Nginx

From Omnia
Revision as of 03:43, 20 January 2024 by Kenneth (talk | contribs) (→‎SSL)
Jump to navigation Jump to search

Nginx

Pronounced "Engine X"

"Developed by Igor Sysoev in 2002, Nginx was finally released to the public in 2004 and continues to grow in popularity every year. Nginx is an open-sourced, free HTTP server and reverse proxy. It can also act as an IMAP/POP3 server. Benefiting from being fully scalable, Nginx combines the use of a predictable small amount of memory with asynchronous architecture, resulting in a small memory footprint and low resource consumption. Nginx offers a high-performance, stable environment and is currently the chosen web server for WordPress, SourceForge, and TorrentReactor. Nginx is currently the 3rd most popular web server (behind Apache and IIS) with a market share of 7.65% (according to Netcraft’s March 2011 survey)." [1]

Installation

apt install nginx

SSL

Using the default self signed snakoil ssl certs:

Install the default certs (should already be installed)

apt install ssl-cert

Should have the snakeoil certs:

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key

If the certs doing exist, regenerate: [1]

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

Config: (in /etc/nginx/sites-enabled/default)

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        include snippets/snakeoil.conf;

...
systemctl restart nginx

Let's Encrypt

apt install certbot python3-certbot-nginx

config:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
...
        server_name [DOMAIN];
...
}

== SSL Proxy ==

Simple Example:
<pre>
server {
        listen 443 ssl default_server;
        ssl_certificate /etc/ssl/DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/ssl/DOMAIN/privkey.pem;
        location / {
                proxy_pass http://localhost:8080;
        }
}


Example:

http {
    #...
    upstream backend.example.com {
        server backend1.example.com:443;
        server backend2.example.com:443;
   }

    server {
        listen      80;
        server_name www.example.com;
        #...

        location /upstream {
            proxy_pass                    https://backend.example.com;
            proxy_ssl_certificate         /etc/nginx/client.pem;
            proxy_ssl_certificate_key     /etc/nginx/client.key;
            proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
            proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

            proxy_ssl_verify        on;
            proxy_ssl_verify_depth  2;
            proxy_ssl_session_reuse on;
        }
    }

    server {
        listen      443 ssl;
        server_name backend1.example.com;

        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client      optional;

        location /yourapp {
            proxy_pass https://url_to_app.com;
        #...
        }

    server {
        listen      443 ssl;
        server_name backend2.example.com;

        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client      optional;

        location /yourapp {
            proxy_pass https://url_to_app.com;
        #...
        }
    }
}

ref: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

keywords