— | tech:others:nginx [2022/11/02 11:29] (current) – created - external edit 127.0.0.1 | ||
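--- a/tech:others:nginx
+++ b/tech:others:nginx
@@ -0,0 +1,216 @@
+====== NGINX ======
+Setup NGINX as reverse proxy server
+
+===== Install =====
+Only nginx (or nginx-full) is required. But other tools are likely needed with running NGINX as reverse proxy
+<code bash>
+aptitude install nginx-full apache2-utils certbot python3-certbot-nginx curl ethtool fail2ban git gzip iputils-tracepath nmap openbsd-inetd tcpdump ufw
+</
+
+===== System Config =====
+==== Setting number of open files allowed ====
+Setting NGINX user www-data to have 8192 files open. This should be same (or higher than) ''
+Create and append to file ''/
+<
+www-data soft nofile 8192
+</
+
+=== Related commands ===
+Soft Limit
+<code bash>
+ulimit -S -a
+</
+Hard Limit
+<code bash>
+ulimit -H -a
+</
+
+===== NGINX Config =====
+==== SSL ====
+=== Resources ===
+* [[https://
+* [[https://
+* [[https://
+* Run online test with [[https://
+* [[https://
+* [[https://
+
+Create file ''
+<code nginx>
+ssl_prefer_server_ciphers on;
+#
+ssl_protocols
+ssl_ciphers
+# Configure a shared memory cache of 4 MB
+ssl_session_cache
+# Expire individual sessions after 2 hours.
+ssl_session_timeout
+#
+#
+#
+ssl_dhparam
+#
+# Enable OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+</
+
+THIS IS NOT REQUIRED! Generate Certificates - Here we are just doing a self-signed cert to get started
+<code bash>
+mkdir /
+cd /
+openssl req -x509 -nodes -days 36524 -newkey rsa:2048 -keyout nginx.key -out nginx.crt
+cat nginx.crt nginx.key > nginx.pem
+</
+
+Improve Diffie-Hellman keys
+<code bash>
+openssl dhparam 4096 -out /
+</
+
+===== Harden =====
+Use ufw to restrict connections going out of NGINX server to minimum required.
+<code bash>
+# Reset if needed
+ufw reset
+# Turn on logging
+ufw logging on
+# Allow ALL incoming - Depend on the network to only allow 80, 443. If network itself is hacked you have bigger problems!
+ufw default allow incoming
+# Deny ALL outgoing - You want to limit outgoing to just what is required
+ufw default deny outgoing
+# Allow server to access DNS servers
+ufw allow out 53
+# Allow server to access Web/
+ufw allow out to 192.168.1.123 port 8080
+ufw allow out to 192.168.1.234 port 4200
+ufw allow out 80
+ufw allow out 443
+# Allow server to access Mail server
+ufw allow out to 192.168.1.111 port 25
+# Allow Time Sync
+ufw allow out 123
+# Enable and check status
+ufw enable
+ufw status verbose
+# Disable command - in case you need to disable
+# ufw disable
+</
+
+===== Other configuration =====
+==== Syntax highlighting ====
+In order to do syntax highlighting when using ''
+
+Follow the steps found in: https://
+
+==== Logrotate ====
+Update nginx logrotate ''/
+<
+/
+/
+{
+daily
+...
+...
+}
+</
+
+==== Default ====
+<code nginx>
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+
+root /
+
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+try_files $uri $uri/ =404;
+}
+
+server {
+# SSL configuration
+#
+listen 443 ssl default_server;
+listen [::]:443 ssl default_server;
+#
+ssl_certificate
+ssl_certificate_key /
+
+root /
+
+# Add index.php to the list if you are using PHP
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+# First attempt to serve request as file, then
+# as directory, then fall back to displaying a 404.
+try_files $uri $uri/ =404;
+}
+
+}
+
+server {
+# SSL configuration
+#
+listen 8443 ssl default_server;
+listen [::]:8443 ssl default_server;
+#
+ssl_certificate
+ssl_certificate_key /
+
+root /
+
+# Add index.php to the list if you are using PHP
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+# First attempt to serve request as file, then
+# as directory, then fall back to displaying a 404.
+try_files $uri $uri/ =404;
+}
+
+access_log /
+
+}
+
+server {
+listen 8080 default_server;
+listen [::]:8080 default_server;
+
+root /
+
+# Add index.php to the list if you are using PHP
+index index.html index.htm index.nginx-debian.html;
+
+server_name _;
+
+location / {
+# First attempt to serve request as file, then
+# as directory, then fall back to displaying a 404.
+try_files $uri $uri/ =404;
+}
+
+access_log /
+
+}
+</
+
+==== fail2ban ====
+Setup for WordPress filter.
+===== Testing configuration changes =====
+<code bash>
+nginx -t
+</
+
+===== Reload without restarting =====
+<code bash>
+nginx -s reload
+</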
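Review bot: The self-signed key written by `openssl req -x509 -nodes ... -keyout nginx.key` in the SSL section, and the bundle produced by `cat nginx.crt nginx.key > nginx.pem`, are created with whatever the current umask allows, so the private key can end up readable by other local users; run `umask 077` before those commands or follow them with `chmod 600 -- nginx.key nginx.pem`, and the page should say that the combined `.pem` contains the private key and needs the same protection as `nginx.key`. In the "Default" nginx block the first `server {` (the port-80 one) has no closing `}` before the next `server {` starts — the block shows eight opening braces against seven closing — so the `nginx -t` step at the end would reject this file as rendered, unless the wiki diff view dropped a line. The `openssl dhparam 4096 -out /...` command places `-out` after the positional bit count; some OpenSSL releases only accept options before it, so `openssl dhparam -out <path> 4096` is the safer ordering to document.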