Difference between revisions of "NGiNX"
(→NGiNX Security)
(One intermediate revision by the same user not shown)
Line 110: | Line 110: | ||
ssl_protocols TLSv1.2; #TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE | ssl_protocols TLSv1.2; #TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE | ||
− | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | + | #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; |
+ | ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'; | ||
ssl_dhparam /home/USER/dhparams.pem; | ssl_dhparam /home/USER/dhparams.pem; | ||
ssl_prefer_server_ciphers on; | ssl_prefer_server_ciphers on; |
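Review bot: the replacement ssl_ciphers line keeps only four ECDHE-RSA suites, so a host serving an ECDSA certificate (or an RSA plus ECDSA pair) would have no suite in common with any client and every handshake would fail; the old list also carried the ECDHE-*-CHACHA20-POLY1305 suites, which clients without AES hardware prefer, and those are gone too. Either keep the ECDHE-ECDSA and CHACHA20 entries or state on the page that this list assumes an RSA-only certificate, and delete the commented-out old line rather than leaving it in the config.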
Latest revision as of 14:31, 12 March 2020
Nginx (/ˌɛndʒɪnˈɛks/ EN-jin-EKS, stylized as NGiNX or nginx) is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. A company of the same name was founded in 2011 to provide support and the paid Nginx Plus software.
Nginx is free and open-source software, released under the terms of a BSD-like license. A large fraction of web servers use NGINX, often as a load balancer.
Basic NGiNX setup
This will serve basic HTML pages to browsers.
server {
    listen 80;
    listen [::]:80;
    server_name tbpchan.cz www.tbpchan.cz;
    root /www/location/;
    index index.html index.htm index.nginx-debian.html index.php;
    location / {
        try_files $uri $uri/ =404;
    }
}
Proxy Forwarding
This is a basic reverse proxy setting for a subdomain that fronts a service on the local network which has no direct outside access. The same pattern works for any other backend. Be aware of how you reach the backend within the local network and whether it speaks https, because the scheme, host and port have to match exactly in "proxy_pass" and in the first argument of "proxy_redirect":
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name test.tbpchan.cz;
    # "ssl on;" is obsolete since nginx 1.15.0; the ssl parameter on "listen" above replaces it
    # ssl on;
    ssl_certificate /usr/local/etc/fullchain.pem;
    ssl_certificate_key /usr/local/etc/privkey.pem;
    location / {
        proxy_pass http://192.168.1.255:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http://192.168.1.255:8080 http://192.168.1.255;
    }
}
Pass PHP rendering to PHP-FPM
This is required in order to get PHP working with hosting websites.
location ~ \.php$ {
    # return 404 unless the .php file really exists on disk, so a request such as
    # /uploads/pic.jpg/x.php is never handed to PHP when cgi.fix_pathinfo=1
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(.*)$;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include /usr/local/etc/nginx/fastcgi_params;
    # the relative path resolves against the nginx prefix, so this is normally
    # the same file as the line above and one of the two includes is enough
    include fastcgi_params;
}
You can also pass it to a Unix socket instead of a port using the following:
fastcgi_pass unix:/usr/local/var/run/php5-fpm.sock;
NGiNX Caching
In order to set up NGiNX caching, set the following at the http level of nginx.conf, outside of any "server" block:
proxy_cache_path /DIR levels=1:2 keys_zone=tbpchan.cz_cache:10m
                 max_size=2g inactive=120m use_temp_path=off;
To enable the cache for a virtual server, use the following inside its server block:
location / {
    try_files $uri $uri/ =404;
    proxy_buffers 256 16k;
    proxy_buffer_size 16k;
    proxy_read_timeout 600s;
    # proxy_cache only applies to responses fetched with proxy_pass; add the
    # proxy_pass for your backend in this location or nothing will be cached
    proxy_cache tbpchan.cz_cache;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 2;
    proxy_cache_use_stale timeout;
    proxy_cache_lock on;
}
NGiNX authentication browser popup
This restricts access to users who can log in with HTTP basic authentication. Run the first command to create the .htpasswd file before enabling it in the configuration.
- Generate .htpasswd file
htpasswd -c /home/username/.htpasswd username
- Change or update .htpasswd file
htpasswd /home/username/.htpasswd username
- NGiNX configuration for .htpasswd authentication
auth_basic "Restricted Content";
auth_basic_user_file /home/username/.htpasswd;
NGiNX Security
In order to better secure your server, use the following within each virtual host, but be aware that these may break compatibility with certain sites or older clients:
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
add_header X-XSS-Protection "1; mode=block";
add_header Expect-CT "max-age=0";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
These can be added to the nginx.conf file to help secure even more. Note that add_header directives are inherited from the enclosing level only when the current level defines none of its own, so a server or location block that sets even one add_header must repeat all of them:
ssl_protocols TLSv1.2; #TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
ssl_dhparam /home/USER/dhparams.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
add_header Strict-Transport-Security max-age=15768000;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
add_header Expect-CT "max-age=0";
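A check for the headers configured in this section, as an added example that is not part of the original wiki page: it parses a captured response header block (the constructed SAMPLE stands in for what `curl -sI https://host/` prints) and reports which of the headers above are missing, weaker than the values given here, or emitted twice.

```python
"""Audit the hardening headers from the nginx config above (added example; SAMPLE is constructed)."""
import re

def parse_headers(raw):
    """Split a raw response header block into (status_line, {name: [values]})."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    fields = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], fields

def audit(raw, min_hsts_age=31536000):
    """Return a list of findings; an empty list means every check passed."""
    _, fields = parse_headers(raw)
    findings = []
    # an add_header repeated in the config (X-XSS-Protection above) is sent twice
    for name, vals in fields.items():
        if len(vals) > 1:
            findings.append(f"duplicate header: {name} x{len(vals)}")
    hsts = fields.get("strict-transport-security", [""])[0]
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("missing Strict-Transport-Security")
    else:
        if int(age.group(1)) < min_hsts_age:
            findings.append(f"HSTS max-age {age.group(1)} below {min_hsts_age}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if fields.get("x-frame-options", [""])[0].upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if fields.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    # add_header cannot replace nginx's built-in Server header, so a version
    # string here means server_tokens is still on
    for server in fields.get("server", []):
        if re.search(r"/\d", server):
            findings.append(f"Server header leaks version: {server}")
    return findings

SAMPLE = (  # constructed: roughly what a host running this page's config would send
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.2.3\r\n"
    "Server: FreeBSD\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
)
```

Running `audit(SAMPLE)` flags the half-year HSTS age, the missing includeSubDomains, the doubled headers and the leaked version, which is exactly what the nginx.conf snippet above would produce on a host that has not set server_tokens off.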
NGiNX & gzip
Throw this into the nginx.conf to enable gzip. Keep in mind that compressing responses which mix secrets (session or CSRF tokens) with user-controlled input over TLS exposes them to the BREACH attack, so consider leaving such dynamic pages uncompressed:
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_http_version 1.1;
gzip_types application/atom+xml application/javascript application/json
           application/ld+json application/manifest+json application/rss+xml
           application/vnd.geo+json application/vnd.ms-fontobject
           application/x-font-ttf application/x-web-app-manifest+json
           application/xhtml+xml application/xml font/opentype image/bmp
           image/png image/jpg image/jpeg image/svg+xml image/x-icon
           text/cache-manifest text/css text/plain text/vcard
           text/vnd.rim.location.xloc text/vtt text/x-component
           text/x-cross-domain-policy text/js text/xml text/javascript
           application/x-javascript;
Header
This header reports which server software or OS is in use. Be aware that nginx's add_header does not replace the built-in Server header; it adds a second one, so the original "nginx/<version>" value is still sent. Use server_tokens off to hide the version, and the third-party headers-more module (more_set_headers) if you really want to replace the value with something else to throw others off the trail.
server_tokens off;                   # sends "Server: nginx" without the version
# add_header Server "FreeBSD";       # adds a second Server header instead of replacing the built-in one
# more_set_headers "Server: FreeBSD"; # replaces it, but requires the ngx_headers_more module