====== NGINX ======
Setup NGINX as reverse proxy server
===== Install =====
Only nginx (or nginx-full) is required, but the other tools below are likely to be needed when running NGINX as a reverse proxy:
<code bash>
aptitude install nginx-full apache2-utils certbot python3-certbot-nginx curl ethtool fail2ban git gzip iputils-tracepath nmap openbsd-inetd tcpdump ufw
</code>
===== System Config =====
==== Setting number of open files allowed ====
Allow the NGINX user www-data to open 8192 files. This should be the same as (or higher than) the ''worker_rlimit_nofile'' setting in the NGINX config.\\
Create the file ''/etc/security/limits.d/10-nofile.conf'' (or append to it if it already exists) with:
<code>
www-data soft nofile 8192
</code>
=== Related commands ===
Soft limit:
<code bash>
ulimit -S -a
</code>
Hard limit:
<code bash>
ulimit -H -a
</code>
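An added check, not part of the original page, that verifies the condition stated above: the soft "Max open files" limit an nginx worker actually runs with must be at least ''worker_rlimit_nofile'' from nginx.conf. It assumes POSIX sh with awk, sed and pgrep; the ''/proc/<pid>/limits'' column layout and the "nginx: worker process" title are real, and the sample files in ''demo_nofile'' are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): compare the soft "Max open files"
# limit of an nginx worker (from /proc/<pid>/limits) with worker_rlimit_nofile
# in nginx.conf. Inputs are file paths so constructed samples can be checked.

# Soft "Max open files" value from a /proc/<pid>/limits style file ($4 is the soft column).
proc_nofile_soft() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# worker_rlimit_nofile value from an nginx.conf style file (empty if unset).
conf_rlimit_nofile() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "worker_rlimit_nofile" { sub(/;.*/, "", $2); print $2; exit }'
}

# Return 0 when the worker limit in file $1 covers the value configured in file $2.
check_nofile() {
    soft=$(proc_nofile_soft "$1")
    want=$(conf_rlimit_nofile "$2")
    [ -n "$soft" ] && [ -n "$want" ] && [ "$soft" -ge "$want" ]
}

# Check every running nginx worker on this host against $1 (default /etc/nginx/nginx.conf).
check_running_workers() {
    conf=${1:-/etc/nginx/nginx.conf}
    rc=0
    for pid in $(pgrep -f 'nginx: worker process'); do
        if check_nofile "/proc/$pid/limits" "$conf"; then
            echo "worker $pid: ok (nofile $(proc_nofile_soft "/proc/$pid/limits"))"
        else
            echo "worker $pid: nofile below worker_rlimit_nofile"; rc=1
        fi
    done
    return $rc
}

# Dry run on constructed sample files matching the page's 8192 setting; returns 0.
demo_nofile() {
    d=$(mktemp -d)
    printf 'Limit                     Soft Limit           Hard Limit           Units\nMax open files            8192                 8192                 files\n' > "$d/limits"
    printf 'user www-data;\nworker_rlimit_nofile 8192;\n' > "$d/nginx.conf"
    check_nofile "$d/limits" "$d/nginx.conf"; r=$?
    rm -rf "$d"; return $r
}
```

Run ''check_running_workers'' as root after changing the limits file and restarting nginx; the PAM limit only applies to sessions started after the change.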
===== NGINX Config =====
==== SSL ====
=== Resources ===
* [[https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6|SSL Configuration Generator]]
* [[https://medium.com/@mvuksano/how-to-properly-configure-your-nginx-for-tls-564651438fe0|How to properly configure your nginx for TLS]]
* [[https://gist.github.com/gavinhungry/7a67174c18085f4a23eb|Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating]]
* Run online test with [[https://www.ssllabs.com/ssltest/|Qualys SSL Server Test]]
* [[https://scaron.info/blog/improve-your-nginx-ssl-configuration.html|Improve your Nginx SSL configuration]]
* [[https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum|CAA Mandated by CA/Browser Forum]]
Create file ''conf.d/ssl.conf'' with:
<code nginx>
ssl_prefer_server_ciphers on;
#ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Configure a shared memory cache of 4 MB
ssl_session_cache shared:SSL:4m;
# Expire individual sessions after 2 hours.
ssl_session_timeout 2h;
#
#ssl_certificate /etc/nginx/ssl/nginx.crt;
#ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
#
# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
</code>
THIS IS NOT REQUIRED! Generate certificates: here we just create a self-signed certificate to get started.
<code bash>
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
openssl req -x509 -nodes -days 36524 -newkey rsa:2048 -keyout nginx.key -out nginx.crt
cat nginx.crt nginx.key > nginx.pem
</code>
Generate stronger Diffie-Hellman parameters (options must come before the bit size, which is the last argument):
<code bash>
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
</code>
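An added audit script, not part of the original page, that checks a file in the shape of the ''conf.d/ssl.conf'' above for legacy protocols, cipher entries that are not explicit ECDHE/DHE (forward-secret) suites, and missing OCSP stapling. It assumes POSIX sh with awk and sed; the directive names are nginx's own and the sample written by ''sample_ssl_conf'' is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit an nginx ssl.conf like the
# conf.d/ssl.conf above. Directive names are nginx's own; the sample is constructed.

# Write a constructed copy of the page's ssl.conf to the path given as $1.
sample_ssl_conf() {
    cat > "$1" <<'EOF'
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
EOF
}

# Print the value of directive $1 in file $2 (first match; comments and ';' removed).
ssl_directive() {
    sed -e 's/#.*//' -e 's/;[[:space:]]*$//' "$2" |
        awk -v d="$1" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Print one finding per line for file $1; print nothing when the file passes.
audit_ssl_conf() {
    f=$1
    protos=$(ssl_directive ssl_protocols "$f")
    [ -n "$protos" ] || echo "ssl_protocols not set (older nginx defaults include TLSv1/1.1)"
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) echo "legacy protocol enabled: $protos" ;;
    esac
    # Every entry in ssl_ciphers should be an explicit forward-secret suite.
    for c in $(ssl_directive ssl_ciphers "$f" | tr ':' ' '); do
        case $c in
            ECDHE-*|DHE-*) ;;
            *) echo "cipher entry is not an explicit ECDHE/DHE suite: $c" ;;
        esac
    done
    [ "$(ssl_directive ssl_stapling "$f")" = on ] || echo "ssl_stapling is not on"
    [ "$(ssl_directive ssl_stapling_verify "$f")" = on ] || echo "ssl_stapling_verify is not on"
}

# Return 0 when audit_ssl_conf reports nothing for file $1.
ssl_conf_ok() {
    [ -z "$(audit_ssl_conf "$1")" ]
}

# Dry run against the constructed sample: prints nothing (no findings).
tmp=$(mktemp) && sample_ssl_conf "$tmp" && audit_ssl_conf "$tmp"; rm -f "$tmp"
```

Run ''audit_ssl_conf /etc/nginx/conf.d/ssl.conf'' on the server after edits; it complements, not replaces, the external Qualys test listed above.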
===== Harden =====
Use ufw to restrict outgoing connections from the NGINX server to the minimum required.
<code bash>
# Reset if needed
ufw reset
# Turn on logging
ufw logging on
# Allow ALL incoming - Depend on the network to only allow 80, 443. If network itself is hacked you have bigger problems!
ufw default allow incoming
# Deny ALL outgoing - You want to limit outgoing to just what is required
ufw default deny outgoing
# Allow server to access DNS servers
ufw allow out 53
# Allow server to access Web/Application servers
ufw allow out to 192.168.1.123 port 8080
ufw allow out to 192.168.1.234 port 4200
ufw allow out 80
ufw allow out 443
# Allow server to access Mail server
ufw allow out to 192.168.1.111 port 25
# Allow Time Sync
ufw allow out 123
# Enable and check status
ufw enable
ufw status verbose
# Disable command - in case you need to disable
# ufw disable
</code>
===== Other configuration =====
==== Syntax highlighting ====
In order to do syntax highlighting when using ''vim'' while editing NGINX config files, install ''Vim plugin for Nginx''.
Follow the steps found in: https://github.com/chr4/nginx.vim
==== Logrotate ====
Update the nginx logrotate config ''/etc/logrotate.d/nginx'' so that it covers ''/var/log/nginx/*/*.log'' in addition to the existing ''/var/log/nginx/*.log'' pattern:
<code>
/var/log/nginx/*.log
/var/log/nginx/*/*.log
{
    daily
    ...
    ...
}
</code>
==== Default ====
<code nginx>
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    #
    ssl_certificate /etc/nginx/ssl/nginx.pem;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
server {
    # SSL configuration
    #
    listen 8443 ssl default_server;
    listen [::]:8443 ssl default_server;
    #
    ssl_certificate /etc/nginx/ssl/nginx.pem;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    # "apache" must be a log_format defined in nginx.conf (only "combined" is built in)
    access_log /var/log/nginx/access_8443.log apache;
}
server {
    listen 8080 default_server;
    listen [::]:8080 default_server;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    access_log /var/log/nginx/access_8080.log apache;
}
</code>
==== fail2ban ====
Setup for WordPress filter.
===== Testing configuration changes =====
<code bash>
nginx -t
</code>
===== Reload without restarting =====
<code bash>
nginx -s reload
</code>