# Nginx

- normal **Web Server** to provide a Web Application
- **Reverse Proxy** for other Web Servers and central SSL/HTTP(S) and Subdomain Management
- **Certbot** usage

## Links

- [HowTo: nginx 25 Security Hardening Tips](https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html)
- [HowTo: How to configure nginx](https://www.linode.com/docs/web-servers/nginx/how-to-configure-nginx/)
- [ubiq - How to Setup NGINX Load Balancer](https://ubiq.co/tech-blog/setup-nginx-load-balancer/)
- [[Docker nginx-proxy-manager]]

## Server Configuration

- **Config docs**
  - [Alphabetical index of variables](https://nginx.org/en/docs/varindex.html)
  - [Using the Forwarded header | NGINX](https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/)
  - [Module ngx_http_core_module](https://nginx.org/en/docs/http/ngx_http_core_module.html)
  - [Module ngx_http_proxy_module](https://nginx.org/en/docs/http/ngx_http_proxy_module.html)
- [ubiq - How to Increase Request Timeout in NGINX](https://ubiq.co/tech-blog/increase-request-timeout-nginx/)
- [How to Fix Common NextCloud Performance Issues](https://autoize.com/nextcloud-performance-troubleshooting/) (unfortunately this didn't help)

### Upload tuning

```nginx
client_max_body_size 0;
fastcgi_buffers 64 4K;
```

### Download tuning

```nginx
proxy_buffering off;
# ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m;
fastcgi_max_temp_file_size 0;
```

### Timeout tuning

```nginx
proxy_connect_timeout 6000;
proxy_send_timeout 6000;
proxy_read_timeout 6000;
send_timeout 6000;
```

### Nextcloud AiO (2023-03) tuning

```nginx
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
#
client_max_body_size 0;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection $connection_upgrade;
```

### Reverse Proxy, Certbot, SSL, HTTP Redirect

=> [[Certbot]]

### Rewrite requested URL for files and folders

Add the html extension to the URI. The initial solution was found here in 2018: [Add html extension to uri](https://www.garron.me/en/bits/add-html-extension-nginx-apache-htaccess.html). In 2020 the following solution was found together with the Reverse Proxy setup:

```nginx
# e.g. /pocket -> /pocket.html
rewrite ^/([^/.]+)$ /$1.html break;
# e.g. /privat/Konzert/2018-12-Nightwish -> /privat/Konzert/2018-12-Nightwish.html
rewrite ^/([^.]+/[^/.]+)$ /$1.html break;
# e.g. /privat/Konzert/2018-12-Nightwish/ -> /privat/Konzert/2018-12-Nightwish/index.html
rewrite ^(.*)/$ $1/index.html break;
```

### Password Authentication for a specific location

- [digitalocean Tutorial - Password Authentication](https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-nginx-on-ubuntu-14-04)

1. Create a password file and add the username and the password hash:

   ```
   sudo sh -c "echo -n 'jbpTobi:' >> /etc/nginx/.htpasswd"
   sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"
   ```

2. Configure the server location:

   ```
   # Locations with password protection
   location /privat/persoenlich {
       auth_basic "Restricted Content";
       auth_basic_user_file /etc/nginx/.htpasswd;
   }
   ```

3. Multiple `.htpasswd` files can be created for different locations.
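To see what the three `rewrite ... break;` rules from the "Rewrite requested URL" section above actually do to a request path, here is a small simulation. It is an added example and not code from the original page or from nginx: Python's `re` module stands in for nginx's PCRE engine (the two dialects agree for these three patterns), nginx's `$1` becomes Python's `\1`, and every sample URI is constructed for this example.

```python
"""Simulate the page's three nginx rewrite rules on sample request paths.

Added example, not part of the original page.  Python's `re` module replaces
nginx's PCRE engine, which behaves the same for these patterns.
"""
import re

# The rules in the order nginx evaluates them.  Each one carries `break`, so
# the first rule whose regex matches ends the rewrite phase; later rules
# never run for that request.
REWRITE_RULES = [
    # /pocket -> /pocket.html  (single segment without a dot)
    (re.compile(r"^/([^/.]+)$"), r"/\1.html"),
    # /privat/Konzert/2018-12-Nightwish -> /privat/Konzert/2018-12-Nightwish.html
    (re.compile(r"^/([^.]+/[^/.]+)$"), r"/\1.html"),
    # /privat/Konzert/2018-12-Nightwish/ -> /privat/Konzert/2018-12-Nightwish/index.html
    (re.compile(r"^(.*)/$"), r"\1/index.html"),
]


def matching_rule(uri: str):
    """0-based index of the first rule whose regex matches, or None."""
    for index, (pattern, _repl) in enumerate(REWRITE_RULES):
        if pattern.search(uri):
            return index
    return None


def rewrite_uri(uri: str) -> str:
    """Apply the first matching rule exactly once, as `rewrite ... break` does."""
    index = matching_rule(uri)
    if index is None:
        return uri
    pattern, repl = REWRITE_RULES[index]
    return pattern.sub(repl, uri, count=1)


# Constructed sample paths: the three documented cases, the site root, and
# two paths that must stay untouched because they already carry an extension.
SAMPLE_URIS = [
    "/pocket",
    "/privat/Konzert/2018-12-Nightwish",
    "/privat/Konzert/2018-12-Nightwish/",
    "/",
    "/style.css",
    "/privat/Konzert/plakat.jpg",
]


def rewrite_table(uris=SAMPLE_URIS) -> dict:
    """Map each sample path to its rewritten form (unchanged when no rule hits)."""
    return {uri: rewrite_uri(uri) for uri in uris}


if __name__ == "__main__":
    for uri, result in rewrite_table().items():
        rule = matching_rule(uri)
        label = f"rule {rule + 1}" if rule is not None else "no rule"
        print(f"{uri:40} -> {result:50} ({label})")
```

Two things the simulation makes visible: because the first two patterns exclude dots, a request for `/style.css` or `/privat/Konzert/plakat.jpg` is never touched, so the rules cannot turn an existing file into a different resource; and nginx applies `rewrite` to the normalized `$uri` (percent-decoded, dot-segments removed, query string stripped), which is why the functions take a plain path rather than a raw request line.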
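The `openssl passwd -apr1` command in the password-authentication steps above writes an Apache-style MD5-crypt ("apr1") hash into `/etc/nginx/.htpasswd`. The following added example (not code from the original page, nginx or OpenSSL) re-implements that scheme so a line of such a file can be generated and verified offline; the file content it uses is constructed for the example, with the user name `jbpTobi` taken from the page.

```python
"""Generate and verify nginx auth_basic (.htpasswd) lines in the apr1 format.

Added example, not part of the original page.  The apr1_crypt() function is
a re-implementation of the Apache MD5-crypt variant that
`openssl passwd -apr1` produces.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Crypt-style base64: emit `count` characters, lowest 6 bits first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def apr1_crypt(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<22 chars>" for the password (salt: at most 8 chars)."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                    # mix in the alternate digest, 16 bytes per step
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                             # walk the bits of the password length
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000 stretching rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def htpasswd_line(user: str, password: str) -> str:
    """Same result as the two shell commands on the page, with a random salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash; blank lines and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_login(htpasswd_text: str, user: str, password: str) -> bool:
    """True only when the user exists and the password matches its apr1 hash."""
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not stored.startswith("$apr1$"):
        return False        # unknown user, or a scheme this checker does not handle
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


# Constructed sample file: a comment line and one user with a fixed salt.
SAMPLE_HTPASSWD = (
    "# constructed for this example\n"
    "jbpTobi:" + apr1_crypt("correct horse", "Vw8kQz2L") + "\n"
)

if __name__ == "__main__":
    print(htpasswd_line("jbpTobi", "correct horse"))
    print(check_login(SAMPLE_HTPASSWD, "jbpTobi", "correct horse"))
```

Two operational points follow from the format: the hash is MD5 with a fixed 1000 rounds, so the strength of a protected location rests on the password itself, and the file should live outside the document root and be readable only by the user the nginx workers run as, since whoever can read it can attempt offline guessing.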
### --DEPRECATED-- SSL Certificate and encrypted connection

- [digitalocean Tutorial - SSL Certificate](https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04)
- Create the SSL certificate:

  ```
  sudo mkdir /etc/nginx/ssl
  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
  ```

  - **openssl:** This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
  - **req:** This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. "X.509" is a public key infrastructure standard that SSL and TLS adhere to for their key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.
  - **-x509:** This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
  - **-nodes:** This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Nginx to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
  - **-days 365:** This option sets the length of time that the certificate will be considered valid. We set it for one year here.
  - **-newkey rsa:2048:** This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
  - **-keyout:** This tells OpenSSL where to place the generated private key file that we are creating.
  - **-out:** This tells OpenSSL where to place the certificate that we are creating.

- The interactive prompts were answered as follows:

  ```
  Country Name (2 letter code) [AU]:DE
  State or Province Name (full name) [Some-State]:Germany
  Locality Name (eg, city) []:Bad Homburg
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tobi Page
  Organizational Unit Name (eg, section) []:Life
  Common Name (e.g. server FQDN or YOUR name) []:Tobias.Mauritz
  Email Address []:[email protected]
  ```

- Add the following to `server {...}`:

  ```
  listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  ```

### --DEPRECATED-- Redirect from HTTP to HTTPS Server

- 2 `server {...}` blocks are needed:
  - one for HTTP, for the pure redirect
  - and one for HTTPS, for the main server config

Here the redirect:

```nginx
# HTTP Server with redirect to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# HTTPS Server
server {
    listen 443 ssl;
    [...]
}
```

***

Related:

- [[Blog]]
- [[$-Netzwerk|Netzwerk]]