Difference between revisions of "Nginx"

From RHS Wiki
Jump to navigation Jump to search
Line 1: Line 1:
 +
== Django site-available ==
 +
<nowiki>upstream leaks {
 +
    server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
 +
}
 +
 +
server {
 +
        listen 443 ssl;
 +
        server_name leaks.rra.lan;
 +
        charset utf-8;
 +
        client_max_body_size 4G;
 +
        ssl on;
 +
        ssl_certificate /etc/ssl/certs/redteamweb.crt;
 +
        ssl_certificate_key /etc/ssl/private/redteamweb.key;
 +
        ssl_protocols TLSv1.2;
 +
        ssl_prefer_server_ciphers on;
 +
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DDS";
 +
 +
        # Note: You should disable gzip for SSL traffic.
 +
        # See: https://bugs.debian.org/773332
 +
        #
 +
        # Read up on ssl_ciphers to ensure a secure configuration.
 +
        # See: https://bugs.debian.org/765782
 +
 +
        # root /var/www/html;
 +
 +
        # Add index.php to the list if you are using PHP
 +
        index index.html index.htm index.nginx-debian.html;
 +
        location /media  {
 +
            alias /var/www/leaks/media;      # your Django project's media files
 +
        }
 +
 +
        location /static {
 +
            alias /var/www/leaks/static;    # your Django project's static files
 +
        }
 +
 +
        location / {
 +
                # proxy_pass unix:///home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
 +
                proxy_pass http://leaks;
 +
                include /etc/nginx/uwsgi_params;
 +
                proxy_set_header Host $host;
 +
                proxy_set_header X-Real-IP $remote_addr;
 +
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
                proxy_set_header X-Forwarded-Proto https;
 +
        }
 +
 +
        # deny access to .htaccess files, if Apache's document root
 +
        # concurs with nginx's one
 +
        #
 +
        #location ~ /\.ht {
 +
        #      deny all;
 +
        #}
 +
}
 +
</nowiki>
 
== Redirect HTTP to HTTPS ==
 
== Redirect HTTP to HTTPS ==
 
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf
 
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf

Revision as of 08:33, 16 March 2018

Django site-available

upstream leaks {
    server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
}

server {
        listen 443 ssl;
        server_name leaks.rra.lan;
        charset utf-8;
        client_max_body_size 4G;
        ssl on;
        ssl_certificate /etc/ssl/certs/redteamweb.crt;
        ssl_certificate_key /etc/ssl/private/redteamweb.key;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DDS";

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782

        # root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
        location /media  {
            alias /var/www/leaks/media;      # your Django project's media files
        }

        location /static {
            alias /var/www/leaks/static;     # your Django project's static files
        }

        location / {
                # proxy_pass unix:///home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
                proxy_pass http://leaks;
                include /etc/nginx/uwsgi_params;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}

Redirect HTTP to HTTPS

Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf 

server {
    listen 80;
    rewrite ^(.*) https://$host$1 permanent;
}

enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS
Restart Nginx service: sudo service nginx restart

Password protected

Create a /etc/nginx/.htpasswd 

sudo sh -c "echo -n 'sammy:' >> /etc/nginx/.htpasswd"
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"  # you will be prompt for password

sudo nano /etc/nginx/sites-enabled/default 

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
Retrieved from "https://wiki.herrerosolis.com/index.php?title=Nginx&oldid=1285"