Difference between revisions of "NGiNX"
Revision as of 15:57, 2 January 2019
NGiNX
Nginx (/ˌɛndʒɪnˈɛks/ EN-jin-EKS[8]) (stylized as NGiNX or nginx) is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. A company of the same name was founded in 2011 to provide support and the paid Nginx Plus software.
Nginx is free and open-source software, released under the terms of a BSD-like license. A large fraction of web servers use NGINX, often as a load balancer.
Basic NGiNX setup
This will serve basic HTML pages to browsers.
       server {
               listen 80;
               listen [::]:80;
               server_name tbpchan.cz www.tbpchan.cz;
               root /www/location/;
               index index.html index.htm index.nginx-debian.html index.php;
               location / {
                       try_files $uri $uri/ =404;
               }
       }
Proxy Forwarding
This is a basic reverse proxy setting for a subdomain within a network that is not reachable from outside. It can be used for anything else as well. Be aware of how you access the backend within the local network and whether HTTPS is needed, as the scheme and address must match exactly in "proxy_pass" and in the first part of "proxy_redirect":
        server {
                listen 443 ssl;
                listen [::]:443 ssl;
                server_name test.tbpchan.cz;
                ssl on;
                ssl_certificate /usr/local/etc/fullchain.pem;
                ssl_certificate_key /usr/local/etc/privkey.pem;
                location / {
                        proxy_pass http://192.168.1.255:8080;
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_redirect http://192.168.1.255:8080 http://192.168.1.255;
                }
        }
Pass PHP rendering to PHP-FPM
This is required in order to get PHP working for hosted websites; it hands requests for .php files to PHP-FPM over FastCGI.
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+?\.php)(.*)$;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include /usr/local/etc/nginx/fastcgi_params;
                include fastcgi_params;
        }
You can also pass it to a Unix socket instead of a port using the following:
fastcgi_pass unix:/usr/local/var/run/php5-fpm.sock;
NGiNX Caching
In order to set up NGiNX caching, you have to set the following in the http context, above the "server" block (replace /DIR with the directory that will hold the cache):
proxy_cache_path /DIR levels=1:2 keys_zone=tbpchan.cz_cache:10m max_size=2g inactive=120m use_temp_path=off;
To enable the cache for a virtual server, use the following in the location that proxies the requests (proxy_cache only stores responses fetched through proxy_pass):
        location / {
                try_files $uri $uri/ =404;
                proxy_buffers 256 16k;
                proxy_buffer_size 16k;
                proxy_read_timeout 600s;
                proxy_cache tbpchan.cz_cache;
                proxy_cache_revalidate on;
                proxy_cache_min_uses 2;
                proxy_cache_use_stale timeout;
                proxy_cache_lock on;
        }
NGiNX authentication browser popup
This restricts access with HTTP basic authentication, so the browser prompts for a login. You have to run the first command to create a new .htpasswd file before using it, however; -c creates the file and overwrites an existing one, so omit it when adding or updating users.
- Generate .htpasswd file
htpasswd -c /home/username/.htpasswd username
- Change or update .htpasswd file
htpasswd /home/username/.htpasswd username
- NGiNX configuration for .htpasswd authentication
        auth_basic "Restricted Content";
        auth_basic_user_file /home/username/.htpasswd;
NGiNX Security
In order to better secure your server, use the following within each virtual host, but be aware these may break compatibility with certain websites. Note that nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a location block with its own add_header silently drops the server-level headers:
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;
        add_header X-XSS-Protection "1; mode=block";
        add_header Expect-CT "max-age=0";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
These can be added to the http context of the nginx.conf file to help secure even more:
        ssl_protocols TLSv1.2; #TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_dhparam /home/USER/dhparams.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;
        add_header Strict-Transport-Security max-age=15768000;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;
        add_header Expect-CT "max-age=0";
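The two hardening blocks above are easy to get subtly wrong: the same header added twice in one block is sent twice, an add_header in a location drops the server- or http-level headers, a leftover TLSv1/TLSv1.1 in ssl_protocols quietly reopens old protocol versions, and a proxy_cache in a location with no proxy_pass caches nothing. The following is an added example, a small offline linter written for this page and not part of nginx or of the wiki author's configuration. It parses an nginx config text into nested blocks and reports those four conditions; the SAMPLE config, the example.test host name and the my_cache zone are constructed inputs, and the inheritance rule it checks is the documented behaviour of add_header.

```python
# Hypothetical nginx config linter (not part of nginx) for the pitfalls in the
# security sections: duplicate add_header, add_header inheritance, weak
# ssl_protocols, and proxy_cache without proxy_pass.
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str                                        # "http", "server", "location", ...
    args: list                                       # e.g. ["/"] for "location /"
    directives: list = field(default_factory=list)   # (name, [args]) pairs
    children: list = field(default_factory=list)     # nested Block objects
    parent: "Block | None" = None


# comment | quoted string | punctuation | bare word
TOKEN_RE = re.compile(r"""\s*(?:(#[^\n]*)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|([{};])|([^\s{};'"#]+))""")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tokenize(text):
    # ("p", punct) or ("w", word) tuples; comments dropped, quotes stripped
    pos, tokens = 0, []
    while (m := TOKEN_RE.match(text, pos)):
        pos = m.end()
        _, quoted, punct, word = m.groups()
        if punct:
            tokens.append(("p", punct))
        elif quoted or word:
            tokens.append(("w", quoted[1:-1] if quoted else word))
    return tokens


def parse(tokens):
    # build the block tree; the implicit outermost level is named "main"
    root = cur = Block("main", [])
    buf = []
    for kind, val in tokens:
        if kind == "w":
            buf.append(val)
        elif val == ";":
            if buf:
                cur.directives.append((buf[0], buf[1:]))
            buf = []
        elif val == "{":
            cur.children.append(Block(buf[0], buf[1:], parent=cur))
            cur, buf = cur.children[-1], []
        else:  # "}" closes the current block
            cur = cur.parent or cur
    return root


def walk(block):
    yield block
    for child in block.children:
        yield from walk(child)


def label(block):  # "http > server > location /" style path, "main" for the root
    parts = []
    while block.parent is not None:
        parts.append(" ".join([block.name, *block.args]))
        block = block.parent
    return " > ".join(reversed(parts)) or "main"


def header_names(block):
    return [args[0] for name, args in block.directives if name == "add_header" and args]


def in_scope(block, directive):  # directive set here or in any enclosing block
    while block is not None:
        if any(name == directive for name, _ in block.directives):
            return True
        block = block.parent
    return False


def lint(text):
    findings = []
    for blk in walk(parse(tokenize(text))):
        where, here = label(blk), header_names(blk)
        lower = [h.lower() for h in here]  # header names are case-insensitive
        for h in dict.fromkeys(here):  # 1. same header twice -> sent twice on the wire
            if lower.count(h.lower()) > 1:
                findings.append(f"{where}: add_header {h} appears {lower.count(h.lower())} times")
        # 2. add_header is inherited only when this level defines none of its own
        anc = blk.parent if here else None
        while anc is not None and not header_names(anc):
            anc = anc.parent
        lost = [h for h in (header_names(anc) if anc else []) if h.lower() not in lower]
        if lost:
            findings.append(f"{where}: add_header here stops inheritance; {', '.join(lost)} from {label(anc)} no longer sent")
        for name, args in blk.directives:
            weak = [p for p in args if p in WEAK_PROTOCOLS] if name == "ssl_protocols" else []
            if weak:  # 3. protocol versions that should no longer be offered
                findings.append(f"{where}: ssl_protocols enables deprecated {', '.join(weak)}")
            if name == "proxy_cache" and args and args[0] != "off" and not in_scope(blk, "proxy_pass"):
                findings.append(f"{where}: proxy_cache {args[0]} has no effect without a proxy_pass in scope")  # 4.
    return findings


# Constructed sample mirroring the page's layout; example.test is a placeholder host.
SAMPLE = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    server {
        server_name example.test;
        location / { add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block"; }
        location /app/ { proxy_cache my_cache; }   # nothing is proxied here
    }
}
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against your own nginx.conf by passing the file's contents to lint(); an empty list means none of the four conditions was found. The parser handles comments, quoted values such as "1; mode=block" and nested blocks, which is enough for the directives on this page, but it is not a full nginx grammar (no include expansion, for instance).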
NGiNX & gzip
Throw this into the http context of nginx.conf to enable gzip. Be aware that compressing responses which reflect user-controlled input over TLS exposes them to compression side-channel attacks (BREACH), so leave gzip off for such dynamic pages:
        gzip on;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 5;
        gzip_buffers 16 8k;
        gzip_min_length 256;
        gzip_http_version 1.1;
        gzip_types
                application/atom+xml
                application/javascript
                application/json
                application/ld+json
                application/manifest+json
                application/rss+xml
                application/vnd.geo+json
                application/vnd.ms-fontobject
                application/x-font-ttf
                application/x-web-app-manifest+json
                application/xhtml+xml
                application/xml
                font/opentype
                image/bmp
                image/png
                image/jpg
                image/jpeg
                image/svg+xml
                image/x-icon
                text/cache-manifest
                text/css
                text/plain
                text/vcard
                text/vnd.rim.location.xloc
                text/vtt
                text/x-component
                text/x-cross-domain-policy
                text/js
                text/xml
                text/javascript
                application/x-javascript;
