<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>Nginx</title>
</head>
<body>
<a href="index.html">Tools Index</a>
<h1>Nginx</h1>
<h2 id="install">1. Install Nginx</h2>
<pre>
$ prt-get depinst nginx
</pre>
<p>Give the web root minimal privileges via mount options (nosuid, noexec, nodev); check the entry in /etc/fstab;</p>
<pre>
UUID=xxxxx-xxx-xxx-xxx-xxxxxxxx /srv/www ext4 defaults,nosuid,noexec,nodev,noatime 1 2
</pre>
<p>Add user nginx to www group;</p>
<pre>
# usermod -a -G www nginx
</pre>
<p>Change default home directory of nginx user;</p>
<pre>
# usermod -m -d /srv/www nginx
</pre>
<p>Create configuration directories for better organization;</p>
<pre>
$ sudo mkdir /etc/nginx/conf.d
$ sudo mkdir /etc/nginx/sites-enabled
$ sudo mkdir /etc/nginx/sites
</pre>
<h2 id="certs">2. Certificates</h2>
<h3 id="letsencrypt">2.1. Let's Encrypt</h3>
<p>Example of an nginx location block serving the ACME challenge on a public PmWiki setup;</p>
<pre>
# ACME challenge
location ^~ /.well-known {
    allow all;
    alias /srv/www/machine-pmwiki/pub/cert/.well-known/;
    default_type "text/plain";
    try_files $uri =404;
}
</pre>
<p>First do a dry run to test that everything is OK;</p>
<pre>
# certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/machine-pmwiki/pub/cert/ -d machine.example.org
</pre>
<p>Then request the real certificate;</p>
<pre>
# certbot certonly --email user@mail.org --webroot -w /srv/www/machine-pmwiki/pub/cert/ -d machine.example.org
</pre>
<h3 id="mancert">2.2. Self-signed certificate</h3>
<p>TLS certificates enable encrypted connections. Let's create a
self-signed certificate;</p>
<p>Create the private key;</p>
<pre>
$ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
Password:
Generating RSA private key, 2048 bit long modulus
..............................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for /etc/ssl/keys/nginx.key:
Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
</pre>
<p>Create the certificate signing request. For "Common Name"
provide the domain name or IP address; leave the challenge password
and optional company name blank;</p>
<pre>
$ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
Enter pass phrase for /etc/ssl/keys/nginx.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:machine.example.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
</pre>
<p>Having a passphrase on the key is a good idea, but it is then required every
time nginx is restarted. To remove it;</p>
<pre>
$ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
$ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
</pre>
<pre>
Enter pass phrase for /etc/ssl/keys/nginx.key.pass:
writing RSA key
</pre>
<pre>
$ sudo chown nginx /etc/ssl/keys/nginx.key*
$ sudo chmod 0600 /etc/ssl/keys/nginx.key*
</pre>
<p>Sign the SSL certificate;</p>
<pre>
$ sudo openssl x509 -req -days 365 \
-in /etc/ssl/certs/nginx.csr \
-signkey /etc/ssl/keys/nginx.key \
-out /etc/ssl/certs/nginx.crt
</pre>
<pre>
Signature ok
subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=machine.example.org
Getting Private key
Enter pass phrase for /etc/ssl/keys/nginx.key:
</pre>
<pre>
$ sudo chown nginx:nginx /etc/ssl/keys/nginx.key*
$ sudo chmod 0600 /etc/ssl/keys/nginx.key*
$ sudo chmod 644 /etc/ssl/certs/nginx.crt
</pre>
<h2 id="nginxconf">3. Nginx Configuration</h2>
<p>This is the "main" nginx configuration, not the virtual servers. The way it is set up, nginx loads the virtual server configuration files with the extension .conf from /etc/nginx/sites-enabled/.</p>
<p>The number of worker_processes must be equal to or less than
the number of available CPU cores. Here it is set to auto, which lets nginx detect the count.</p>
<pre>
$ nproc
2
</pre>
<p>The number of worker_connections must be equal to or less than
the open file descriptor limit, which you can get with;</p>
<pre>
$ ulimit -n
1024
</pre>
<p>Edit the nginx configuration;</p>
<pre>
#
# /etc/nginx/nginx.conf - nginx server configuration
#
user www;
worker_processes auto;
error_log syslog:server=unix:/dev/log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    #tcp_nopush on;
    # Allow attaching an ISO to the wiki
    #client_max_body_size 8M;
    client_max_body_size 30M;
    #keepalive_timeout 65;
    keepalive_timeout 120;
    #client_body_timeout 12;
    client_body_timeout 24;
    #client_header_timeout 12;
    client_header_timeout 24;
    send_timeout 65;
    gzip on;
    gzip_vary on;
    #gzip_proxied any;
    gzip_comp_level 9;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
# End of file
</pre>
<h2 id="server">4. Virtual servers</h2>
<p>Read <a href="http://wiki.nginx.org/Pitfalls">nginx pitfalls</a> and
<a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">configuration optimization</a>.</p>
<p>This setup uses the default virtual server as a proxy, which keeps its configuration file clean and delegates application-specific settings to other servers. Those virtual servers can run on the same machine or on other machines, allowing greater compartmentalization.</p>
<p>When testing or debugging configurations it is useful to run nginx with the following option;</p>
<pre>
nginx -V
</pre>
<h3>4.1. Setup PHP</h3>
<p>Install PHP and the modules used here;</p>
<pre>
$ sudo prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
</pre>
<p>Set up php.ini in development mode;</p>
<pre>
$ sudo cp /etc/php/php.ini-development /etc/php/php.ini
</pre>
<pre>
$ php --ini
Configuration File (php.ini) Path: /etc/php
Loaded Configuration File: /etc/php/php.ini
Scan for additional .ini files in: /etc/php/conf.d
Additional .ini files parsed: /etc/php/conf.d/extensions.ini,
/etc/php/conf.d/pdo_pgsql.ini
</pre>
<h3 id="default-server">4.2. Setup default server</h3>
<p>The default server acts as a proxy for everything except /doc, and serves both port 443 and port 80 with the Let's Encrypt certificates. Each location is proxied to the corresponding virtual server.</p>
<pre>
server {
    #if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12Bot|DotBot)) {
    #    return 410;
    #}
    server_name tribu.semdestino.org;
    listen 80 default_server;
    listen 443 ssl default_server;
    access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
    root /etc/nginx/html/;
    ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
    #proxy_redirect off;
    #proxy_set_header Host $http_host;
    #proxy_set_header X-Forwarded-Host $http_host;
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location /doc {
        alias /srv/www/doc;
        index index.html;
        autoindex on;
    }
    location /mirror {
        proxy_pass http://ports.ank;
    }
    location /pub {
        proxy_pass http://wiki.server.ank:8080;
    }
    location ^~ /.well-known {
        # ACME challenge
        proxy_pass http://wiki.server.ank;
    }
    location /wiki {
        proxy_pass http://wiki.server.ank:8080;
    }
    location /git {
        proxy_pass http://git.server.ank:8080;
    }
    location /forum/ {
        proxy_pass http://forum.server.ank:8080/;
    }
    location /task {
        proxy_pass http://task.server.ank:8080;
    }
    location /shop {
        proxy_pass http://shop.server.ank:8080;
    }
    location /vexim/ {
        proxy_pass http://vexim.server.ank:8080/;
    }
    location /email {
        proxy_pass http://email.server.ank:8080;
    }
    location /awstats {
        proxy_pass http://awstats.server.ank:8080;
    }
    location /stats {
        proxy_pass http://stats.server.ank:8080;
    }
    location / {
        proxy_pass http://frontpage.server.ank:8080/;
    }
}
</pre>
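<p>How a request path is routed through this default server, as an added Python model that is not part of the original page: it applies nginx's longest-prefix rule and the proxy_pass URI rule to the location table above, so the two spellings used there can be compared (<code>location /forum/</code> with <code>proxy_pass ...:8080/</code> strips the prefix, while <code>location /wiki</code> with no URI part forwards the path unchanged, and <code>/forum</code> without the trailing slash falls through to <code>location /</code>). URI normalization and query strings are not modeled.</p>

```python
"""Model of the default server's location table (added example, not page code).
Implements nginx's longest-prefix match and the proxy_pass URI replacement rule;
URI normalization and query strings are not modeled.
"""
from urllib.parse import urlsplit

# Prefix locations from the default server above (prefix -> proxy_pass).
# /doc is served locally via alias, so it maps to None. '^~' on /.well-known
# only matters against regex locations, of which this server has none.
LOCATIONS = {
    "/doc": None,
    "/mirror": "http://ports.ank",
    "/pub": "http://wiki.server.ank:8080",
    "/.well-known": "http://wiki.server.ank",
    "/wiki": "http://wiki.server.ank:8080",
    "/git": "http://git.server.ank:8080",
    "/forum/": "http://forum.server.ank:8080/",
    "/task": "http://task.server.ank:8080",
    "/shop": "http://shop.server.ank:8080",
    "/vexim/": "http://vexim.server.ank:8080/",
    "/email": "http://email.server.ank:8080",
    "/awstats": "http://awstats.server.ank:8080",
    "/stats": "http://stats.server.ank:8080",
    "/": "http://frontpage.server.ank:8080/",
}

def match_location(path):
    """Longest prefix that matches the request path (nginx prefix rule)."""
    return max((p for p in LOCATIONS if path.startswith(p)), key=len)

def resolve(path):
    """Return (upstream host:port, URI sent upstream); upstream is None for /doc."""
    prefix = match_location(path)
    target = LOCATIONS[prefix]
    if target is None:
        return None, path
    parts = urlsplit(target)
    if parts.path:
        # proxy_pass carries a URI ('.../'): the matched prefix is replaced by it,
        # so /forum/thread/1 reaches the forum backend as /thread/1.
        return parts.netloc, parts.path + path[len(prefix):]
    # No URI in proxy_pass: the request URI is forwarded unchanged,
    # so /wiki/Main reaches the wiki backend still as /wiki/Main.
    return parts.netloc, path

if __name__ == "__main__":
    for p in ("/forum/thread/1", "/forum", "/wiki/Main", "/doc/index.html"):
        print(p, "->", resolve(p))
```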
<h3 id="virtual-server">4.3. Setup virtual server</h3>
<p>Example of a PmWiki virtual server; check <a href="conf/etc/nginx/sites-enabled/">/etc/nginx/sites-enabled</a> for the rest of the examples referenced by the <a href="#default-server">default server</a>. If the wiki server is running on the same machine, add the following to /etc/hosts;</p>
<pre>
127.0.0.1 wiki.c2.ank
</pre>
<p>Edit /etc/nginx/sites-enabled/wiki.c2.ank.conf;</p>
<pre>
server {
    listen 8080;
    server_name wiki.server.ank;
    access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
    error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
    root /srv/www/;
    location /pub {
        alias /srv/www/wiki/pub;
    }
    # ACME challenge
    location ^~ /.well-known {
        allow all;
        alias /srv/www/wiki/pub/cert/.well-known/;
        default_type "text/plain";
        try_files $uri =404;
    }
    location @pmwiki {
        rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
    }
    location /wiki {
        index pmwiki.php;
        try_files $uri $uri/ @pmwiki;
    }
    location ~ ^\/wiki(.+\.php)$ {
        index pmwiki.php;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index pmwiki.php;
        try_files $uri /pmwiki.php =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
</pre>
<h2 id="userdir">5. User Directory</h2>
<p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p>
<pre>
location ~ ^/~(.+?)(/.*)?$ {
    alias /home/$1/public_html$2;
    index index.html index.htm;
    autoindex on;
}
</pre>
<p>Files should be chmod 644 or 664 and
directories 755 or 775;</p>
<pre>
$ sudo find . -type f -print0 | xargs -0 chmod 644
$ sudo find . -type d -print0 | xargs -0 chmod 755
</pre>
<h2 id="logs">6. Logs</h2>
<pre>
$ sudo grep "login" /var/log/nginx/vhost_access
$ sudo grep "etc/passwd" /var/log/nginx/vhost_access
$ sudo egrep -i "denied|error|warn" /var/log/nginx_error
</pre>
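<p>A Python parser for the <code>main</code> log_format defined in nginx.conf above, applying the same checks as the grep commands in this section; added example, not part of the original page. The log lines and addresses are constructed. It percent-decodes the request before matching, which catches an encoded <code>..%2Fetc%2Fpasswd</code> that a plain grep on the raw log misses.</p>

```python
"""Parse 'main' log_format lines and flag the patterns this section greps for.
Added example, not page code; SAMPLE_LOG is constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Field order follows log_format main in nginx.conf on this page.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)

# Substrings the section greps for; matched on the percent-decoded request.
SUSPICIOUS = ("login", "etc/passwd")

# Constructed sample (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "GET /wiki/Main HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Mar/2020:12:00:02 +0000] "GET /wiki/pmwiki.php?n=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 162 "-" "curl/7.68.0" "-"
203.0.113.9 - admin [10/Mar/2020:12:00:03 +0000] "POST /forum/login HTTP/1.1" 302 0 "https://tribu.semdestino.org/forum/" "Mozilla/5.0" "-"
198.51.100.2 - - [10/Mar/2020:12:00:04 +0000] "GET /pub/skins/x.css HTTP/1.1" 200 880 "-" "Mozilla/5.0" "10.0.0.1"
"""

def parse_line(line):
    """Return a dict of the nine log fields, or None if the line is not in 'main' format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_requests(log_text):
    """Return (remote_addr, request, status, reasons) for each suspicious entry."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not in 'main' format (e.g. a different vhost format): skip
        decoded = unquote(rec["request"]).lower()
        reasons = [s for s in SUSPICIOUS if s in decoded]
        if reasons:
            hits.append((rec["remote_addr"], rec["request"], rec["status"], reasons))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```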
<p>This is part of the Tribu System Documentation.
Copyright (C) 2020
Tribu Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>