Setup NGINX as reverse proxy server
Only nginx (or nginx-full) is required. But other tools are likely needed with running NGINX as reverse proxy
aptitude install nginx-full apache2-utils certbot python3-certbot-nginx curl ethtool fail2ban git gzip iputils-tracepath nmap openbsd-inetd tcpdump ufw
Setting NGINX user www-data to have 8192 files open. This should be same (or higher than) worker_rlimit_nofile
setting in NGINX config.
Create and append to file /etc/security/limits.d/10-nofile.conf
www-data soft nofile 8192
Soft Limit
ulimit -S -a
Hard Limit
ulimit -H -a
Create file conf.d/ssl.conf
with
ssl_prefer_server_ciphers on; #ssl_prefer_server_ciphers off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; # Configure a shared memory cache of 4 MB ssl_session_cache shared:SSL:4m; # Expire individual sessions after 2 hours. ssl_session_timeout 2h; # #ssl_certificate /etc/nginx/ssl/nginx.crt; #ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_dhparam /etc/nginx/ssl/dhparam.pem; # # Enable OCSP stapling ssl_stapling on; ssl_stapling_verify on;
THIS IS NOT REQUIRED! Generate Certificates - Here we are just doing a self-signed cert to get started
mkdir /etc/nginx/ssl cd /etc/nginx/ssl openssl req -x509 -nodes -days 36524 -newkey rsa:2048 -keyout nginx.key -out nginx.crt cat nginx.crt nginx.key > nginx.pem
Improve Diffie-Hellman keys
openssl dhparam 4096 -out /etc/nginx/ssl/dhparam.pem
Use ufw to restrict connections going out of NGINX server to minimum required.
# Reset if needed ufw reset # Turn on logging ufw logging on # Allow ALL incoming - Depend on the network to only allow 80, 443. If network itself is hacked you have bigger problems! ufw default allow incoming # Deny ALL outgoing - You want to limit outgoing to just what is required ufw default deny outgoing # Allow server to access DNS servers ufw allow out 53 # Allow server to access Web/Application servers ufw allow out to 192.168.1.123 port 8080 ufw allow out to 192.168.1.234 port 4200 ufw allow out 80 ufw allow out 443 # Allow server to access Mail server ufw allow out to 192.168.1.111 port 25 # Allow Time Sync ufw allow out 123 # Enable and check status ufw enable ufw status verbose # Disable command - in case you need to disable # ufw disable
In order to do syntax highlighting when using vim
while editing NGINX config files, install Vim plugin for Nginx
.
Follow the steps found in: https://github.com/chr4/nginx.vim
Update nginx logrotate /etc/logrotate.d/nginx
to include /var/log/nginx/*/*.log
to existing /var/log/nginx/*.log
/var/log/nginx/*.log /var/log/nginx/*/*.log { daily ... ... }
server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } server { # SSL configuration # listen 443 ssl default_server; listen [::]:443 ssl default_server; # ssl_certificate /etc/nginx/ssl/nginx.pem; ssl_certificate_key /etc/nginx/ssl/nginx.key; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } } server { # SSL configuration # listen 8443 ssl default_server; listen [::]:8443 ssl default_server; # ssl_certificate /etc/nginx/ssl/nginx.pem; ssl_certificate_key /etc/nginx/ssl/nginx.key; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } access_log /var/log/nginx/access_8443.log apache; } server { listen 8080 default_server; listen [::]:8080 default_server; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } access_log /var/log/nginx/access_8080.log apache; }
Setup for WordPress filter.
nginx -t
nginx -s reload