Difference between revisions of "NGiNX"

From TBP Wiki
Jump to: navigation, search
(NGiNX Security)
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
[[File:NGINX logo.png|thumb]]
 
<strong>NGiNX</strong>
 
<strong>NGiNX</strong>
Nginx ( /ˌɛndʒɪnˈɛks/ EN-jin-EKS[8]) (stylized as NGiNX or nginx) is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. A company of the same name was founded in 2011 to provide support and Nginx plus paid software.
+
Nginx ( /ˌɛndʒɪnˈɛks/ EN-jin-EKS) (stylized as NGiNX or nginx) is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. A company of the same name was founded in 2011 to provide support and Nginx plus paid software.
  
 
Nginx is free and open-source software, released under the terms of a BSD-like license. A large fraction of web servers use NGINX, often as a load balancer.
 
Nginx is free and open-source software, released under the terms of a BSD-like license. A large fraction of web servers use NGINX, often as a load balancer.
Line 88: Line 89:
 
In order to better secure your server, use the following within each virtual host but be aware these may break compatibility with certain websites:
 
In order to better secure your server, use the following within each virtual host but be aware these may break compatibility with certain websites:
  
ssl_ecdh_curve secp384r1;
+
<code>
        ssl_session_tickets off;
+
ssl_ecdh_curve secp384r1;
        add_header X-XSS-Protection "1; mode=block";
+
 
        add_header Expect-CT "max-age=0";
+
        ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
 
add_header X-Frame-Options SAMEORIGIN;
+
        add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
+
 
add_header X-XSS-Protection "1; mode=block";
+
        add_header Expect-CT "max-age=0";
 +
 
 +
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 +
 
 +
add_header X-Frame-Options SAMEORIGIN;
 +
 
 +
add_header X-Content-Type-Options nosniff;
 +
 
 +
add_header X-XSS-Protection "1; mode=block";
 +
</code>
  
 
These can be added to the nginx.conf file to help secure even more:  
 
These can be added to the nginx.conf file to help secure even more:  
  
 
                 ssl_protocols TLSv1.2; #TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
 
                 ssl_protocols TLSv1.2; #TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
         ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
         #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 +
        ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
 
         ssl_dhparam /home/USER/dhparams.pem;
 
         ssl_dhparam /home/USER/dhparams.pem;
 
                 ssl_prefer_server_ciphers on;
 
                 ssl_prefer_server_ciphers on;
Line 113: Line 124:
 
                 add_header X-XSS-Protection "1; mode=block";
 
                 add_header X-XSS-Protection "1; mode=block";
 
                 add_header Expect-CT "max-age=0";
 
                 add_header Expect-CT "max-age=0";
 +
 +
=NGiNX & gzip=
 +
Throw this into the nginx.conf to enable gzip:
 +
 +
                    gzip  on;
 +
                        gzip_disable "msie6";
 +
                        gzip_vary on;
 +
                        gzip_proxied any;
 +
                        gzip_comp_level 5;
 +
                        gzip_buffers 16 8k;
 +
                        gzip_min_length 256;
 +
                        gzip_http_version 1.1;
 +
                gzip_types
 +
                    application/atom+xml
 +
                    application/javascript
 +
                    application/json
 +
                    application/ld+json
 +
                    application/manifest+json
 +
                    application/rss+xml
 +
                    application/vnd.geo+json
 +
                    application/vnd.ms-fontobject
 +
                    application/x-font-ttf
 +
                    application/x-web-app-manifest+json
 +
                    application/xhtml+xml
 +
                    application/xml
 +
                    font/opentype
 +
                    image/bmp
 +
                    image/png
 +
                    image/jpg
 +
                    image/jpeg
 +
                    image/svg+xml
 +
                    image/x-icon
 +
                    text/cache-manifest
 +
                    text/css
 +
                    text/plain
 +
                    text/vcard
 +
                    text/vnd.rim.location.xloc
 +
                    text/vtt
 +
                    text/x-component
 +
                    text/x-cross-domain-policy
 +
                    text/js
 +
                    text/xml
 +
                    text/javascript
 +
                    application/x-javascript;
 +
 +
=Header=
 +
This setting reports what the server OS or software is being used. This can be set to anything to throw others off the trail for additional security.
 +
 +
                add_header Server "FreeBSD";

Latest revision as of 14:31, 12 March 2020

NGINX logo.png

NGiNX Nginx ( /ˌɛndʒɪnˈɛks/ EN-jin-EKS) (stylized as NGiNX or nginx) is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. A company of the same name was founded in 2011 to provide support and Nginx plus paid software.

Nginx is free and open-source software, released under the terms of a BSD-like license. A large fraction of web servers use NGINX, often as a load balancer.

