Changes

Nginx (edit)

Revision as of 11:02, 29 March 2019

152 bytes added , 11:02, 29 March 2019

m

→‎Django site-available (HTTPS)

Line 31: Line 31:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto https;

+

# proxy_ssl_verify off;

# proxy_read_timeout 300s;

# proxy_connect_timeout 300;

Line 38: Line 39:

}</syntaxhighlight>

−

== Django Site with Let's Encrypt ==

+

==Django Site with Let's Encrypt==

<syntaxhighlight lang="nginx">upstream apify {

server unix:/home/apify/ApiFy/apify.sock;

Line 87: Line 88:

==Example 1==

<nowiki>server {

−

#connections on port 80 should be redirected to port 443

+

#connections on port 80 should be redirected to port 443

−

listen 80;

+

listen 80;

−

server_name localhost;

+

server_name localhost;

−

return 301 https://$host$request_uri;

+

return 301 https://$host$request_uri;

−

}

+

}

−

+

−

server {

+

server {

−

#connections on port 443 should use ssl

+

#connections on port 443 should use ssl

−

listen 443 ssl;

+

listen 443 ssl;

−

server_name localhost;

+

server_name localhost;

−

+

−

#specify the ssl certifcate and key file

+

#specify the ssl certifcate and key file

−

ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;

+

ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;

−

ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;

+

ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;

−

+

−

root /srv/insight/www;

+

root /srv/insight/www;

−

+

−

access_log /var/log/nginx/webconfig.ssl.access.log;

+

access_log /var/log/nginx/webconfig.ssl.access.log;

−

error_log /var/log/nginx/webconfig.ssl.error.log;

+

error_log /var/log/nginx/webconfig.ssl.error.log;

−

+

−

include fastcgi_params;

+

include fastcgi_params;

−

+

−

#increase the max body size to support uploading system images

+

#increase the max body size to support uploading system images

−

client_max_body_size 1g;

+

client_max_body_size 1g;

−

+

−

location / {

+

location / {

−

#attempt to serve static files first

+

#attempt to serve static files first

−

#if that fails send request along to the webconfig app

+

#if that fails send request along to the webconfig app

−

try_files $uri @webconfig;

+

try_files $uri @webconfig;

−

}

+

}

−

+

−

location @webconfig {

+

location @webconfig {

−

#don't cache content generated by the webconfig

+

#don't cache content generated by the webconfig

−

expires -1;

+

expires -1;

−

fastcgi_read_timeout 3m;

+

fastcgi_read_timeout 3m;

−

fastcgi_send_timeout 90m;

+

fastcgi_send_timeout 90m;

−

fastcgi_pass unix:/tmp/insight.wsgi.sock;

+

fastcgi_pass unix:/tmp/insight.wsgi.sock;

−

fastcgi_param GATEWAY_INTERFACE CGI/1.1;

+

fastcgi_param GATEWAY_INTERFACE CGI/1.1;

−

fastcgi_param QUERY_STRING $query_string;

+

fastcgi_param QUERY_STRING $query_string;

−

fastcgi_param REQUEST_METHOD $request_method;

+

fastcgi_param REQUEST_METHOD $request_method;

−

fastcgi_param CONTENT_TYPE $content_type;

+

fastcgi_param CONTENT_TYPE $content_type;

−

fastcgi_param CONTENT_LENGTH $content_length;

+

fastcgi_param CONTENT_LENGTH $content_length;

−

fastcgi_param REQUEST_URI $request_uri;

+

fastcgi_param REQUEST_URI $request_uri;

−

fastcgi_param DOCUMENT_URI $document_uri;

+

fastcgi_param DOCUMENT_URI $document_uri;

−

fastcgi_param DOCUMENT_ROOT $document_root;

+

fastcgi_param DOCUMENT_ROOT $document_root;

−

fastcgi_param REMOTE_ADDR $remote_addr;

+

fastcgi_param REMOTE_ADDR $remote_addr;

−

fastcgi_param REMOTE_PORT $remote_port;

+

fastcgi_param REMOTE_PORT $remote_port;

−

fastcgi_param SERVER_PROTOCOL $server_protocol;

+

fastcgi_param SERVER_PROTOCOL $server_protocol;

−

fastcgi_param SERVER_NAME $server_name;

+

fastcgi_param SERVER_NAME $server_name;

−

fastcgi_param SERVER_PORT $server_port;

