The mailing list for listmasters using Sympa

["Stefan Hornburg (Racke)" <address@concealed>]

On 29/03/2022 11:08, Rob Lister wrote:
> I think the "wws" in an old reference in the Debian package, and should be 
> changed.
> (I changed it to match the sympa documentation)
>
>
> My sympa.conf:
>
> static_content_path     /usr/share/sympa/static_content
> css_path        /var/lib/sympa/css
> css_url /css-sympa
> pictures_path   /var/lib/sympa/pictures
> pictures_url    /pictures-sympa
> use_fast_cgi    1
> wwsympa_url     https://lists.lonap.net/sympa
>
>
> My nginx conf:
>
>
> server {
>    listen          80 default_server;
>    listen          [::]:80 default_server;
>    listen          [::]:443 ssl default_server ipv6only=on;
>    listen          443 ssl default_server;
>
>    server_name     lists.lonap.net;
>
>    root            /var/www/html;
>    autoindex       off;
>
>      location /sympa {
>          include       /etc/nginx/fastcgi_params;
>          fastcgi_pass  unix:/run/sympa/wwsympa.socket;
>      }
>
>     location /static-sympa {
>          alias /usr/share/sympa/static_content;
>      }
>
>     location /pictures-sympa {
>          alias /var/lib/sympa/pictures;
>      }
>
>     location /css-sympa {
>          alias /var/lib/sympa/css;
>     }
>
>
>
>    ssl_certificate /etc/ssl/lonap/fullchain.pem;
>    ssl_certificate_key /etc/ssl/lonap/privkey.pem;
>
>
>    # ssl_dhparam /etc/nginx/dhparam.pem;
>
>    ssl_session_cache shared:le_nginx_SSL:1m;
>    ssl_session_timeout 1440m;
>
>    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>    ssl_prefer_server_ciphers on;
>
>    ssl_ciphers 
> "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
>
>    if ($scheme != "https") {
>      return 301 https://$host$request_uri;
>    }
> }

Please don't use insecure SSL protocols. You can also reduce the number of 
ciphers.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve prime256v1:secp384r1;

Make sure to check your SSL setup mit SSL Labs or testssl.sh.

Regards
        Racke

> On 2022-03-27 17:01, Ruud Baart wrote:
>
> > Hi,
> >
> > I have installed new servers and changing from Apache to nginx. I'm almost 
> > ready but I have a problem with sympa and nginx. A check and upgrade command 
> > give no problem. But the web interface is not working correctly. Clearly I'm 
> > missing something. Some one an idea?
> >
> > Server: Debian 11 (bullseye with backports). Server serves also other 
> > websites with php and perl.
> >
> > nginx: 1.18
> >
> > Sympa: latest (6.2.68), installed from source.
> >
> > in sympa.conf:
> >
> > > domain   listserver.tiswe.fr
> > > wwsympa_url https://listserver.tiswe.fr/wws
> > > static_content_path  /usr/local/sympa/static_content
> > > static_content_url   /static-sympa
> >
> > nginx setup:
> >
> > > server_name listserver.tiswe.fr    listen 443 ssl;
> > > ssl_certificate /etc/letsencrypt/.....
> > > ssl_certificate_key /etc/letsencrypt/...
> > > include /etc/letsencrypt/options-ssl-nginx.conf;
> > > ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
> > >
> > > location /wws {
> > > include       /etc/nginx/fastcgi_params;
> > > fastcgi_pass  unix:/run/sympa/wwsympa.socket;
> > > }
> > >
> > > location /static-sympa {
> > > alias /usr/local/sympa/static_content;


--
Automation expert - Ansible and friends
Linux administrator & Debian maintainer
Perl Dancer & conference hopper

Attachment: OpenPGP_signature
Description: OpenPGP digital signature