Changes

Jump to navigation Jump to search

Nginx (edit)

Revision as of 08:39, 11 July 2019

2,810 bytes added ,  08:39, 11 July 2019
m
→‎Django Site with Let's Encrypt
Line 1: Line 1: −
== Django site-available (HTTPS)==
+
==Django site-available (HTTPS)==
<nowiki>upstream leaks {
+
<syntaxhighlight lang="nginx">upstream leaks {
    server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
+
    server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
 +
}
 +
 +
server {
 +
        listen 443 ssl;
 +
        server_name leaks.rra.lan;
 +
        charset utf-8;
 +
        client_max_body_size 4G;
 +
        ssl on;
 +
        ssl_certificate /etc/ssl/certs/redteamweb.crt;
 +
        ssl_certificate_key /etc/ssl/private/redteamweb.key;
 +
        ssl_protocols TLSv1.2;
 +
        ssl_prefer_server_ciphers on;
 +
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DDS";
 +
 +
        location /media  {
 +
            alias /var/www/leaks/media;      # your Django project's media files
 +
        }
 +
 +
        location /static {
 +
            alias /var/www/leaks/static;    # your Django project's static files
 +
        }
 +
 +
        location / {
 +
                proxy_pass http://leaks;
 +
                include /etc/nginx/uwsgi_params;
 +
                proxy_set_header Host $host;
 +
                proxy_set_header X-Real-IP $remote_addr;
 +
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
                proxy_set_header X-Forwarded-Proto https;
 +
                # proxy_ssl_verify off;
 +
                # proxy_read_timeout          300s;
 +
                # proxy_connect_timeout      300;
 +
                # proxy_send_timeout          300;
 +
                # send_timeout                300;
 +
        }
 +
}</syntaxhighlight>
 +
 
 +
== ssl-options.conf ==
 +
<syntaxhighlight lang="nginx">
 +
ssl_session_cache shared:le_nginx_SSL:1m;
 +
ssl_session_timeout 1440m;
 +
 
 +
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 +
ssl_prefer_server_ciphers on;
 +
 
 +
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 +
 
 +
</syntaxhighlight>
 +
 
 +
==Django Site with Let's Encrypt==
 +
<syntaxhighlight lang="nginx">upstream apify {
 +
    server unix:/home/apify/ApiFy/apify.sock;
 
}
 
}
    
server {
 
server {
        listen 443 ssl;
+
    if ($host = apify.dyndns.org) {
        server_name leaks.rra.lan;
+
         return 301 https://$host$request_uri;
         charset utf-8;
+
    } # managed by Certbot
        client_max_body_size 4G;
+
 
        ssl on;
+
 
        ssl_certificate /etc/ssl/certs/redteamweb.crt;
+
    listen 80 ;
        ssl_certificate_key /etc/ssl/private/redteamweb.key;
+
    server_name apify.dyndns.org;
        ssl_protocols TLSv1.2;
+
    return 404; # managed by Certbot
        ssl_prefer_server_ciphers on;
+
}
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DDS";
     −
        location /media  {
  −
            alias /var/www/leaks/media;      # your Django project's media files
  −
        }
     −
        location /static {
+
server {
            alias /var/www/leaks/static;     # your Django project's static files
+
        server_name apify.dyndns.org; # managed by Certbot
         }
+
         charset utf-8;
    
         location / {
 
         location / {
                 proxy_pass http://leaks;
+
                 proxy_pass http://apify;
 
                 include /etc/nginx/uwsgi_params;
 
                 include /etc/nginx/uwsgi_params;
 
                 proxy_set_header Host $host;
 
                 proxy_set_header Host $host;
Line 31: Line 79:  
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
                 proxy_set_header X-Forwarded-Proto https;
 
                 proxy_set_header X-Forwarded-Proto https;
 +
                proxy_connect_timeout      6000;
 +
                proxy_send_timeout          6000;
 +
                proxy_read_timeout          6000;
 +
                send_timeout                6000;
 +
 
         }
 
         }
}</nowiki>
     −
== Example 1 ==
+
        location /static {
<nowiki>server {
+
            alias /var/www/ApiFy/static;
#connections on port 80 should be redirected to port 443
+
        }
listen 80;
  −
server_name localhost;
  −
return 301 https://$host$request_uri;
  −
}
     −
server {
+
    listen 443 ssl; # managed by Certbot
#connections on port 443 should use ssl
+
    ssl_certificate /etc/letsencrypt/live/apify.dyndns.org/fullchain.pem; # managed by Certbot
listen 443 ssl;
+
    ssl_certificate_key /etc/letsencrypt/live/apify.dyndns.org/privkey.pem; # managed by Certbot
server_name localhost;
+
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 +
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
   −
#specify the ssl certifcate and key file
+
}</syntaxhighlight>
ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
  −
ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
  −
  −
root /srv/insight/www;
     −
access_log /var/log/nginx/webconfig.ssl.access.log;
+
==Example 1==
error_log /var/log/nginx/webconfig.ssl.error.log;
+
<nowiki>server {
 +
  #connections on port 80 should be redirected to port 443
 +
  listen 80;
 +
  server_name localhost;
 +
  return 301 https://$host$request_uri;
 +
  }
 +
 
