
NGINX

Setup NGINX as reverse proxy server

Install

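Only nginx (or nginx-full) is required, but other tools are likely to be needed when running NGINX as a reverse proxy. Each extra package (for example nmap, tcpdump or openbsd-inetd) adds attack surface on an exposed proxy, so install only the ones this host actually needs.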

aptitude install nginx-full apache2-utils certbot python3-certbot-nginx curl ethtool fail2ban git gzip iputils-tracepath nmap openbsd-inetd tcpdump ufw

System Config

Setting number of open files allowed

Set the NGINX user www-data to allow 8192 open files. This should be the same as (or higher than) the worker_rlimit_nofile setting in the NGINX config.
Create the file /etc/security/limits.d/10-nofile.conf, or append to it if it already exists:

www-data soft nofile 8192

Soft Limit

ulimit -S -a

Hard Limit

ulimit -H -a

NGINX Config

SSL

Resources

Create file conf.d/ssl.conf with

# Shared TLS settings for every HTTPS listener (loaded from conf.d/ssl.conf).

# Protocol versions: TLS 1.2 and TLS 1.3 only.
ssl_protocols TLSv1.2 TLSv1.3;

# Cipher list: ECDHE or DHE key exchange with AES-GCM or ChaCha20-Poly1305.
# NOTE(review): ssl_ciphers governs TLS 1.2 and older; TLS 1.3 suites are
# selected by the TLS library and are not changed by this line.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

# The server's cipher order wins over the client's.
# Alternative left by the author: ssl_prefer_server_ciphers off;
ssl_prefer_server_ciphers on;

# Diffie-Hellman parameters used by the DHE-* suites above.
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# Session resumption: 4 MB cache shared between workers, entries kept 2 hours.
ssl_session_cache shared:SSL:4m;
ssl_session_timeout 2h;

# Certificate and key are set per server block; global alternative left disabled:
#ssl_certificate         /etc/nginx/ssl/nginx.crt;
#ssl_certificate_key     /etc/nginx/ssl/nginx.key;

# OCSP stapling.
# NOTE(review): stapling needs a CA-issued certificate with an OCSP responder;
# it cannot work with the self-signed certificate generated in this guide.
# ssl_stapling_verify also needs the issuer chain (ssl_trusted_certificate) and
# normally a resolver directive - neither is set here, confirm before relying on it.
ssl_stapling on;
ssl_stapling_verify on;

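THIS IS NOT REQUIRED! Generate Certificates - Here we are just creating a self-signed cert to get started. Clients will not trust it, so replace it with a CA-issued certificate (certbot is installed above) before real use.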

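# Create a self-signed certificate and key for first start-up only.
# The directory is restricted to root before any key material is written.
# Assumes the nginx master process starts as root (Debian package default),
# so it can still read the files - TODO confirm on your install.
mkdir -p /etc/nginx/ssl
chmod 700 /etc/nginx/ssl
# -nodes writes the private key unencrypted so nginx can start unattended;
# file permissions are therefore the only protection for the key.
# -days 36524 (about 100 years) is tolerable only for a throwaway certificate.
# nginx.pem = certificate followed by the private key, so it is as sensitive
# as nginx.key; a plain redirect would otherwise create it world-readable.
cd /etc/nginx/ssl &&
  openssl req -x509 -nodes -days 36524 -newkey rsa:2048 -keyout nginx.key -out nginx.crt &&
  cat nginx.crt nginx.key > nginx.pem &&
  chmod 600 nginx.key nginx.pem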

Improve Diffie-Hellman keys

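# Generate 4096-bit Diffie-Hellman parameters for ssl_dhparam.
# The bit size must be the last argument: options placed after it are not
# parsed as options, so -out would not take effect in the original order.
# Generation at this size can take a long time.
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096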

Harden

Use ufw to restrict connections going out of NGINX server to minimum required.

# Host firewall for the proxy: inbound is left open, outbound is an allow-list.
# Reset if needed
# NOTE(review): reset discards the current rule set and disables ufw; it asks
# for confirmation, so run it from an interactive session.
ufw reset
# Turn on logging
ufw logging on
# Allow ALL incoming - Depend on the network to only allow 80, 443.  If network itself is hacked you have bigger problems!
# NOTE(review): with this default every listening port on the host is reachable
# whenever the upstream filter is missing or misconfigured - that includes the
# 8080 and 8443 listeners defined on this page and anything started by the
# extra packages installed above. A default of deny incoming plus explicit
# allows for the published ports and the management port gives a second layer;
# confirm the remote-access rule before enabling such a change.
ufw default allow incoming 
# Deny ALL outgoing - You want to limit outgoing to just what is required
ufw default deny outgoing
# Allow server to access DNS servers
# NOTE(review): no protocol or destination is given, so this permits TCP and
# UDP port 53 to any host; narrow it to the resolver addresses if they are fixed.
ufw allow out 53
# Allow server to access Web/Application servers
# The two addresses below are the backends this proxy forwards to.
ufw allow out to 192.168.1.123 port 8080
ufw allow out to 192.168.1.234 port 4200
# Ports 80 and 443 are opened to any destination.
# NOTE(review): presumably for certificate issuance and package updates - verify,
# since unrestricted outbound web access weakens the deny-by-default policy.
ufw allow out 80
ufw allow out 443
# Allow server to access Mail server
ufw allow out to 192.168.1.111 port 25
# Allow Time Sync
# NOTE(review): NTP uses UDP; this rule also opens TCP 123 to any destination.
ufw allow out 123
# Enable and check status
ufw enable
ufw status verbose
# Disable command - in case you need to disable
# ufw disable

Other configuration

Syntax highlighting

In order to do syntax highlighting when using vim while editing NGINX config files, install Vim plugin for Nginx.

Follow the steps found in: https://github.com/chr4/nginx.vim

Logrotate

Update the nginx logrotate configuration /etc/logrotate.d/nginx so that it covers /var/log/nginx/*/*.log in addition to the existing /var/log/nginx/*.log

/var/log/nginx/*.log
/var/log/nginx/*/*.log
{
    daily
    ...
    ...
}

Default

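# Default plain-HTTP site: answers on port 80 (IPv4 and IPv6) for any request
# that matches no other server block.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    # "_" is a placeholder name; default_server on the listen lines is what
    # makes this block the catch-all.
    server_name _;

    location / {
        # Serve the request as a file, then as a directory, otherwise 404.
        try_files $uri $uri/ =404;
    }
# Closing brace was missing: without it the next server block is nested inside
# this one and "nginx -t" rejects the configuration.
}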
 
server {
    # Default HTTPS site on port 443, IPv4 and IPv6.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # Placeholder name; default_server above makes this the catch-all.
    server_name _;

    # nginx.pem as built in this guide holds the certificate followed by the
    # private key, so it must be as tightly protected as nginx.key.
    ssl_certificate     /etc/nginx/ssl/nginx.pem;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Static content location; extend the index list with index.php for PHP sites.
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        # Try the file, then the directory, and answer 404 if neither exists.
        try_files $uri $uri/ =404;
    }
}
 
server {
    # Default HTTPS site on the alternate port 8443, IPv4 and IPv6.
    listen 8443 ssl default_server;
    listen [::]:8443 ssl default_server;

    # Placeholder name; default_server above makes this the catch-all.
    server_name _;

    # Same certificate and key as the port 443 listener. nginx.pem as built in
    # this guide also contains the private key - keep it readable by root only.
    ssl_certificate     /etc/nginx/ssl/nginx.pem;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Per-port access log. "apache" names a log_format that has to be defined
    # elsewhere in the nginx configuration (not shown on this page).
    access_log /var/log/nginx/access_8443.log      apache;

    # Static content location; extend the index list with index.php for PHP sites.
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        # Try the file, then the directory, and answer 404 if neither exists.
        try_files $uri $uri/ =404;
    }
}
 
server {
    # Default site on port 8080, IPv4 and IPv6. No "ssl" on the listen lines:
    # traffic on this port is plain HTTP.
    listen 8080 default_server;
    listen [::]:8080 default_server;

    # Placeholder name; default_server above makes this the catch-all.
    server_name _;

    # Per-port access log. "apache" names a log_format that has to be defined
    # elsewhere in the nginx configuration (not shown on this page).
    access_log /var/log/nginx/access_8080.log      apache;

    # Static content location; extend the index list with index.php for PHP sites.
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        # Try the file, then the directory, and answer 404 if neither exists.
        try_files $uri $uri/ =404;
    }
}

fail2ban

Setup for WordPress filter.

Testing configuration changes

nginx -t

Reload without restarting

nginx -s reload