linux_wiki:nginx_http_server

Differences

linux_wiki:nginx_http_server [2016/04/13 23:28]
billdozor [Restart]
linux_wiki:nginx_http_server [2019/05/25 23:50] (current)
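--- a/linux_wiki:nginx_http_server
+++ b/linux_wiki:nginx_http_server
@@ -23,4 +23,5 @@
   * Legacy: 1.6.3 and below
 
+  - Import nginx gpg signing key<code bash>rpm --import http://nginx.org/keys/nginx_signing.key</code>
   - Add a nginx repo file
     * Stable Repo:<code bash>vim /etc/yum.repos.d/nginx.repo
@@ -81,4 +82,260 @@
     * Alt Additional Config (Compiled): No default
     * Alt Additional Config (Software Collections): /etc/opt/rh/rh-nginx18/nginx/conf.d/
+
+----
+
+===== Main Config: nginx.conf ====
+
+  * Default repo installed file location: /etc/nginx/nginx.conf
+
+Main nginx.conf config file, in the http context
+<code bash>## NGINX - Main Configuration ##
+
+# Context: Main - General Server Configuration
+
+# User that worker processes run as
+user  nginx;
+
+# Number of worker processes (auto = set to number of CPUs)
+worker_processes  auto;
+
+# Error Log and PID of main process
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+# Context: Events - Connection Processing
+events {
+  # Max number of connections per worker process
+  worker_connections  1024;
+}
+
+# Context: HTTP - HTTP Server Directives
+http {
+  # MIME - Include file and default type
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  # Logging: Format and Main Access Log
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+  access_log  /var/log/nginx/access.log  main;
+
+  # server_tokens off - Disable nginx version on error pages and response headers
+  server_tokens off;
+
+  ## Headers - Add additional headers ##
+  # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin
+  add_header X-Frame-Options SAMEORIGIN;
+
+  # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks
+  add_header X-Content-Type-Options nosniff;
+
+  # X-XSS-Protection "1; mode=block" -> Prevent Some Cross Site Scripting
+  #   1;mode=block -> XSS filter enabled, prevent rendering the page if attack detected
+  add_header X-XSS-Protection "1; mode=block" always;
+  
+  # Content-Security-Policy -> Prevent XSS, clickjacking, code injection
+  add_header Content-Security-Policy "default-src 'self';" always;
+  
+  # Combined directives: sendfile, tcp_nopush, tcp_nodelay all on
+  # sendfile+tcp_nopush = use kernel dma to fill packets up to MSS, then send
+  # tcp_nodelay = once the last packet is reached, tcp_nopush auto turned off,
+  #               then tcp_nodelay forces the fast sending of the last data
+
+  # Sendfile - Send files directly in kernel space
+  # on -> keep on for locally stored files
+  # off -> turn off for files served over network mounted storage
+  sendfile        on;
+
+  # tcp_nopush - Do not send data until packet reaches MSS
+  # Dependency: sendfile MUST be on for this to work
+  #tcp_nopush     on;
+
+  # tcp_nodelay -  Send packets in buffer as soon as they are available
+  #tcp_nodelay on;
+
+  # Server side keepalive timeout in seconds (default: 75)
+  keepalive_timeout  65;
+
+  # Gzip - Compress responses using gzip
+  #gzip  on;
+
+  # Include enabled configurations
+  include /etc/nginx/conf.d/enabled/*.conf;
+}</code>
+
+----
+
+===== Default Config: default.conf ====
+
+  * Create the available/enabled directories<code bash>mkdir /etc/nginx/conf.d/{available,enabled}</code>
+  * Remove default installed config<code bash>rm /etc/nginx/conf.d/default.conf</code>
+  * Create new default site/catch all config file<code bash>vim /etc/nginx/conf.d/available/default.conf
+
+## Default Config - Catch All Matches ##
+
+# HTTP (Port 80)
+server {
+    listen 80 default_server;
+    server_name  _;
+
+    # Redirect everything to HTTPS
+    return 301 https://$http_host$request_uri;
+}
+
+# HTTPS (Port 443)
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+
+    # HSTS (HTTPS Strict Transport Security)
+    # 63072000 seconds = 2 years
+    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
+
+    # SSL - Certificate Config
+    ssl on;
+    ssl_certificate /etc/pki/tls/mycert.crt;
+    ssl_certificate_key /etc/pki/tls/mykey.key;
+    ssl_client_certificate /etc/pki/tls/myca.crt;
+
+    # SSL - Session Config
+    ssl_session_timeout 5m;
+    ssl_session_cache shared:SSL:50m;
+
+    # SSL - Protocols and Ciphers
+    ssl_protocols TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "HIGH:!AECDH:!DHE:!EDH:!RC4:!ADH:!3DES:!MEDIUM";
+
+    # Location: Webserver root
+    location / {
+      # autoindex off - Disable directory listing output
+      autoindex off;
+      root /usr/share/nginx/html;
+      index index.html index.htm;
+    }
+}</code>
+  * Create symlink in enabled directory to default config<code bash>ln -s /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/enabled/default.conf</code>
+  * Deploy your SSL certificates.
+
+----
+
+===== Site Specific Config ====
+
+Once the base config is in place, site specific config can be added.
+  * Copy the default config to a new file<code bash>cp /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/available/mysite.org.conf</code>
+  * Edit the new file<code bash>/etc/nginx/conf.d/available/mysite.org.conf</code>
+    * Replace server_name directives with system's fully qualified hostname. Example:<code bash>server_name  mywebserver.org;</code>
+    * Remove "default_server" from the listen directives<code bash>listen 80;
+listen 443 ssl;</code>
+    * Make any other additional site specific config changes.
+
+  * Create symlink to enable the new site<code bash>ln -s /etc/nginx/conf.d/available/mysite.org.conf /etc/nginx/conf.d/enabled/mysite.org.conf</code>
+  * Disable the default.conf catch all config if you don't want it to function on a non-match to your site specific config<code bash>unlink /etc/nginx/conf.d/enabled/default.conf</code>
+  * Restart nginx for changes to take affect
+    * CentOS 6<code bash>/etc/init.d/nginx restart</code>
+    * CentOS 7<code bash>systemctl restart nginx</code>
+
+----
+
+===== Example: Reverse Proxy =====
+
+Nginx can function as a reverse proxy. This is particularly useful for:
+  * Accepting connections on secure standard ports and forwarding them to non-secure/standard ports for applications
+  * Sitting in front of an application server (that might be listening on localhost)
+  * Load balancing
+
+==== Forward to Non Standard Port ====
+
+This example accepts connections on standard port 443/tcp and forwards the request to a Java application listening on localhost, port 8080/tcp.
+<code bash>
+server {
+....
+# Location: Reverse Proxy to Java App
+    location /myapp/ {
+      # Forward /myapp/ requests to correct port
+      proxy_pass http://127.0.0.1:8080/myapp/;
+
+      # Additional headers to pass
+      proxy_set_header        Host            $host;
+      proxy_set_header        X-Real-IP       $remote_addr;
+      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+</code>
+
+----
+
+===== SSL: Enforce Strong Encryption =====
+
+  * Default file location: /etc/nginx/nginx.conf OR an included file
+
+==== SSL: All in One ====
+
+All in one copy/paste most secure SSL settings.<code bash>ssl_protocols TLSv1.2;
+ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
+ssl_prefer_server_ciphers on;</code>
+
+----
+
+==== SSL: Protocols ====
+
+**Protocols** - Use only TLS (1.2 only if possible)
+  * TLSv1.2 only (**Preferred**)<code bash>ssl_protocols TLSv1.2;</code>
+  * TLS<code bash>ssl_protocols TLSv1.2 TLSv1.1 TLSv1;</code>
+
+----
+
+==== SSL: Ciphers ====
+
+**Ciphers** - Config
+<code bash>
+ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
+</code>
+
+\\
+**Ciphers** - Server picks compatible cipher
+<code bash>
+ssl_prefer_server_ciphers on;
+</code>
+
+----
+
+===== Other Settings =====
+
+Other secure settings.
+
+==== Redirect HTTP to HTTPS ====
+
+Redirect all HTTP to HTTPS<code bash>
+server {
+    listen 80 default_server;
+    server_name  _;
+ 
+    # Redirect everything to HTTPS
+    return 301 https://$http_host$request_uri;
+}</code>
+
+----
+
+==== HSTS ====
+
+Enabling HTTPS Strict Transport Security (HSTS).
+
+Add the strict transport security header to the listening HTTPS server section
+<code bash>server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  server_name HOSTNAME-HERE;
+
+  # HSTS (HTTPS Strict Transport Security)
+  # 63072000 seconds = 2 years
+  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
+....
+}</code>
+  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
 
 ----
@@ -93,4 +350,7 @@
     * Alt main nginx executable (Compiled): /usr/local/nginx/sbin/nginx
     * Alt main nginx executable (Software Collections): /opt/rh/rh-nginx18/root/sbin/nginx
+
+**Note**: If using the software collections method, that environment must be enabled before you attempt to operate the web server.<code bash>scl enable rh-nginx18 bash</code>
+  * This could be put in a user's .bashrc for easier use if needed.
 
 ----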
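Review bot: The four security headers added at http level in nginx.conf (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy) will not be sent by the HTTPS server block in default.conf, because that block defines its own `add_header Strict-Transport-Security ...` and nginx only inherits add_header from the enclosing level when the current level has no add_header of its own; the same applies to the HSTS server block later on the page. The page should either repeat the http-level headers next to the HSTS line in every server block that sets it, or keep all of them in one snippet that is included at both levels, as sketched below. Separately, `ssl on;` is redundant with `listen 443 ssl` and is deprecated in current nginx, and `ssl_client_certificate` has no effect without `ssl_verify_client`, so it should be dropped or paired with `ssl_verify_client on;` if client-certificate authentication is actually intended. A short comment above the add_header group in nginx.conf noting that it is overridden by any server-level add_header would spare readers from this surprise.
```nginx
# HTTPS (Port 443)
server {
    # … unchanged: listen / server_name …

    # add_header is not inherited from http{} once this block defines its own,
    # so the http-level security headers must be repeated here
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self';" always;

    # … unchanged: ssl_* directives and location / …
}
```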
  • linux_wiki/nginx_http_server.1460604501.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)