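--- a/tech:others:nginx	2015/06/06 06:29
+++ b/tech:others:nginx	2022/11/02 06:29 (current)
@@ -0,0 +1,216 @@
+====== NGINX ======
+Setup NGINX as reverse proxy server
+
+===== Install =====
+Only nginx (or nginx-full) is required. But other tools are likely needed with running NGINX as reverse proxy
+<code bash>
+aptitude install nginx-full apache2-utils certbot python3-certbot-nginx curl ethtool fail2ban git gzip iputils-tracepath nmap openbsd-inetd tcpdump ufw
+</code>
+
+===== System Config =====
+==== Setting number of open files allowed ====
+Setting NGINX user www-data to have 8192 files open. This should be same (or higher than) ''worker_rlimit_nofile'' setting in NGINX config.\\
+Create and append to file ''/etc/security/limits.d/10-nofile.conf''
+<code>
+www-data soft nofile 8192
+</code>
+
+=== Related commands ===
+Soft Limit
+<code bash>
+ulimit -S -a
+</code>
+Hard Limit
+<code bash>
+ulimit -H -a
+</code>
+
+===== NGINX Config =====
+==== SSL ====
+=== Resources ===
+* [[https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6|SSL Configuration Generator]]
+* [[https://medium.com/@mvuksano/how-to-properly-configure-your-nginx-for-tls-564651438fe0|How to properly configure your nginx for TLS]]
+* [[https://gist.github.com/gavinhungry/7a67174c18085f4a23eb|Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating]]
+* Run online test with [[https://www.ssllabs.com/ssltest/|Quarlys SSL Server Test]]
+* [[https://scaron.info/blog/improve-your-nginx-ssl-configuration.html|Improve your Nginx SSL configuration]]
+* [[https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum|CAA Mandated by CA/Browser Forum]]
+
+Create file ''conf.d/ssl.conf'' with
+<code nginx>
+ssl_prefer_server_ciphers on;
+#ssl_prefer_server_ciphers off;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+# Configure a shared memory cache of 4 MB
+ssl_session_cache shared:SSL:4m;
+# Expire individual sessions after 2 hours.
+ssl_session_timeout 2h;
+#
+#ssl_certificate /etc/nginx/ssl/nginx.crt;
+#ssl_certificate_key /etc/nginx/ssl/nginx.key;
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+#
+# Enable OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+</code>
+
+THIS IS NOT REQUIRED! Generate Certificates - Here we are just doing a self-signed cert to get started
+<code bash>
+mkdir /etc/nginx/ssl
+cd /etc/nginx/ssl
+openssl req -x509 -nodes -days 36524 -newkey rsa:2048 -keyout nginx.key -out nginx.crt
+cat nginx.crt nginx.key > nginx.pem
+</code>
+
+Improve Diffie-Hellman keys
+<code bash>
+openssl dhparam 4096 -out /etc/nginx/ssl/dhparam.pem
+</code>
+
+===== Harden =====
+Use ufw to restrict connections going out of NGINX server to minimum required.
+<code bash>
+# Reset if needed
+ufw reset
+# Turn on logging
+ufw logging on
+# Allow ALL incoming - Depend on the network to only allow 80, 443. If network itself is hacked you have bigger problems!
+ufw default allow incoming
+# Deny ALL outgoing - You want to limit outgoing to just what is required
+ufw default deny outgoing
+# Allow server to access DNS servers
+ufw allow out 53
+# Allow server to access Web/Application servers
+ufw allow out to 192.168.1.123 port 8080
+ufw allow out to 192.168.1.234 port 4200
+ufw allow out 80
+ufw allow out 443
+# Allow server to access Mail server
+ufw allow out to 192.168.1.111 port 25
+# Allow Time Sync
+ufw allow out 123
+# Enable and check status
+ufw enable
+ufw status verbose
+# Disable command - in case you need to disable
+# ufw disable
+</code>
+
+===== Other configuration =====
+==== Syntax highlighting ====
+In order to do syntax highlighting when using ''vim'' while editing NGINX config files, install ''Vim plugin for Nginx''.
+
+Follow the steps found in: https://github.com/chr4/nginx.vim
+
+==== Logrotate ====
+Update nginx logrotate ''/etc/logrotate.d/nginx'' to include ''/var/log/nginx/*/*.log'' to existing ''/var/log/nginx/*.log''
+<code>
+/var/log/nginx/*.log
+/var/log/nginx/*/*.log
+{
+daily
+...
+...
+}
+</code>
+
+==== Default ====
+<code nginx>
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+
+root /var/www/html;
+
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+try_files $uri $uri/ =404;
+}
+
+server {
+# SSL configuration
+#
+listen 443 ssl default_server;
+listen [::]:443 ssl default_server;
+#
+ssl_certificate /etc/nginx/ssl/nginx.pem;
+ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+root /var/www/html;
+
+# Add index.php to the list if you are using PHP
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+# First attempt to serve request as file, then
+# as directory, then fall back to displaying a 404.
+try_files $uri $uri/ =404;
+}
+
+}
+
+server {
+# SSL configuration
+#
+listen 8443 ssl default_server;
+listen [::]:8443 ssl default_server;
+#
+ssl_certificate /etc/nginx/ssl/nginx.pem;
+ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+root /var/www/html;
+
+# Add index.php to the list if you are using PHP
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+# First attempt to serve request as file, then
+# as directory, then fall back to displaying a 404.
+try_files $uri $uri/ =404;
+}
+
+access_log /var/log/nginx/access_8443.log apache;
+
+}
+
+server {
+listen 8080 default_server;
+listen [::]:8080 default_server;
+
+root /var/www/html;
+
+# Add index.php to the list if you are using PHP
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+# First attempt to serve request as file, then
+# as directory, then fall back to displaying a 404.
+try_files $uri $uri/ =404;
+}
+
+access_log /var/log/nginx/access_8080.log apache;
+
+}
+</code>
+
+==== fail2ban ====
+Setup for WordPress filter.
+===== Testing configuration changes =====
+<code bash>
+nginx -t
+</code>
+
+===== Reload without restarting =====
+<code bash>
+nginx -s reload
+</code>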
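Review bot: The first `server {` block in the `==== Default ====` listing (the port-80 listener) is never closed — its `location / { … }` ends with a single `}` and the next non-blank line already opens the port-443 `server {`, so the page's own `nginx -t` step would reject this file; add a second `}` after that location block. Two further points on the same page: `openssl dhparam 4096 -out /etc/nginx/ssl/dhparam.pem` places the positional bit count before `-out`, and depending on the OpenSSL version that either fails with a usage error or silently ignores `-out` and writes the parameters to stdout, so `ssl_dhparam` then points at a file that was never created — the conventional form is `openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096`. In ssl.conf, `ssl_stapling_verify on;` only does something when nginx is given the issuer chain and a resolver, e.g. `ssl_trusted_certificate <path-to-issuer-chain.pem>;` and `resolver <dns-server-ip>;` (placeholders), and with the self-signed nginx.crt from the section above there is no OCSP responder at all, so stapling will just produce a startup warning until a CA-issued certificate replaces it.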