+

fastcgi_param SERVER_PORT $server_port;

−

fastcgi_param HTTPS on;

+

fastcgi_param HTTPS on;

−

}

+

}

−

}</nowiki>

+

}</nowiki>

==Example 2==

<nowiki>server {

−

listen 8080;

+

listen 8080;

−

server_name localhost;

+

server_name localhost;

−

return 301 https://$host:8443$request_uri;

+

return 301 https://$host:8443$request_uri;

−

}

+

}

−

+

−

server {

+

server {

−

listen 8443 ssl;

+

listen 8443 ssl;

−

server_name localhost;

+

server_name localhost;

−

+

−

ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;

+

ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;

−

ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;

+

ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;

−

+

−

access_log /var/log/nginx/kibana.ssl.access.log;

+

access_log /var/log/nginx/kibana.ssl.access.log;

−

error_log /var/log/nginx/kibana.ssl.error.log;

+

error_log /var/log/nginx/kibana.ssl.error.log;

−

+

−

# TODO: decide on authentication

+

# TODO: decide on authentication

−

auth_basic "Restricted Access";

+

auth_basic "Restricted Access";

−

auth_basic_user_file /etc/nginx/.htpasswd;

+

auth_basic_user_file /etc/nginx/.htpasswd;

−

+

−

location / {

+

location / {

−

proxy_pass http://localhost:5601;

+

proxy_pass http://localhost:5601;

−

proxy_http_version 1.1;

+

proxy_http_version 1.1;

−

proxy_set_header Upgrade $http_upgrade;

+

proxy_set_header Upgrade $http_upgrade;

−

proxy_set_header Connection 'upgrade';

+

proxy_set_header Connection 'upgrade';

−

proxy_set_header Host $host;

+

proxy_set_header Host $host;

−

proxy_cache_bypass $http_upgrade;

+

proxy_cache_bypass $http_upgrade;

−

}

+

}

−

}</nowiki>

+

}</nowiki>

==Redirect HTTP to HTTPS==

Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf

<nowiki>server {

−

listen 80;

+

listen 80;

−

rewrite ^(.*) https://$host$1 permanent;

+

rewrite ^(.*) https://$host$1 permanent;

−

}</nowiki>

+

}</nowiki>

enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS<br />

Restart Nginx service: sudo service nginx restart

Line 188: Line 189:

sudo nano /etc/nginx/sites-enabled/default

<nowiki>server {

−

listen 80 default_server;

+

listen 80 default_server;

−

listen [::]:80 default_server ipv6only=on;

+

listen [::]:80 default_server ipv6only=on;

−

+

−

root /usr/share/nginx/html;

+

root /usr/share/nginx/html;

−

index index.html index.htm;

+

index index.html index.htm;

−

+

−

server_name localhost;

+

server_name localhost;

−

+

−

location / {

+

location / {

−

try_files $uri $uri/ =404;

+

try_files $uri $uri/ =404;

−

auth_basic "Restricted Content";

+

auth_basic "Restricted Content";

−

auth_basic_user_file /etc/nginx/.htpasswd;

+

auth_basic_user_file /etc/nginx/.htpasswd;

−

}

+

}

−

}</nowiki>

+

}</nowiki>

==Solve Nginx 504 Gateway Timeout==

===Global===

Add the folowing lines to /etc/nginx/nginx.conf

<nowiki>http {

−

...

+

...

−

proxy_connect_timeout 600;

+

proxy_connect_timeout 600;

−

proxy_send_timeout 600;

+

proxy_send_timeout 600;

−

proxy_read_timeout 600;

+

proxy_read_timeout 600;

−

...

+

...

−

}</nowiki>

+

}</nowiki>

===For one location===

At the site-available file add:

<nowiki>...

−

location / {

+

location / {

−

...

+

...

−

proxy_connect_timeout 300;

+

proxy_connect_timeout 300;

−

proxy_send_timeout 300;

+

proxy_send_timeout 300;

−

proxy_read_timeout 300;

+

proxy_read_timeout 300;

−

send_timeout 300;

+

send_timeout 300;

−

...

+

...

−

}

+

}

−

...</nowiki>

+

...</nowiki>

Rafahsolis

Bureaucrats, Administrators

2,306

edits

Changes

Nginx (edit)

Revision as of 11:02, 29 March 2019

Navigation menu

Search