 +
  server {
 +
  #connections on port 443 should use ssl
 +
  listen 443 ssl;
 +
  server_name localhost;
 +
 
 +
  #specify the ssl certifcate and key file
 +
  ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
 +
  ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
 +
 
 +
  root /srv/insight/www;
 +
 
 +
  access_log /var/log/nginx/webconfig.ssl.access.log;
 +
  error_log /var/log/nginx/webconfig.ssl.error.log;
 +
 
 +
  include fastcgi_params;
 +
 
 +
      #increase the max body size to support uploading system images
 +
      client_max_body_size 1g;
 +
     
 +
  location / {
 +
  #attempt to serve static files first
 +
  #if that fails send request along to the webconfig app
 +
  try_files $uri @webconfig;
 +
  }
 +
 
 +
  location @webconfig {
 +
  #don't cache content generated by the webconfig
 +
  expires -1;
 +
          fastcgi_read_timeout 3m;
 +
          fastcgi_send_timeout 90m;
 +
  fastcgi_pass unix:/tmp/insight.wsgi.sock;
 +
  fastcgi_param GATEWAY_INTERFACE CGI/1.1;
 +
  fastcgi_param QUERY_STRING $query_string;
 +
  fastcgi_param REQUEST_METHOD $request_method;
 +
  fastcgi_param CONTENT_TYPE $content_type;
 +
  fastcgi_param CONTENT_LENGTH $content_length;
 +
  fastcgi_param REQUEST_URI $request_uri;
 +
  fastcgi_param DOCUMENT_URI $document_uri;
 +
  fastcgi_param DOCUMENT_ROOT $document_root;
 +
  fastcgi_param REMOTE_ADDR $remote_addr;
 +
  fastcgi_param REMOTE_PORT $remote_port;
 +
  fastcgi_param SERVER_PROTOCOL $server_protocol;
 +
  fastcgi_param SERVER_NAME $server_name;
 +
  fastcgi_param SERVER_PORT $server_port;
 +
  fastcgi_param HTTPS on;
 +
  }
 +
  }</nowiki>
   −
include fastcgi_params;
+
==Example 2==
 
  −
    #increase the max body size to support uploading system images
  −
    client_max_body_size 1g;
  −
   
  −
location / {
  −
#attempt to serve static files first
  −
#if that fails send request along to the webconfig app
  −
try_files $uri @webconfig;
  −
}
  −
 
  −
location @webconfig {
  −
#don't cache content generated by the webconfig
  −
expires -1;
  −
        fastcgi_read_timeout 3m;
  −
        fastcgi_send_timeout 90m;
  −
fastcgi_pass unix:/tmp/insight.wsgi.sock;
  −
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
  −
fastcgi_param QUERY_STRING $query_string;
  −
fastcgi_param REQUEST_METHOD $request_method;
  −
fastcgi_param CONTENT_TYPE $content_type;
  −
fastcgi_param CONTENT_LENGTH $content_length;
  −
fastcgi_param REQUEST_URI $request_uri;
  −
fastcgi_param DOCUMENT_URI $document_uri;
  −
fastcgi_param DOCUMENT_ROOT $document_root;
  −
fastcgi_param REMOTE_ADDR $remote_addr;
  −
fastcgi_param REMOTE_PORT $remote_port;
  −
fastcgi_param SERVER_PROTOCOL $server_protocol;
  −
fastcgi_param SERVER_NAME $server_name;
  −
fastcgi_param SERVER_PORT $server_port;
  −
fastcgi_param HTTPS on;
  −
}
  −
}</nowiki>
  −
 
  −
== Example 2 ==
   
  <nowiki>server {
 
  <nowiki>server {
listen 8080;
+
  listen 8080;
server_name localhost;
+
  server_name localhost;
return 301 https://$host:8443$request_uri;
+
  return 301 https://$host:8443$request_uri;
}
+
  }
 +
 
 +
  server {
 +
  listen 8443 ssl;
 +
  server_name localhost;
 +
 
 +
  ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
 +
  ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
 +
 
 +
  access_log /var/log/nginx/kibana.ssl.access.log;
 +
  error_log /var/log/nginx/kibana.ssl.error.log;
 +
 
