Difference between revisions of "Nginx"
Revision as of 18:54, 3 October 2019
General
- HTTP and reverse proxy server, mail proxy server
- Employs event-based model and OS-dependent mechanisms to efficiently distribute requests among worker processes
- docs
- Beginner's Guide
- Pitfalls and Common Mistakes
- Alphabetical List of Directives
- Alphabetical index of VARIABLES - start with a dollar sign $, like $uri, $document_root etc...
- Master process - reads and evaluates the configuration, and maintains the worker processes
- Worker processes - do the actual processing of requests; their number is defined in the configuration file
Configuration File
- Comments start with hash #
Log Levels
- debug
- info
- notice
- warn
- error (default)
- crit
- alert
- emerg
Structure
- nginx modules controlled by directives
- two types of directives: simple and block directives
- simple directive - directive name, followed by params, ends with a semicolon
- block directives ("context") - same as simple, but instead of semicolon ends with curly braces
Common directives
- Regular expression arguments for location directives always start with a tilde ~ and are usually anchored between the ^ and $ operators.
events
- top-level "main" context, cannot be within another
http
- top-level "main" context, cannot be within another
server
- Within http context only
- Can have multiple server names
- Once nginx decides which server will process the request, it tests the URI specified in the request's header against the location directives defined in the server block.
- Prefix locations are checked first and the longest matching prefix is remembered, so location '/' matches last; THEN regular expressions are checked in order of appearance, terminating on the first match (if none matches, the remembered prefix is used)
- listen on different ports
systemctl restart nginx
netstat -tlpn | grep nginx
semanage port -l
semanage port -a -t http_port_t -p tcp 3200
semanage port -m -t http_port_t -p tcp 3200
location
- Allowed in the server context; a location can also be nested inside another location directive
- Performs mapping of URL to route to static files on server, or proxy, etc.
- The matching is performed against a normalized URI, after decoding the text encoded in the “%XX” form, resolving references to relative path components “.” and “..”, and possible compression of two or more adjacent slashes into a single slash.
- location can be prefix string or regular expression, e.g.,
location URIPREFIXARG { root /path/to/static/files;}
URI tokens
- Prefacing URI with = token sets up exact match, with search terminating immediately, speeding up processing.
- Prefacing URI with ~ token means case-sensitive matching
- Prefacing URI with ~* token means case-INsensitive matching
- Prefacing URI with ^~ token means TURN REGULAR EXPRESSION MATCHING OFF for the given prefix.
- The “@” prefix defines a named location. Such a location is not used for a regular request processing, but instead used for request redirection.
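The precedence rules above (longest prefix, then regular expressions in order of appearance, with = and ^~ short-circuiting) together with the URI normalization described under location, as an added Python model; this is not nginx's own code, and the location table is a constructed sample.

```python
import re
from urllib.parse import unquote

def normalize(raw):
    """nginx-style normalization before matching: strip the query string, decode
    %XX, resolve '.'/'..', merge repeated slashes; '..' above '/' is a 400."""
    path = unquote(raw.split('?', 1)[0])
    out = []
    for part in path.split('/'):
        if part in ('', '.'):
            continue
        if part == '..':
            if not out:
                raise ValueError('400: URI climbs above the root')
            out.pop()
        else:
            out.append(part)
    trailing = '/' if out and path.endswith(('/', '/.', '/..')) else ''
    return '/' + '/'.join(out) + trailing

def pick_location(locations, uri):
    """Pick the location for a normalized URI. locations: (modifier, pattern)
    in config order; modifier is '=', '^~', '~', '~*' or '' (plain prefix)."""
    best = None
    for mod, pat in locations:
        if mod == '=' and uri == pat:
            return (mod, pat)  # exact match: search stops immediately
        if mod in ('', '^~') and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)  # remember the longest matching prefix
    if best and best[0] == '^~':
        return best  # ^~ turns regular-expression matching off
    for mod, pat in locations:
        flags = re.IGNORECASE if mod == '~*' else 0
        if mod in ('~', '~*') and re.search(pat, uri, flags):
            return (mod, pat)  # regexes in config order, first match wins
    return best  # no regex matched: fall back to the longest prefix

# Constructed sample location set, in config order (not from the page).
LOCATIONS = [
    ('', '/'),
    ('', '/images/'),
    ('^~', '/static/'),
    ('=', '/'),
    ('~*', r'\.(gif|jpg|png)$'),
    ('~', r'^/api/v\d+/'),
]

def route(raw_uri, locations=LOCATIONS):
    return pick_location(locations, normalize(raw_uri))
```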
location directives
root path;
- Sets the root directory for requests.
- SIMPLE mapping URI to filepath on server.
- Path to the file is constructed by merely adding a URI to the value of the root directive.
alias path;
- Has all the functionality of root directive, plus rewrite capabilities
- If the location URI has a regular expression in it, you can use the $1, $2, etc. capture groups in the argument to the alias directive.
try_files file [file ...] uri;  or  try_files file [file ...] =code;
- Checks the existence of files in the specified order and uses the first found file for request processing
- The path to a file is constructed from the file parameter according to the root and alias directives.
proxy_pass
- websocket proxying requires special configuration:
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
FastCGI params
- PHP FastCGI Example
- Variables are exported via the fastcgi_param directive; many boilerplate variables are defined in /etc/nginx/fastcgi_params, which is included in nginx.conf.
fastcgi_pass
- Sets the address of a FastCGI server.
- The address can be specified as a domain name or IP address and a port, or a UNIX-domain socket
fastcgi_index
- If the user requests a URI with a blank slash, this provides the default script name.
- Maps a blank slash to the script that should be run.
- This parameter is ignored when the user specifies a php script or similar after the slash
- Sets a file name that will be appended after a URI that ends with a slash, in the value of the $fastcgi_script_name variable.
fastcgi_param
- Sets a parameter that should be passed to the FastCGI server.
- The value can contain text, variables, and their combination.
- The minimum required settings for PHP:
fastcgi_param SCRIPT_FILENAME /home/www/scripts/php$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
- For scripts that process POST requests, the following three parameters are also required:
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
Setup
yum install nginx
systemctl start nginx
systemctl enable nginx
ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'
yum install mariadb-server mariadb
systemctl start mariadb
mysql_secure_installation
systemctl enable mariadb
yum install php php-mysql php-fpm
vi /etc/php.ini
cgi.fix_pathinfo=0
vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nobody
listen.group = nobody
user = nginx
group = nginx
systemctl start php-fpm
systemctl enable php-fpm
- Configure NGINX to pass PHP requests to php-fpm
- make a <?php phpinfo(); ?> tag and check that it works
Configuring HTTPS
The Dance
- The TLS handshake negotiates a shared secret at the start of a session. The client connects to port 443 and presents a list of supported cipher suites and hash functions to the server
- The server picks a cipher suite and tells the client
- Server provides identification in the form of a digital certificate.
- Yadda yadda yadda...
ssl parameter
- put the ssl parameter after the listening socket(s) on the listen line.
ssl_certificate
- The server certificate is a public entity. It is sent to every client that connects to the server.
- In nginx this file contains a certificate bundle or chain - a concatenation of your certificate and the certification authority (CA) certificate
ssl_certificate_key
- The private key is a secure entity and it should be stored in a file with restricted access.
- HOWEVER, it must be accessible by nginx's master process
ssl_protocols
- Used to limit connections to the strong versions of SSL/TLS only (cipher suites are restricted separately with ssl_ciphers)
- SSL = Secure Sockets Layer is COMPLETELY DEPRECATED since 2015
- TLS = Transport Layer Security 1.0 is deprecated as of March 2020, use only 1.1, 1.2, and 1.3
- 1.3 is the best; don't use ETS or eTLS
ssl_ciphers
ssl_session_cache & ssl_session_timeout
- Reduces CPU load
- Default is 5 minutes, make it 10.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_dhparam
- On command line
openssl genpkey -genparam -algorithm DH -out /etc/pki/nginx/dhparam4096.pem -pkeyopt dh_paramgen_prime_len:4096
- In conf file
ssl_dhparam /etc/pki/nginx/dhparam4096.pem;
Other directives
ssl_prefer_server_ciphers on;
keepalive_timeout 75;
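An added Python example (not from the page or from nginx) that ties the Structure section's two directive kinds to the HTTPS directives above: it parses a configuration fragment into simple and block directives, then flags the protocol versions and missing directives these notes warn about. The sample configuration and the file paths in it are constructed.

```python
import re

# Constructed sample (not from the page): a weak HTTPS server block plus a plain one.
SAMPLE_CONF = """
server {
    listen 443 ssl;   # the ssl parameter follows the socket
    ssl_certificate     /etc/pki/nginx/chain.pem;
    ssl_certificate_key /etc/pki/nginx/server.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server { listen 80; }
"""
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|[{};]|[^\s{};#"]+')
WEAK = {'SSLv2', 'SSLv3', 'TLSv1'}  # per the notes; RFC 8996 retires TLSv1.1 too
def parse(text):
    """(name, args, children) per directive: children is None for a simple
    directive (ends with ';') and a list for a block directive ('{ ... }')."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith('#')]
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != '}':
            start = pos
            while toks[pos] not in (';', '{'):
                pos += 1
            words, end, pos = toks[start:pos], toks[pos], pos + 1
            kids, pos = (block(), pos + 1) if end == '{' else (None, pos)
            items.append((words[0], words[1:], kids))
        return items
    return block()

def audit(text):
    """Findings for every ssl-enabled server block, per the HTTPS notes above."""
    found = []
    for server in (kids for name, _, kids in parse(text) if name == 'server'):
        simple = {}  # simple directives only: name -> list of argument lists
        for dname, args, sub in server:
            if sub is None:
                simple.setdefault(dname, []).append(args)
        if not any('ssl' in args for args in simple.get('listen', [])):
            continue  # plain-HTTP server: nothing to check
        need = ('ssl_certificate', 'ssl_certificate_key', 'ssl_dhparam')
        found += ['missing ' + d for d in need if d not in simple]
        for args in simple.get('ssl_protocols', []):
            weak = sorted(WEAK & set(args))
            found += ['weak ssl_protocols: ' + ' '.join(weak)] if weak else []
        if simple.get('ssl_prefer_server_ciphers') != [['on']]:
            found.append('ssl_prefer_server_ciphers is not on')
    return found
```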
FastCGI
PHP-fpm
- PHP FastCGI Process Manager
Perl