Differences

tech:others:nginx [2022/11/02 11:29] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== NGINX ======
 +Setup NGINX as reverse proxy server
 +
 +===== Install =====
 +Only nginx (or nginx-full) is required. But other tools are likely needed with running NGINX as reverse proxy
 +<code bash>
 +aptitude install nginx-full apache2-utils certbot python3-certbot-nginx curl ethtool fail2ban git gzip iputils-tracepath nmap openbsd-inetd tcpdump ufw
 +</code>
 +
 +===== System Config =====
 +==== Setting number of open files allowed ====
 +Setting NGINX user www-data to have 8192 files open. This should be same (or higher than) ''worker_rlimit_nofile'' setting in NGINX config.\\
 +Create and append to file ''/etc/security/limits.d/10-nofile.conf''
 +<code>
 +www-data soft nofile 8192
 +</code>
 +
 +=== Related commands ===
 +Soft Limit
 +<code bash>
 +ulimit -S -a
 +</code>
 +Hard Limit
 +<code bash>
 +ulimit -H -a
 +</code>
 +
 +===== NGINX Config =====
 +==== SSL ====
 +=== Resources ===
 +  * [[https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6|SSL Configuration Generator]]
 +  * [[https://medium.com/@mvuksano/how-to-properly-configure-your-nginx-for-tls-564651438fe0|How to properly configure your nginx for TLS]]
 +  * [[https://gist.github.com/gavinhungry/7a67174c18085f4a23eb|Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating]]
 +  * Run online test with [[https://www.ssllabs.com/ssltest/|Quarlys SSL Server Test]]
 +  * [[https://scaron.info/blog/improve-your-nginx-ssl-configuration.html|Improve your Nginx SSL configuration]]
 +  * [[https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum|CAA Mandated by CA/Browser Forum]]
 +
 +Create file ''conf.d/ssl.conf'' with
 +<code nginx>
 +ssl_prefer_server_ciphers on;
 +#ssl_prefer_server_ciphers off;
 +ssl_protocols           TLSv1.2 TLSv1.3;
 +ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 +# Configure a shared memory cache of 4 MB
 +ssl_session_cache       shared:SSL:4m;
 +# Expire individual sessions after 2 hours.
 +ssl_session_timeout     2h;
 +#
 +#ssl_certificate         /etc/nginx/ssl/nginx.crt;
 +#ssl_certificate_key     /etc/nginx/ssl/nginx.key;
 +ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
 +#
 +# Enable OCSP stapling
 +ssl_stapling on;
 +ssl_stapling_verify on;
 +</code>
 +
 +THIS IS NOT REQUIRED! Generate Certificates - Here we are just doing a self-signed cert to get started
 +<code bash>
 +mkdir /etc/nginx/ssl
 +cd /etc/nginx/ssl
 +openssl req -x509 -nodes -days 36524 -newkey rsa:2048 -keyout nginx.key -out nginx.crt
 +cat nginx.crt nginx.key > nginx.pem
 +</code>
 +
 +Improve Diffie-Hellman keys
 +<code bash>
 +openssl dhparam 4096 -out /etc/nginx/ssl/dhparam.pem
 +</code>
 +
 +===== Harden =====
 +Use ufw to restrict connections going out of NGINX server to minimum required.
 +<code bash>
 +# Reset if needed
 +ufw reset
 +# Turn on logging
 +ufw logging on
 +# Allow ALL incoming - Depend on the network to only allow 80, 443.  If network itself is hacked you have bigger problems!
 +ufw default allow incoming 
 +# Deny ALL outgoing - You want to limit outgoing to just what is required
 +ufw default deny outgoing
 +# Allow server to access DNS servers
 +ufw allow out 53
 +# Allow server to access Web/Application servers
 +ufw allow out to 192.168.1.123 port 8080
 +ufw allow out to 192.168.1.234 port 4200
 +ufw allow out 80
 +ufw allow out 443
 +# Allow server to access Mail server
 +ufw allow out to 192.168.1.111 port 25
 +# Allow Time Sync
 +ufw allow out 123
 +# Enable and check status
 +ufw enable
 +ufw status verbose
 +# Disable command - in case you need to disable
 +# ufw disable
 +</code>
 +
 +===== Other configuration =====
 +==== Syntax highlighting ====
 +In order to do syntax highlighting when using ''vim'' while editing NGINX config files, install ''Vim plugin for Nginx''.
 +
 +Follow the steps found in: https://github.com/chr4/nginx.vim
 +
 +==== Logrotate ====
 +Update nginx logrotate ''/etc/logrotate.d/nginx'' to include ''/var/log/nginx/*/*.log'' to existing ''/var/log/nginx/*.log''
 +<code>
 +/var/log/nginx/*.log
 +/var/log/nginx/*/*.log
 +{
 +    daily
 +    ...
 +    ...
 +}
 +</code>
 +
 +==== Default ====
 +<code nginx>
 +server {
 +    listen 80 default_server;
 +    listen [::]:80 default_server;
 +
 +    root /var/www/html;
 +
 +    index index.html index.htm index.nginx-debian.html;
 +
 +    server_name _;
 +
 +    location / {
 +        try_files $uri $uri/ =404;
 +    }
 +
 +server {
 +    # SSL configuration
 +    #
 +    listen 443 ssl default_server;
 +    listen [::]:443 ssl default_server;
 +    #
 +    ssl_certificate     /etc/nginx/ssl/nginx.pem;
 +    ssl_certificate_key /etc/nginx/ssl/nginx.key;
 +
 +    root /var/www/html;
 +
 +    # Add index.php to the list if you are using PHP
 +    index index.html index.htm index.nginx-debian.html;
 +
 +    server_name _;
 +
 +    location / {
 +        # First attempt to serve request as file, then
 +        # as directory, then fall back to displaying a 404.
 +        try_files $uri $uri/ =404;
 +    }
 +
 +}
 +
 +server {
 +    # SSL configuration
 +    #
 +    listen 8443 ssl default_server;
 +    listen [::]:8443 ssl default_server;
 +    #
 +    ssl_certificate     /etc/nginx/ssl/nginx.pem;
 +    ssl_certificate_key /etc/nginx/ssl/nginx.key;
 +
 +    root /var/www/html;
 +
 +    # Add index.php to the list if you are using PHP
 +    index index.html index.htm index.nginx-debian.html;
 +
 +    server_name _;
 +
 +    location / {
 +        # First attempt to serve request as file, then
 +        # as directory, then fall back to displaying a 404.
 +        try_files $uri $uri/ =404;
 +    }
 +
 +    access_log /var/log/nginx/access_8443.log      apache;
 +
 +}
 +
 +server {
 +    listen 8080 default_server;
 +    listen [::]:8080 default_server;
 +
 +    root /var/www/html;
 +
 +    # Add index.php to the list if you are using PHP
 +    index index.html index.htm index.nginx-debian.html;
 +
 +    server_name _;
 +
 +    location / {
 +        # First attempt to serve request as file, then
 +        # as directory, then fall back to displaying a 404.
 +        try_files $uri $uri/ =404;
 +    }
 +
 +    access_log /var/log/nginx/access_8080.log      apache;
 +
 +}
 +</code>
 +
 +==== fail2ban ====
 +Setup for WordPress filter.
 +===== Testing configuration changes =====
 +<code bash>
 +nginx -t
 +</code>
 +
 +===== Reload without restarting =====
 +<code bash>
 +nginx -s reload
 +</code>
  
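Review bot: the first server block in the "Default" section (the one beginning `listen 80 default_server;`) is never closed; after its `location / { try_files $uri $uri/ =404; }` the very next line is the second `server {`, so the file as written fails `nginx -t` (the hunk has eight opening braces and seven closing ones), and a `}` is needed before the `listen 443 ssl default_server;` block. Further points on the same hunk: (1) `openssl dhparam 4096 -out /etc/nginx/ssl/dhparam.pem` puts the bit count before the option, but openssl takes options first and the size as the final argument, so it should read `openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096`. (2) `access_log /var/log/nginx/access_8443.log apache;` and the 8080 counterpart name a log format `apache` that nginx does not predefine (only `combined` is built in); without a `log_format apache ...;` in the http context the reload fails. (3) `ssl_stapling on; ssl_stapling_verify on;` need a `resolver` directive to fetch OCSP responses, and stapling does nothing for the self-signed `nginx.pem` the Default section points at; it only becomes useful once a CA-issued certificate (for example from the certbot package installed above) replaces it. (4) `cat nginx.crt nginx.key > nginx.pem` produces a file that contains the private key, so it should get `chmod 600` like `nginx.key` rather than the default umask permissions. (5) The entry in `/etc/security/limits.d/10-nofile.conf` is applied by PAM to login sessions and is not inherited by a service started from a systemd unit; for the nginx unit set `LimitNOFILE=8192` in a `systemctl edit nginx` override so the comparison with `worker_rlimit_nofile` described in the text actually holds. (6) In a section titled "Harden", `ufw default allow incoming` with the comment "Depend on the network to only allow 80, 443" leaves ingress open on the host itself; `ufw default deny incoming` followed by `ufw allow 80,443/tcp` (plus whatever management port is needed) enforces the same intent locally and does not depend on the upstream network being correct. (7) Spelling: "Quarlys SSL Server Test" should be "Qualys SSL Server Test", and "Depend on the network" should be "Depends on the network". (8) The "fail2ban" section consists only of the line "Setup for WordPress filter." with no filter or jail definition; either add the configuration or mark the section as a TODO so readers do not assume the WordPress protection is in place.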