 +
  # TODO: decide on authentication
 +
  auth_basic "Restricted Access";
 +
  auth_basic_user_file /etc/nginx/.htpasswd;
 +
 
 +
  location / {
 +
  proxy_pass http://localhost:5601;
 +
  proxy_http_version 1.1;
 +
  proxy_set_header Upgrade $http_upgrade;
 +
  proxy_set_header Connection 'upgrade';
 +
  proxy_set_header Host $host;
 +
  proxy_cache_bypass $http_upgrade;
 +
  }
 +
  }</nowiki>
   −
server {
+
==Redirect HTTP to HTTPS==
listen 8443 ssl;
  −
server_name localhost;
  −
 
  −
ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
  −
ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
  −
 
  −
access_log /var/log/nginx/kibana.ssl.access.log;
  −
error_log /var/log/nginx/kibana.ssl.error.log;
  −
 
  −
# TODO: decide on authentication
  −
auth_basic "Restricted Access";
  −
auth_basic_user_file /etc/nginx/.htpasswd;
  −
 
  −
location / {
  −
proxy_pass http://localhost:5601;
  −
proxy_http_version 1.1;
  −
proxy_set_header Upgrade $http_upgrade;
  −
proxy_set_header Connection 'upgrade';
  −
proxy_set_header Host $host;
  −
proxy_cache_bypass $http_upgrade;
  −
                # proxy_read_timeout 300s;
  −
                # proxy_connect_timeout      300;
  −
                # proxy_send_timeout          300;
  −
                # send_timeout                300;
  −
}
  −
}</nowiki>
  −
 
  −
== Redirect HTTP to HTTPS ==
   
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf
 
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf
 
  <nowiki>server {
 
  <nowiki>server {
    listen 80;
+
      listen 80;
    rewrite ^(.*) https://$host$1 permanent;
+
      rewrite ^(.*) https://$host$1 permanent;
}</nowiki>
+
  }</nowiki>
 
enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS<br />
 
enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS<br />
 
Restart Nginx service: sudo service nginx restart
 
Restart Nginx service: sudo service nginx restart
   −
== Password protected ==
+
==Password protected==
 
Create a /etc/nginx/.htpasswd
 
Create a /etc/nginx/.htpasswd
<source lang="bash">sudo sh -c "echo -n 'sammy:' >> /etc/nginx/.htpasswd"
+
<source lang="bash">sudo sh -c "echo -n 'sammy:' >> /etc/nginx/.htpasswd"
 
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"  # you will be prompt for password</source>
 
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"  # you will be prompt for password</source>
    
sudo nano /etc/nginx/sites-enabled/default
 
sudo nano /etc/nginx/sites-enabled/default
 
  <nowiki>server {
 
  <nowiki>server {
    listen 80 default_server;
+
      listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
+
      listen [::]:80 default_server ipv6only=on;
 
+
 
    root /usr/share/nginx/html;
+
      root /usr/share/nginx/html;
    index index.html index.htm;
+
      index index.html index.htm;
 
+
 
    server_name localhost;
+
      server_name localhost;
 
+
 
    location / {
+
      location / {
        try_files $uri $uri/ =404;
+
          try_files $uri $uri/ =404;
        auth_basic "Restricted Content";
+
          auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
+
          auth_basic_user_file /etc/nginx/.htpasswd;
    }
+
      }
}</nowiki>
+
  }</nowiki>
== Solve Nginx 504 Gateway Timeout ==
+
==Solve Nginx 504 Gateway Timeout==
=== Global ===
+
===Global===
 
Add the folowing lines to /etc/nginx/nginx.conf
 
Add the folowing lines to /etc/nginx/nginx.conf
 
  <nowiki>http {
 
  <nowiki>http {
        ...
+
          ...
        proxy_connect_timeout  600;
+
          proxy_connect_timeout  600;
        proxy_send_timeout      600;
+
          proxy_send_timeout      600;
        proxy_read_timeout      600;
+
          proxy_read_timeout      600;
        ...
+
          ...
}</nowiki>
+
  }</nowiki>
=== For one location ===
+
===For one location===
 
At the site-available file add:  
 
At the site-available file add:  
 
  <nowiki>...
 
  <nowiki>...
    location / {
+
      location / {
        ...
+
          ...
        proxy_connect_timeout      300;
+
          proxy_connect_timeout      300;
        proxy_send_timeout          300;
+
          proxy_send_timeout          300;
        proxy_read_timeout          300;
+
          proxy_read_timeout          300;
        send_timeout                300;
+
          send_timeout                300;
        ...
+
          ...
    }
+
      }
    ...</nowiki>
+
      ...</nowiki>
Retrieved from "https://wiki.herrerosolis.com/index.php/Special:MobileDiff/1732...1954"

Navigation menu