Nginx: Difference between revisions
Line 18: | Line 18: | ||
ssl_certificate_key /etc/ssl/DOMAIN/privkey.pem; | ssl_certificate_key /etc/ssl/DOMAIN/privkey.pem; | ||
location / { | location / { | ||
proxy_pass http:// | proxy_pass http://localhost:8080; | ||
} | } | ||
} | } |
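Review bot: the new `proxy_pass http://localhost:8080;` line in `location /` is the only directive in the block, so the backend receives no information about the original client or scheme. Because TLS terminates here and the hop to port 8080 is plain HTTP, consider adding `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to it so the application can log real client addresses and build correct https redirects. A smaller point on the same line: `localhost` can resolve to both `::1` and `127.0.0.1`, so if the backend listens on IPv4 only, writing `127.0.0.1:8080` avoids intermittent connection failures.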
Revision as of 06:13, 19 January 2024
Nginx
Pronounced "Engine X"
"Developed by Igor Sysoev in 2002, Nginx was finally released to the public in 2004 and continues to grow in popularity every year. Nginx is an open-sourced, free HTTP server and reverse proxy. It can also act as an IMAP/POP3 server. Benefiting from being fully scalable, Nginx combines the use of a predictable small amount of memory with asynchronous architecture, resulting in a small memory footprint and low resource consumption. Nginx offers a high-performance, stable environment and is currently the chosen web server for WordPress, SourceForge, and TorrentReactor. Nginx is currently the 3rd most popular web server (behind Apache and IIS) with a market share of 7.65% (according to Netcraft’s March 2011 survey)." [1]
Installation
apt install nginx
SSL Proxy
Simple Example:
    server {
        listen 443 ssl default_server;
        ssl_certificate /etc/ssl/DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/ssl/DOMAIN/privkey.pem;
        location / {
            proxy_pass http://localhost:8080;
        }
    }
Example:
    http {
        #...
        upstream backend.example.com {
            server backend1.example.com:443;
            server backend2.example.com:443;
        }

        # Front end: accepts plain HTTP and proxies to the upstream group over TLS
        server {
            listen 80;
            server_name www.example.com;
            #...
            location /upstream {
                proxy_pass https://backend.example.com;
                # Client certificate and key nginx presents to the upstream
                proxy_ssl_certificate /etc/nginx/client.pem;
                proxy_ssl_certificate_key /etc/nginx/client.key;
                # TLSv1 and TLSv1.1 are deprecated (RFC 8996); restrict to TLSv1.2 or later where the backends allow
                proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                proxy_ssl_ciphers HIGH:!aNULL:!MD5;
                # Verify the upstream certificate against this CA, up to two chain levels
                proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
                proxy_ssl_verify on;
                proxy_ssl_verify_depth 2;
                proxy_ssl_session_reuse on;
            }
        }

        # Backends: terminate TLS and optionally request a client certificate
        server {
            listen 443 ssl;
            server_name backend1.example.com;
            ssl_certificate /etc/ssl/certs/server.crt;
            ssl_certificate_key /etc/ssl/certs/server.key;
            ssl_client_certificate /etc/ssl/certs/ca.crt;
            ssl_verify_client optional;
            location /yourapp {
                proxy_pass https://url_to_app.com;
                #...
            }
        }

        server {
            listen 443 ssl;
            server_name backend2.example.com;
            ssl_certificate /etc/ssl/certs/server.crt;
            ssl_certificate_key /etc/ssl/certs/server.key;
            ssl_client_certificate /etc/ssl/certs/ca.crt;
            ssl_verify_client optional;
            location /yourapp {
                proxy_pass https://url_to_app.com;
                #...
            }
        }
    }
ref: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/