Nginx

Revision as of 11:16, 31 December 2015

Warning: These instructions were only tested on Debian. They will probably work for other Linux distributions, but you might need to adapt the provided instructions.

Nginx is a fast and powerful web server.

Install

apt install nginx-extras

Configure

conf.d

The conf.d folder stores configuration shared between all the sites hosted on your server.

Create the following files:

  • /etc/nginx/conf.d/dns.conf
    # DNS resolver
    # It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers
    resolver 127.0.0.1;
    # If you don't have a DNS resolver on your machine you can use google public ones instead
    #resolver 8.8.8.8 8.8.4.4;
    
  • /etc/nginx/conf.d/gzip.conf
    # Insert header "Vary: Accept-Encoding" in responses
    # https://www.maxcdn.com/blog/accept-encoding-its-vary-important/
    gzip_vary on; 
    
    gzip_comp_level 6;
    
    gzip_proxied any;
    
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
    
  • /etc/nginx/conf.d/server_tokens.conf
    # Hide nginx version
    # This doesn't provide any real security but makes a hacker's life a bit more difficult
    server_tokens off;
    
  • /etc/nginx/conf.d/ssl.conf
    # These two settings are now included by default in nginx.conf
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_prefer_server_ciphers on;
    
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!CAMELLIA:!SEED";
    
    # Parameters for Diffie-Hellman handshake
    # Generate the file with the command (the key size is the last argument):
    #    openssl dhparam -out /etc/nginx/dh2048.pem 2048
    ssl_dhparam /etc/nginx/dh2048.pem;
    
    # Support OCSP Stapling. Check that the resolver configured in dns.conf is working
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    
    # Support SSL session cache
    ssl_session_cache shared:NginxCache:50m;
    ssl_session_tickets off; # https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
    

snippets

The snippets folder allows you to store bits of configuration that you can later include in virtual host configurations. This saves a lot of typing and errors when creating a new site.

  • /etc/nginx/conf.d/acme-challenge.conf
    See SSL
  • /etc/nginx/conf.d/hsts.conf
    # Activate HTTP Strict Transport Security
    # max-age value is in seconds. 31536000 seconds is one year (365 days)
    
    # add_header only works for 2xx and 3xx response code
    # Use module ngx_headers_more to add header for any response. 
    # If you don't have this module, remove the first line and uncomment the second one
    more_set_headers "Strict-Transport-Security: max-age=31536000";
    #add_header Strict-Transport-Security max-age=31536000;
    
  • /etc/nginx/snippets/https-permanent-redirect.conf
    # Reply to the browser with a permanent redirect to the secure version of the page
    return 301 https://$host$request_uri;
    
  • /etc/nginx/snippets/listen-http.conf
    /etc/nginx/snippets/listen-https.conf

    Obviously, you need to replace the example IP addresses with those of your server. You can get the IP addresses of your server with the commands curl http://ipv6.meurisse.org and curl http://ipv4.meurisse.org.
    listen [2001:db8:3:47d0::2e:7]:80;
    listen 203.0.113.23:80;
    
    listen [2001:db8:3:47d0::2e:7]:443 ssl spdy;
    listen 203.0.113.23:443 ssl spdy;
    
  • /etc/nginx/snippets/ssl.conf
    ssl on;
    ssl_stapling on;
    
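The two sections above describe files that are only useful once a virtual host includes them, and the resulting effective configuration is spread over several files. The following shell script is an added example, not part of the wiki page: it recreates trimmed copies of the conf.d files and snippets described above under a temporary directory, writes a minimal nginx.conf and one virtual host that include them the way the page intends (plain HTTP server that only redirects, HTTPS server carrying the hardening snippets), expands the include directives so the effective configuration can be read in one piece, and audits that result for the settings the page recommends (server_tokens off, HSTS, OCSP stapling, DH parameters, redirect, no SSLv2/SSLv3, no session tickets). The directory layout, the hostname example.org and the certificate paths are assumptions. One deliberate difference from the page's listen-https.conf: the example uses `http2` instead of `spdy`, because nginx replaced SPDY with HTTP/2 in 1.9.5 and later versions reject the `spdy` parameter.

```shell
#!/bin/sh
# Added example (not from the wiki page): assemble, expand and audit an nginx
# configuration built from the conf.d files and snippets described above.
# Paths, hostname and certificate locations are assumptions.

# expand_includes FILE: print FILE with each "include PATH;" line replaced by
# the content of PATH, recursively. Globs in PATH are expanded as nginx does.
# Only absolute paths are handled (nginx would also resolve relative ones).
expand_includes() {
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        case "$trimmed" in
            "include "*)
                path=$(printf '%s\n' "$trimmed" | sed -e 's/^include[[:space:]]*//' -e 's/[[:space:]]*;.*$//')
                for f in $path; do
                    if [ -f "$f" ]; then expand_includes "$f"; fi
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# audit_nginx_conf FILE: print one line per finding in the effective
# configuration and return the number of findings (0 means all checks passed).
audit_nginx_conf() {
    cfg=$(expand_includes "$1" | sed 's/#.*$//')   # commented-out lines do not count
    n=0
    expect() {   # expect REGEX DESCRIPTION: finding if REGEX is absent
        if ! printf '%s\n' "$cfg" | grep -Eq "$1"; then
            echo "MISSING: $2"; n=$((n + 1))
        fi
    }
    forbid() {   # forbid REGEX DESCRIPTION: finding if REGEX is present
        if printf '%s\n' "$cfg" | grep -Eq "$1"; then
            echo "WEAK: $2"; n=$((n + 1))
        fi
    }
    expect 'server_tokens[[:space:]]+off'              'server_tokens off (hides the version)'
    expect 'Strict-Transport-Security'                 'HSTS header (hsts.conf)'
    expect 'ssl_stapling[[:space:]]+on'                'OCSP stapling (ssl.conf)'
    expect 'ssl_dhparam'                               'custom Diffie-Hellman parameters'
    expect 'return[[:space:]]+301[[:space:]]+https://' 'HTTP to HTTPS redirect'
    forbid 'ssl_protocols[^;]*SSLv'                    'SSLv2/SSLv3 enabled'
    forbid 'ssl_session_tickets[[:space:]]+on'         'session tickets on (see ssl.conf)'
    return $n
}

# build_demo_site DIR: write constructed, trimmed copies of the page's files
# plus a minimal nginx.conf and one virtual host under DIR; print the path of
# the nginx.conf to audit.
build_demo_site() {
    d=$1
    mkdir -p "$d/conf.d" "$d/snippets" "$d/sites-enabled"
    printf '%s\n' 'server_tokens off;' > "$d/conf.d/server_tokens.conf"
    cat > "$d/conf.d/ssl.conf" <<'EOF'
ssl_dhparam /etc/nginx/dh2048.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_tickets off;
EOF
    printf '%s\n' 'more_set_headers "Strict-Transport-Security: max-age=31536000";' > "$d/snippets/hsts.conf"
    printf '%s\n' 'return 301 https://$host$request_uri;' > "$d/snippets/https-permanent-redirect.conf"
    printf '%s\n' 'listen [2001:db8:3:47d0::2e:7]:80;' 'listen 203.0.113.23:80;' > "$d/snippets/listen-http.conf"
    # http2 rather than the page's spdy: nginx 1.9.5 replaced SPDY with HTTP/2
    printf '%s\n' 'listen [2001:db8:3:47d0::2e:7]:443 ssl http2;' 'listen 203.0.113.23:443 ssl http2;' > "$d/snippets/listen-https.conf"
    cat > "$d/sites-enabled/example.org" <<EOF
server {
    include $d/snippets/listen-http.conf;
    server_name example.org;
    include $d/snippets/https-permanent-redirect.conf;
}
server {
    include $d/snippets/listen-https.conf;
    server_name example.org;
    include $d/snippets/hsts.conf;
    ssl_certificate     /etc/ssl/private/example.org.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/example.org.key;   # assumed path
}
EOF
    cat > "$d/nginx.conf" <<EOF
http {
    include $d/conf.d/*.conf;
    include $d/sites-enabled/*;
}
EOF
    printf '%s\n' "$d/nginx.conf"
}

# Stand-alone demo: build the site in a temporary directory and audit it.
demo=$(mktemp -d)
if audit_nginx_conf "$(build_demo_site "$demo")"; then echo "audit: no findings"; fi
rm -rf "$demo"
```

Run `audit_nginx_conf /etc/nginx/nginx.conf` on a real Debian install to see the same checks applied to the live configuration; `expand_includes /etc/nginx/nginx.conf` alone is handy when reviewing which of the conf.d and snippets files actually end up in a given server block. The audit is a static text check and deliberately does not replace `nginx -t`, which validates syntax and that the referenced certificate and dhparam files exist.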

Adding PHP

apt install php5-cli php5-fpm php5-apcu