e1de79b..52c3f2c 100644
--- a/oj/settings.py
+++ b/oj/settings.py
@@ -113,7 +113,7 @@ STATIC_URL = '/storage/'
 AUTH_USER_MODEL = 'account.User'
-TEST_CASE_DIR = os.path.join(DATA_DIR, "testcase")
+TEST_CASE_DIR = os.path.join(DATA_DIR, "test_case")
 LOG_PATH = os.path.join(DATA_DIR, "log")
 AVATAR_URI_PREFIX = "/public/avatar"
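Review bot: The SECRET_KEY line re-added in the first run.sh hunk, `cat /dev/urandom | head -1 | md5sum | head -c 32`, feeds md5sum only the bytes up to the first newline byte in the random stream, so the amount of entropy behind the key varies per run and, whenever the very first byte happens to be a newline, the key is the md5 of a lone newline — a fixed, well-known value; since the script now already depends on openssl, `echo SECRET_KEY=\"$(openssl rand -hex 32)\" >> "$APP/oj/custom_settings.py"` gives a constant 256 bits. The private key written by `openssl req -keyout "$SSL/server.key"` is created with the default umask (normally readable by everyone) and the `chown -R nobody:nogroup $DATA` in the second hunk then makes the unprivileged service account its owner together with the upload and test-case trees, so `chmod 600 "$SSL/server.key"` after the openssl call keeps the key readable by root (which starts nginx per supervisor.conf) and its owner only. The `[ ! -f "$SSL/server.key" ]` test also skips generation when the key exists but `server.crt` does not, leaving nginx unable to start; checking both files (`if [ ! -f "$SSL/server.key" ] || [ ! -f "$SSL/server.crt" ]; then`) avoids that state. The loop body between the two hunks is outside the patch.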