linux_wiki:nginx_http_server [2018/03/23 16:06] billdozor [Configuration] |
linux_wiki:nginx_http_server [2019/05/25 23:50] (current) |
Line 23: | Line 23: | ||
* Legacy: 1.6.3 and below | * Legacy: 1.6.3 and below | ||
+ | - Import nginx gpg signing key<code bash>rpm --import http:// | ||
- Add a nginx repo file | - Add a nginx repo file | ||
* Stable Repo:< | * Stable Repo:< | ||
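Review bot: The new `rpm --import http://` step fetches the repository signing key over plain HTTP, so the trust root for every later `yum` install is itself unauthenticated and an on-path attacker can substitute a key and then serve modified packages that pass the signature check. The URL is truncated in this rendering so the host cannot be confirmed here, but if the key comes from nginx.org it is also served over HTTPS; change the command to `rpm --import https://nginx.org/keys/nginx_signing.key` and compare the imported key's fingerprint against the one published on the nginx site before adding the repo file. The repo-file contents are also truncated, so it is worth stating explicitly on this page that the file must keep `gpgcheck=1`, otherwise importing the key buys nothing.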
Line 84: | Line 85: | ||
---- | ---- | ||
- | ====== Main Config: nginx.conf | + | ===== Main Config: nginx.conf ==== |
* Default repo installed file location: / | * Default repo installed file location: / | ||
Main nginx.conf config file, in the http context | Main nginx.conf config file, in the http context | ||
- | <code bash># Context: HTTP - HTTP Server Directives | + | <code bash>## NGINX - Main Configuration ## |
+ | |||
+ | # Context: Main - General Server Configuration | ||
+ | |||
+ | # User that worker processes run as | ||
+ | user nginx; | ||
+ | |||
+ | # Number of worker processes (auto = set to number of CPUs) | ||
+ | worker_processes | ||
+ | |||
+ | # Error Log and PID of main process | ||
+ | error_log | ||
+ | pid / | ||
+ | |||
+ | |||
+ | # Context: Events - Connection Processing | ||
+ | events { | ||
+ | # Max number of connections per worker process | ||
+ | worker_connections | ||
+ | } | ||
+ | |||
+ | # Context: HTTP - HTTP Server Directives | ||
http { | http { | ||
- | ... | + | # MIME - Include file and default type |
- | | + | include |
+ | | ||
+ | |||
+ | | ||
+ | log_format | ||
+ | ' | ||
+ | '" | ||
+ | access_log | ||
# server_tokens off - Disable nginx version on error pages and response headers | # server_tokens off - Disable nginx version on error pages and response headers | ||
server_tokens off; | server_tokens off; | ||
- | + | ||
## Headers - Add additional headers ## | ## Headers - Add additional headers ## | ||
# X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin | # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | + | ||
# X-Content-Type-Options nosniff -> Prevent MIME Type Attacks | # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks | ||
add_header X-Content-Type-Options nosniff; | add_header X-Content-Type-Options nosniff; | ||
- | + | ||
# X-XSS-Protection "1; mode=block" | # X-XSS-Protection "1; mode=block" | ||
# | # | ||
add_header X-XSS-Protection "1; mode=block" | add_header X-XSS-Protection "1; mode=block" | ||
- | + | | |
# Content-Security-Policy -> Prevent XSS, clickjacking, | # Content-Security-Policy -> Prevent XSS, clickjacking, | ||
add_header Content-Security-Policy " | add_header Content-Security-Policy " | ||
- | ##-- End of Security Settings --## | + | |
- | ... | + | |
+ | | ||
+ | # tcp_nodelay = once the last packet is reached, tcp_nopush auto turned off, | ||
+ | # then tcp_nodelay forces the fast sending of the last data | ||
+ | |||
+ | # Sendfile | ||
+ | # on -> keep on for locally stored files | ||
+ | # off -> turn off for files served over network mounted storage | ||
+ | sendfile | ||
+ | |||
+ | # tcp_nopush - Do not send data until packet reaches MSS | ||
+ | # Dependency: sendfile MUST be on for this to work | ||
+ | # | ||
+ | |||
+ | # tcp_nodelay - Send packets in buffer as soon as they are available | ||
+ | # | ||
+ | |||
+ | # Server side keepalive timeout in seconds (default: 75) | ||
+ | keepalive_timeout | ||
+ | |||
+ | # Gzip - Compress responses using gzip | ||
+ | #gzip on; | ||
+ | |||
+ | # Include enabled configurations | ||
+ | include / | ||
+ | }</ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Default Config: default.conf ==== | ||
+ | |||
+ | * Create the available/ | ||
+ | * Remove default installed config< | ||
+ | * Create new default site/catch all config file< | ||
+ | |||
+ | ## Default Config - Catch All Matches ## | ||
+ | |||
+ | # HTTP (Port 80) | ||
+ | server { | ||
+ | listen 80 default_server; | ||
+ | server_name | ||
+ | |||
+ | # Redirect everything to HTTPS | ||
+ | return 301 https:// | ||
+ | } | ||
+ | |||
+ | # HTTPS (Port 443) | ||
+ | server { | ||
+ | listen 443 ssl default_server; | ||
+ | listen [::]:443 ssl default_server; | ||
+ | server_name _; | ||
+ | |||
+ | # HSTS (HTTPS Strict Transport | ||
+ | # 63072000 seconds = 2 years | ||
+ | add_header Strict-Transport-Security " | ||
+ | |||
+ | # SSL - Certificate Config | ||
+ | ssl on; | ||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | ssl_client_certificate / | ||
+ | |||
+ | # SSL - Session Config | ||
+ | ssl_session_timeout 5m; | ||
+ | ssl_session_cache shared: | ||
+ | |||
+ | # SSL - Protocols and Ciphers | ||
+ | ssl_protocols TLSv1.2; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | ssl_ciphers " | ||
+ | |||
+ | # Location: Webserver root | ||
+ | location / { | ||
+ | # autoindex off - Disable directory listing output | ||
+ | autoindex off; | ||
+ | root / | ||
+ | index index.html index.htm; | ||
+ | } | ||
+ | }</ | ||
+ | * Create symlink in enabled directory to default config< | ||
+ | * Deploy your SSL certificates. | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Site Specific Config ==== | ||
+ | |||
+ | Once the base config is in place, site specific config can be added. | ||
+ | * Copy the default config to a new file< | ||
+ | * Edit the new file< | ||
+ | * Replace server_name directives with system' | ||
+ | * Remove " | ||
+ | listen 443 ssl;</ | ||
+ | * Make any other additional site specific config changes. | ||
+ | |||
+ | * Create symlink to enable the new site< | ||
+ | * Disable the default.conf catch all config if you don't want it to function on a non-match to your site specific config< | ||
+ | * Restart nginx for changes to take affect | ||
+ | * CentOS 6<code bash>/ | ||
+ | * CentOS 7<code bash> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Example: Reverse Proxy ===== | ||
+ | |||
+ | Nginx can function as a reverse proxy. This is particularly useful for: | ||
+ | * Accepting connections on secure standard ports and forwarding them to non-secure/ | ||
+ | * Sitting in front of an application server (that might be listening on localhost) | ||
+ | * Load balancing | ||
+ | |||
+ | ==== Forward to Non Standard Port ==== | ||
+ | |||
+ | This example accepts connections on standard port 443/tcp and forwards the request to a Java application listening on localhost, port 8080/tcp. | ||
+ | <code bash> | ||
+ | server { | ||
+ | .... | ||
+ | # Location: Reverse Proxy to Java App | ||
+ | location /myapp/ { | ||
+ | # Forward /myapp/ requests to correct port | ||
+ | proxy_pass http:// | ||
+ | |||
+ | # Additional headers to pass | ||
+ | proxy_set_header | ||
+ | proxy_set_header | ||
+ | proxy_set_header | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== SSL: Enforce Strong Encryption ===== | ||
+ | |||
+ | * Default file location: / | ||
+ | |||
+ | ==== SSL: All in One ==== | ||
+ | |||
+ | All in one copy/paste most secure SSL settings.< | ||
+ | ssl_ciphers " | ||
+ | ssl_prefer_server_ciphers on;</ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ==== SSL: Protocols ==== | ||
+ | |||
+ | **Protocols** - Use only TLS (1.2 only if possible) | ||
+ | * TLSv1.2 only (**Preferred**)< | ||
+ | * TLS<code bash> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ==== SSL: Ciphers ==== | ||
+ | |||
+ | **Ciphers** - Config | ||
+ | <code bash> | ||
+ | ssl_ciphers " | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | **Ciphers** - Server picks compatible cipher | ||
+ | <code bash> | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Other Settings | ||
+ | |||
+ | Other secure settings. | ||
+ | |||
+ | ==== Redirect HTTP to HTTPS ==== | ||
+ | |||
+ | Redirect all HTTP to HTTPS< | ||
+ | server { | ||
+ | listen 80 default_server; | ||
+ | server_name | ||
+ | |||
+ | # Redirect everything to HTTPS | ||
+ | return 301 https:// | ||
+ | }</ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ==== HSTS ==== | ||
+ | |||
+ | Enabling HTTPS Strict Transport Security (HSTS). | ||
+ | |||
+ | Add the strict transport security header to the listening HTTPS server section | ||
+ | <code bash> | ||
+ | listen 443 ssl; | ||
+ | listen [::]:443 ssl; | ||
+ | server_name HOSTNAME-HERE; | ||
+ | |||
+ | | ||
+ | | ||
+ | add_header Strict-Transport-Security " | ||
+ | .... | ||
}</ | }</ | ||
+ | * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited. | ||
---- | ---- |
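Review bot: The `add_header Strict-Transport-Security` line in the HTTPS `server` block of default.conf (and the same line in the HSTS example further down) silently drops the four security headers set in the `http` block of nginx.conf, because nginx inherits `add_header` from the enclosing level only when the current level defines none; responses from that server block will carry HSTS but not X-Frame-Options, X-Content-Type-Options, X-XSS-Protection or Content-Security-Policy. Repeat those headers inside every `server` (and `location`) block that adds its own header, or put them in an include file pulled in at each level, as sketched below. Two smaller points in the same block: `ssl_client_certificate` without `ssl_verify_client` enforces no client authentication, so either add `ssl_verify_client on;` or drop the directive so readers do not assume mutual TLS is in place; and `ssl on;` is redundant with `listen 443 ssl` and deprecated in newer nginx releases. The CSP value is truncated in this rendering, so the fence uses a placeholder for it.
```nginx
server {
    listen 443 ssl default_server;
    # ... unchanged: listen [::]:443, server_name, HSTS add_header ...

    # add_header is NOT inherited once this block sets its own header,
    # so the http-level security headers must be repeated here
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "<same policy as nginx.conf>";

    # ... unchanged: ssl_* directives, location / ...
}
```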