Zenuncl Wiki

Genius only means hard-working all one's life...
Zenuncl
[email protected]
Independent Software Developer DevOps | Open Source
Homepage
Changelog
Database
Backup PostgreSQL
Gaming
Don't Starve Together
Git
Git Branching Model Git Commit Style
Hardware
HPE-ssacli iLO-SSH
Linux & MacOS
Shell
Virtualization
ESXi
Networking
NAT UniFi iptables Packet Flow
Security
Let's Encrypt
Server
SSH crontab ethtool Hostname Conventions NGINX
Sysadmin
Server Backup
Server

NGINX

/ server / NGINX

# Normal NGINX Configuration

# Proxy (HTTP)

resolver 8.8.8.8;
server {
  listen 1188;
  location / {
    proxy_pass http://$http_host$request_uri;
  }
}

# Reverse Proxy

server {
  listen 80;
  server_name example.com;

  location / {
    proxy_pass http://google.com/;
    proxy_redirect default;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    port_in_redirect on;
    server_name_in_redirect off;
    proxy_connect_timeout 300;
  }
}

# Cached Reverse Proxy

Need cache and temp directories for cache

Following code should added below log_format directive in nginx.conf:

client_body_buffer_size  512k;
proxy_connect_timeout    5;
proxy_read_timeout       60;
proxy_send_timeout       5;
proxy_buffer_size        16k;
proxy_buffers            4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_temp_path   /var/cache/nginx/temp;
proxy_cache_path  /var/cache/nginx/cache levels=1:2 keys_zone=cache_one:500m inactive=7d max_size=30g;

VHost configuration:

proxy_cache cache_one;
proxy_cache_valid  200 304 3d;
proxy_cache_key $host$uri$is_args$args;
expires 10d;

# Reverse proxy for subdirectory

server {
  listen 80;
  server_name example.com;
  
  location / {
    proxy_pass http://sub.example.com/path;
    sub_filter /path/ /; # You may need this, otherwise comment it out.
    proxy_redirect off;
  }
}

# Set Expires Headers For Static Content

location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
  expires 1y;
  log_not_found off;
}

# Increase HTTP Post Size Limit

http {
  #...
  client_max_body_size 100m;
  #...
}

# Set Correct Files/Folders Permissions

# Some server may using `www:www` instead of `www-data`
chown -R www-data:www-data .

# Find files type and change it to 644 (rw-r--r--)
# Find directory type and change it to 755 (drwxr-xr-x)
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

# Setup Basic-Auth on NGINX

Install apache2-utils

apt-get install apache2-utils

Create User and Password

htpasswd -c /etc/nginx/.htpasswd user

NGINX Configuration

server {
  #...
  location / {
    ...
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth User and Password
  }
  #...
}

# NGINX with SSL

# Global Configuration

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

keepalive_timeout    70;
ssl_session_cache    shared:SSL:10m;
ssl_session_timeout  10m;

IE8/XP support

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";

# Site Configuration

server {
  listen 443 ssl;
  ssl_certificate /etc/nginx/server.crt;
  ssl_certificate_key /etc/nginx/server.key;  
}

# Redirect to HTTPS

server {
  listen 80;
  server_name example.com;

  # Main part for redirect
  location / {
    return 301 https://example.com$request_uri;
  }
}

# As A Force-HTTPS Reverse Proxy

proxy_redirect   http:// $scheme://
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Scheme $scheme;

# HSTS

location / {
  add_header Strict-Transport-Security max-age=63072000;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
}

# Enable CORS (Wide-open CORS configuration for NGINX)

location / {
  add_header 'Access-Control-Allow-Origin' "*"; # Change this to domain name 
  add_header 'Access-Control-Allow-Credentials' 'true';
  add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
}

Tell client that this pre-flight info is valid for 20 days

add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;

# SSL

# Verify A .crt matches A .key

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

# Generating a .csr

openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr

# Concatenate Certificates

cat domain.crt intermediate.pem root.pem > domain.signed.crt

# Avoid using SHA-1 as key exchange method, use Diffie Hellman Ephemeral parameters.

Generating DHE key

openssl dhparam -out dhparam.pem 4096 # use 2048 if you are on a low-end-box.

Set Nginx to use DHE key-exchange

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Reference:

Last Update: 2024-11-11 03:31:49 Source File

Copyright © Zenuncl Wiki Porwered By MinoriWiki