Cheatsheet for developers (optional)

Locker-server

Dev UWSGI config (.local/locker.ini)

[uwsgi]
module = locker_server:flask_app
venv = /opt/venv/locker/

master = true
processes = 5

plugins-dir=/usr/lib/uwsgi/plugins
plugin=python3

socket = 127.0.0.1:7060
chmod-socket = 660
vacuum = true
die-on-term = true

gevent = 1000
http-raw-body=true

run:

sudo -E -u www-data uwsgi .local/locker.ini

nginx

/etc/nginx/sites-available/locker-https :

server {

    listen 80;
    server_name rudev.www-security.net, *.rudev.www-security.net;

    error_log  /var/log/nginx/locker-error.log;
    access_log /var/log/nginx/locker-access.log;
    
    #location / {
    #    include uwsgi_params;
    #    uwsgi_pass unix:/run/locker-server/locker.sock;
    #}

    location ^~ /.well-known/acme-challenge/ {
      alias /var/www/acme/.well-known/acme-challenge/;
    }   
}

server {
	server_name rudev.www-security.net *.rudev.www-security.net;
    	ssl_certificate /etc/letsencrypt/live/rudev.www-security.net/fullchain.pem; # managed by Certbot
    	ssl_certificate_key /etc/letsencrypt/live/rudev.www-security.net/privkey.pem; # managed by Certbot

	include	include.d/locker.conf;
}

# include vhosts (required. locker must be in same domain as frontend, with certificate)
include vhosts/*.conf;

/etc/nginx/include.d/locker.conf :

	# include.d/locker.conf
	listen 443 ssl;
	ssl_protocols 	    TLSv1.2; # TLSv1.1 TLSv1;

	# openssl dhparam -out /etc/nginx/dhparam.pem 4096
	ssl_dhparam /etc/nginx/dhparam.pem;

	ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
	ssl_prefer_server_ciphers on;

	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;	
	
	location / {
        	include uwsgi_params;
        	uwsgi_pass 127.0.0.1:7060;
   	}

EXAMPLE vhost file (auto-generated):

#
# Template for locker virtual hosts
#

server {

    listen 80;
    server_name notebook-u1.rudev.www-security.net notebook.l.www-security.com;

    error_log  /var/log/nginx/locker-error.log;
    access_log /var/log/nginx/locker-access.log;
    
    location ^~ /.well-known/acme-challenge/ {
      alias /var/www/acme/.well-known/acme-challenge/;
    }

    location / {
      return 301 https://$host$request_uri;    	
    }

}

server {
	server_name notebook-u1.rudev.www-security.net notebook.l.www-security.com;
    	ssl_certificate /etc/letsencrypt/live/notebook-u1.rudev.www-security.net/fullchain.pem; # managed by Certbot
    	ssl_certificate_key /etc/letsencrypt/live/notebook-u1.rudev.www-security.net/privkey.pem; # managed by Certbot

	include	include.d/locker.conf;
}

tunnel locker-server socket from dev machine (even private IP) to webserver

ssh -fN SERVER -R 7060:localhost:7060