linux_wiki:nginx_http_server

linux_wiki:nginx_http_server [2018/03/23 16:06]
billdozor [Configuration]
linux_wiki:nginx_http_server [2019/05/25 23:50] (current)
Line 23: Line 23:
   * Legacy: 1.6.3 and below   * Legacy: 1.6.3 and below
  
 +  - Import nginx gpg signing key<code bash>rpm --import http://nginx.org/keys/nginx_signing.key</code>
   - Add a nginx repo file   - Add a nginx repo file
     * Stable Repo:<code bash>vim /etc/yum.repos.d/nginx.repo     * Stable Repo:<code bash>vim /etc/yum.repos.d/nginx.repo
Line 84: Line 85:
 ---- ----
  
-====== Main Config: nginx.conf =====+===== Main Config: nginx.conf ====
  
   * Default repo installed file location: /etc/nginx/nginx.conf   * Default repo installed file location: /etc/nginx/nginx.conf
  
 Main nginx.conf config file, in the http context Main nginx.conf config file, in the http context
-<code bash># Context: HTTP - HTTP Server Directives+<code bash>## NGINX - Main Configuration ## 
 + 
 +# Context: Main - General Server Configuration 
 + 
 +# User that worker processes run as 
 +user  nginx; 
 + 
 +# Number of worker processes (auto = set to number of CPUs) 
 +worker_processes  auto; 
 + 
 +# Error Log and PID of main process 
 +error_log  /var/log/nginx/error.log warn; 
 +pid        /var/run/nginx.pid; 
 + 
 + 
 +# Context: Events - Connection Processing 
 +events { 
 +  # Max number of connections per worker process 
 +  worker_connections  1024; 
 +
 + 
 +# Context: HTTP - HTTP Server Directives
 http { http {
-... +  # MIME - Include file and default type 
-  ##-- Security --##+  include       /etc/nginx/mime.types; 
 +  default_type  application/octet-stream; 
 + 
 +  Logging: Format and Main Access Log 
 +  log_format  main  '$remote_addr - $remote_user [$time_local] "$request"
 +                      '$status $body_bytes_sent "$http_referer"
 +                      '"$http_user_agent" "$http_x_forwarded_for"'; 
 +  access_log  /var/log/nginx/access.log  main; 
   # server_tokens off - Disable nginx version on error pages and response headers   # server_tokens off - Disable nginx version on error pages and response headers
   server_tokens off;   server_tokens off;
- +
   ## Headers - Add additional headers ##   ## Headers - Add additional headers ##
   # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin   # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
- +
   # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks   # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks
   add_header X-Content-Type-Options nosniff;   add_header X-Content-Type-Options nosniff;
- +
   # X-XSS-Protection "1; mode=block" -> Prevent Some Cross Site Scripting   # X-XSS-Protection "1; mode=block" -> Prevent Some Cross Site Scripting
   #   1;mode=block -> XSS filter enabled, prevent rendering the page if attack detected   #   1;mode=block -> XSS filter enabled, prevent rendering the page if attack detected
   add_header X-XSS-Protection "1; mode=block" always;   add_header X-XSS-Protection "1; mode=block" always;
- +  
   # Content-Security-Policy -> Prevent XSS, clickjacking, code injection   # Content-Security-Policy -> Prevent XSS, clickjacking, code injection
   add_header Content-Security-Policy "default-src 'self';" always;   add_header Content-Security-Policy "default-src 'self';" always;
-  ##-- End of Security Settings --## +   
-...+  Combined directives: sendfile, tcp_nopush, tcp_nodelay all on 
 +  sendfile+tcp_nopush = use kernel dma to fill packets up to MSS, then send 
 +  # tcp_nodelay = once the last packet is reached, tcp_nopush auto turned off, 
 +  #               then tcp_nodelay forces the fast sending of the last data 
 + 
 +  # Sendfile Send files directly in kernel space 
 +  # on -> keep on for locally stored files 
 +  # off -> turn off for files served over network mounted storage 
 +  sendfile        on; 
 + 
 +  # tcp_nopush - Do not send data until packet reaches MSS 
 +  # Dependency: sendfile MUST be on for this to work 
 +  #tcp_nopush     on; 
 + 
 +  # tcp_nodelay -  Send packets in buffer as soon as they are available 
 +  #tcp_nodelay on; 
 + 
 +  # Server side keepalive timeout in seconds (default: 75) 
 +  keepalive_timeout  65; 
 + 
 +  # Gzip - Compress responses using gzip 
 +  #gzip  on; 
 + 
 +  # Include enabled configurations 
 +  include /etc/nginx/conf.d/enabled/*.conf; 
 +}</code> 
 + 
 +---- 
 + 
 +===== Default Config: default.conf ==== 
 + 
 +  * Create the available/enabled directories<code bash>mkdir /etc/nginx/conf.d/{available,enabled}</code> 
 +  * Remove default installed config<code bash>rm /etc/nginx/conf.d/default.conf</code> 
 +  * Create new default site/catch all config file<code bash>vim /etc/nginx/conf.d/available/default.conf 
 + 
 +## Default Config - Catch All Matches ## 
 + 
 +# HTTP (Port 80) 
 +server { 
 +    listen 80 default_server; 
 +    server_name  _; 
 + 
 +    # Redirect everything to HTTPS 
 +    return 301 https://$http_host$request_uri; 
 +
 + 
 +# HTTPS (Port 443) 
 +server { 
 +    listen 443 ssl default_server; 
 +    listen [::]:443 ssl default_server; 
 +    server_name _; 
 + 
 +    # HSTS (HTTPS Strict Transport Security
 +    # 63072000 seconds = 2 years 
 +    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; 
 + 
 +    # SSL - Certificate Config 
 +    ssl on; 
 +    ssl_certificate /etc/pki/tls/mycert.crt; 
 +    ssl_certificate_key /etc/pki/tls/mykey.key; 
 +    ssl_client_certificate /etc/pki/tls/myca.crt; 
 + 
 +    # SSL - Session Config 
 +    ssl_session_timeout 5m; 
 +    ssl_session_cache shared:SSL:50m; 
 + 
 +    # SSL - Protocols and Ciphers 
 +    ssl_protocols TLSv1.2; 
 +    ssl_prefer_server_ciphers on; 
 +    ssl_ciphers "HIGH:!AECDH:!DHE:!EDH:!RC4:!ADH:!3DES:!MEDIUM"; 
 + 
 +    # Location: Webserver root 
 +    location / { 
 +      # autoindex off - Disable directory listing output 
 +      autoindex off; 
 +      root /usr/share/nginx/html; 
 +      index index.html index.htm; 
 +    } 
 +}</code> 
 +  * Create symlink in enabled directory to default config<code bash>ln -s /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/enabled/default.conf</code> 
 +  * Deploy your SSL certificates. 
 + 
 +---- 
 + 
 +===== Site Specific Config ==== 
 + 
 +Once the base config is in place, site specific config can be added. 
 +  * Copy the default config to a new file<code bash>cp /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/available/mysite.org.conf</code> 
 +  * Edit the new file<code bash>/etc/nginx/conf.d/available/mysite.org.conf</code> 
 +    * Replace server_name directives with system's fully qualified hostname. Example:<code bash>server_name  mywebserver.org;</code> 
 +    * Remove "default_server" from the listen directives<code bash>listen 80; 
 +listen 443 ssl;</code> 
 +    * Make any other additional site specific config changes. 
 + 
 +  * Create symlink to enable the new site<code bash>ln -s /etc/nginx/conf.d/available/mysite.org.conf /etc/nginx/conf.d/enabled/mysite.org.conf</code> 
 +  * Disable the default.conf catch all config if you don't want it to function on a non-match to your site specific config<code bash>unlink /etc/nginx/conf.d/enabled/default.conf</code> 
 +  * Restart nginx for changes to take affect 
 +    * CentOS 6<code bash>/etc/init.d/nginx restart</code> 
 +    * CentOS 7<code bash>systemctl restart nginx</code> 
 + 
 +---- 
 + 
 +===== Example: Reverse Proxy ===== 
 + 
 +Nginx can function as a reverse proxy. This is particularly useful for: 
 +  * Accepting connections on secure standard ports and forwarding them to non-secure/standard ports for applications 
 +  * Sitting in front of an application server (that might be listening on localhost) 
 +  * Load balancing 
 + 
 +==== Forward to Non Standard Port ==== 
 + 
 +This example accepts connections on standard port 443/tcp and forwards the request to a Java application listening on localhost, port 8080/tcp. 
 +<code bash> 
 +server { 
 +.... 
 +# Location: Reverse Proxy to Java App 
 +    location /myapp/ { 
 +      # Forward /myapp/ requests to correct port 
 +      proxy_pass http://127.0.0.1:8080/myapp/; 
 + 
 +      # Additional headers to pass 
 +      proxy_set_header        Host            $host; 
 +      proxy_set_header        X-Real-IP       $remote_addr; 
 +      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for; 
 +    } 
 +
 +</code> 
 + 
 +---- 
 + 
 +===== SSL: Enforce Strong Encryption ===== 
 + 
 +  * Default file location: /etc/nginx/nginx.conf OR an included file 
 + 
 +==== SSL: All in One ==== 
 + 
 +All in one copy/paste most secure SSL settings.<code bash>ssl_protocols TLSv1.2; 
 +ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4"; 
 +ssl_prefer_server_ciphers on;</code> 
 + 
 +---- 
 + 
 +==== SSL: Protocols ==== 
 + 
 +**Protocols** - Use only TLS (1.2 only if possible) 
 +  * TLSv1.2 only (**Preferred**)<code bash>ssl_protocols TLSv1.2;</code> 
 +  * TLS<code bash>ssl_protocols TLSv1.2 TLSv1.1 TLSv1;</code> 
 + 
 +---- 
 + 
 +==== SSL: Ciphers ==== 
 + 
 +**Ciphers** - Config 
 +<code bash> 
 +ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4"; 
 +</code> 
 + 
 +\\ 
 +**Ciphers** - Server picks compatible cipher 
 +<code bash> 
 +ssl_prefer_server_ciphers on; 
 +</code> 
 + 
 +---- 
 + 
 +===== Other Settings ===== 
 + 
 +Other secure settings. 
 + 
 +==== Redirect HTTP to HTTPS ==== 
 + 
 +Redirect all HTTP to HTTPS<code bash> 
 +server { 
 +    listen 80 default_server; 
 +    server_name  _; 
 +  
 +    # Redirect everything to HTTPS 
 +    return 301 https://$http_host$request_uri; 
 +}</code> 
 + 
 +---- 
 + 
 +==== HSTS ==== 
 + 
 +Enabling HTTPS Strict Transport Security (HSTS). 
 + 
 +Add the strict transport security header to the listening HTTPS server section 
 +<code bash>server { 
 +  listen 443 ssl; 
 +  listen [::]:443 ssl; 
 +  server_name HOSTNAME-HERE; 
 + 
 +  HSTS (HTTPS Strict Transport Security) 
 +  63072000 seconds = 2 years 
 +  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; 
 +....
 }</code> }</code>
 +  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
  
 ---- ----
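Review bot: The http-level security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy) are silently dropped for the HTTPS default server in the new default.conf, because nginx inherits `add_header` from the enclosing level only when the current level defines none, and this server block defines `add_header Strict-Transport-Security ...` itself. Any site config copied from default.conf per the "Site Specific Config" steps carries the same gap, so the headers effectively appear only on the plain-HTTP redirect responses. Restate the four headers next to the HSTS header in the server block (below), or move all five into one snippet that every server block includes. While there, `ssl on;` is redundant with the `ssl` parameter already on both `listen` directives and is deprecated in current nginx, and `ssl_client_certificate` has no effect without `ssl_verify_client`, so either add that directive deliberately or drop the line.
```nginx
server {
    listen 443 ssl default_server;
    # … unchanged: listen [::]:443, server_name …

    # add_header is NOT inherited from the http context once a server block
    # defines its own add_header, so the security headers are restated here
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self';" always;

    # … unchanged: ssl_* directives and location / …
}
```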