2,306
edits
Changes
Jump to navigation
Jump to search
mLine 1:
Line 1: − <nowiki>upstream leaks {+ Line 31:
Line 31: + Line 36:
Line 37: − + − + − + + + + + + + + + + + + Line 84:
Line 96: − + − − − #connections on port 80 should be redirected to port 443+ − listen 80;+ − server_name localhost;+ − return 301 https://$host$request_uri;+ − }+ − + − server {+ − #connections on port 443 should use ssl+ − listen 443 ssl;+ − server_name localhost;+ − + − #specify the ssl certifcate and key file+ − ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;+ − ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;+ − + − root /srv/insight/www;+ − + − access_log /var/log/nginx/webconfig.ssl.access.log;+ − error_log /var/log/nginx/webconfig.ssl.error.log;+ − + − include fastcgi_params;+ − + − #increase the max body size to support uploading system images+ − client_max_body_size 1g;+ − + − location / {+ − #attempt to serve static files first+ − #if that fails send request along to the webconfig app+ − try_files $uri @webconfig;+ − }+ − + − location @webconfig {+ − #don't cache content generated by the webconfig+ − expires -1;+ − fastcgi_read_timeout 3m;+ − fastcgi_send_timeout 90m;+ − fastcgi_pass unix:/tmp/insight.wsgi.sock;+ − fastcgi_param GATEWAY_INTERFACE CGI/1.1;+ − fastcgi_param QUERY_STRING $query_string;+ − fastcgi_param REQUEST_METHOD $request_method;+ − fastcgi_param CONTENT_TYPE $content_type;+ − fastcgi_param CONTENT_LENGTH $content_length;+ − fastcgi_param REQUEST_URI $request_uri;+ − fastcgi_param DOCUMENT_URI $document_uri;+ − fastcgi_param DOCUMENT_ROOT $document_root;+ − fastcgi_param REMOTE_ADDR $remote_addr;+ − fastcgi_param REMOTE_PORT $remote_port;+ − fastcgi_param SERVER_PROTOCOL $server_protocol;+ − fastcgi_param SERVER_NAME $server_name;+ − fastcgi_param SERVER_PORT $server_port;+ − fastcgi_param HTTPS on;+ − }+ − }</nowiki>+ − listen 8080;+ − server_name localhost;+ − return 301 https://$host:8443$request_uri;+ − }+ − + − server {+ − listen 8443 ssl;+ − server_name localhost;+ − + − ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;+ − ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;+ − + − access_log /var/log/nginx/kibana.ssl.access.log;+ − error_log /var/log/nginx/kibana.ssl.error.log;+ − + − # TODO: decide on authentication+ − auth_basic "Restricted Access";+ − auth_basic_user_file /etc/nginx/.htpasswd;+ − + − location / {+ − proxy_pass http://localhost:5601;+ − proxy_http_version 1.1;+ − proxy_set_header Upgrade $http_upgrade;+ − proxy_set_header Connection 'upgrade';+ − proxy_set_header Host $host;+ − proxy_cache_bypass $http_upgrade;+ − }+ − }</nowiki>+ − listen 80;+ − rewrite ^(.*) https://$host$1 permanent;+ − }</nowiki>+ Line 191:
Line 201: − listen 80 default_server;+ − listen [::]:80 default_server ipv6only=on;+ − + − root /usr/share/nginx/html;+ − index index.html index.htm;+ − + − server_name localhost;+ − + − location / {+ − try_files $uri $uri/ =404;+ − auth_basic "Restricted Content";+ − auth_basic_user_file /etc/nginx/.htpasswd;+ − }+ − }</nowiki>+ − ...+ − proxy_connect_timeout 600;+ − proxy_send_timeout 600;+ − proxy_read_timeout 600;+ − ...+ − }</nowiki>+ − location / {+ − ...+ − proxy_connect_timeout 300;+ − proxy_send_timeout 300;+ − proxy_read_timeout 300;+ − send_timeout 300;+ − ...+ − }+ − ...</nowiki>+
→Django Site with Let's Encrypt
==Django site-available (HTTPS)==
==Django site-available (HTTPS)==
<syntaxhighlight lang="nginx">upstream leaks {
server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
}
}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Proto https;
# proxy_ssl_verify off;
# proxy_read_timeout 300s;
# proxy_read_timeout 300s;
# proxy_connect_timeout 300;
# proxy_connect_timeout 300;
# send_timeout 300;
# send_timeout 300;
}
}
}</nowiki>
}</syntaxhighlight>
== Django Site with Let's Encrypt ==
== ssl-options.conf ==
<syntaxhighlight lang="nginx">
<syntaxhighlight lang="nginx">
upstream apify {
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
</syntaxhighlight>
==Django Site with Let's Encrypt==
<syntaxhighlight lang="nginx">upstream apify {
server unix:/home/apify/ApiFy/apify.sock;
server unix:/home/apify/ApiFy/apify.sock;
}
}
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
}</syntaxhighlight>
</syntaxhighlight>
==Example 1==
==Example 1==
<nowiki>server {
<nowiki>server {
#connections on port 80 should be redirected to port 443
listen 80;
server_name localhost;
return 301 https://$host$request_uri;
}
server {
#connections on port 443 should use ssl
listen 443 ssl;
server_name localhost;
#specify the ssl certifcate and key file
ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
root /srv/insight/www;
access_log /var/log/nginx/webconfig.ssl.access.log;
error_log /var/log/nginx/webconfig.ssl.error.log;
include fastcgi_params;
#increase the max body size to support uploading system images
client_max_body_size 1g;
location / {
#attempt to serve static files first
#if that fails send request along to the webconfig app
try_files $uri @webconfig;
}
location @webconfig {
#don't cache content generated by the webconfig
expires -1;
fastcgi_read_timeout 3m;
fastcgi_send_timeout 90m;
fastcgi_pass unix:/tmp/insight.wsgi.sock;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param HTTPS on;
}
}</nowiki>
==Example 2==
==Example 2==
<nowiki>server {
<nowiki>server {
listen 8080;
server_name localhost;
return 301 https://$host:8443$request_uri;
}
server {
listen 8443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
access_log /var/log/nginx/kibana.ssl.access.log;
error_log /var/log/nginx/kibana.ssl.error.log;
# TODO: decide on authentication
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}</nowiki>
==Redirect HTTP to HTTPS==
==Redirect HTTP to HTTPS==
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf
Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf
<nowiki>server {
<nowiki>server {
listen 80;
rewrite ^(.*) https://$host$1 permanent;
}</nowiki>
enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS<br />
enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS<br />
Restart Nginx service: sudo service nginx restart
Restart Nginx service: sudo service nginx restart
sudo nano /etc/nginx/sites-enabled/default
sudo nano /etc/nginx/sites-enabled/default
<nowiki>server {
<nowiki>server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
server_name localhost;
location / {
try_files $uri $uri/ =404;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}</nowiki>
==Solve Nginx 504 Gateway Timeout==
==Solve Nginx 504 Gateway Timeout==
===Global===
===Global===
Add the folowing lines to /etc/nginx/nginx.conf
Add the folowing lines to /etc/nginx/nginx.conf
<nowiki>http {
<nowiki>http {
...
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
...
}</nowiki>
===For one location===
===For one location===
At the site-available file add:
At the site-available file add:
<nowiki>...
<nowiki>...
location / {
...
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
...
}
...</nowiki>