linux_wiki:nginx_http_server [2018/04/09 00:24] billdozor [Main Config: nginx.conf] |
linux_wiki:nginx_http_server [2019/05/25 23:50] (current) |
||
---|---|---|---|
Line 166: | Line 166: | ||
include / | include / | ||
}</ | }</ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Default Config: default.conf ==== | ||
+ | |||
+ | * Create the available/ | ||
+ | * Remove default installed config< | ||
+ | * Create new default site/catch all config file< | ||
+ | |||
+ | ## Default Config - Catch All Matches ## | ||
+ | |||
+ | # HTTP (Port 80) | ||
+ | server { | ||
+ | listen 80 default_server; | ||
+ | server_name | ||
+ | |||
+ | # Redirect everything to HTTPS | ||
+ | return 301 https:// | ||
+ | } | ||
+ | |||
+ | # HTTPS (Port 443) | ||
+ | server { | ||
+ | listen 443 ssl default_server; | ||
+ | listen [::]:443 ssl default_server; | ||
+ | server_name _; | ||
+ | |||
+ | # HSTS (HTTPS Strict Transport Security) | ||
+ | # 63072000 seconds = 2 years | ||
+ | add_header Strict-Transport-Security " | ||
+ | |||
+ | # SSL - Certificate Config | ||
+ | ssl on; | ||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | ssl_client_certificate / | ||
+ | |||
+ | # SSL - Session Config | ||
+ | ssl_session_timeout 5m; | ||
+ | ssl_session_cache shared: | ||
+ | |||
+ | # SSL - Protocols and Ciphers | ||
+ | ssl_protocols TLSv1.2; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | ssl_ciphers " | ||
+ | |||
+ | # Location: Webserver root | ||
+ | location / { | ||
+ | # autoindex off - Disable directory listing output | ||
+ | autoindex off; | ||
+ | root / | ||
+ | index index.html index.htm; | ||
+ | } | ||
+ | }</ | ||
+ | * Create symlink in enabled directory to default config< | ||
+ | * Deploy your SSL certificates. | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Site Specific Config ==== | ||
+ | |||
+ | Once the base config is in place, site specific config can be added. | ||
+ | * Copy the default config to a new file< | ||
+ | * Edit the new file< | ||
+ | * Replace server_name directives with system' | ||
+ | * Remove " | ||
+ | listen 443 ssl;</ | ||
+ | * Make any other additional site specific config changes. | ||
+ | |||
+ | * Create symlink to enable the new site< | ||
+ | * Disable the default.conf catch all config if you don't want it to function on a non-match to your site specific config< | ||
+ | * Restart nginx for changes to take affect | ||
+ | * CentOS 6<code bash>/ | ||
+ | * CentOS 7<code bash> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Example: Reverse Proxy ===== | ||
+ | |||
+ | Nginx can function as a reverse proxy. This is particularly useful for: | ||
+ | * Accepting connections on secure standard ports and forwarding them to non-secure/ | ||
+ | * Sitting in front of an application server (that might be listening on localhost) | ||
+ | * Load balancing | ||
+ | |||
+ | ==== Forward to Non Standard Port ==== | ||
+ | |||
+ | This example accepts connections on standard port 443/tcp and forwards the request to a Java application listening on localhost, port 8080/tcp. | ||
+ | <code bash> | ||
+ | server { | ||
+ | .... | ||
+ | # Location: Reverse Proxy to Java App | ||
+ | location /myapp/ { | ||
+ | # Forward /myapp/ requests to correct port | ||
+ | proxy_pass http:// | ||
+ | |||
+ | # Additional headers to pass | ||
+ | proxy_set_header | ||
+ | proxy_set_header | ||
+ | proxy_set_header | ||
+ | } | ||
+ | } | ||
+ | </ | ||
---- | ---- | ||
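Review bot: The port-80 catch-all server has only `listen 80 default_server;`, while the 443 server also has `listen [::]:443 ssl default_server;`, so plain-HTTP requests arriving over IPv6 will not hit this redirect unless another block listens there; add `listen [::]:80 default_server;` next to the existing listen line. In the 443 server, `ssl on;` is redundant with the `ssl` parameter already on both listen lines and is deprecated in newer nginx releases, so it can be dropped. `ssl_client_certificate` sets the CA list used to verify client certificates, not the server's chain. Its path is cut off in this view, but if the intent was to supply the intermediate chain, those certificates belong in the file named by `ssl_certificate`. If client-certificate verification is intended, a comment such as `# CA bundle used only to verify client certificates` would stop readers from copying it as a chain file.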
Line 233: | Line 334: | ||
# HSTS (HTTPS Strict Transport Security) | # HSTS (HTTPS Strict Transport Security) | ||
# 63072000 seconds = 2 years | # 63072000 seconds = 2 years | ||
- | add_header Strict-Transport-Security " | + | add_header Strict-Transport-Security " |
.... | .... | ||
}</ | }</ |