Nginx

1. Install Nginx

        # prt-get depinst nginx
        

Keep the web root on its own filesystem, mounted with restrictive options, so that anything an attacker manages to upload there cannot be run as a set-uid binary (nosuid), executed directly (noexec) or used as a device node (nodev). Note that noexec does not stop an interpreter such as PHP from running a script it reads from the volume. In /etc/fstab, using the filesystem's UUID;

        UUID=xxxxx-xxx-xxx-xxx-xxxxxxxx  /srv/www                ext4 defaults,nosuid,noexec,nodev,noatime       1 2
        

Add the nginx user to the www group (the group you use for the content under /srv/www), so it can read the site without owning it;

        # usermod -a -G www nginx
        

Change the home directory of the nginx user (-m also moves the contents of the old home directory into the new one; omit it to change only the /etc/passwd entry);

        # usermod -m -d /srv/www nginx
        

Create configuration directories for better organization;

        $ sudo mkdir /etc/nginx/conf.d
        $ sudo mkdir /etc/nginx/sites-enable
        $ sudo mkdir /etc/nginx/sites
        
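As an added example (not from the original page): a small POSIX sh check that the web root is actually mounted with the options the fstab entry above asks for. It reads the live mount table in /proc/mounts format rather than /etc/fstab, so a remount without those options is caught. The required option list and the sample mount table used in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that the web root is
# mounted with nosuid, noexec and nodev. The option list and the sample
# mount table used for the demo are assumptions made for this example.

REQUIRED_OPTS="nosuid noexec nodev"

# has_opt "opt1,opt2,..." NAME -> 0 if NAME appears in the comma-separated list
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts "opt1,opt2,..." -> prints the required options that are absent
missing_opts() {
    _missing=""
    for _o in $REQUIRED_OPTS; do
        has_opt "$1" "$_o" || _missing="$_missing $_o"
    done
    printf '%s\n' "${_missing# }"
}

# mount_opts_for MOUNTPOINT [MOUNTS_FILE] -> prints the option field (4th
# column of /proc/mounts) for the live mount, or nothing if it is not a mount
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { print $4 }' "${2:-/proc/mounts}"
}

# check_webroot MOUNTPOINT [MOUNTS_FILE] -> 0 only if MOUNTPOINT is its own
# mount and carries every option in REQUIRED_OPTS
check_webroot() {
    _opts=$(mount_opts_for "$1" "${2:-/proc/mounts}")
    if [ -z "$_opts" ]; then
        echo "$1: not a separate mount point" >&2
        return 1
    fi
    _m=$(missing_opts "$_opts")
    if [ -n "$_m" ]; then
        echo "$1: mounted without: $_m" >&2
        return 1
    fi
    return 0
}

# Demo with a constructed mount table (same format as /proc/mounts).
if [ -n "${WEBROOT_DEMO:-}" ]; then
    _t=$(mktemp)
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        '/dev/sda2 /srv/www ext4 rw,nosuid,nodev,noexec,noatime 0 0' \
        '/dev/sda3 /srv/lax ext4 rw,nosuid,noatime 0 0' > "$_t"
    check_webroot /srv/www "$_t" && echo "/srv/www: ok"
    check_webroot /srv/lax "$_t" || echo "/srv/lax: not ok"
    rm -f "$_t"
fi
```

Run it with WEBROOT_DEMO=1 to see both outcomes on the constructed table, or call check_webroot /srv/www on a real host after the mount is in place.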

2. Certificates

2.1. Let's Encrypt

Example nginx location block for the HTTP-01 challenge on a public PmWiki setup. The alias must be the directory you later pass to certbot with -w, plus /.well-known/, because certbot writes each challenge file to <webroot>/.well-known/acme-challenge/<token>;

        # ACME challenge (HTTP-01)
        location ^~ /.well-known/ {
              allow all;
              alias /srv/www/machine-pmwiki/pub/cert/.well-known/;
              default_type "text/plain";
              try_files $uri =404;
        }
        

First run with --dry-run, which talks to the Let's Encrypt staging environment and issues nothing, to check that the challenge directory is reachable over plain HTTP; then run for real;

        # certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/machine-pmwiki/pub/cert/ -d machine.example.org
        
        # certbot certonly --email user@mail.org --webroot -w /srv/www/machine-pmwiki/pub/cert/ -d machine.example.org
        

2.2. Self-signed certificate

A self-signed certificate gives you TLS on a host that cannot use a public CA (internal or test machines), but clients trust it only once the certificate is added to their trust store. Let's create one;

Create private key;

        $ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
        Password:
        Generating RSA private key, 2048 bit long modulus
        ..............................+++
        ............+++
        e is 65537 (0x10001)
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
        

Create the certificate signing request. For "Common Name" give the server's FQDN or IP address; leave the challenge password and optional company name blank;

        $ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:PT
        State or Province Name (full name) [Some-State]:
        Locality Name (eg, city) []:
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:
        Organizational Unit Name (eg, section) []:
        Common Name (e.g. server FQDN or YOUR name) []:machine.example.org
        Email Address []:

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:
        $
        

An encrypted key is safer at rest, but nginx then asks for the pass phrase every time it starts, which breaks unattended restarts. To strip it, keeping the encrypted copy as a backup;

        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
        
        Enter pass phrase for /etc/ssl/keys/nginx.key.pass:
        writing RSA key
        
        $ sudo chown root:root /etc/ssl/keys/nginx.key*
        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*

The key files stay owned by root: the nginx master process runs as root and reads the key at start-up and on reload, so the worker processes, which run as the nginx user and handle untrusted traffic, never need read access to it.
        

Sign the certificate with the key (self-signed, valid for one year);

        $ sudo openssl x509 -req -days 365 \
            -in /etc/ssl/certs/nginx.csr \
            -signkey /etc/ssl/keys/nginx.key \
            -out /etc/ssl/certs/nginx.crt
        Signature ok
        subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=machine.example.org
        Getting Private key
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        
        $ sudo chown root:root /etc/ssl/keys/nginx.key*
        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
        $ sudo chmod 0644 /etc/ssl/certs/nginx.crt

The pass-phrase prompt only appears if you sign with the still-encrypted key. Note that x509 -req -signkey copies no extensions from the request, so the resulting certificate carries no subjectAltName; current browsers ignore the Common Name and reject such a certificate for HTTPS, so for a certificate a browser must accept, add a subjectAltName (via -extfile, or by generating key and certificate in one step with openssl req -x509 -addext). The certificate itself is public and can stay world-readable.
        
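As an added example (not from the original page): the same result as the key / CSR / sign sequence above, done in one openssl call that produces an unencrypted key with mode 0600 straight away and a certificate that carries a subjectAltName, followed by checks that the key matches the certificate and that the key is not readable by others. It requires OpenSSL 1.1.1 or newer for -addext; the scratch directory and the hostname machine.example.org are assumptions for the demo, and in production the files go under /etc/ssl/keys and /etc/ssl/certs as in the page.

```shell
#!/bin/sh
# Added example, not part of the original page: create a self-signed
# certificate in one step (no pass phrase to strip afterwards, and with a
# subjectAltName so browsers accept it), then verify it. Requires OpenSSL
# 1.1.1 or newer for -addext. The directory and hostname are assumptions
# for the demo; in production use /etc/ssl/keys and /etc/ssl/certs as above.

# make_selfsigned DIR FQDN [DAYS] -> writes DIR/nginx.key (0600) and
# DIR/nginx.crt (0644); returns non-zero if openssl fails
make_selfsigned() {
    _dir=$1
    _fqdn=$2
    _days=${3:-365}
    mkdir -p "$_dir" || return 1
    # umask 077 in a subshell: the key file is never readable by others,
    # not even between creation and a later chmod.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$_dir/nginx.key" -out "$_dir/nginx.crt" \
            -days "$_days" -subj "/CN=$_fqdn" \
            -addext "subjectAltName=DNS:$_fqdn" >/dev/null 2>&1
    ) || return 1
    # The certificate is public; the key stays private.
    chmod 0644 "$_dir/nginx.crt"
}

# key_matches_cert KEY CRT -> 0 if the certificate's public key belongs to KEY
key_matches_cert() {
    _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    _c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# cert_has_san CRT FQDN -> 0 if CRT lists exactly DNS:FQDN in its subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | grep -q "DNS:$2\$"
}

# key_is_private KEY -> 0 if KEY has no group/other permission bits
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo: set SELFSIGNED_DIR to a scratch directory to generate and check a pair.
if [ -n "${SELFSIGNED_DIR:-}" ]; then
    make_selfsigned "$SELFSIGNED_DIR" machine.example.org 365 \
        && key_matches_cert "$SELFSIGNED_DIR/nginx.key" "$SELFSIGNED_DIR/nginx.crt" \
        && cert_has_san "$SELFSIGNED_DIR/nginx.crt" machine.example.org \
        && key_is_private "$SELFSIGNED_DIR/nginx.key" \
        && echo "ok: $SELFSIGNED_DIR/nginx.crt matches its key and names machine.example.org"
fi
```

Run it as SELFSIGNED_DIR=/tmp/selfsigned sh selfsigned.sh; key_matches_cert is the check to repeat after any manual key rotation, since nginx only reports a mismatch at the next reload.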

3. Nginx Configuration

Read the nginx pitfalls page and, for optimization notes, the DigitalOcean guide.

Number of worker_
