Fix renew certificates

.github/workflows/test.yaml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       matrix:
         python-version:
-          - '3.7'
+          - '3.13'
     steps:
 
       - name: Set up Python ${{ matrix.python-version }}
@@ -22,7 +22,7 @@ jobs:
           architecture: x64
 
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@v4
 
       - uses: actions/cache@v4
         with:

dockerize/.env.template

@@ -25,9 +25,10 @@ EMAIL_HOST_USER=''
 EMAIL_HOST_PASSWORD=''
 
 # URL
+DOMAIN_NAME='plugins.qgis.org'
 DEFAULT_PLUGINS_SITE='https://plugins.qgis.org/'
 
-# ENV: debug or prod
+# ENV: debug, staging-ssl, prod, prod-ssl
 QGISPLUGINS_ENV=debug
 
 # Ldap

dockerize/docker-compose.yml

@@ -213,7 +213,7 @@ services:
       - ./certbot-etc:/etc/letsencrypt
     depends_on:
       - web
-    command: certonly --webroot --webroot-path=/var/www/webroot --email [email protected] --agree-tos --no-eff-email --force-renewal -d plugins.qgis.org
+    command: certonly --webroot --webroot-path=/var/www/webroot --email [email protected] --agree-tos --no-eff-email --force-renewal -d ${DOMAIN_NAME:-plugins.qgis.org}
     networks:
       internal:
 

dockerize/sites-enabled/docker-entrypoint.sh

@@ -30,6 +30,14 @@ if [ $# -eq 1 ]; then
 			ln -s /etc/nginx/sites-available/redirections.conf /etc/nginx/redirections.conf
 			exec nginx -g "daemon off;"
 			;;
+		# Staging SSL mode, run using uwsgi
+		[Ss][Tt][Aa][Gg][Ii][Nn][Gg][-][Ss][Ss][Ll])
+			echo "Run in staging SSL mode"
+			CONF_FILE=staging-ssl.conf
+			ln -s /etc/nginx/sites-available/$CONF_FILE /etc/nginx/conf.d/$CONF_FILE
+			ln -s /etc/nginx/sites-available/redirections.conf /etc/nginx/redirections.conf
+			exec nginx -g "daemon off;"
+			;;
 	esac
 fi
 

dockerize/sites-enabled/prod-ssl.conf

@@ -234,5 +234,12 @@ server {
         proxy_pass http://metabase:3000/;
     }
 
+  	location ~ /.well-known/acme-challenge {
+        	# set to webroot path
+        	root /var/www/webroot;
+  		    default_type "text/plain";
+  		    allow all;
+  	}
+
     root /var/www/webroot;
 }

