Difference between revisions of "Nginx"

Latest revision as of 08:39, 11 July 2019

Django site-available (HTTPS)[edit]

upstream leaks {
     server unix:/home/bbvaleaks/BBVALeaks/bbvaleaks.sock;
 }
 
 server {
         listen 443 ssl;
         server_name leaks.rra.lan;
         charset utf-8;
         client_max_body_size 4G;
         ssl on;
         ssl_certificate /etc/ssl/certs/redteamweb.crt;
         ssl_certificate_key /etc/ssl/private/redteamweb.key;
         ssl_protocols TLSv1.2;
         ssl_prefer_server_ciphers on;
         ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DDS";
 
         location /media  {
             alias /var/www/leaks/media;      # your Django project's media files
         }
 
         location /static {
             alias /var/www/leaks/static;     # your Django project's static files
         }
 
         location / {
                 proxy_pass http://leaks;
                 include /etc/nginx/uwsgi_params;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header X-Forwarded-Proto https;
                 # proxy_ssl_verify off;
                 # proxy_read_timeout          300s;
                 # proxy_connect_timeout       300;
                 # proxy_send_timeout          300;
                 # send_timeout                300;
         }
 }

ssl-options.conf[edit]

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

Django Site with Let's Encrypt[edit]

upstream apify {
    server unix:/home/apify/ApiFy/apify.sock;
}

server {
    if ($host = apify.dyndns.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 ;
    server_name apify.dyndns.org;
    return 404; # managed by Certbot
}


server {
        server_name apify.dyndns.org; # managed by Certbot
        charset utf-8;

        location / {
                proxy_pass http://apify;
                include /etc/nginx/uwsgi_params;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                proxy_connect_timeout       6000;
                proxy_send_timeout          6000;
                proxy_read_timeout          6000;
                send_timeout                6000;

        }

        location /static {
            alias /var/www/ApiFy/static;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/apify.dyndns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/apify.dyndns.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

Example 1[edit]

server {
   	#connections on port 80 should be redirected to port 443
   	listen	80;
   	server_name localhost;
   	return	301 https://$host$request_uri;
   }
   
   server {
   	#connections on port 443 should use ssl
   	listen 443 ssl;
   	server_name localhost;
   
   	#specify the ssl certifcate and key file
   	ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
   	ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
   	
   	root /srv/insight/www;
   
   	access_log /var/log/nginx/webconfig.ssl.access.log;
   	error_log /var/log/nginx/webconfig.ssl.error.log;
   
   	include fastcgi_params;
   
       #increase the max body size to support uploading system images
       client_max_body_size 1g;
       
   	location / {
   		#attempt to serve static files first
   		#if that fails send request along to the webconfig app
   		try_files $uri @webconfig;
   	}
   
   	location @webconfig {
   		#don't cache content generated by the webconfig
   		expires -1;
           fastcgi_read_timeout 3m;
           fastcgi_send_timeout 90m;
   		fastcgi_pass unix:/tmp/insight.wsgi.sock;
   		fastcgi_param GATEWAY_INTERFACE CGI/1.1;
   		fastcgi_param QUERY_STRING	$query_string;
   		fastcgi_param REQUEST_METHOD	$request_method;
   		fastcgi_param CONTENT_TYPE	$content_type;
   		fastcgi_param CONTENT_LENGTH	$content_length;
   		fastcgi_param REQUEST_URI	$request_uri;
   		fastcgi_param DOCUMENT_URI	$document_uri;
   		fastcgi_param DOCUMENT_ROOT	$document_root;
   		fastcgi_param REMOTE_ADDR	$remote_addr;
   		fastcgi_param REMOTE_PORT	$remote_port;
   		fastcgi_param SERVER_PROTOCOL	$server_protocol;
   		fastcgi_param SERVER_NAME	$server_name;
   		fastcgi_param SERVER_PORT	$server_port;
   		fastcgi_param HTTPS		on;
   	}
   }

Example 2[edit]

server {
   	listen 8080;
   	server_name localhost;
   	return 301 https://$host:8443$request_uri;
   }
   
   server {
   	listen 8443 ssl;
   	server_name localhost;
   
   	ssl_certificate /etc/ssl/certs/savvius.rra.lan.crt;
   	ssl_certificate_key /etc/ssl/private/savvius.rra.lan.key;
   
   	access_log /var/log/nginx/kibana.ssl.access.log;
   	error_log /var/log/nginx/kibana.ssl.error.log;
   
   	# TODO: decide on authentication
   	auth_basic "Restricted Access";
   	auth_basic_user_file /etc/nginx/.htpasswd;
   
   	location / {
   		proxy_pass http://localhost:5601;
   		proxy_http_version 1.1;
   		proxy_set_header Upgrade $http_upgrade;
   		proxy_set_header Connection 'upgrade';
   		proxy_set_header Host $host;
   		proxy_cache_bypass $http_upgrade;
   	}
   }

Redirect HTTP to HTTPS[edit]

Create /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf

server {
       listen 80;
       rewrite ^(.*) https://$host$1 permanent;
   }

enable it with ln -s /etc/ngix/sites-available/RedirectHTTPtoHTTPS.conf /etc/ngix/sites-available/RedirectHTTPtoHTTPS
Restart Nginx service: sudo service nginx restart

Password protected[edit]

Create a /etc/nginx/.htpasswd

sudo sh -c "echo -n 'sammy:' >> /etc/nginx/.htpasswd"
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"  # you will be prompt for password

sudo nano /etc/nginx/sites-enabled/default

server {
       listen 80 default_server;
       listen [::]:80 default_server ipv6only=on;
   
       root /usr/share/nginx/html;
       index index.html index.htm;
   
       server_name localhost;
   
       location / {
           try_files $uri $uri/ =404;
           auth_basic "Restricted Content";
           auth_basic_user_file /etc/nginx/.htpasswd;
       }
   }

Solve Nginx 504 Gateway Timeout[edit]

Global[edit]

Add the folowing lines to /etc/nginx/nginx.conf

http {
           ...
           proxy_connect_timeout   600;
           proxy_send_timeout      600;
           proxy_read_timeout      600;
           ...
   }

For one location[edit]

At the site-available file add:

...
       location / {
           ...
           proxy_connect_timeout       300;
           proxy_send_timeout          300;
           proxy_read_timeout          300;
           send_timeout                300;
           ...
       }
       ...