Nginx

From wiki
Revision as of 20:57, 11 May 2016 by Vincent (talk | contribs) (Fix visual editor issues)
Warning Warning: These instructions were only tested on Debian. It will probably work for other Linux distributions, but you might need to adapt the provided instructions.

Nginx is a fast and powerful web server.

Install

The version of nginx in Debian Jessie support the deprecated SPDY protocol. Using the version from jessie-backports allows to get support for HTTP/2.

# apt install nginx-extras/jessie-backports

Configure

conf.d

The conf.d folder stores shared configuration shared between all the sites hosted on your server.

Create the following files:

  • /etc/nginx/conf.d/dns.conf
    # DNS resolver
    # It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers
    resolver 127.0.0.1;
    # If you don't have a DNS resolver on your machine you can use google public ones instead
    #resolver 8.8.8.8 8.8.4.4;
    
  • /etc/nginx/conf.d/gzip.conf
    # Insert header "Vary: Accept-Encoding" in responses
    # https://www.maxcdn.com/blog/accept-encoding-its-vary-important/
    gzip_vary on;
    
    gzip_comp_level 6;
    
    gzip_proxied any;
    
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
    
  • /etc/nginx/conf.d/php*.conf
    See documentation to install PHP.
  • /etc/nginx/conf.d/server_tokens.conf
    # Hide nginx version
    # This doesn't provides any real security but makes hackers life a bit more difficult
    server_tokens off;
    
  • /etc/nginx/conf.d/ssl.conf
    # These two settings are now included by default in nginx.conf
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_prefer_server_ciphers on;
    
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!CAMELLIA:!SEED";
    
    # Parameters for Diffie-Hellman handshake
    # Generate the file with the command:
    #    openssl dhparam 2048 -out /etc/nginx/dh2048.pem
    ssl_dhparam /etc/nginx/dh2048.pem;
    
    # Support OSCP Stapling. Check that resolver from in dns.conf is working
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    
    # Support SSL session cache
    ssl_session_cache shared:NginxCache:50m;
    ssl_session_tickets off; # https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
    
    Generate file /etc/nginx/dh2048.pem with
    # openssl dhparam 2048 -out /etc/nginx/dh2048.pem
    

snippets

The snippets folder allows you to store bits of configuration that you can later include in virtual hosts configuration.This saves a lot of typing and errors when creating a new site.

  • /etc/nging/conf.d/acme-challenge.conf
    See Let’s Encrypt
  • /etc/nging/conf.d/hsts.conf
    # Activate HTTP Strict Transport Security
    # max-age value is in seconds. 31536000 is 6 months
    
    # add_header only works for 2xx and 3xx response code
    # Use module ngx_headers_more to add header for any response. 
    # If you don't have this module, remove the first line and uncomment the second one
    more_set_headers "Strict-Transport-Security: max-age=31536000";
    #add_header Strict-Transport-Security max-age=31536000;
    
  • /etc/nginx/snippets/https-permanent-redirect.conf
    # Reply to the browser with a permanent redirect to the secure version of the page
    # Wrapped in a location block so that other snippets (acme-challenge.conf) can override that.
    location / {
        return 301 https://$host$request_uri;
    }
    
  • /etc/nginx/snippets/listen-http.conf
    /etc/nginx/snippets/listen-https.conf
    Obviously, you need to replace the example IP addresses by the one of your server. You can get the IP of your server with the commands curl https://ipv6.meurisse.org and curl https://ipv4.meurisse.org.
    listen [2001:db8:3:47d0::2e:7]:80;
    listen 203.0.113.23:80;
    
    listen [2001:db8:3:47d0::2e:7]:443 ssl http2;
    listen 203.0.113.23:443 ssl http2;
    
  • /etc/nginx/snippets/ssl.conf
    ssl on;
    ssl_stapling on;
    

HTTP Auth

Install

# apt install apache2-utils

Create Password File

# touch /etc/nginx/generic.htpasswd

If you want different website to have different users, you can create as many password files as you want.

Add User

# htpasswd /etc/nginx/generic.htpasswd jdoe
New password: 
Re-type new password: 
Adding password for user jdoe

To update a password user, just run the same command.

Nginx will pick the modified file automatically. There is nothing to restart.

Use

To restrict access to a site or part of it, add the following lines to a server or location config

auth_basic "You shall not pass!";
auth_basic_user_file /etc/nginx/generic.htpasswd;

New Site

This section shows how to create a new website in your Nginx server. Instructions here a very generic and will need to be adapted for your specific case.

In the following sections, we are showing the conf for a site called mysite. You need to replace all occurrences of mysite by the name of the site you want to create.

Config File

First create the config file /etc/nginx/sites-available/mysite

server {
    include snippets/listen-http.conf;
    server_name mysite.example.org;

    access_log /var/log/nginx/mysite.access.log;
    error_log /var/log/nginx/mysite.error.log info;

    include snippets/acme-challenge.conf;
    include snippets/https-permanent-redirect.conf;
}

server {
    include snippets/listen-https.conf;
    server_name mysite.example.org;

    access_log /var/log/nginx/mysite.access.log;
    error_log /var/log/nginx/mysite.error.log info;

    include snippets/acme-challenge.conf;
    #include snippets/ssl.conf;
    #ssl_certificate      /etc/letsencrypt/live/mysite.example.org/fullchain.pem;
    #ssl_certificate_key  /etc/letsencrypt/live/mysite.example.org/privkey.pem;
    #more_set_headers "Strict-Transport-Security: max-age=31536000";

    root /var/www/mysite;
}

Activate the configuration with

# ln -s /etc/nginx/sites-available/mysite /etc/nginx/sites-enabled/
# service nginx reload

TLS Certificate

Edit file /usr/local/sbin/renew_certificates and add the following to the config list

{
    'domains': ['mysite.example.org'],
    'reload': [['service', 'nginx', 'reload']]
}

and get your certificate

$ sudo /usr/local/sbin/certmanage
Renewing certificate for mysite.example.org that will expire on 0001-01-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysite.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mysite.example.org/fullchain.pem. Your cert
   will expire on 2025-03-05. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restarting services:
service nginx restart

Now uncomment the ssl related lines in /etc/nginx/sites-available/mysite and run

# service nginx reload

Fail2Ban

Webservers are usually a good target for hackers. A lot of them contain outdated, insecure and misconfigured software and if your server run languages like PHP, the attacker would be able to execute pretty much any action once he cracked your server.

Warning: The rules described here protect against generic attacks on your webserver. If you install some specific software that has it's own authentication (owncoud, roundcube...) you need to create rules for it.

nginx-http-auth

First rule is pretty simple simple. It protect against http authentication (the ugly popups asking your password before you enter the site).

Create file /etc/fail2ban/jail.d/nginx-http-auth.conf

[nginx-http-auth]
enabled = true
port    = http,https
logpath = /var/log/nginx/*error.log

nginx-botsearch

This rule match 404 errors when bots try to find unsecure software on your server. While it should generally work fine, you should check ban report to make sure you don't lock out legitimate users.

Create file /etc/fail2ban/jail.d/nginx-botsearch.conf

[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = /var/log/nginx/*error.log
maxretry = 2