dockerize/sites-enabled/staging-ssl.conf

@@ -0,0 +1,245 @@
+# Define connection details for connecting to django running in
+# a docker container.
+upstream uwsgi {
+    server uwsgi:8080;
+}
+
+# Define the rate limit zone: 10 requests per second for each IP address
+limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
+
+server {
+    # OTF gzip compression
+    gzip on;
+    gzip_min_length 860;
+    gzip_comp_level 5;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain application/xml application/x-javascript text/xml text/css application/json;
+    gzip_disable “MSIE [1-6].(?!.*SV1)”;
+
+    access_log /var/log/nginx/access.log;
+
+    client_max_body_size 20M;
+    error_log /var/log/nginx/error.log;
+
+    # the port your site will be served on
+    listen      80;
+    # the domain name it will serve for
+    server_name staging.plugins.qgis.org;
+
+    # Redirect all HTTP traffic to HTTPS
+    return 301 https://$server_name$request_uri;
+
+    charset     utf-8;
+
+    # Drop any non django related requests
+    # Its probably someone nefarious probing for vulnerabilities...
+    location ~ (\.php|\.asp|myadmin) {
+	    return 404;
+    }
+
+    # Django media
+    location /media  {
+        # your Django project's media files - amend as required
+        alias /home/web/media;
+        expires 21d; # cache for 71 days
+    }
+    location /static {
+        # your Django project's static files - amend as required
+        alias /home/web/static;
+        expires 21d; # cache for 21 days
+    }
+    location /plugins/plugins.xml {
+        if ($request_uri !~ "&package_name(.*)") {
+        	rewrite ^/plugins/plugins.xml /web/media/cached_xmls/plugins_$arg_qgis.xml break;
+            root /home;
+            expires 600s;
+	    }
+    }
+    location /archive {
+        # Changed from http_host to host because of error messages when
+        # bots hit urls like this:
+        #  'REQUEST_URI': '/phpmyadmin/scripts/setup.php',
+        # See https://snakeycode.wordpress.com/2016/11/21/django-nginx-invalid-http_host-header/
+        # for more details.
+        proxy_set_header   Host $host;
+        autoindex on;
+        # your Django project's static files - amend as required
+        alias /home/web/archive;
+        expires 21d; # cache for 21 days
+    }
+    # Finally, send all non-media requests to the Django server.
+    location / {
+
+        # Apply rate limit
+        limit_req zone=one burst=20 nodelay;
+        limit_req_status 429;
+
+        uwsgi_pass  uwsgi;
+        # the uwsgi_params file you installed needs to be passed with each
+        # request.
+        uwsgi_param  QUERY_STRING       $query_string;
+        uwsgi_param  REQUEST_METHOD     $request_method;
+        uwsgi_param  CONTENT_TYPE       $content_type;
+        uwsgi_param  CONTENT_LENGTH     $content_length;
+
+        uwsgi_param  REQUEST_URI        $request_uri;
+        uwsgi_param  PATH_INFO          $document_uri;
+        uwsgi_param  DOCUMENT_ROOT      $document_root;
+        uwsgi_param  SERVER_PROTOCOL    $server_protocol;
+        uwsgi_param  HTTPS              $https if_not_empty;
+
+        uwsgi_param  REMOTE_ADDR        $remote_addr;
+        uwsgi_param  REMOTE_PORT        $remote_port;
+        uwsgi_param  SERVER_PORT        $server_port;
+        uwsgi_param  SERVER_NAME        $server_name;
+
