staging

GrapheneOS · Apr 24, 2024 · 50ab072 · 50ab072
1 parent ee20afe
commit 50ab072
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 31 deletions.
diff --git a/deploy-server b/deploy-server
@@ -12,7 +12,7 @@ fi
 rm -rf build
 ./gradlew build
 
-remote=root@attestation.app
+remote=root@staging.attestation.app
 path=/opt/attestation
 active=$(ssh $remote readlink $path/deploy)
 

diff --git a/deploy-static b/deploy-static
@@ -12,12 +12,12 @@ fi
 
 ./process-static $fd
 
-remote=root@attestation.app
+remote=root@staging.attestation.app
 
-# use last modified timestamps from attestation.app
-rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate $remote:/srv/attestation.app/ static-production
-rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-production
-for f in static-production/**.*(br|gz); do
+# use last modified timestamps from staging.attestation.app
+rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate $remote:/srv/attestation.app/ static-staging
+rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-staging
+for f in static-staging/**.*(br|gz); do
     touch -r "${f%.*}" "$f"
 done
 
@@ -34,7 +34,7 @@ echo target is $target
 echo
 
 ssh $remote "rm -rf $target && cp -a $active $target"
-rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-production/ $remote:$target
+rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-staging/ $remote:$target
 ssh $remote "ln -snf $target /srv/attestation.app && sync /srv/attestation.app"
 
 echo "root $target;" > nginx-tmp/root_attestation.app.conf
@@ -47,4 +47,3 @@ echo active is now $target
 rsync -pcv --chmod=755 --fsync --preallocate remote-backup $remote:/usr/local/bin/
 rsync -pcv --chmod=644 --fsync --preallocate systemd/system/remote-backup.timer $remote:/etc/systemd/system/remote-backup.timer
 rsync -pcv --chmod=644 --fsync --preallocate systemd/system/remote-backup.service $remote:/etc/systemd/system/remote-backup.service
-rsync -pcv --chmod=644 --chown attestation:attestation --fsync --preallocate backup-public-key.txt cloud-archive-password.txt $remote:/var/lib/attestation/
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -71,8 +71,8 @@ http {
     ssl_prefer_server_ciphers on;
     ssl_conf_command Options PrioritizeChaCha;
 
-    ssl_certificate /etc/letsencrypt/live/attestation.app/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/attestation.app/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/staging.attestation.app/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/staging.attestation.app/privkey.pem;
 
     # maintained by nginx-rotate-session-ticket-keys in ramfs
     ssl_session_ticket_key session-ticket-keys/4.key;
@@ -82,11 +82,11 @@ http {
     ssl_session_timeout 1d;
     ssl_buffer_size 4k;
 
-    ssl_trusted_certificate /etc/letsencrypt/live/attestation.app/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/staging.attestation.app/chain.pem;
     ssl_stapling on;
     ssl_stapling_verify on;
     # maintained by certbot-ocsp-fetcher
-    ssl_stapling_file /var/cache/certbot-ocsp-fetcher/attestation.app.der;
+    ssl_stapling_file /var/cache/certbot-ocsp-fetcher/staging.attestation.app.der;
 
     log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_protocol $server_protocol '
         '$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
@@ -126,7 +126,7 @@ http {
     server {
         listen 80;
         listen [::]:80;
-        server_name attestation.app www.attestation.app;
+        server_name staging.attestation.app;
 
         location /.well-known/acme-challenge/ {
             root /srv/certbot;
@@ -151,23 +151,7 @@ http {
     server {
         listen 443 ssl;
         listen [::]:443 ssl;
-        server_name www.attestation.app;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        # https://trac.nginx.org/nginx/ticket/2012
-        location / {
-            return 301 https://attestation.app$request_uri;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        server_name attestation.app;
+        server_name staging.attestation.app;
 
         include root_attestation.app.conf;
         error_page 403 =404 /404;

diff --git a/nginx/snippets/security-headers.conf b/nginx/snippets/security-headers.conf
@@ -1,3 +1,6 @@
+# staging site (not a security header)
+add_header X-Robots-Tag "noindex" always;
+
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header X-Content-Type-Options "nosniff" always;
 # Firefox applies Referrer-Policy to the Origin header

diff --git a/src/main/java/app/attestation/server/AttestationServer.java b/src/main/java/app/attestation/server/AttestationServer.java
@@ -82,7 +82,7 @@ public class AttestationServer {
     private static final int HISTORY_PER_PAGE = 20;
     private static final long MMAP_SIZE = 1024 * 1024 * 1024;
 
-    static final String DOMAIN = "attestation.app";
+    static final String DOMAIN = "staging.attestation.app";
     private static final String ORIGIN = "https://" + DOMAIN;
 
     private static final Logger logger = Logger.getLogger(AttestationServer.class.getName());