manual V1

This commit is contained in:
Jhonathan Guevara 2025-12-28 12:03:24 -05:00
parent 4e4a1707c3
commit d2b8aba6a0
Signed by: jhonathan_guevara
GPG Key ID: 619239F12DCBE55B
14 changed files with 885 additions and 54 deletions

README.md

@ -16,24 +16,28 @@ rc-service postgresql start
### 2) Crear BD y usuario
```bash
su - postgres
psql -c "CREATE USER saludut_user WITH PASSWORD 'TU_PASSWORD_FUERTE';"
psql -c "CREATE USER saludut_user WITH PASSWORD 'jhyutfgv7745676tfbhjgf687yu87';"
psql -c "CREATE DATABASE saludut_db OWNER saludut_user;"
exit
psql -U postgres -d postgres -c "ALTER ROLE postgres WITH PASSWORD 'JKHUG9876hBhjhvjjhldfuy345trgfdf';"
HBA=$(psql -U postgres -d postgres -Atc "show hba_file"); cp "$HBA" "$HBA.bak"; sed -i 's/\btrust\b/scram-sha-256/g' "$HBA"; rc-service postgresql reload
```
### 3) Subir codigo
```bash
mkdir -p /opt/saludut/backend /opt/saludut/frontend
tar -czf saludut-backend.tar.gz --exclude="node_modules" --exclude=".env" backend
tar -czf saludut-frontend.tar.gz --exclude="node_modules" saludut-inpec
scp -C saludut-backend.tar.gz root@autorizacion.saludut.com:/opt/saludut/
scp -C saludut-frontend.tar.gz root@autorizacion.saludut.com:/opt/saludut/
mkdir -p /opt/saludut/backend
tar -czf backend.tar.gz \
--exclude="node_modules" \
--exclude=".env" \
--exclude="backend.tar.gz" \
.
scp -C backend.tar.gz root@autorizacion.saludut.com:/opt/saludut/
```
En el servidor:
```bash
tar -xzf /opt/saludut/saludut-backend.tar.gz -C /opt/saludut/
tar -xzf /opt/saludut/saludut-frontend.tar.gz -C /opt/saludut/
tar -xzf /opt/saludut/backend.tar.gz -C /opt/saludut/
```
### 4) Inicializar esquema minimo
@ -65,16 +69,16 @@ Crear `backend/.env` en el servidor:
DB_HOST=127.0.0.1
DB_PORT=5432
DB_USER=saludut_user
DB_PASSWORD=TU_PASSWORD_FUERTE
DB_PASSWORD=jhyutfgv7745676tfbhjgf687yu87
DB_NAME=saludut_db
JWT_SECRET=CAMBIA_ESTE_SECRETO
JWT_SECRET=jhyutfgv7745676tfbhjgf687yu87
JWT_EXPIRES_IN=24h
PORT=3000
SOFFICE_PATH=/usr/bin/soffice
PYTHON_PATH=python3
ADMIN_USER=admin
ADMIN_PASS=admin123
ADMIN_EMAIL=admin@saludut.gov.co
ADMIN_EMAIL=admin@saludut.com
ADMIN_NAME=Administrador Sistema
```
@ -113,71 +117,113 @@ rc-update add saludut-backend default
rc-service saludut-backend start
```
### 8) Frontend (build)
### Frontend
```bash
cd /opt/saludut/saludut-inpec
npm ci
npm run build
```
sed -i 's/#Port 22/Port 48952/g' /etc/ssh/sshd_config
rc-service sshd restart
ssh -p 48952 root@autorizacion.saludut.com
apk add nginx certbot certbot-nginx nftables rsync
El build queda en `saludut-inpec/dist/saludut-inpec/`.
#Ejecutar publishNftables.sh
head -n1 ./scripts/publishNftables.sh | cat -A
sed -i 's/\r$//' ./scripts/publishNftables.sh
sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publishNftables.sh
chmod +x ./scripts/publishNftables.sh
file ./scripts/publishNftables.sh
bash ./scripts/publishNftables.sh
### 9) Configurar API base (sin localhost)
El frontend lee la base desde `window.__SALUDUT_CONFIG__`:
```html
<script>
window.__SALUDUT_CONFIG__ = {
apiBaseUrl: '/api'
};
</script>
```
#Ejecutar publish.sh
head -n1 ./scripts/publish.sh | cat -A
sed -i 's/\r$//' ./scripts/publish.sh
sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publish.sh
chmod +x ./scripts/publish.sh
file ./scripts/publish.sh
bash ./scripts/publish.sh
Si no usas proxy y expones el puerto directo:
```html
<script>
window.__SALUDUT_CONFIG__ = {
apiBaseUrl: 'https://autorizacion.saludut.com:3000'
};
</script>
```
#Ejecutar el nginx de autorizacion.saludut.com
scp -P 48952 scripts/vhost/autorizacion.saludut.com.conf root@autorizacion.saludut.com:/etc/nginx/http.d/
### 10) Nginx + SSL (ejemplo)
```nginx
server {
listen 80;
listen [::]:80;
server_name autorizacion.saludut.com;
root /var/www/saludut;
client_max_body_size 60m;
root /var/www/autorizacion.saludut.com/htdocs;
index index.html;
location / {
try_files $uri /index.html;
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://127.0.0.1:3000/;
client_max_body_size 60m;
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600;
proxy_send_timeout 600;
}
error_page 404 /index.html;
}
}
```
Luego:
```bash
rc-service nginx start
certbot --nginx -d autorizacion.saludut.com
```
sudo certbot --nginx -d autorizacion.saludut.com
## Desarrollo
```bash
cd backend
npm install
node src/server.js
```
scp -P 48952 scripts/vhost/autorizacion.saludut.com.conf root@autorizacion.saludut.com:/etc/nginx/http.d/
server {
listen 80;
listen [::]:80;
server_name autorizacion.saludut.com;
return 301 https://$host$request_uri;
}
server {
http2 on;
listen 443 ssl;
listen [::]:443 ssl;
server_name autorizacion.saludut.com;
client_max_body_size 60m;
# ✅ Angular está dentro de /browser
root /var/www/autorizacion.saludut.com/htdocs/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /api/ {
client_max_body_size 60m;
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600;
proxy_send_timeout 600;
}
error_page 404 /index.html;
ssl_certificate /etc/letsencrypt/live/autorizacion.saludut.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autorizacion.saludut.com/privkey.pem;
}
nginx -t && rc-service nginx restart
```bash
cd saludut-inpec
npm install
npm run start
```
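Review bot: The placeholders `TU_PASSWORD_FUERTE` and `CAMBIA_ESTE_SECRETO` on the old side (L19, L52, L55) are replaced by literal credentials on L20, L23, L53 and L56, and the `JWT_SECRET` on L56 is the same string as `DB_PASSWORD` on L53, so the repository now holds both the database credential and the token-signing key in one place. Treat those values and the `ADMIN_PASS=admin123` default on L62 as exposed once pushed: rotate them on the server and restore placeholders such as `DB_PASSWORD=<DB_PASSWORD>` and an independently generated `JWT_SECRET=<JWT_SECRET>`. The SSH, nftables and nginx commands at L77-L88, L98-L104 and L113-L114 are interleaved with the prose of sections 8-10 outside any fenced block, which reads like an accidental paste of the command list this commit also adds as a separate file.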

BIN
backend.tar.gz Normal file

Binary file not shown.


@ -0,0 +1,154 @@
#!/usr/sbin/nft -f
#--- Hook order is: ingress -> prerouting -> input/output/forward -> postrouting
#--- Flush previous rules
flush ruleset
#--- Definitions
define wan = eth0
define vpn = wg0
define vpn_net = 10.16.40.1/22 #---VPN_NETWORK
#define ipsec_remote = 10.0.0.0/24
#--- "inet" say that this table will handle both ipv4 (ip) and ipv6 (ip6).
table inet firewall {
#--- TCP ports to allow (ssh, http and https).
set tcp_accepted {
#--- "inet_service" are for tcp/udp ports, "flags interval" allows to set intervals.
type inet_service; flags interval;
elements = {80,443,5000,5222,5269,5280,5281,5347,5582,48952} #---OpenTCPports/
}
#--- UDP ports to allow WireGuard.
set udp_accepted {
type inet_service; flags interval;
elements = {500,4500,14801} #---OpenUDPports
}
chain incoming {
type filter hook input priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Drop none SYN packets.
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
# Allow all incmming established and related traffic.
ct state established,related accept
# Allow loopback.
iif lo accept
# Allow certain inbound ICMP types (ping, traceroute).
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# Allow needed tcp and udp ports.
iifname $wan tcp dport @tcp_accepted ct state new accept
iifname $wan udp dport @udp_accepted ct state new accept
iifname $vpn tcp dport @tcp_accepted ct state new accept
iifname $vpn udp dport @udp_accepted ct state new accept
# Allow all incoming traffic from vpn
iifname $vpn ct state new accept
# Allow WireGuard clients to access DNS and services.
iifname $vpn udp dport 53 ct state new accept
# Allow VPN clients to communicate with each other.
iifname $vpn oifname $vpn ct state new accept
# Allows IPSEC StrongSwan trafic.
# ip protocol { ah, esp } accept
# meta ipsec exists accept # toma los paquetes de ipsec existentes de la metadata
#ipsec in ip saddr $ipsec_remote accept #source addres acepta el rango de conexiones de tipo ipsec
}
chain forwarding { #crea una cadena llamada forwarding
type filter hook forward priority 0; policy drop; #crea uun gancho de tipo filtro capacidad forward
# a la politica dejelo caer
# Drop invalid packets.
ct state invalid drop
# Forward all established and related traffic.
ct state established,related accept #paquetes reenviados
# Forward WireGuard traffic.
# Allow WireGuard traffic to access the internet via wan.
iifname $vpn oifname $wan ct state new accept # permitir el trafico para salir a internet
# Allow VPN clients to communicate with each other.
iifname $vpn oifname $vpn accept
}
chain outgoing {
type filter hook output priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Allow all other outgoing traffic.
# For some reason ipv6 ICMP needs to be explicitly allowed here.
ip6 nexthdr ipv6-icmp accept
ct state new,established,related accept
}
}
# Separate table for hook pre- and postrouting.
# If using kernel 5.2 or later you can replace "ip" with "inet" to also filter IPv6 traffic.
table ip router {
# With kernel 4.17 or earlier both need to be set even when one is empty.
chain prerouting {
type nat hook prerouting priority -100; #nat network address translation ipv4
}
chain postrouting {
type nat hook postrouting priority 100; #despues de todas las reglas que se han definido
# Masquerade WireGuard traffic.
# All WireGuard traffic will look like it comes from the servers IP address.
oifname $wan ip saddr $vpn_net masquerade #cambia tu ip privada por una publica
}
}
# Separate table for hook ingress to filter bad packets early.
table netdev filter {
# List of ipv4 addresses to block.
set blocklist_v4 {
# The "ipv4_addr" are for ipv4 addresses and "flags interval" allows to set intervals.
type ipv4_addr; flags interval;
elements = {172.16.254.1,172.16.254.2} #---BloquedIPs
}
chain ingress {
# For some reason the interface must be hardcoded here, variable do not work.
type filter hook ingress device $wan priority -500;
# Drop all fragments.
ip frag-off & 0x1fff != 0 counter drop
# Drop bad addresses.
ip saddr @blocklist_v4 counter drop
# Drop XMAS packets.
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
# Drop NULL packets.
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
# Drop uncommon MSS values.
tcp flags syn tcp option maxseg size 1-535 counter drop
}
}
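Review bot: The catch-all `iifname $vpn ct state new accept` on L251 accepts every new connection arriving on wg0, which makes the port-restricted VPN rules on L248-L249, the DNS rule on L253 and L255 unreachable and means `tcp_accepted`/`udp_accepted` only constrain the WAN side; if VPN clients are meant to be limited to the listed services, remove L251 (the second ruleset in this commit has the same line at L370). The comment on L307 says the ingress device must be hardcoded, yet L308 uses `device $wan`; update one or the other so they agree. `define vpn_net = 10.16.40.1/22` on L213 is a host address paired with a network prefix; nft may reject or silently normalise it, so `10.16.40.0/22` is the safer spelling and `nft -c -f` will confirm.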


@ -0,0 +1,154 @@
#!/usr/sbin/nft -f
#--- Hook order is: ingress -> prerouting -> input/output/forward -> postrouting
#--- Flush previous rules
flush ruleset
#--- Definitions
define wan = eth0
define vpn = wg0
define vpn_net = 10.16.76.1/22 #---VPN_NETWORK
#define ipsec_remote = 10.0.0.0/24
#--- "inet" say that this table will handle both ipv4 (ip) and ipv6 (ip6).
table inet firewall {
#--- TCP ports to allow (ssh, http and https).
set tcp_accepted {
#--- "inet_service" are for tcp/udp ports, "flags interval" allows to set intervals.
type inet_service; flags interval;
elements = {80,443,48952} #---OpenTCPports/
}
#--- UDP ports to allow WireGuard.
set udp_accepted {
type inet_service; flags interval;
elements = {53,500,4500,25237} #---OpenUDPports
}
chain incoming {
type filter hook input priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Drop none SYN packets.
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
# Allow all incmming established and related traffic.
ct state established,related accept
# Allow loopback.
iif lo accept
# Allow certain inbound ICMP types (ping, traceroute).
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# Allow needed tcp and udp ports.
iifname $wan tcp dport @tcp_accepted ct state new accept
iifname $wan udp dport @udp_accepted ct state new accept
#iifname $vpn tcp dport @tcp_accepted ct state new accept
#iifname $vpn udp dport @udp_accepted ct state new accept
# Allow all incoming traffic from vpn
iifname $vpn ct state new accept
# Allow WireGuard clients to access DNS and services.
iifname $vpn udp dport 53 ct state new accept
# Allow VPN clients to communicate with each other.
iifname $vpn oifname $vpn ct state new accept
# Allows IPSEC StrongSwan trafic.
ip protocol { ah, esp } accept
meta ipsec exists accept
#ipsec in ip saddr $ipsec_remote accept
}
chain forwarding {
type filter hook forward priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Forward all established and related traffic.
ct state established,related accept
# Forward WireGuard traffic.
# Allow WireGuard traffic to access the internet via wan.
iifname $vpn oifname $wan ct state new accept
# Allow VPN clients to communicate with each other.
iifname $vpn oifname $vpn accept
}
chain outgoing {
type filter hook output priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Allow all other outgoing traffic.
# For some reason ipv6 ICMP needs to be explicitly allowed here.
ip6 nexthdr ipv6-icmp accept
ct state new,established,related accept
}
}
# Separate table for hook pre- and postrouting.
# If using kernel 5.2 or later you can replace "ip" with "inet" to also filter IPv6 traffic.
table ip router {
# With kernel 4.17 or earlier both need to be set even when one is empty.
chain prerouting {
type nat hook prerouting priority -100;
}
chain postrouting {
type nat hook postrouting priority 100;
# Masquerade WireGuard traffic.
# All WireGuard traffic will look like it comes from the servers IP address.
oifname $wan ip saddr $vpn_net masquerade
}
}
# Separate table for hook ingress to filter bad packets early.
table netdev filter {
# List of ipv4 addresses to block.
set blocklist_v4 {
# The "ipv4_addr" are for ipv4 addresses and "flags interval" allows to set intervals.
type ipv4_addr; flags interval;
elements = {172.16.254.1,172.16.254.2} #---BloquedIPs
}
chain ingress {
# For some reason the interface must be hardcoded here, variable do not work.
type filter hook ingress device $wan priority -500;
# Drop all fragments.
ip frag-off & 0x1fff != 0 counter drop
# Drop bad addresses.
ip saddr @blocklist_v4 counter drop
# Drop XMAS packets.
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
# Drop NULL packets.
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
# Drop uncommon MSS values.
tcp flags syn tcp option maxseg size 1-535 counter drop
}
}
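Review bot: `elements = {53,500,4500,25237}` on L345 together with `iifname $wan udp dport @udp_accepted ct state new accept` on L366 opens UDP/53 on the public interface, while the comment on L371 and the rule on L372 indicate DNS is only intended for WireGuard clients; a resolver reachable from the WAN is a reflection risk, so remove 53 from `udp_accepted` and keep the VPN-only rule on L372. `ip protocol { ah, esp } accept` and `meta ipsec exists accept` on L376-L377 are not qualified by interface, so IPsec is accepted on every interface including wg0; scope them with `iifname $wan` if that is the intent. As in the first ruleset, L370 accepts all new traffic from the VPN, so L372 and L374 never match.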


@ -0,0 +1,27 @@
sed -i 's/#Port 22/Port 48952/g' /etc/ssh/sshd_config
rc-service sshd restart
ssh -p 48952 root@autorizacion.saludut.com
apk add nginx certbot certbot-nginx nftables rsync
#Ejecutar publishNftables.sh
head -n1 ./scripts/publishNftables.sh | cat -A
sed -i 's/\r$//' ./scripts/publishNftables.sh
sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publishNftables.sh
chmod +x ./scripts/publishNftables.sh
file ./scripts/publishNftables.sh
bash ./scripts/publishNftables.sh
#Ejecutar publish.sh
head -n1 ./scripts/publish.sh | cat -A
sed -i 's/\r$//' ./scripts/publish.sh
sed -i '1s|^.*$|#!/usr/bin/env bash|' ./scripts/publish.sh
chmod +x ./scripts/publish.sh
file ./scripts/publish.sh
bash ./scripts/publish.sh
#Ejecutar el nginx de autorizacion.saludut.com
scp -P 48952 scripts/vhost/autorizacion.saludut.com.conf root@autorizacion.saludut.com:/etc/nginx/http.d/
rc-service nginx start
sudo certbot --nginx -d autorizacion.saludut.com
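Review bot: `sed -i 's/#Port 22/Port 48952/g' /etc/ssh/sshd_config` on L443 is followed directly by `rc-service sshd restart` on L444 with no syntax check, and the substitution is a no-op on a host whose `Port` line is already uncommented; the ruleset added in this commit lists only 48952, not 22, so if the substitution did not take effect the host becomes unreachable once the firewall loads. Insert `sshd -t` between L443 and L444 and confirm with `grep -E '^Port' /etc/ssh/sshd_config` before restarting, keeping the current session open until `ssh -p 48952` on L445 succeeds. The file has no shebang or `set -e`, so it reads as a runbook rather than a script; a leading comment saying it is meant to be run step by step would prevent it being executed as one unit.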


@ -0,0 +1,98 @@
#!/usr/bin/env bash
#ssh -p 48952 root@autorizacion.saludut.com
echo "Preparando proyacto para produccion"
ng build
echo "Crear el directorio de destino en el servidor"
SSH_PORT=48952
SERVER_IP4="172.238.203.98"
SERVER_HOSTNAME=autorizacion.saludut.com
REMOTE_USER=root
SITE_NAME="autorizacion.saludut.com"
SITE_DOMAINS="autorizacion.saludut.com"
PROJECT_NAME="saludut-inpec"
#DEPLOYED_TMP_FOLDER="/tmp/www.calacloud.com"
#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_DATA_FOLDER};chgrp -R deploy ${DEPLOYED_DATA_FOLDER};chmod -R 770 ${DEPLOYED_DATA_FOLDER}'"
#DEPLOYED_DATA_FOLDER="/var/www/static/${SITE_NAME}"
DEPLOYED_WEB_DOMAIN_FOLDER=/var/www/${SITE_NAME}
DEPLOYED_WEB_DOMAIN_FOLDER=/var/www/autorizacion.saludut.com
DEPLOYED_WEB_DATA_FOLDER=/var/www/autorizacion.saludut.com/htdocs
DEPLOYED_WEB_DATA_FOLDER="${DEPLOYED_WEB_DOMAIN_FOLDER}/htdocs"
#Inicio de fase de DATA
echo "Se preparan los directorios de destino"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_WEB_DOMAIN_FOLDER};chown -R ${REMOTE_USER}:${REMOTE_USER} ${DEPLOYED_WEB_DOMAIN_FOLDER};chmod -R 775 ${DEPLOYED_WEB_DOMAIN_FOLDER}'"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_WEB_DATA_FOLDER};chown -R ${REMOTE_USER}:www-data ${DEPLOYED_WEB_DATA_FOLDER};chmod -R 775 ${DEPLOYED_WEB_DATA_FOLDER}'"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 31756 root@172.238.203.98 "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p /var/www/autorizacion.saludut.com;chown -R root:root /var/www/autorizacion.saludut.com;chmod -R 775 /var/www/autorizacion.saludut.com/htdocs'"
##ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_DATA_FOLDER};chgrp -R deploy ${DEPLOYED_DATA_FOLDER};chmod -R 770 ${DEPLOYED_DATA_FOLDER}'"
#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${DEPLOYED_DATA_FOLDER};chown -R ${REMOTE_USER}:deploy ${DEPLOYED_DATA_FOLDER};chmod -R 775 ${DEPLOYED_DATA_FOLDER}'"
echo "Subir los archivos en ${DEPLOYED_WEB_DATA_FOLDER}"
DIST_FOLDER="dist/${PROJECT_NAME}"
#echo "rsync -arvz ${DIST_FOLDER} -e \"ssh -p ${SSH_PORT}\" ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}"
# rsync -arvz ${DIST_FOLDER} -e "ssh -p ${SSH_PORT}" ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}
echo "rsync -arvz -e \"ssh -p ${SSH_PORT}\" --progress --delete ${DIST_FOLDER}/ ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}"
rsync -arvz -e "ssh -p ${SSH_PORT}" --progress --delete ${DIST_FOLDER}/ ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}
#echo "scp -r -P ${SSH_PORT} ${DIST_FOLDER}/* ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}"
#scp -r -P ${SSH_PORT} ${DIST_FOLDER}/* ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_WEB_DATA_FOLDER}
#exit 0 #HABILITARLO CUANDO LA PAGINA YA ESTE ARRIBA
#rsync -arvz ${DIST_FOLDER} -e \"ssh -p ${SSH_PORT}\" ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_DATA_FOLDER}
#scp -r -P ${SSH_PORT} ${DIST_FOLDER} ${REMOTE_USER}@${SERVER_IP4}:${DEPLOYED_DATA_FOLDER}
echo "Ajustando permisos web"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "\
chown -R root:root '${DEPLOYED_WEB_DOMAIN_FOLDER}' && \
find '${DEPLOYED_WEB_DOMAIN_FOLDER}' -type d -exec chmod 755 {} \; && \
find '${DEPLOYED_WEB_DOMAIN_FOLDER}' -type f -exec chmod 644 {} \; \
"
#Fin de fase de DATA
VHOST_FILE="${SITE_NAME}"
LOCAL_VHOST_FILE="scripts/${VHOST_FILE}"
LOCAL_VHOST_TEMPLATE_FILE="scripts/virtualhost.template"
TMP_VHOST_FILE="/tmp/${VHOST_FILE}"
DEPLOYED_VHOST_FILE="/etc/nginx/http.d/${VHOST_FILE}"
ENABLED_VHOST_FILE="/etc/nginx/http.d/${VHOST_FILE}"
echo "preparando directorio de logs"
#Inicio de fase LOGS
LOGS_FOLDER="/var/www/log/${SITE_NAME}"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${LOGS_FOLDER};chown -R root:root ${LOGS_FOLDER};chmod -R 755 ${LOGS_FOLDER}'"
#Fin de fase LOGS
exit 0
# EL EXIT VA HASTA ACA LA PRIMERA VEZ QUE VAYA A SUBIR LA MAQUINA
#Inicio de fase VHOST
echo "generando virtualhost: ${VHOST_FILE}"
cat "${LOCAL_VHOST_TEMPLATE_FILE}" | sed "s/%SITE_NAME%/${SITE_NAME}/g" | sed "s/%SITE_DOMAINS%/${SITE_DOMAINS}/g" > "${TMP_VHOST_FILE}"
echo "copiando vistualhost"
scp -r -P ${SSH_PORT} ${TMP_VHOST_FILE} ${REMOTE_USER}@${SERVER_IP4}:${TMP_VHOST_FILE}
rm "${TMP_VHOST_FILE}"
#scp -r -P ${SSH_PORT} ${LOCAL_VHOST_FILE} ${REMOTE_USER}@${SERVER_IP4}:${TMP_VHOST_FILE}
echo "instalando virtualhost"
#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'cp ${TMP_VHOST_FILE} ${DEPLOYED_VHOST_FILE};ln -s ${DEPLOYED_VHOST_FILE} ${ENABLED_VHOST_FILE};systemctl reload nginx'"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'cp -n ${TMP_VHOST_FILE} ${DEPLOYED_VHOST_FILE};ln -s ${DEPLOYED_VHOST_FILE} ${ENABLED_VHOST_FILE};systemctl reload nginx'"
#Fin de fase VHOST
#echo "Copiar los archivos al servidor web"
#REMOTE_SITE_DIR="/var/www/static/www.calacloud.net"
#DEPLOYED_DIST_FOLDER="${DEPLOYED_DATA_FOLDER}/dist/calacloud"
#ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'cp -R ${DEPLOYED_DIST_FOLDER}/* ${REMOTE_SITE_DIR}'"
echo "Cambios publicados en produccion"
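Review bot: Every ssh invocation (L490-L492, L507, L522, L535) passes `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which disables host key verification for the deployment target, so a misrouted or spoofed host would receive the build and, through `echo ${REMOTE_PWD} | sudo -S`, whatever is in `REMOTE_PWD`; since `REMOTE_USER=root` the sudo wrapper is unnecessary and `REMOTE_PWD` is never set in this hunk, so the safer form is plain `ssh -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_HOSTNAME} "sh -c '...'"` with the host key recorded in known_hosts. L492 is a hard-coded copy of L490-L491 using port 31756 and `root@172.238.203.98`, which contradicts `SSH_PORT=48952` on L474 and looks like a leftover to delete. The script has no `set -euo pipefail`, so a failed `ng build` on L472 still reaches `rsync --delete` on L500 and publishes whatever is left in `dist/`; add `set -euo pipefail` after the shebang.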


@ -0,0 +1,16 @@
#!/usr/bin/env bash
#ssh -p 48952 root@autorizacion.saludut.com
echo "Crear el directorio de destino en el servidor"
SSH_PORT=48952
SERVER_IP4="172.238.203.98"
REMOTE_USER=root
SERVER_HOSTNAME=autorizacion.saludut.com
scp -P $SSH_PORT scripts/nftables/nftables.conf $REMOTE_USER@$SERVER_HOSTNAME:/etc/nftables.nft
echo "Cambios anviados a produccion"
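Review bot: L553 overwrites `/etc/nftables.nft` on the server with no validation and no reload, so a typo in the ruleset is only discovered at the next `rc-service nftables start`; because nft applies the file as one transaction, a syntax error leaves the host with no ruleset at all. Copy to a temporary path and check before installing: `scp -P $SSH_PORT scripts/nftables/nftables.conf $REMOTE_USER@$SERVER_HOSTNAME:/tmp/nftables.nft` followed by `ssh -p $SSH_PORT $REMOTE_USER@$SERVER_HOSTNAME 'nft -c -f /tmp/nftables.nft && mv /tmp/nftables.nft /etc/nftables.nft && nft -f /etc/nftables.nft'`. `SERVER_IP4` on L550 is assigned but never used.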


@ -0,0 +1,27 @@
#!/bin/bash
#ssh -p 31756 root@www.ajsystem23.com
SSH_PORT=31756
REMOTE_USER=root
SERVER_HOSTNAME=www.ajsystem23.com
SRC_VHOST=scripts/vhost/www.ajsystem23.com.conf
SRC_SNIPPETS=scripts/vhost/snippets
echo "Crear el VHOST en el servidor"
scp -P $SSH_PORT $SRC_VHOST $REMOTE_USER@$SERVER_HOSTNAME:/etc/nginx/http.d/
SNIPPETS_FOLDER=/etc/nginx/snippets
echo "Subiendo snippets en el servidor"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'mkdir -p ${SNIPPETS_FOLDER};chown -R ${REMOTE_USER}:${REMOTE_USER} ${SNIPPETS_FOLDER};chmod -R 775 ${SNIPPETS_FOLDER}'"
echo "scp -P $SSH_PORT -r $SRC_SNIPPETS $REMOTE_USER@$SERVER_HOSTNAME:$SNIPPETS_FOLDER"
scp -P $SSH_PORT -r $SRC_SNIPPETS $REMOTE_USER@$SERVER_HOSTNAME:$SNIPPETS_FOLDER
echo "Cambios anviados a produccion"
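Review bot: L570 connects to `${REMOTE_USER}@${SERVER_IP4}`, but `SERVER_IP4` is never assigned in this file (only `SERVER_HOSTNAME` on L563), so the target expands to `root@` and the snippets directory is never created; the scp on L572 then fails or lands somewhere unexpected. Use `${REMOTE_USER}@${SERVER_HOSTNAME}` on L570 to match L567 and L572. The same line also disables host key checking and pipes an unset `REMOTE_PWD` into `sudo -S` although the user is already root; `ssh -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_HOSTNAME} "mkdir -p ${SNIPPETS_FOLDER} && chmod 755 ${SNIPPETS_FOLDER}"` does the job without either and avoids leaving nginx config group-writable.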


@ -0,0 +1,36 @@
#!/bin/bash
echo "Crear el directorio de destino en el servidor"
SSH_PORT=19247
SERVER_IP4="172.105.103.215"
if [ $USER = "jorgeescallon" ]; then
REMOTE_USER="deeeijppnwkr"
REMOTE_PWD="jcapuQfNM6gYrZyX7Q991UWU"
else
REMOTE_USER="sceovddutywx"
REMOTE_PWD="3tAcbDCqhV1a7n9fa6QZJXoO"
fi
SITE_NAME="www.calacloud.net"
SITE_DOMAINS="calacloud.net www.calacloud.net"
PROJECT_NAME="calacloud"
DEPLOYED_DATA_FOLDER="/var/www/static/${SITE_NAME}"
VHOST_FILE="${SITE_NAME}"
TMP_VHOST_FILE="/tmp/${VHOST_FILE}"
DEPLOYED_VHOST_FILE="/etc/nginx/sites-available/${VHOST_FILE}"
ENABLED_VHOST_FILE="/etc/nginx/sites-enabled/${VHOST_FILE}"
echo "retirando virtualhost"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'rm ${TMP_VHOST_FILE} ${DEPLOYED_VHOST_FILE} ${ENABLED_VHOST_FILE};systemctl reload nginx'"
echo "retirando logs"
LOGS_FOLDER="/var/www/log/${SITE_NAME}"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'rm -r ${LOGS_FOLDER}'"
echo "Elimiando deployed data"
ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p ${SSH_PORT} ${REMOTE_USER}@${SERVER_IP4} "echo ${REMOTE_PWD} | sudo -S -- sh -c 'rm -r ${DEPLOYED_DATA_FOLDER}'"
echo "Cambios aplicados en produccion. Se eliminó: ${SITE_NAME}"
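Review bot: L584 and L587 commit plaintext sudo passwords for two remote accounts, and L598, L601 and L603 pass them inside the remote command string via `echo ${REMOTE_PWD} | sudo -S`, where they appear in the remote shell's argument list and in history. Those credentials should be rotated now that they are in git history, and the script should read them from the environment or rely on key-based SSH with a scoped sudoers rule, e.g. `: "${REMOTE_PWD:?set REMOTE_PWD in the environment}"` in place of the literals. The file targets `www.calacloud.net` on `172.105.103.215` with a `sites-available`/`sites-enabled` layout, none of which match the saludut host or the `http.d` layout used by the other scripts in this commit, so it looks like an unrelated leftover. `if [ $USER = "jorgeescallon" ]` on L582 should quote `"$USER"` so the test does not break when the variable is unset.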


@ -0,0 +1,106 @@
server {
listen 80;
listen [::]:80;
server_name ajsystem23.com www.ajsystem23.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
server_name ajsystem23.com www.ajsystem23.com;
#resolver 8.8.8.8 8.8.4.4 valid=300s;
#resolver_timeout 5s;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Add some protection headers for ClickJacking
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header 'Access-Control-Allow-Origin' '*';
# Configura http2
#http2_max_field_size 16k;
#http2_max_header_size 32k;
large_client_header_buffers 4 8k;
# Habilita compresion
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_buffers 16 8k;
# Remove server identifiers to help against enumeration
server_tokens off;
root /var/www/www.ajsystem23.com/htdocs;
try_files $uri $uri/ /index.html;
location ~ \.svgz$ {
add_header Content-Encoding gzip;
}
error_page 404 /errors/404.html;
location = /errors/404.html {
#root /var/www/static/%SITE_NAME%/errors;
root /var/www/www.ajsystem23.com/errors;
internal;
}
access_log /var/www/log/www.ajsystem23.com/static.access.log;
error_log /var/www/log/www.ajsystem23.com/static.error.log;
index index.html index.htm;
#location ~* ^.+.(htm|html|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
#access_log off;
expires max;
}
location ~* \.(json|html)$ {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
#
# Om nom nom cookies
#
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
}
location ~ /\.ht {
deny all;
}
}
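Review bot: `add_header 'Access-Control-Allow-Origin' '*'` on L630, L666, L685 and L691 is combined with `add_header 'Access-Control-Allow-Credentials' 'true'` on L670, L686 and L692; browsers reject a wildcard origin together with credentials, so either the credentials header is dead weight or the origin needs an explicit allow-list. Because nginx `add_header` directives are inherited only when the current level defines none, the `if` blocks at L665-L695 and the location at L647-L649 silently drop the headers set on L627-L629 (which already conflict with the `X-Frame-Options DENY` pulled in from `snippets/ssl-params.conf` on L620); repeat them in those blocks or move them into a shared `include`. `location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$` on L660 already matches `.html` and regex locations are taken in order, so the `\.(json|html)$` block on L664 only ever handles `.json`. The same three issues are present in `virtualhost.template` (L768-L858).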


@ -0,0 +1,44 @@
server {
listen 80;
listen [::]:80;
server_name autorizacion.saludut.com;
return 301 https://$host$request_uri;
}
server {
http2 on;
listen 443 ssl;
listen [::]:443 ssl;
server_name autorizacion.saludut.com;
client_max_body_size 60m;
# ✅ Angular está dentro de /browser
root /var/www/autorizacion.saludut.com/htdocs/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /api/ {
client_max_body_size 60m;
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600;
proxy_send_timeout 600;
}
error_page 404 /index.html;
ssl_certificate /etc/letsencrypt/live/autorizacion.saludut.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autorizacion.saludut.com/privkey.pem;
}
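Review bot: The HTTPS server block at L711-L737 carries no TLS or response-header hardening: unlike the ajsystem23 vhost in this commit it sets no `ssl_protocols`, `server_tokens off`, HSTS or `X-Content-Type-Options`, so nginx defaults apply to the SPA and to the API behind `/api/`. Add at least `ssl_protocols TLSv1.2 TLSv1.3;`, `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` and `add_header X-Content-Type-Options nosniff always;` inside the 443 server. `proxy_pass http://127.0.0.1:3000;` on L725 has no trailing slash, so the backend receives the `/api/` prefix, whereas the README's earlier form used `proxy_pass http://127.0.0.1:3000/;`; confirm which one the backend routes expect. `client_max_body_size 60m` on L716 already covers the location, so L724 is redundant.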


@ -0,0 +1,2 @@
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;


@ -0,0 +1,18 @@
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
#ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
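Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on L748 enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and fail most compliance scans; change it to `ssl_protocols TLSv1.2 TLSv1.3;` (the cipher list on L750 only governs 1.2). `ssl_stapling on` on L754-L755 is included next to `snippets/self-signed.conf` in the ajsystem23 vhost; stapling cannot work for a self-signed certificate and nginx will log a warning at startup, so guard it or keep it only in vhosts with a CA-issued certificate. The HSTS header on L761 lacks `always`, so it is omitted on error responses: `add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;`.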


@ -0,0 +1,103 @@
server {
listen 80;
#listen [::]:80;
server_name %SITE_DOMAINS%;
return 301 https://%SITE_NAME%request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
server_name %SITE_DOMAINS%;
#resolver 8.8.8.8 8.8.4.4 valid=300s;
#resolver_timeout 5s;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Add some protection headers for ClickJacking
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header 'Access-Control-Allow-Origin' '*';
# Configura http2
#http2_max_field_size 16k;
#http2_max_header_size 32k;
large_client_header_buffers 4 8k;
# Habilita compresion
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_buffers 16 8k;
# Remove server identifiers to help against enumeration
server_tokens off;
root /var/www/static/%SITE_NAME%;
try_files $uri $uri/ /index.html;
location ~ \.svgz$ {
add_header Content-Encoding gzip;
}
error_page 404 /errors/404.html;
location = /errors/404.html {
root /var/www/static/%SITE_NAME%/errors;
internal;
}
access_log /var/www/log/%SITE_NAME%/static.access.log;
error_log /var/www/log/%SITE_NAME%/static.error.log;
index index.html index.htm;
#location ~* ^.+.(htm|html|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
#access_log off;
expires max;
}
location ~* \.(json|html)$ {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
#
# Om nom nom cookies
#
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
}
location ~ /\.ht {
deny all;
}
}
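Review bot: `return 301 https://%SITE_NAME%request_uri;` on L773 is missing the `$` before `request_uri`, so after substitution every HTTP request is redirected to the literal path `https://<site>request_uri` rather than the original URI; compare L613 in the ajsystem23 vhost and use `return 301 https://%SITE_NAME%$request_uri;`. `listen 443 ssl http2;` on L776-L777 uses the `http2` listen parameter, which nginx deprecated from 1.25.1 in favour of the `http2 on;` directive the other two vhosts in this commit use. The template shares the wildcard-CORS-with-credentials, `add_header` inheritance and regex-location ordering issues noted on the ajsystem23 vhost.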