linux_wiki:nginx_http_server

linux_wiki:nginx_http_server [2018/04/09 00:24]
billdozor [Main Config: nginx.conf]
linux_wiki:nginx_http_server [2019/05/25 23:50] (current)
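--- a/linux_wiki/nginx_http_server.txt
+++ b/linux_wiki/nginx_http_server.txt
@@ -166,4 +166,105 @@
   include /etc/nginx/conf.d/enabled/*.conf;
 }</code>
+
+----
+
+===== Default Config: default.conf ====
+
+  * Create the available/enabled directories<code bash>mkdir /etc/nginx/conf.d/{available,enabled}</code>
+  * Remove default installed config<code bash>rm /etc/nginx/conf.d/default.conf</code>
+  * Create new default site/catch all config file<code bash>vim /etc/nginx/conf.d/available/default.conf
+
+## Default Config - Catch All Matches ##
+
+# HTTP (Port 80)
+server {
+    listen 80 default_server;
+    server_name  _;
+
+    # Redirect everything to HTTPS
+    return 301 https://$http_host$request_uri;
+}
+
+# HTTPS (Port 443)
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+
+    # HSTS (HTTPS Strict Transport Security)
+    # 63072000 seconds = 2 years
+    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
+
+    # SSL - Certificate Config
+    ssl on;
+    ssl_certificate /etc/pki/tls/mycert.crt;
+    ssl_certificate_key /etc/pki/tls/mykey.key;
+    ssl_client_certificate /etc/pki/tls/myca.crt;
+
+    # SSL - Session Config
+    ssl_session_timeout 5m;
+    ssl_session_cache shared:SSL:50m;
+
+    # SSL - Protocols and Ciphers
+    ssl_protocols TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "HIGH:!AECDH:!DHE:!EDH:!RC4:!ADH:!3DES:!MEDIUM";
+
+    # Location: Webserver root
+    location / {
+      # autoindex off - Disable directory listing output
+      autoindex off;
+      root /usr/share/nginx/html;
+      index index.html index.htm;
+    }
+}</code>
+  * Create symlink in enabled directory to default config<code bash>ln -s /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/enabled/default.conf</code>
+  * Deploy your SSL certificates.
+
+----
+
+===== Site Specific Config ====
+
+Once the base config is in place, site specific config can be added.
+  * Copy the default config to a new file<code bash>cp /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/available/mysite.org.conf</code>
+  * Edit the new file<code bash>/etc/nginx/conf.d/available/mysite.org.conf</code>
+    * Replace server_name directives with system's fully qualified hostname. Example:<code bash>server_name  mywebserver.org;</code>
+    * Remove "default_server" from the listen directives<code bash>listen 80;
+listen 443 ssl;</code>
+    * Make any other additional site specific config changes.
+
+  * Create symlink to enable the new site<code bash>ln -s /etc/nginx/conf.d/available/mysite.org.conf /etc/nginx/conf.d/enabled/mysite.org.conf</code>
+  * Disable the default.conf catch all config if you don't want it to function on a non-match to your site specific config<code bash>unlink /etc/nginx/conf.d/enabled/default.conf</code>
+  * Restart nginx for changes to take affect
+    * CentOS 6<code bash>/etc/init.d/nginx restart</code>
+    * CentOS 7<code bash>systemctl restart nginx</code>
+
+----
+
+===== Example: Reverse Proxy =====
+
+Nginx can function as a reverse proxy. This is particularly useful for:
+  * Accepting connections on secure standard ports and forwarding them to non-secure/standard ports for applications
+  * Sitting in front of an application server (that might be listening on localhost)
+  * Load balancing
+
+==== Forward to Non Standard Port ====
+
+This example accepts connections on standard port 443/tcp and forwards the request to a Java application listening on localhost, port 8080/tcp.
+<code bash>
+server {
+....
+# Location: Reverse Proxy to Java App
+    location /myapp/ {
+      # Forward /myapp/ requests to correct port
+      proxy_pass http://127.0.0.1:8080/myapp/;
+
+      # Additional headers to pass
+      proxy_set_header        Host            $host;
+      proxy_set_header        X-Real-IP       $remote_addr;
+      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+</code>
 
 ----
@@ -233,5 +334,5 @@
   # HSTS (HTTPS Strict Transport Security)
   # 63072000 seconds = 2 years
-  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
 ....
 }</code>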
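Review bot: In the new default.conf, `ssl_client_certificate /etc/pki/tls/myca.crt;` is set without any `ssl_verify_client` directive, so nginx never requests or verifies a client certificate and the CA file is loaded for nothing; if mutual TLS is intended add `ssl_verify_client on;` next to it, otherwise drop the line or comment it as a placeholder so readers do not assume client-cert checking is in place. `ssl on;` in the same server block is redundant with `listen 443 ssl` and is deprecated in current nginx releases, so it can be removed. The reverse-proxy example passes Host, X-Real-IP and X-Forwarded-For but not the original scheme; adding `proxy_set_header X-Forwarded-Proto $scheme;` lets the backend distinguish the HTTPS front end from plain HTTP when it builds absolute URLs or secure-cookie flags. Note also that the Port 80 redirect target is built from the client-supplied Host header, which is expected on a `server_name _` catch-all but worth a one-line comment so site-specific copies replace it with the fixed hostname.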