+        if ($http_user_agent ~* (360Spider|80legs.com|Abonti|AcoonBot|Acunetix|adbeat_bot|AddThis.com|adidxbot|ADmantX|AhrefsBot|AngloINFO|Antelope|Applebot|BaiduSpider|BeetleBot|billigerbot|binlar|bitlybot|BlackWidow|BLP_bbot|BoardReader|Bolt\ 0|BOT\ for\ JCE|Bot\ mailto\:craftbot@yahoo\.com|casper|CazoodleBot|CCBot|checkprivacy|ChinaClaw|chromeframe|Clerkbot|Cliqzbot|clshttp|CommonCrawler|comodo|crawler4j|Crawlera|CRAZYWEBCRAWLER|Curious|Custo|CWS_proxy|Default\ Browser\ 0|diavol|DigExt|Digincore|DIIbot|discobot|DISCo|DoCoMo|DotBot|Download\ Demon|DTS.Agent|EasouSpider|eCatch|ecxi|EirGrabber|Elmer|EmailCollector|EmailSiphon|EmailWolf|Exabot|ExaleadCloudView|ExpertSearchSpider|ExpertSearch|Express\ WebPictures|ExtractorPro|extract|EyeNetIE|Ezooms|F2S|FastSeek|feedfinder|FeedlyBot|FHscan|finbot|Flamingo_SearchEngine|FlappyBot|FlashGet|flicky|Flipboard|g00g1e|Genieo|genieo|GetRight|GetWeb\!|GigablastOpenSource|GozaikBot|Go\!Zilla|Go\-Ahead\-Got\-It|GrabNet|grab|Grafula|GrapeshotCrawler|GTB5|GT\:\:WWW|Guzzle|harvest|HMView|HomePageBot|HTTP\:\:Lite|HubSpot|icarus6|IDBot|id\-search|IlseBot|Image\ Stripper|Image\ Sucker|Indigonet|Indy\ Library|integromedb|InterGET|InternetSeer\.com|Internet\ Ninja|IRLbot|ISC\ Systems\ iRc\ Search\ 2\.1|jakarta|JetCar|JobdiggerSpider|JOC\ Web\ Spider|Jooblebot|kanagawa|KINGSpider|kmccrew|larbin|LeechFTP|libwww|Lingewoud|LinkChecker|linkdexbot|LinksCrawler|LinksManager\.com_bot|linkwalker|LinqiaRSSBot|LivelapBot|ltx71|LubbersBot|lwp\-trivial|Mail.RU_Bot|masscan|Mass\ Downloader|maverick|Maxthon$|Mediatoolkitbot|MegaIndex|MegaIndex|megaindex|MFC_Tear_Sample|Microsoft\ URL\ Control|microsoft\.url|MIDown\ tool|miner|Missigua\ Locator|Mister\ PiX|mj12bot|Mozilla.*Indy|Mozilla.*NEWT|MSFrontPage|msnbot|Navroad|NearSite|NetAnts|netEstate|NetSpider|NetZIP|Net\ Vampire|NextGenSearchBot|nutch|Octopus|Offline\ Explorer|Offline\ Navigator|OpenindexSpider|OpenWebSpider|OrangeBot|Owlin|PageGrabber|PagesInventory|panopta|panscient\.com|Papa\ Foto|pavuk|pcBrowser|PECL\:\:HTTP|PeoplePal|Photon|PHPCrawl|planetwork|PleaseCrawl|PNAMAIN.EXE|PodcastPartyBot|prijsbest|proximic|psbot|purebot|pycurl|QuerySeekerSpider|R6_CommentReader|R6_FeedFetcher|RealDownload|ReGet|Riddler|Rippers\ 0|rogerbot|RSSingBot|rv\:1.9.1|RyzeCrawler|SafeSearch|SBIder|Screaming|search.goo.ne.jp|SearchmetricsBot|search_robot|SemrushBot|Semrush|SentiBot|SEOkicks|SeznamBot|ShowyouBot|SightupBot|SISTRIX|sitecheck\.internetseer\.com|siteexplorer.info|SiteSnagger|skygrid|Slurp|SmartDownload|Snoopy|Sogou|Sosospider|spaumbot|Steeler|sucker|SuperBot|Superfeedr|SuperHTTP|SurdotlyBot|Surfbot|tAkeOut|Teleport\ Pro|TinEye-bot|TinEye|Toata\ dragostea\ mea\ pentru\ diavola|Toplistbot|trendictionbot|TurnitinBot|turnit|URI\:\:Fetch|Vagabondo|Vagabondo|vikspider|VoidEYE|VoilaBot|WBSearchBot|webalta|WebAuto|WebBandit|WebCollage|WebCopier|WebFetch|WebGo\ IS|WebLeacher|WebReaper|WebSauger|Website\ eXtractor|Website\ Quester|WebStripper|WebWhacker|WebZIP|Web\ Image\ Collector|Web\ Sucker|Wells\ Search\ II|WEP\ Search|WeSEE|Widow|WinInet|woobot|woopingbot|worldwebheritage.org|Wotbox|WPScan|WWWOFFLE|WWW\-Mechanize|Xaldon\ WebSpider|XoviBot|yacybot|Yahoo|YandexBot|Yandex|YisouSpider|zermelo|Zeus|zh-CN|ZmEu|ZumBot|ZyBorg) ) {
+            return 403;
+        }
+
+        # Redirect planet and hub resources to the new location
+        include redirections.conf;
+    }
+
+    location /metabase/ {
+        # set to webroot path
+        proxy_pass http://metabase:3000/;
+    }
+
+  	location ~ /.well-known/acme-challenge {
+        	# set to webroot path
+        	root /var/www/webroot;
+  		    default_type "text/plain";
+  		    allow all;
+  	}
+}
+
+
+server {
+    # SSL Cert
