Difference between revisions of "Nginx"
Jump to navigation
Jump to search
Rafahsolis (talk | contribs) |
Rafahsolis (talk | contribs) m (→Example 1) Tag: visualeditor |
||
| Line 1: | Line 1: | ||
| − | == Django site-available (HTTPS)== | + | ==Django site-available (HTTPS)== |
<nowiki>upstream leaks { | <nowiki>upstream leaks { | ||
| − | + | server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock; | |
| + | } | ||
| + | |||
| + | server { | ||
| + | listen 443 ssl; | ||
| + | server_name leaks.rra.lan; | ||
| + | charset utf-8; | ||
| + | client_max_body_size 4G; | ||
| + | ssl on; | ||
| + | ssl_certificate /etc/ssl/certs/redteamweb.crt; | ||
| + | ssl_certificate_key /etc/ssl/private/redteamweb.key; | ||
| + | ssl_protocols TLSv1.2; | ||
| + | ssl_prefer_server_ciphers on; | ||
| + | ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DDS"; | ||
| + | |||
| + | location /media { | ||
| + | alias /var/www/leaks/media; # your Django project's media files | ||
| + | } | ||
| + | |||
| + | location /static { | ||
| + | alias /var/www/leaks/static; # your Django project's static files | ||
| + | } | ||
| + | |||
| + | location / { | ||
| + | proxy_pass http://leaks; | ||
| + | include /etc/nginx/uwsgi_params; | ||
| + | proxy_set_header Host $host; | ||
| + | proxy_set_header X-Real-IP $remote_addr; | ||
| + | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| + | proxy_set_header X-Forwarded-Proto https; | ||
| + | # proxy_read_timeout 300s; | ||
| + | # proxy_connect_timeout 300; | ||
| + | # proxy_send_timeout 300; | ||
| + | # send_timeout 300; | ||
| + | } | ||
| + | }</nowiki> | ||
| + | |||
| + | == Django Site with Let's Encrypt == | ||
| + | <syntaxhighlight lang="nginx"> | ||
| + | upstream apify { | ||
| + | server unix:/home/apify/ApiFy/apify.sock; | ||
} | } | ||
server { | server { | ||
| − | + | if ($host = apify.dyndns.org) { | |
| − | + | return 301 https://$host$request_uri; | |
| − | + | } # managed by Certbot | |
| − | + | ||
| − | + | ||
| − | + | listen 80 ; | |
| − | + | server_name apify.dyndns.org; | |
| − | + | return 404; # managed by Certbot | |
| − | + | } | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | server { | |
| − | + | server_name apify.dyndns.org; # managed by Certbot | |
| − | + | charset utf-8; | |
location / { | location / { | ||
| − | proxy_pass http:// | + | proxy_pass http://apify; |
include /etc/nginx/uwsgi_params; | include /etc/nginx/uwsgi_params; | ||
proxy_set_header Host $host; | proxy_set_header Host $host; | ||
| Line 31: | Line 67: | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto https; | proxy_set_header X-Forwarded-Proto https; | ||
| − | + | proxy_connect_timeout 6000; | |
| − | + | proxy_send_timeout 6000; | |
| − | + | proxy_read_timeout 6000; | |
| − | + | send_timeout 6000; | |
| + | |||
} | } | ||
| − | |||
| − | + | location /static { | |
| − | + | alias /var/www/ApiFy/static; | |
| − | + | } | |
| − | |||
| − | |||
| − | |||
| − | } | ||
| − | + | listen 443 ssl; # managed by Certbot | |
| − | + | ssl_certificate /etc/letsencrypt/live/apify.dyndns.org/fullchain.pem; # managed by Certbot | |
| − | + | ssl_certificate_key /etc/letsencrypt/live/apify.dyndns.org/privkey.pem; # managed by Certbot | |
| − | + | include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
| + | ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | ||
| − | + | } | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | </syntaxhighlight> | |
| − | |||
| − | + | ==Example 1== | |
| − | + | <nowiki>server { | |
| − | + | #connections on port 80 should be redirected to port 443 | |
| − | + | listen 80; | |
| − | + | server_name localhost; | |
| − | + | return 301 https://$host$request_uri; | |
| − | + | } | |
| − | + | ||
| − | + | server { | |
| − | + | #connections on port 443 should use ssl | |
| − | + | listen 443 ssl; | |
| − | + | server_name localhost; | |
| − | + | ||
| − | + | #specify the ssl certifcate and key file | |
| − | + | ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt; | |
| − | + | ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key; | |
| − | + | ||
| − | + | root /srv/insight/www; | |
| − | + | ||
| − | + | access_log /var/log/nginx/webconfig.ssl.access.log; | |
| − | + | error_log /var/log/nginx/webconfig.ssl.error.log; | |
| − | + | ||
| − | + | include fastcgi_params; | |
| − | + | ||
