Difference between revisions of "Nginx"
From wiki
(Add HSTS snippet) |
(redirect https) |
||
| Line 12: | Line 12: | ||
Create the following files: | Create the following files: | ||
| − | * /etc/nginx/conf.d/dns.conf<syntaxhighlight lang="nginx"> | + | * <code>/etc/nginx/conf.d/dns.conf</code><syntaxhighlight lang="nginx"> |
# DNS resolver | # DNS resolver | ||
# It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers | # It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers | ||
| Line 19: | Line 19: | ||
#resolver 8.8.8.8 8.8.4.4; | #resolver 8.8.8.8 8.8.4.4; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | */etc/nginx/conf.d/gzip.conf<syntaxhighlight lang="nginx"> | + | *<code>/etc/nginx/conf.d/gzip.conf</code><syntaxhighlight lang="nginx"> |
# Insert header "Vary: Accept-Encoding" in responses | # Insert header "Vary: Accept-Encoding" in responses | ||
# https://www.maxcdn.com/blog/accept-encoding-its-vary-important/ | # https://www.maxcdn.com/blog/accept-encoding-its-vary-important/ | ||
| Line 30: | Line 30: | ||
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml; | gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | */etc/nginx/conf.d/server_tokens.conf<syntaxhighlight lang="nginx"> | + | *<code>/etc/nginx/conf.d/server_tokens.conf</code><syntaxhighlight lang="nginx"> |
# Hide nginx version | # Hide nginx version | ||
# This doesn't provides any real security but makes hackers life a bit more difficult | # This doesn't provides any real security but makes hackers life a bit more difficult | ||
server_tokens off; | server_tokens off; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | * /etc/nginx/conf.d/ssl.conf<syntaxhighlight lang="nginx"> | + | * <code>/etc/nginx/conf.d/ssl.conf</code><syntaxhighlight lang="nginx"> |
# These two settings are now included by default in nginx.conf | # These two settings are now included by default in nginx.conf | ||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| Line 59: | Line 59: | ||
=== snippets === | === snippets === | ||
The snippets folder allows you to store bits of configuration that you can later include in virtual hosts configuration.This saves a lot of typing and errors when creating a new site. | The snippets folder allows you to store bits of configuration that you can later include in virtual hosts configuration.This saves a lot of typing and errors when creating a new site. | ||
| − | * /etc/nging/conf.d/acme-challenge.conf See [[SSL]] | + | * <code>/etc/nging/conf.d/acme-challenge.conf</code> See [[SSL]] |
| − | * /etc/nging/conf.d/hsts.conf<syntaxhighlight lang="nginx"> | + | * <code>/etc/nging/conf.d/hsts.conf</code><syntaxhighlight lang="nginx"> |
# Activate HTTP Strict Transport Security | # Activate HTTP Strict Transport Security | ||
# max-age value is in seconds. 31536000 is 6 months | # max-age value is in seconds. 31536000 is 6 months | ||
| Line 69: | Line 69: | ||
more_set_headers "Strict-Transport-Security: max-age=31536000"; | more_set_headers "Strict-Transport-Security: max-age=31536000"; | ||
#add_header Strict-Transport-Security max-age=31536000; | #add_header Strict-Transport-Security max-age=31536000; | ||
| + | </syntaxhighlight> | ||
| + | *<code>/etc/nginx/snippets/https-permanent-redirect.conf</code><syntaxhighlight lang="nginx"> | ||
| + | # Reply to the browser with a permanent redirect to the secure version of the page | ||
| + | return 301 https://$host$request_uri; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 02:29, 31 December 2015
 Warning: | These instructions were only tested on Debian. It will probably work for other Linux distributions, but you might need to adapt the provided instructions. |
Nginx is a fast and powerful web server.
Install
apt install nginx-extras
Configure
conf.d
The conf.d folder stores shared configuration shared between all the sites hosted on your server.
Create the following files:
/etc/nginx/conf.d/dns.conf# DNS resolver # It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers resolver 127.0.0.1; # If you don't have a DNS resolver on your machine you can use google public ones instead #resolver 8.8.8.8 8.8.4.4;
/etc/nginx/conf.d/gzip.conf# Insert header "Vary: Accept-Encoding" in responses # https://www.maxcdn.com/blog/accept-encoding-its-vary-important/ gzip_vary on; gzip_comp_level 6; gzip_proxied any; gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
/etc/nginx/conf.d/server_tokens.conf# Hide nginx version # This doesn't provides any real security but makes hackers life a bit more difficult server_tokens off;
/etc/nginx/conf.d/ssl.conf# These two settings are now included by default in nginx.conf #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_prefer_server_ciphers on; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!CAMELLIA:!SEED"; # Parameters for Diffie-Hellman handshake # Generate the file with the command: # openssl dhparam 2048 -out /etc/nginx/dh2048.pem ssl_dhparam /etc/nginx/dh2048.pem; # Support OSCP Stapling. Check that resolver from in dns.conf is working ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Support SSL session cache ssl_session_cache shared:NginxCache:50m; ssl_session_tickets off; # https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
snippets
The snippets folder allows you to store bits of configuration that you can later include in virtual hosts configuration.This saves a lot of typing and errors when creating a new site.
/etc/nging/conf.d/acme-challenge.confSee SSL/etc/nging/conf.d/hsts.conf# Activate HTTP Strict Transport Security # max-age value is in seconds. 31536000 is 6 months # add_header only works for 2xx and 3xx response code # Use module ngx_headers_more to add header for any response. # If you don't have this module, remove the first line and uncomment the second one more_set_headers "Strict-Transport-Security: max-age=31536000"; #add_header Strict-Transport-Security max-age=31536000;
/etc/nginx/snippets/https-permanent-redirect.conf# Reply to the browser with a permanent redirect to the secure version of the page return 301 https://$host$request_uri;
Adding PHP
apt install php5-cli php5-fpm php5-apcu
