linux_wiki:nginx_http_server

linux_wiki:nginx_http_server [2018/03/23 16:08]
billdozor [Main Config: nginx.conf]
linux_wiki:nginx_http_server [2019/05/25 23:50] (current)
Line 23: Line 23:
   * Legacy: 1.6.3 and below   * Legacy: 1.6.3 and below
  
 +  - Import nginx gpg signing key<code bash>rpm --import http://nginx.org/keys/nginx_signing.key</code>
   - Add a nginx repo file   - Add a nginx repo file
     * Stable Repo:<code bash>vim /etc/yum.repos.d/nginx.repo     * Stable Repo:<code bash>vim /etc/yum.repos.d/nginx.repo
Line 89: Line 90:
  
 Main nginx.conf config file, in the http context Main nginx.conf config file, in the http context
-<code bash># Context: HTTP - HTTP Server Directives+<code bash>## NGINX - Main Configuration ## 
 + 
 +# Context: Main - General Server Configuration 
 + 
 +# User that worker processes run as 
 +user  nginx; 
 + 
 +# Number of worker processes (auto = set to number of CPUs) 
 +worker_processes  auto; 
 + 
 +# Error Log and PID of main process 
 +error_log  /var/log/nginx/error.log warn; 
 +pid        /var/run/nginx.pid; 
 + 
 + 
 +# Context: Events - Connection Processing 
 +events { 
 +  # Max number of connections per worker process 
 +  worker_connections  1024; 
 +
 + 
 +# Context: HTTP - HTTP Server Directives
 http { http {
-... +  # MIME - Include file and default type 
-  ##-- Security --##+  include       /etc/nginx/mime.types; 
 +  default_type  application/octet-stream; 
 + 
 +  Logging: Format and Main Access Log 
 +  log_format  main  '$remote_addr - $remote_user [$time_local] "$request"
 +                      '$status $body_bytes_sent "$http_referer"
 +                      '"$http_user_agent" "$http_x_forwarded_for"'; 
 +  access_log  /var/log/nginx/access.log  main; 
   # server_tokens off - Disable nginx version on error pages and response headers   # server_tokens off - Disable nginx version on error pages and response headers
   server_tokens off;   server_tokens off;
- +
   ## Headers - Add additional headers ##   ## Headers - Add additional headers ##
   # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin   # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
- +
   # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks   # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks
   add_header X-Content-Type-Options nosniff;   add_header X-Content-Type-Options nosniff;
- +
   # X-XSS-Protection "1; mode=block" -> Prevent Some Cross Site Scripting   # X-XSS-Protection "1; mode=block" -> Prevent Some Cross Site Scripting
   #   1;mode=block -> XSS filter enabled, prevent rendering the page if attack detected   #   1;mode=block -> XSS filter enabled, prevent rendering the page if attack detected
   add_header X-XSS-Protection "1; mode=block" always;   add_header X-XSS-Protection "1; mode=block" always;
- +  
   # Content-Security-Policy -> Prevent XSS, clickjacking, code injection   # Content-Security-Policy -> Prevent XSS, clickjacking, code injection
   add_header Content-Security-Policy "default-src 'self';" always;   add_header Content-Security-Policy "default-src 'self';" always;
-  ##-- End of Security Settings --## +   
-...+  Combined directives: sendfile, tcp_nopush, tcp_nodelay all on 
 +  sendfile+tcp_nopush = use kernel dma to fill packets up to MSS, then send 
 +  # tcp_nodelay = once the last packet is reached, tcp_nopush auto turned off, 
 +  #               then tcp_nodelay forces the fast sending of the last data 
 + 
 +  # Sendfile Send files directly in kernel space 
 +  # on -> keep on for locally stored files 
 +  # off -> turn off for files served over network mounted storage 
 +  sendfile        on; 
 + 
 +  # tcp_nopush Do not send data until packet reaches MSS 
 +  Dependency: sendfile MUST be on for this to work 
 +  #tcp_nopush     on; 
 + 
 +  # tcp_nodelay -  Send packets in buffer as soon as they are available 
 +  #tcp_nodelay on; 
 + 
 +  # Server side keepalive timeout in seconds (default: 75) 
 +  keepalive_timeout  65; 
 + 
 +  # Gzip - Compress responses using gzip 
 +  #gzip  on; 
 + 
 +  # Include enabled configurations 
 +  include /etc/nginx/conf.d/enabled/*.conf;
 }</code> }</code>
 +
 +----
 +
 +===== Default Config: default.conf ====
 +
 +  * Create the available/enabled directories<code bash>mkdir /etc/nginx/conf.d/{available,enabled}</code>
 +  * Remove default installed config<code bash>rm /etc/nginx/conf.d/default.conf</code>
 +  * Create new default site/catch all config file<code bash>vim /etc/nginx/conf.d/available/default.conf
 +
 +## Default Config - Catch All Matches ##
 +
 +# HTTP (Port 80)
 +server {
 +    listen 80 default_server;
 +    server_name  _;
 +
 +    # Redirect everything to HTTPS
 +    return 301 https://$http_host$request_uri;
 +}
 +
 +# HTTPS (Port 443)
 +server {
 +    listen 443 ssl default_server;
 +    listen [::]:443 ssl default_server;
 +    server_name _;
 +
 +    # HSTS (HTTPS Strict Transport Security)
 +    # 63072000 seconds = 2 years
 +    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
 +
 +    # SSL - Certificate Config
 +    ssl on;
 +    ssl_certificate /etc/pki/tls/mycert.crt;
 +    ssl_certificate_key /etc/pki/tls/mykey.key;
 +    ssl_client_certificate /etc/pki/tls/myca.crt;
 +
 +    # SSL - Session Config
 +    ssl_session_timeout 5m;
 +    ssl_session_cache shared:SSL:50m;
 +
 +    # SSL - Protocols and Ciphers
 +    ssl_protocols TLSv1.2;
 +    ssl_prefer_server_ciphers on;
 +    ssl_ciphers "HIGH:!AECDH:!DHE:!EDH:!RC4:!ADH:!3DES:!MEDIUM";
 +
 +    # Location: Webserver root
 +    location / {
 +      # autoindex off - Disable directory listing output
 +      autoindex off;
 +      root /usr/share/nginx/html;
 +      index index.html index.htm;
 +    }
 +}</code>
 +  * Create symlink in enabled directory to default config<code bash>ln -s /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/enabled/default.conf</code>
 +  * Deploy your SSL certificates.
 +
 +----
 +
 +===== Site Specific Config ====
 +
 +Once the base config is in place, site specific config can be added.
 +  * Copy the default config to a new file<code bash>cp /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/available/mysite.org.conf</code>
 +  * Edit the new file<code bash>/etc/nginx/conf.d/available/mysite.org.conf</code>
 +    * Replace server_name directives with system's fully qualified hostname. Example:<code bash>server_name  mywebserver.org;</code>
 +    * Remove "default_server" from the listen directives<code bash>listen 80;
 +listen 443 ssl;</code>
 +    * Make any other additional site specific config changes.
 +
 +  * Create symlink to enable the new site<code bash>ln -s /etc/nginx/conf.d/available/mysite.org.conf /etc/nginx/conf.d/enabled/mysite.org.conf</code>
 +  * Disable the default.conf catch all config if you don't want it to function on a non-match to your site specific config<code bash>unlink /etc/nginx/conf.d/enabled/default.conf</code>
 +  * Restart nginx for changes to take affect
 +    * CentOS 6<code bash>/etc/init.d/nginx restart</code>
 +    * CentOS 7<code bash>systemctl restart nginx</code>
 +
 +----
 +
 +===== Example: Reverse Proxy =====
 +
 +Nginx can function as a reverse proxy. This is particularly useful for:
 +  * Accepting connections on secure standard ports and forwarding them to non-secure/standard ports for applications
 +  * Sitting in front of an application server (that might be listening on localhost)
 +  * Load balancing
 +
 +==== Forward to Non Standard Port ====
 +
 +This example accepts connections on standard port 443/tcp and forwards the request to a Java application listening on localhost, port 8080/tcp.
 +<code bash>
 +server {
 +....
 +# Location: Reverse Proxy to Java App
 +    location /myapp/ {
 +      # Forward /myapp/ requests to correct port
 +      proxy_pass http://127.0.0.1:8080/myapp/;
 +
 +      # Additional headers to pass
 +      proxy_set_header        Host            $host;
 +      proxy_set_header        X-Real-IP       $remote_addr;
 +      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
 +    }
 +}
 +</code>
  
 ---- ----
Line 118: Line 273:
  
   * Default file location: /etc/nginx/nginx.conf OR an included file   * Default file location: /etc/nginx/nginx.conf OR an included file
-  * Typical compiled location: /opt/cots/nginx/conf/nginx.conf OR an included file 
  
 ==== SSL: All in One ==== ==== SSL: All in One ====
Line 180: Line 334:
   # HSTS (HTTPS Strict Transport Security)   # HSTS (HTTPS Strict Transport Security)
   # 63072000 seconds = 2 years   # 63072000 seconds = 2 years
-  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";+  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
 .... ....
 }</code> }</code>
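Review bot: Several explanatory lines added inside the new nginx.conf body lack the leading `#` and would be parsed as directives, so nginx would refuse to load the file: "Logging: Format and Main Access Log", "Combined directives: sendfile, tcp_nopush, tcp_nodelay all on", "sendfile+tcp_nopush = use kernel dma ...", and "Dependency: sendfile MUST be on for this to work" should each read as a comment, e.g. `# Logging: Format and Main Access Log`. The `events { ... }` block also appears to be missing its closing `}` before the `# Context: HTTP` comment (the line after `worker_connections  1024;` is empty), though that may be a rendering loss. In the "Line 23" hunk the signing key is fetched with `rpm --import http://nginx.org/keys/nginx_signing.key`, which retrieves the key over plain HTTP so the repository's gpgcheck then rests on an unauthenticated download; using `https://nginx.org/keys/nginx_signing.key` and comparing the imported key's fingerprint against the one published by the vendor closes that gap. In the new default.conf, `ssl on;` is redundant with the `listen 443 ssl` directives and has been deprecated in favour of them, and `ssl_client_certificate` only takes effect together with `ssl_verify_client`, so either add that directive or drop the line so readers do not assume client certificates are being checked.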
  • linux_wiki/nginx_http_server.1521835702.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)