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name staging.plugins.qgis.org;
+
+    server_tokens off;
+
+    ssl_certificate /etc/letsencrypt/live/staging.plugins.qgis.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/staging.plugins.qgis.org/privkey.pem;
+
+    ssl_buffer_size 8k;
+
+    # ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+    ssl_prefer_server_ciphers on;
+
+    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
+
+    ssl_ecdh_curve secp384r1;
+    ssl_session_tickets off;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8;
+
+    # OTF gzip compression
+    gzip on;
+    gzip_min_length 860;
+    gzip_comp_level 5;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain application/xml application/x-javascript text/xml text/css application/json;
+    gzip_disable “MSIE [1-6].(?!.*SV1)”;
+
+    access_log /var/log/nginx/access.log;
+
+    client_max_body_size 20M;
+    error_log /var/log/nginx/error.log;
+
+    charset     utf-8;
+
+    # Drop any non django related requests
+    # Its probably someone nefarious probing for vulnerabilities...
+    location ~ (\.php|\.asp|myadmin) {
+	    return 404;
+    }
+
+    # Django media
+    location /media  {
+        # your Django project's media files - amend as required
+        alias /home/web/media;
+        expires 21d; # cache for 71 days
+    }
+    location /static {
+        # your Django project's static files - amend as required
+        alias /home/web/static;
+        expires 21d; # cache for 21 days
+    }
+    location /plugins/plugins.xml {
+        if ($request_uri !~ "&package_name(.*)") {
+        	rewrite ^/plugins/plugins.xml /web/media/cached_xmls/plugins_$arg_qgis.xml break;
+            root /home;
+            expires 600s;
+	    }
+    }
+    location /archive {
+        # Changed from http_host to host because of error messages when
+        # bots hit urls like this:
+        #  'REQUEST_URI': '/phpmyadmin/scripts/setup.php',
+        # See https://snakeycode.wordpress.com/2016/11/21/django-nginx-invalid-http_host-header/
+        # for more details.
+        proxy_set_header   Host $host;
+        autoindex on;
+        # your Django project's static files - amend as required
+        alias /home/web/archive;
+        expires 21d; # cache for 21 days
+    }
+    # Finally, send all non-media requests to the Django server.
+    location / {
+
+        # Apply rate limit
+        limit_req zone=one burst=20 nodelay;
+        limit_req_status 429;
+
+        uwsgi_pass  uwsgi;
+        # the uwsgi_params file you installed needs to be passed with each
+        # request.
+        uwsgi_param  QUERY_STRING       $query_string;
+        uwsgi_param  REQUEST_METHOD     $request_method;
+        uwsgi_param  CONTENT_TYPE       $content_type;
+        uwsgi_param  CONTENT_LENGTH     $content_length;
+
+        uwsgi_param  REQUEST_URI        $request_uri;
+        uwsgi_param  PATH_INFO          $document_uri;
+        uwsgi_param  DOCUMENT_ROOT      $document_root;
+        uwsgi_param  SERVER_PROTOCOL    $server_protocol;
+        uwsgi_param  HTTPS              $https if_not_empty;
+
+        uwsgi_param  REMOTE_ADDR        $remote_addr;
+        uwsgi_param  REMOTE_PORT        $remote_port;
+        uwsgi_param  SERVER_PORT        $server_port;
+        uwsgi_param  SERVER_NAME        $server_name;
+
