diff --git a/deploy-server b/deploy-server index 92e30ff1..845e551e 100755 --- a/deploy-server +++ b/deploy-server @@ -12,7 +12,7 @@ fi rm -rf build ./gradlew build -remote=root@attestation.app +remote=root@staging.attestation.app path=/opt/attestation active=$(ssh $remote readlink $path/deploy) diff --git a/deploy-static b/deploy-static index ce664878..5eb6b530 100755 --- a/deploy-static +++ b/deploy-static @@ -12,12 +12,12 @@ fi ./process-static $fd -remote=root@attestation.app +remote=root@staging.attestation.app -# use last modified timestamps from attestation.app -rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate $remote:/srv/attestation.app/ static-production -rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-production -for f in static-production/**.*(br|gz); do +# use last modified timestamps from staging.attestation.app +rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate $remote:/srv/attestation.app/ static-staging +rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-staging +for f in static-staging/**.*(br|gz); do touch -r "${f%.*}" "$f" done @@ -34,7 +34,7 @@ echo target is $target echo ssh $remote "rm -rf $target && cp -a $active $target" -rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-production/ $remote:$target +rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-staging/ $remote:$target ssh $remote "ln -snf $target /srv/attestation.app && sync /srv/attestation.app" echo "root $target;" > nginx-tmp/root_attestation.app.conf @@ -47,4 +47,3 @@ echo active is now $target rsync -pcv --chmod=755 --fsync --preallocate remote-backup $remote:/usr/local/bin/ rsync -pcv --chmod=644 --fsync --preallocate systemd/system/remote-backup.timer $remote:/etc/systemd/system/remote-backup.timer rsync -pcv --chmod=644 --fsync --preallocate systemd/system/remote-backup.service $remote:/etc/systemd/system/remote-backup.service -rsync -pcv --chmod=644 --chown attestation:attestation --fsync --preallocate backup-public-key.txt cloud-archive.sh $remote:/var/lib/attestation/ diff --git a/nginx/nginx.conf b/nginx/nginx.conf index b2a5e547..e1f66fdf 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -69,8 +69,8 @@ http { ssl_prefer_server_ciphers on; ssl_conf_command Options PrioritizeChaCha; - ssl_certificate /etc/letsencrypt/live/attestation.app/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/attestation.app/privkey.pem; + ssl_certificate /etc/letsencrypt/live/staging.attestation.app/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/staging.attestation.app/privkey.pem; # maintained by nginx-rotate-session-ticket-keys in ramfs ssl_session_ticket_key session-ticket-keys/4.key; @@ -80,11 +80,11 @@ http { ssl_session_timeout 1d; ssl_buffer_size 4k; - ssl_trusted_certificate /etc/letsencrypt/live/attestation.app/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/staging.attestation.app/chain.pem; ssl_stapling on; ssl_stapling_verify on; # maintained by certbot-ocsp-fetcher - ssl_stapling_file /var/cache/certbot-ocsp-fetcher/attestation.app.der; + ssl_stapling_file /var/cache/certbot-ocsp-fetcher/staging.attestation.app.der; log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol ' '$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent ' @@ -124,7 +124,7 @@ http { server { listen 80; listen [::]:80; - server_name attestation.app www.attestation.app; + server_name staging.attestation.app; location /.well-known/acme-challenge/ { root /srv/certbot; @@ -151,24 +151,7 @@ http { listen 443 ssl; listen [::]:443 ssl; http2 on; - server_name www.attestation.app; - - keepalive_timeout 3m; - - include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin" always; - - # https://trac.nginx.org/nginx/ticket/2012 - location / { - return 301 https://attestation.app$request_uri; - } - } - - server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; - server_name attestation.app; + server_name staging.attestation.app; include root_attestation.app.conf; error_page 403 =404 /404; diff --git a/nginx/snippets/security-headers.conf b/nginx/snippets/security-headers.conf index e2b306d1..09531757 100644 --- a/nginx/snippets/security-headers.conf +++ b/nginx/snippets/security-headers.conf @@ -1,3 +1,6 @@ +# staging site (not a security header) +add_header X-Robots-Tag "noindex" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header X-Content-Type-Options "nosniff" always; # Firefox applies Referrer-Policy to the Origin header diff --git a/src/main/java/app/attestation/server/AttestationServer.java b/src/main/java/app/attestation/server/AttestationServer.java index fb93abee..67af40a2 100644 --- a/src/main/java/app/attestation/server/AttestationServer.java +++ b/src/main/java/app/attestation/server/AttestationServer.java @@ -82,7 +82,7 @@ public class AttestationServer { private static final int HISTORY_PER_PAGE = 20; private static final long MMAP_SIZE = 1024 * 1024 * 1024; - static final String DOMAIN = "attestation.app"; + static final String DOMAIN = "staging.attestation.app"; private static final String ORIGIN = "https://" + DOMAIN; private static final Logger logger = Logger.getLogger(AttestationServer.class.getName());