# Simple Directory Index configuration
server {
    listen 80;
    server_name www.example.com;
    root /var/www/html;

    location / {
        # A directory listing is returned for any path that has no index file,
        # so everything under /var/www/html becomes browsable. Keep only
        # content that is meant to be public in that tree.
        autoindex on;
        autoindex_exact_size off;  # rounded sizes (K/M) instead of exact byte counts
        autoindex_localtime on;    # timestamps in the server's local time zone instead of UTC
        charset utf-8;
    }
}
# HTTP Proxy
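# proxy_pass below contains variables, so the target is resolved at request
# time and a resolver is mandatory. Prefer a resolver you operate yourself.
resolver 8.8.4.4;
server {
    listen 3128;

    # Forward proxy: the destination is taken verbatim from the client's own
    # Host header, so every client that can reach port 3128 can relay requests
    # through this machine, including to hosts only this machine can reach.
    # Limit the proxy to the clients that are supposed to use it.
    allow 127.0.0.1;   # replace with the address range allowed to use the proxy
    deny all;

    location / {
        proxy_pass http://$http_host$request_uri;
    }
}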
# Reverse Proxy
server {
    listen 80;
    server_name new-site.com;

    location / {
        proxy_pass http://origin-site.com/;
        proxy_redirect default;   # rewrite Location/Refresh headers that point at origin-site.com

        # Hand the original host and the client address to the origin.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already sent;
        # the origin should only trust the last entry, the one added here.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Non-standard duplicate of X-Real-IP; presumably expected by the origin.
        proxy_set_header X-Forward-IP $remote_addr;

        port_in_redirect on;
        server_name_in_redirect off;
        # Seconds to wait for the origin to accept a connection. nginx
        # documents that this usually cannot exceed 75 seconds.
        proxy_connect_timeout 300;
    }
}
# Cached Reverse Proxy
Make directories for cache:
# Cache store and temp area; both live under /var/cache/nginx on purpose
# (see the proxy_temp_path / proxy_cache_path directives below).
mkdir -p /var/cache/nginx/cache /var/cache/nginx/temp
Paste the following below the log_format directive in nginx.conf:
# http{}-level settings: request buffering, upstream timeouts and cache storage.
client_body_buffer_size 512k;        # request bodies up to this size are held in memory
proxy_connect_timeout 5;             # seconds to establish the upstream connection
proxy_read_timeout 60;               # seconds between two reads from the upstream
proxy_send_timeout 5;                # seconds between two writes to the upstream
proxy_buffer_size 16k;               # buffer for the first part of the response (headers)
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;        # must stay below proxy_buffers total minus one buffer (4*64k - 64k = 192k)
proxy_temp_file_write_size 128k;
# Temp files and the cache share one filesystem so a completed response is
# moved into the cache with a rename rather than a copy.
proxy_temp_path /var/cache/nginx/temp;
# "cache_one" is the zone name referenced by proxy_cache in the vhost.
proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=cache_one:500m inactive=7d max_size=30g;
Add to vhost configuration:
# server{}/location{}-level: enable the zone declared by proxy_cache_path.
proxy_cache cache_one;
proxy_cache_valid 200 304 3d;        # 200 and 304 responses are considered fresh for 3 days
# The key carries no scheme, cookie or Authorization component. Responses
# that differ per user must be marked by the origin (Cache-Control: private /
# no-store, or Set-Cookie), which nginx honours by default unless
# proxy_ignore_headers says otherwise; otherwise they are served to everyone.
proxy_cache_key $host$uri$is_args$args;
expires 10d;                         # browser-side caching, independent of the proxy cache
# Reverse proxy pass to a subdirectory (Map domain root to sub-path)
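server {
    listen 80;
    server_name www.example.com;

    location / {
        proxy_pass http://sub.example.com/path;
        # sub_filter cannot rewrite a compressed body; ask the upstream for an
        # uncompressed response so the replacement below actually takes effect.
        proxy_set_header Accept-Encoding "";
        # By default only the first match in text/html responses is replaced
        # (sub_filter_once / sub_filter_types control this).
        sub_filter /path/ /; # You may need this, otherwise comment it out.
        # Location headers from the upstream are passed through unchanged; a
        # redirect from sub.example.com would therefore expose that host.
        proxy_redirect off;
    }
}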
# Set Expires Headers For Static Content
# Case-insensitive regex location for static assets; regex locations are
# tried in order after prefix locations and the first match wins.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires 1y;           # Expires/Cache-Control one year ahead: change the file name to bust caches
    log_not_found off;    # do not log 404s for missing assets
}
# Increase HTTP Post Size Limit
http {
    #...
    # Largest accepted request body (nginx default is 1m). The directive is
    # also valid in server{} and location{}, so raise it only where uploads
    # are actually expected instead of globally.
    client_max_body_size 100m;
    #...
}
# Set Correct Files/Folders Permissions
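# Run from the document root. This hands ownership to the web server user;
# if the site is deployed by a different account, consider keeping that
# account as owner and giving www-data read-only access, so a compromised
# worker cannot rewrite the content it serves.
chown -R www-data:www-data .
# "{} +" passes many paths to each chmod instead of spawning one process per file.
find . -type f -exec chmod 644 {} +
find . -type d -exec chmod 755 {} +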
# Setup Basic-Auth on NGINX
Install apache2-utils
apt-get install apache2-utils # provides the htpasswd tool used in the next step
Create User and Password
htpasswd -c /etc/nginx/.htpasswd exampleuser # -c creates the file and overwrites an existing one; omit -c when adding further users
Add to NGINX site config
server {
    ...
    location / {
        ...
        # Basic auth sends the credentials base64-encoded, not encrypted:
        # serve this location over TLS (see the SSL section) so they cannot
        # be read on the wire. The password file lives outside the document
        # root; keep it readable by the nginx user only.
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd; #For Basic Auth
    }
}
# NGINX with SSL
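listen 443 ssl;
ssl_certificate /etc/nginx/server.crt;       # leaf certificate followed by the intermediates (see the cat step below)
ssl_certificate_key /etc/nginx/server.key;   # private key: readable by root only
# TLS 1.0 and 1.1 are deprecated (RFC 8996); keeping them enabled lets a
# connection be negotiated down to them. Clients must speak TLS 1.2.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# The original list also named EECDH+aRSA+RC4, which the trailing !RC4
# removed anyway; it is dropped here so the list says what it means.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;   # shared across workers, 10 MB of session entries
ssl_session_timeout 10m;            # sessions may be resumed for 10 minutes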
Concatenate certificates via cat
cat domain.crt intermediate.pem rootCA.pem > domain.signed.crt # order matters: leaf first, then intermediates; the root is normally already in the client's trust store and need not be sent. Point ssl_certificate at this bundle.
Avoid relying on weak default key-exchange parameters; generate your own Diffie-Hellman Ephemeral (DHE) parameters.
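# "&&" stops if the cd fails, so the parameters are never written into the
# wrong directory. Generating 4096-bit parameters can take a long time.
cd /etc/ssl/certs && \
openssl dhparam -out dhparam.pem 4096 # use 2048 if you are on a low-end-box.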
Then tell nginx to use it for DHE key-exchange:
ssl_dhparam /etc/ssl/certs/dhparam.pem; # parameters for the EDH+aRSA (DHE) ciphers in ssl_ciphers above
# Redirect to HTTPS
# Belongs in the port-80 server block. $request_uri keeps the original path
# and query string. The target host is fixed rather than built from $host, so
# a client-supplied Host header cannot steer the redirect elsewhere.
location / {
    return 301 https://example.com$request_uri;
}
# HSTS
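# "always" (nginx 1.7.5+) emits the headers on error responses too; without
# it nginx only adds them to a fixed set of success/redirect codes. add_header
# is not inherited into a block that declares its own add_header, so repeat
# these there if needed.
add_header Strict-Transport-Security max-age=63072000 always;   # only meaningful in the HTTPS server block
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;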
# CORS Config
Add the following to the location block, adjusting the options to suit your needs.
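# Wide-open CORS: any origin may read these responses. Use only for
# genuinely public resources.
add_header 'Access-Control-Allow-Origin' "*";
# Browsers refuse credentialed responses whose origin is "*", so the
# Allow-Credentials header below is inert in this form; it only makes sense
# together with a single explicit origin (see the example further down).
# add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';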
If you get errors like "... from origin 'https://...' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.", try changing the value of Access-Control-Allow-Origin to a specific domain.
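# Access-Control-Allow-Origin carries exactly one origin, scheme included; a
# space-separated list is invalid and browsers reject it.
add_header 'Access-Control-Allow-Origin' "https://example.com";
# To allow several origins, echo the matching one via a map in the http{}
# context, e.g.
#   map $http_origin $cors_origin {
#       default "";
#       "https://example.com"        $http_origin;
#       "https://static.example.com" $http_origin;
#   }
# and then: add_header 'Access-Control-Allow-Origin' $cors_origin;
# (nginx omits the header when the value is empty).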
# Enable Certificate Transparency for DV certificates
Reference:
Last Update 2016/10/14 17:32:01 +0900