+        if ($http_user_agent ~* (360Spider|80legs.com|Abonti|AcoonBot|Acunetix|adbeat_bot|AddThis.com|adidxbot|ADmantX|AhrefsBot|AngloINFO|Antelope|Applebot|BaiduSpider|BeetleBot|billigerbot|binlar|bitlybot|BlackWidow|BLP_bbot|BoardReader|Bolt\ 0|BOT\ for\ JCE|Bot\ mailto\:craftbot@yahoo\.com|casper|CazoodleBot|CCBot|checkprivacy|ChinaClaw|chromeframe|Clerkbot|Cliqzbot|clshttp|CommonCrawler|comodo|crawler4j|Crawlera|CRAZYWEBCRAWLER|Curious|Custo|CWS_proxy|Default\ Browser\ 0|diavol|DigExt|Digincore|DIIbot|discobot|DISCo|DoCoMo|DotBot|Download\ Demon|DTS.Agent|EasouSpider|eCatch|ecxi|EirGrabber|Elmer|EmailCollector|EmailSiphon|EmailWolf|Exabot|ExaleadCloudView|ExpertSearchSpider|ExpertSearch|Express\ WebPictures|ExtractorPro|extract|EyeNetIE|Ezooms|F2S|FastSeek|feedfinder|FeedlyBot|FHscan|finbot|Flamingo_SearchEngine|FlappyBot|FlashGet|flicky|Flipboard|g00g1e|Genieo|genieo|GetRight|GetWeb\!|GigablastOpenSource|GozaikBot|Go\!Zilla|Go\-Ahead\-Got\-It|GrabNet|grab|Grafula|GrapeshotCrawler|GTB5|GT\:\:WWW|Guzzle|harvest|HMView|HomePageBot|HTTP\:\:Lite|HubSpot|icarus6|IDBot|id\-search|IlseBot|Image\ Stripper|Image\ Sucker|Indigonet|Indy\ Library|integromedb|InterGET|InternetSeer\.com|Internet\ Ninja|IRLbot|ISC\ Systems\ iRc\ Search\ 2\.1|jakarta|JetCar|JobdiggerSpider|JOC\ Web\ Spider|Jooblebot|kanagawa|KINGSpider|kmccrew|larbin|LeechFTP|libwww|Lingewoud|LinkChecker|linkdexbot|LinksCrawler|LinksManager\.com_bot|linkwalker|LinqiaRSSBot|LivelapBot|ltx71|LubbersBot|lwp\-trivial|Mail.RU_Bot|masscan|Mass\ Downloader|maverick|Maxthon$|Mediatoolkitbot|MegaIndex|MegaIndex|megaindex|MFC_Tear_Sample|Microsoft\ URL\ Control|microsoft\.url|MIDown\ tool|miner|Missigua\ Locator|Mister\ PiX|mj12bot|Mozilla.*Indy|Mozilla.*NEWT|MSFrontPage|msnbot|Navroad|NearSite|NetAnts|netEstate|NetSpider|NetZIP|Net\ Vampire|NextGenSearchBot|nutch|Octopus|Offline\ Explorer|Offline\ Navigator|OpenindexSpider|OpenWebSpider|OrangeBot|Owlin|PageGrabber|PagesInventory|panopta|panscient\.com|Papa\ Foto|pavuk|pcBrowser|PECL\:\:HTTP|PeoplePal|Photon|PHPCrawl|planetwork|PleaseCrawl|PNAMAIN.EXE|PodcastPartyBot|prijsbest|proximic|psbot|purebot|pycurl|QuerySeekerSpider|R6_CommentReader|R6_FeedFetcher|RealDownload|ReGet|Riddler|Rippers\ 0|rogerbot|RSSingBot|rv\:1.9.1|RyzeCrawler|SafeSearch|SBIder|Screaming|search.goo.ne.jp|SearchmetricsBot|search_robot|SemrushBot|Semrush|SentiBot|SEOkicks|SeznamBot|ShowyouBot|SightupBot|SISTRIX|sitecheck\.internetseer\.com|siteexplorer.info|SiteSnagger|skygrid|Slurp|SmartDownload|Snoopy|Sogou|Sosospider|spaumbot|Steeler|sucker|SuperBot|Superfeedr|SuperHTTP|SurdotlyBot|Surfbot|tAkeOut|Teleport\ Pro|TinEye-bot|TinEye|Toata\ dragostea\ mea\ pentru\ diavola|Toplistbot|trendictionbot|TurnitinBot|turnit|URI\:\:Fetch|Vagabondo|Vagabondo|vikspider|VoidEYE|VoilaBot|WBSearchBot|webalta|WebAuto|WebBandit|WebCollage|WebCopier|WebFetch|WebGo\ IS|WebLeacher|WebReaper|WebSauger|Website\ eXtractor|Website\ Quester|WebStripper|WebWhacker|WebZIP|Web\ Image\ Collector|Web\ Sucker|Wells\ Search\ II|WEP\ Search|WeSEE|Widow|WinInet|woobot|woopingbot|worldwebheritage.org|Wotbox|WPScan|WWWOFFLE|WWW\-Mechanize|Xaldon\ WebSpider|XoviBot|yacybot|Yahoo|YandexBot|Yandex|YisouSpider|zermelo|Zeus|zh-CN|ZmEu|ZumBot|ZyBorg) ) {
+            return 403;
+        }
+
+        # Redirect planet and hub resources to the new location
+        include redirections.conf;
+
+    }
+
+
+    location /metabase/ {
+        # set to webroot path
+        proxy_pass http://metabase:3000/;
+    }
+
+  	location ~ /.well-known/acme-challenge {
+        	# set to webroot path
+        	root /var/www/webroot;
+  		    default_type "text/plain";
+  		    allow all;
+  	}
+
+    root /var/www/webroot;
+}