| − | + | #increase the max body size to support uploading system images | |
| − | + | client_max_body_size 1g; | |
| − | + | ||
| − | + | location / { | |
| − | + | #attempt to serve static files first | |
| − | + | #if that fails send request along to the webconfig app | |
| − | + | try_files $uri @webconfig; | |
| − | + | } | |
| − | }</nowiki> | + | |
| + | location @webconfig { | ||
| + | #don't cache content generated by the webconfig | ||
| + | expires -1; | ||
| + | fastcgi_read_timeout 3m; | ||
| + | fastcgi_send_timeout 90m; | ||
| + | fastcgi_pass unix:/tmp/insight.wsgi.sock; | ||
| + | fastcgi_param GATEWAY_INTERFACE CGI/1.1; | ||
| + | fastcgi_param QUERY_STRING $query_string; | ||
| + | fastcgi_param REQUEST_METHOD $request_method; | ||
| + | fastcgi_param CONTENT_TYPE $content_type; | ||
| + | fastcgi_param CONTENT_LENGTH $content_length; | ||
| + | fastcgi_param REQUEST_URI $request_uri; | ||
| + | fastcgi_param DOCUMENT_URI $document_uri; | ||
| + | fastcgi_param DOCUMENT_ROOT $document_root; | ||
| + | fastcgi_param REMOTE_ADDR $remote_addr; | ||
| + | fastcgi_param REMOTE_PORT $remote_port; | ||
| + | fastcgi_param SERVER_PROTOCOL $server_protocol; | ||
| + | fastcgi_param SERVER_NAME $server_name; | ||
| + | fastcgi_param SERVER_PORT $server_port; | ||
| + | fastcgi_param HTTPS on; | ||
| + | } | ||
| + | }</nowiki> | ||
| − | == Example 2 == | + | ==Example 2== |
<nowiki>server { | <nowiki>server { | ||
| − | + | listen 8080; | |
| − | + | server_name localhost; | |
| − | + | return 301 https://$host:8443$request_uri; | |
| − | } | + | } |
| − | + | ||
| − | server { | + | server { |
| − | + | listen 8443 ssl; | |
| − | + | server_name localhost; | |
| + | |||
| + | ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt; | ||
| + | ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key; | ||
| + | |||
| + | access_log /var/log/nginx/kibana.ssl.access.log; | ||
| + | error_log /var/log/nginx/kibana.ssl.error.log; | ||
| + | |||
| + | # TODO: decide on authentication | ||
| + | auth_basic "Restricted Access"; | ||
| + | auth_basic_user_file /etc/nginx/.htpasswd; | ||
| + | |||
| + | location / { | ||
| + | proxy_pass http://localhost:5601; | ||
| + | proxy_http_version 1.1; | ||
| + | proxy_set_header Upgrade $http_upgrade; | ||
| + | proxy_set_header Connection 'upgrade'; | ||
| + | proxy_set_header Host $host; | ||
| + | proxy_cache_bypass $http_upgrade; | ||
| + | } | ||
| + | }</nowiki> | ||
| − | + | ==Redirect HTTP to HTTPS== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | == Redirect HTTP to HTTPS == | ||
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf | Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf | ||
<nowiki>server { | <nowiki>server { | ||
| − | + | listen 80; | |
| − | + | rewrite ^(.*) https://$host$1 permanent; | |
| − | }</nowiki> | + | }</nowiki> |
enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS<br /> | enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS<br /> | ||
Restart Nginx service: sudo service nginx restart | Restart Nginx service: sudo service nginx restart | ||
| − | == Password protected == | + | ==Password protected== |
Create a /etc/nginx/.htpasswd | Create a /etc/nginx/.htpasswd | ||
| − | + | <source lang="bash">sudo sh -c "echo -n 'sammy:' >> /etc/nginx/.htpasswd" | |
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd" # you will be prompt for password</source> | sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd" # you will be prompt for password</source> | ||
sudo nano /etc/nginx/sites-enabled/default | sudo nano /etc/nginx/sites-enabled/default | ||
<nowiki>server { | <nowiki>server { | ||
| − | + | listen 80 default_server; | |
| − | + | listen [::]:80 default_server ipv6only=on; | |
| − | + | ||
| − | + | root /usr/share/nginx/html; | |
| − | + | index index.html index.htm; | |
| − | + | ||
| − | + | server_name localhost; | |
| − | + | ||
| − | + | location / { | |
| − | + | try_files $uri $uri/ =404; | |
| − | + | auth_basic "Restricted Content"; | |
| − | + | auth_basic_user_file /etc/nginx/.htpasswd; | |
| − | + | } | |
| − | }</nowiki> | + | }</nowiki> |
| − | == Solve Nginx 504 Gateway Timeout == | + | ==Solve Nginx 504 Gateway Timeout== |
| − | === Global === | + | ===Global=== |
Add the folowing lines to /etc/nginx/nginx.conf | Add the folowing lines to /etc/nginx/nginx.conf | ||
<nowiki>http { | <nowiki>http { | ||
| − | + | ... | |