Basic NGiNX setup

This will serve basic HTML pages to browsers.

       server {
               listen 80;
               listen [::]:80;
               server_name tbpchan.cz www.tbpchan.cz;
               root /www/location/;
               index index.html index.htm index.nginx-debian.html index.php;
               location / {
                       try_files $uri $uri/ =404;
               }
       }


Proxy Forwarding

This is a basic reverse proxy setting for a subdomain within a network that doesn't have outside access due to reasons. This can be set for anything else as well. Be aware of how you access this within the local network and if https is needed as it has to be set exact within "proxy_pass" and the first part of "proxy_redirect":

        server {
                 listen 443 ssl;
                 listen [::]:443 ssl;
                 server_name test.tbpchan.cz;
        ssl on;
                ssl_certificate /usr/local/etc/fullchain.pem;
            ssl_certificate_key /usr/local/etc/privkey.pem;
        location / {
                        proxy_pass http://192.168.1.255:8080;
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_redirect      http://192.168.1.255:8080 http://192.168.1.255;
                }
        }

Pass PHP rendering to PHP-FPM

This is required in order to get PHP working with hosting websites.

           location ~ \.php$ {
       try_files $uri =404;
       fastcgi_split_path_info ^(.+?\.php)(.*)$;
       fastcgi_pass 127.0.0.1:9000;
       fastcgi_index index.php;
       fastcgi_param SCRIPT_FILENAME $request_filename;
       include /usr/local/etc/nginx/fastcgi_params;
       include fastcgi_params;
           }

You can also pass it to a Unix socket instead of a port using the following:

       fastcgi_pass unix:/usr/local/var/run/php5-fpm.sock;

NGiNX Caching

In order to set up NGiNX caching, you have to set the following above the "server" heading.

        proxy_cache_path /DIR levels=1:2 keys_zone=tbpchan.cz_cache:10m max_size=2g inactive=120m use_temp_path=off;

To assign a virtual server to caching, use the following:

       location / {
               try_files $uri $uri/ =404;
      proxy_buffers 256 16k;
      proxy_buffer_size 16k;
      proxy_read_timeout 600s;
      proxy_cache tbpchan.cz_cache;
      proxy_cache_revalidate on;
      proxy_cache_min_uses 2;
      proxy_cache_use_stale timeout;
      proxy_cache_lock on;
       }


NGiNX authentication browser popup

This provides blocking based on logins. You have to run the first command and create a new .htpasswd file before using it however.

  • Generate .htpasswd file
        htpasswd -c /home/username/.htpasswd username
  • Change or update .htpasswd file
        htpasswd /home/username/.htpasswd-users username
  • NGiNX configuration for .htpasswd authentication
        auth_basic "Restricted Content";
        auth_basic_user_file /home/username/.htpasswd;

NGiNX Security

In order to better secure your server, use the following within each virtual host but be aware these may break compatibility with certain websites:

ssl_ecdh_curve secp384r1;

ssl_session_tickets off;

add_header X-XSS-Protection "1; mode=block";

add_header Expect-CT "max-age=0";

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

These can be added to the nginx.conf file to help secure even more:

               ssl_protocols TLSv1.2; #TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
       	#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
       	ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
       	ssl_dhparam /home/USER/dhparams.pem;
               ssl_prefer_server_ciphers on;
       	ssl_session_cache shared:SSL:50m;
       	ssl_session_timeout 5m;
       	add_header Strict-Transport-Security max-age=15768000;
       	add_header X-Frame-Options SAMEORIGIN;
       	add_header X-Content-Type-Options nosniff;
       	add_header X-XSS-Protection "1; mode=block";
               ssl_ecdh_curve secp384r1;
               ssl_session_tickets off;
               add_header X-XSS-Protection "1; mode=block";
               add_header Expect-CT "max-age=0";

NGiNX & gzip

Throw this into the nginx.conf to enable gzip:

                   gzip  on;
                       gzip_disable "msie6";
                        gzip_vary on;
                        gzip_proxied any;
                        gzip_comp_level 5;
                        gzip_buffers 16 8k;
                        gzip_min_length 256;
                        gzip_http_version 1.1;
               gzip_types
                   application/atom+xml
                   application/javascript
                   application/json
                   application/ld+json
                   application/manifest+json
                   application/rss+xml
                   application/vnd.geo+json
                   application/vnd.ms-fontobject
                   application/x-font-ttf
                   application/x-web-app-manifest+json
                   application/xhtml+xml
                   application/xml
                   font/opentype
                   image/bmp
                   image/png
                   image/jpg
                   image/jpeg
                   image/svg+xml
                   image/x-icon
                   text/cache-manifest
                   text/css
                   text/plain
                   text/vcard
                   text/vnd.rim.location.xloc
                   text/vtt
                   text/x-component
                   text/x-cross-domain-policy
                   text/js
                   text/xml
                   text/javascript
                   application/x-javascript;

Header

This setting reports what the server OS or software is being used. This can be set to anything to throw others off the trail for additional security.

               add_header Server "FreeBSD";