tech:others:nginx [2015/06/06 06:29]
tech:others:nginx [2022/11/02 06:29] (current)
====== NGINX ======
Setting up NGINX as a reverse proxy server.

===== Install =====
Only ''nginx'' (or ''nginx-full'') is required, but the other tools below are usually needed when running NGINX as a reverse proxy.
<code bash>
aptitude install nginx-full apache2-utils certbot python3-certbot-nginx curl ethtool fail2ban git gzip iputils-tracepath nmap openbsd-inetd tcpdump ufw
</code>

===== System Config =====
==== Setting number of open files allowed ====
Allow the NGINX user ''www-data'' to have 8192 files open. This should be the same as (or higher than) the ''worker_rlimit_nofile'' setting in the NGINX config.\\
Create and append to the file ''/etc/security/limits.d/10-nofile.conf''
<code>
www-data soft nofile 8192
</code>

=== Related commands ===
Soft limit
<code bash>
ulimit -S -a
</code>
Hard limit
<code bash>
ulimit -H -a
</code>

===== NGINX Config =====
==== SSL ====
=== Resources ===
  * [[https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6|SSL Configuration Generator]]
  * [[https://medium.com/@mvuksano/how-to-properly-configure-your-nginx-for-tls-564651438fe0|How to properly configure your nginx for TLS]]
  * [[https://gist.github.com/gavinhungry/7a67174c18085f4a23eb|Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating]]
  * Run an online test with [[https://www.ssllabs.com/ssltest/|Qualys SSL Server Test]]
  * [[https://scaron.info/blog/improve-your-nginx-ssl-configuration.html|Improve your Nginx SSL configuration]]
  * [[https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum|CAA Mandated by CA/Browser Forum]]

Create the file ''conf.d/ssl.conf'' with
<code nginx>
ssl_prefer_server_ciphers on;
#ssl_prefer_server_ciphers off;
# Only TLS 1.2 and 1.3; TLS 1.0 and 1.1 are not offered
ssl_protocols           TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only (the Mozilla "intermediate" list)
ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Configure a shared memory cache of 4 MB
ssl_session_cache       shared:SSL:4m;
# Expire individual sessions after 2 hours.
ssl_session_timeout     2h;
#
# Certificate and key are set per server block (see Default below)
#ssl_certificate         /etc/nginx/ssl/nginx.crt;
#ssl_certificate_key     /etc/nginx/ssl/nginx.key;
ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
#
# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
</code>
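As an added example (not part of the original page), a small Python checker that reads an ''ssl.conf'' like the one above and flags the settings that matter most for an SSL Labs grade: deprecated protocol versions, cipher suites that are not AEAD or not forward-secret, DHE suites without ''ssl_dhparam'', and stapling left off. The sample configuration embedded in it is constructed and has TLSv1.1 added on purpose.

```python
import re

# Constructed sample (not the page's file): the ssl.conf above, shortened, with TLSv1.1 added on purpose.
SAMPLE_CONF = """
ssl_prefer_server_ciphers on;
ssl_protocols           TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_session_cache       shared:SSL:4m;
#ssl_certificate        /etc/nginx/ssl/nginx.crt;
ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Map directive name -> list of values for simple 'name value ...;' lines.
    Text after '#' is a comment, so commented-out directives are not seen."""
    directives = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(";").split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def lint_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    bad = set(d.get("ssl_protocols", [])) & DEPRECATED_PROTOCOLS
    if bad:
        findings.append("deprecated protocols enabled: " + ", ".join(sorted(bad)))
    ciphers = [c for c in ":".join(d.get("ssl_ciphers", [])).split(":") if c]
    non_aead = [c for c in ciphers if not re.search(r"GCM|CHACHA20", c)]
    if non_aead:
        findings.append("non-AEAD ciphers: " + ", ".join(non_aead))
    if not any(c.startswith(("ECDHE-", "DHE-")) for c in ciphers):
        findings.append("no forward-secret (ECDHE/DHE) ciphers")
    if any(c.startswith("DHE-") for c in ciphers) and "ssl_dhparam" not in d:
        findings.append("DHE ciphers offered but ssl_dhparam is missing")
    for name in ("ssl_stapling", "ssl_stapling_verify"):
        if d.get(name) != ["on"]:
            findings.append(name + " is not 'on'")
    return findings


if __name__ == "__main__":
    for finding in lint_tls(SAMPLE_CONF):
        print("WARN:", finding)
```

Run it against the real file with ''lint_tls(open("/etc/nginx/conf.d/ssl.conf").read())''; it complements, rather than replaces, the online SSL Labs test listed above.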

This is NOT required! Generating certificates - here we just create a self-signed certificate to get started.
<code bash>
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
# Self-signed RSA 2048 certificate with an unencrypted key (-nodes), valid for 36524 days
openssl req -x509 -nodes -days 36524 -newkey rsa:2048 -keyout nginx.key -out nginx.crt
# Combined file referenced as ssl_certificate in the server blocks below
cat nginx.crt nginx.key > nginx.pem
</code>

Generate stronger Diffie-Hellman parameters (the options must come before the bit size)
<code bash>
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
</code>

===== Harden =====
Use ufw to restrict the connections going out of the NGINX server to the minimum required.
<code bash>
# Reset if needed
ufw reset
# Turn on logging
ufw logging on
# Allow ALL incoming - rely on the network to only allow 80 and 443. If the network itself is compromised you have bigger problems!
ufw default allow incoming
# Deny ALL outgoing - limit outgoing traffic to just what is required
ufw default deny outgoing
# Allow the server to reach DNS servers
ufw allow out 53
# Allow the server to reach the web/application servers it proxies for
ufw allow out to 192.168.1.123 port 8080
ufw allow out to 192.168.1.234 port 4200
ufw allow out 80
ufw allow out 443
# Allow the server to reach the mail server
ufw allow out to 192.168.1.111 port 25
# Allow time sync (NTP)
ufw allow out 123
# Enable and check status
ufw enable
ufw status verbose
# Disable command - in case you need to disable
# ufw disable
</code>

===== Other configuration =====
==== Syntax highlighting ====
To get syntax highlighting in ''vim'' while editing NGINX config files, install the ''Vim plugin for Nginx''.

Follow the steps found in: https://github.com/chr4/nginx.vim

==== Logrotate ====
Update the nginx logrotate file ''/etc/logrotate.d/nginx'' so that it includes ''/var/log/nginx/*/*.log'' in addition to the existing ''/var/log/nginx/*.log''
<code>
/var/log/nginx/*.log
/var/log/nginx/*/*.log
{
    daily
    ...
    ...
}
</code>

==== Default ====
<code nginx>
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    #
    ssl_certificate     /etc/nginx/ssl/nginx.pem;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

}

server {
    # SSL configuration
    #
    listen 8443 ssl default_server;
    listen [::]:8443 ssl default_server;
    #
    ssl_certificate     /etc/nginx/ssl/nginx.pem;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # 'apache' must be a log_format defined elsewhere in the configuration
    access_log /var/log/nginx/access_8443.log      apache;

}

server {
    listen 8080 default_server;
    listen [::]:8080 default_server;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # 'apache' must be a log_format defined elsewhere in the configuration
    access_log /var/log/nginx/access_8080.log      apache;

}
</code>

==== fail2ban ====
Set up the WordPress filter.
===== Testing configuration changes =====
<code bash>
nginx -t
</code>

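Before running ''nginx -t'', a quick structural pass catches the most common copy-paste slip in server blocks like the ones in the Default section above: a ''{'' that is never closed, which nginx only reports as an unexpected end of file. This is an added example, not part of the original page or of nginx; the sample configuration is constructed and deliberately omits one closing brace.

```python
# Constructed sample (not the page's file): two server blocks, the first never closed.
SAMPLE_CONF = """\
server {
    listen 80 default_server;
    server_name _;  # a '}' inside a comment must not count
    location / {
        try_files $uri $uri/ =404;
    }

server {
    listen 443 ssl default_server;
    add_header X-Note "a { inside a string must not count";
    location / {
        try_files $uri $uri/ =404;
    }
}
"""


def check_braces(text):
    """Return (line, opener text) for every block that is never closed and
    (line, '}') for every closer without an opener; [] means balanced.
    Braces inside comments and quoted strings are ignored (quotes are
    assumed not to span lines)."""
    stack, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        i, quote = 0, None
        while i < len(line):
            ch = line[i]
            if quote:                       # inside a quoted string
                if ch == "\\":
                    i += 1                  # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif ch == "#":                 # rest of the line is a comment
                break
            elif ch == "{":
                stack.append((lineno, line.strip()))
            elif ch == "}":
                if stack:
                    stack.pop()
                else:
                    problems.append((lineno, "}"))
            i += 1
    problems.extend(stack)                  # still open at EOF: never closed
    return problems


if __name__ == "__main__":
    for lineno, what in check_braces(SAMPLE_CONF):
        print(f"line {lineno}: unbalanced brace near: {what}")
```

Unlike ''nginx -t'', the report points at the line where the unclosed block starts, not at the end of the file.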
===== Reload without restarting =====
<code bash>
nginx -s reload
</code>

