Difference between revisions of "Nginx"
m (Remove empty line) |
|||
Line 100: | Line 100: | ||
First rule is pretty simple simple. It protect against http authentication (the ugly popups asking your password before you enter the site). | First rule is pretty simple simple. It protect against http authentication (the ugly popups asking your password before you enter the site). | ||
− | Create file <code>/etc/fail2ban/jail.d/nginx-http-auth.conf</code><syntaxhighlight lang="ini"> | + | Create file <code>/etc/fail2ban/jail.d/nginx-http-auth.conf</code> |
+ | <syntaxhighlight lang="ini"> | ||
[nginx-http-auth] | [nginx-http-auth] | ||
enabled = true | enabled = true | ||
Line 110: | Line 111: | ||
This rule match 404 errors when bots try to find unsecure software on your server. While it should generally work fine, you should check ban report to make sure you don't lock out legitimate users. | This rule match 404 errors when bots try to find unsecure software on your server. While it should generally work fine, you should check ban report to make sure you don't lock out legitimate users. | ||
− | Create file <code>/etc/fail2ban/jail.d/nginx-botsearch.conf</code><syntaxhighlight lang="ini"> | + | Create file <code>/etc/fail2ban/jail.d/nginx-botsearch.conf</code> |
+ | <syntaxhighlight lang="ini"> | ||
[nginx-botsearch] | [nginx-botsearch] | ||
enabled = true | enabled = true | ||
Line 116: | Line 118: | ||
logpath = /var/log/nginx/*error.log | logpath = /var/log/nginx/*error.log | ||
maxretry = 2 | maxretry = 2 | ||
− | </syntaxhighlight>[[Category: | + | </syntaxhighlight> |
+ | [[Category:Linux Server]] | ||
[[Category:Fail2Ban]] | [[Category:Fail2Ban]] |
Revision as of 06:45, 11 March 2016
Warning: | These instructions were only tested on Debian. It will probably work for other Linux distributions, but you might need to adapt the provided instructions. |
Nginx is a fast and powerful web server.
Install
apt install nginx-extras
Configure
conf.d
The conf.d folder stores shared configuration shared between all the sites hosted on your server.
Create the following files:
/etc/nginx/conf.d/dns.conf
# DNS resolver # It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers resolver 127.0.0.1; # If you don't have a DNS resolver on your machine you can use google public ones instead #resolver 8.8.8.8 8.8.4.4;
/etc/nginx/conf.d/gzip.conf
# Insert header "Vary: Accept-Encoding" in responses # https://www.maxcdn.com/blog/accept-encoding-its-vary-important/ gzip_vary on; gzip_comp_level 6; gzip_proxied any; gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
/etc/nginx/conf.d/php.conf
Configuration file if you need php. Don't forget to install PHP.upstream php { server unix:/var/run/php5-fpm.sock; }
/etc/nginx/conf.d/server_tokens.conf
# Hide nginx version # This doesn't provides any real security but makes hackers life a bit more difficult server_tokens off;
/etc/nginx/conf.d/ssl.conf
# These two settings are now included by default in nginx.conf #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_prefer_server_ciphers on; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!CAMELLIA:!SEED"; # Parameters for Diffie-Hellman handshake # Generate the file with the command: # openssl dhparam 2048 -out /etc/nginx/dh2048.pem ssl_dhparam /etc/nginx/dh2048.pem; # Support OSCP Stapling. Check that resolver from in dns.conf is working ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Support SSL session cache ssl_session_cache shared:NginxCache:50m; ssl_session_tickets off; # https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
snippets
The snippets folder allows you to store bits of configuration that you can later include in virtual hosts configuration.This saves a lot of typing and errors when creating a new site.
/etc/nging/conf.d/acme-challenge.conf
See TLS/etc/nging/conf.d/hsts.conf
# Activate HTTP Strict Transport Security # max-age value is in seconds. 31536000 is 6 months # add_header only works for 2xx and 3xx response code # Use module ngx_headers_more to add header for any response. # If you don't have this module, remove the first line and uncomment the second one more_set_headers "Strict-Transport-Security: max-age=31536000"; #add_header Strict-Transport-Security max-age=31536000;
/etc/nginx/snippets/https-permanent-redirect.conf
# Reply to the browser with a permanent redirect to the secure version of the page return 301 https://$host$request_uri;
/etc/nginx/snippets/listen-http.conf
/etc/nginx/snippets/listen-https.conf
Obviously, you need to replace the example IP addresses by the one of your server. You can get the IP of your server with the commandscurl https://ipv6.meurisse.org
andcurl https://ipv4.meurisse.org
.listen [2001:db8:3:47d0::2e:7]:80; listen 203.0.113.23:80;
listen [2001:db8:3:47d0::2e:7]:443 ssl spdy; listen 203.0.113.23:443 ssl spdy;
/etc/nginx/snippets/ssl.conf
ssl on; ssl_stapling on;
Fail2Ban
Webservers are usually a good target for hackers. A lot of them contain outdated, insecure and misconfigured software and if your server run languages like PHP, the attacker would be able to execute pretty much any action once he cracked your server.
Warning: The rules described here protect against generic attacks on your webserver. If you install some specific software that has it's own authentication (owncoud, roundcube...) you need to create rules for it.
nginx-http-auth
First rule is pretty simple simple. It protect against http authentication (the ugly popups asking your password before you enter the site).
Create file /etc/fail2ban/jail.d/nginx-http-auth.conf
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/*error.log
nginx-botsearch
This rule match 404 errors when bots try to find unsecure software on your server. While it should generally work fine, you should check ban report to make sure you don't lock out legitimate users.
Create file /etc/fail2ban/jail.d/nginx-botsearch.conf
[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/*error.log
maxretry = 2