| − | + | proxy_connect_timeout 600; | |
| − | + | proxy_send_timeout 600; | |
| − | + | proxy_read_timeout 600; | |
| − | + | ... | |
| − | }</nowiki> | + | }</nowiki> |
| − | === For one location === | + | ===For one location=== |
At the site-available file add: | At the site-available file add: | ||
<nowiki>... | <nowiki>... | ||
| − | + | location / { | |
| − | + | ... | |
| − | + | proxy_connect_timeout 300; | |
| − | + | proxy_send_timeout 300; | |
| − | + | proxy_read_timeout 300; | |
| − | + | send_timeout 300; | |
| − | + | ... | |
| − | + | } | |
| − | + | ...</nowiki> | |
Revision as of 12:05, 28 March 2019
Django site-available (HTTPS)
upstream leaks {
server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
}
server {
listen 443 ssl;
server_name leaks.rra.lan;
charset utf-8;
client_max_body_size 4G;
ssl on;
ssl_certificate /etc/ssl/certs/redteamweb.crt;
ssl_certificate_key /etc/ssl/private/redteamweb.key;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DDS";
location /media {
alias /var/www/leaks/media; # your Django project's media files
}
location /static {
alias /var/www/leaks/static; # your Django project's static files
}
location / {
proxy_pass http://leaks;
include /etc/nginx/uwsgi_params;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# proxy_read_timeout 300s;
# proxy_connect_timeout 300;
# proxy_send_timeout 300;
# send_timeout 300;
}
}
Django Site with Let's Encrypt
upstream apify {
server unix:/home/apify/ApiFy/apify.sock;
}
server {
if ($host = apify.dyndns.org) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
server_name apify.dyndns.org;
return 404; # managed by Certbot
}
server {
server_name apify.dyndns.org; # managed by Certbot
charset utf-8;
location / {
proxy_pass http://apify;
include /etc/nginx/uwsgi_params;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_connect_timeout 6000;
proxy_send_timeout 6000;
proxy_read_timeout 6000;
send_timeout 6000;
}
location /static {
alias /var/www/ApiFy/static;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/apify.dyndns.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/apify.dyndns.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Example 1
server {
#connections on port 80 should be redirected to port 443
listen 80;
server_name localhost;
return 301 https://$host$request_uri;
}
server {
#connections on port 443 should use ssl
listen 443 ssl;
server_name localhost;
#specify the ssl certifcate and key file
ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
root /srv/insight/www;
access_log /var/log/nginx/webconfig.ssl.access.log;
error_log /var/log/nginx/webconfig.ssl.error.log;
include fastcgi_params;
#increase the max body size to support uploading system images
client_max_body_size 1g;
location / {
#attempt to serve static files first
#if that fails send request along to the webconfig app
try_files $uri @webconfig;
}
location @webconfig {
#don't cache content generated by the webconfig
expires -1;
fastcgi_read_timeout 3m;
fastcgi_send_timeout 90m;
fastcgi_pass unix:/tmp/insight.wsgi.sock;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param HTTPS on;
}
}
Example 2
server {
listen 8080;
server_name localhost;
return 301 https://$host:8443$request_uri;
}
server {
listen 8443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
access_log /var/log/nginx/kibana.ssl.access.log;
error_log /var/log/nginx/kibana.ssl.error.log;
# TODO: decide on authentication
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Redirect HTTP to HTTPS
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf
server {
listen 80;
rewrite ^(.*) https://$host$1 permanent;
}
enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS
Restart Nginx service: sudo service nginx restart
Password protected
Create a /etc/nginx/.htpasswd
sudo sh -c "echo -n 'sammy:' >> /etc/nginx/.htpasswd"
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd" # you will be prompt for password
sudo nano /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
server_name localhost;
location / {
try_files $uri $uri/ =404;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
Solve Nginx 504 Gateway Timeout
Global
Add the folowing lines to /etc/nginx/nginx.conf
http {
...
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
...
}
For one location
At the site-available file add:
...
location / {
...
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
...
}
...