Diffstat (limited to 'tools/nginx.html')
-rw-r--r--tools/nginx.html333
1 files changed, 333 insertions, 0 deletions
diff --git a/tools/nginx.html b/tools/nginx.html
new file mode 100644
index 0000000..b9b6488
--- /dev/null
+++ b/tools/nginx.html
@@ -0,0 +1,333 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>Nginx</title>
+    </head>
+    <body>
+        <a href="index.html">Tools Index</a>
+
+        <h1>1. Nginx</h1>
+
+        <h2 id="install">1.1. Install Nginx</h2>
+
+        <pre>
+        $  prt-get depinst nginx
+        </pre>
+
+        <p>Allow minimal privileges via mount options, view /etc/fstab;</p>
+
+        <pre>
+        UID=xxxxx-xxx-xxx-xxx-xxxxxxxx  /srv/www                ext4 defaults,nosuid,noexec,nodev,noatime       1 2
+        </pre>
+
+        <p>Remove nginx user or group, system defines www user and group;</p>
+
+        <pre>
+        # userdel nginx
+        # groupdel nginx
+        </pre>
+
+        <p>Change default home directory of www user;</p>
+
+        <pre>
+        # usermod -m -d /srv/www www
+        </pre>
+
+        <p>Create configuration directory's for better organization;</p>
+
+        <pre>
+        $ sudo mkdir /etc/nginx/conf.d
+        $ sudo mkdir /etc/nginx/sites-enable
+        $ sudo mkdir /etc/nginx/sites
+        </pre>
+
+        <h2 id="logs">1.2. Logs</h2>
+
+        <pre>
+        $ sudo grep "login" /var/log/nginx/access.log
+        $ sudo grep "etc/passwd" /var/log/nginx/access.log
+        $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log
+        </pre>
+
+        <h2 id="userdir">1.3. User Directory</h2>
+
+        <p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p>
+
+        <pre>
+         location ~ ^/~(.+?)(/.*)?$ {
+            alias /home/$1/public_html$2;
+            index  index.html index.htm;
+            autoindex on;
+         }
+        </pre>
+
+        <p>Directories should have 644 or 664 and
+        files chmod 755 or 775;</p>
+
+        <pre>
+        $ sudo find . -type f -print0 | xargs -0 chmod 644
+        $ sudo find . -type d -print0 | xargs -0 chmod 755
+        </pre>
+
+        <h2 id="certs">1.4. Certificates</h2>
+
+        <p>Certificates allow a more secure connection. Lets create
+        self-signed certificate;</p>
+
+        <pre>
+        $ sudo mkdir /etc/nginx/ssl
+        $ sudo cd /etc/nginx/ssl
+        </pre>
+
+        <p>Create private key;</p>
+
+        <pre>
+        $ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
+        Password:
+        Generating RSA private key, 2048 bit long modulus
+        ..............................+++
+        ............+++
+        e is 65537 (0x10001)
+        Enter pass phrase for /etc/ssl/keys/nginx.key:
+        Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
+        </pre>
+
+        <p>Create ceritificate signing request. For "Common Name"
+        provide domain name or ip address, leave challange password
+        and optional company name blank;</p>
+
+        <pre>
+        $ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
+        Enter pass phrase for /etc/ssl/keys/nginx.key:
+        You are about to be asked to enter information that will be incorporated
+        into your certificate request.
+        What you are about to enter is what is called a Distinguished Name or a DN.
+        There are quite a few fields but you can leave some blank
+        For some fields there will be a default value,
+        If you enter '.', the field will be left blank.
+        -----
+        Country Name (2 letter code) [AU]:PT
+        State or Province Name (full name) [Some-State]:Porto
+        Locality Name (eg, city) []:
+        Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+        Organizational Unit Name (eg, section) []:
+        Common Name (e.g. server FQDN or YOUR name) []:c13.nark.biz.tm
+        Email Address []:
+
+        Please enter the following 'extra' attributes
+        to be sent with your certificate request
+        A challenge password []:
+        An optional company name []:
+        $
+        </pre>
+
+        <p>Sign SSL cetificate;</p>
+
+        <pre>
+        $ sudo openssl x509 -req -days 365 -in /etc/ssl/certs/nginx.csr -signkey /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.crt
+        Signature ok
+        subject=/C=PT/ST=Porto/O=Internet Widgits Pty Ltd/CN=c13.nark.biz.tm
+        Getting Private key
+        Enter pass phrase for /etc/ssl/keys/nginx.key:
+        $
+        </pre>
+
+        <h3>Remove Password</h3>
+
+        <p>Having password is a good idea, but requires it every
+        time nginx is restarted. To remove;</p>
+
+        <pre>
+        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.org
+        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.org -out /etc/ssl/keys/nginx.key
+        Enter pass phrase for /etc/ssl/keys/nginx.key.org:
+        writing RSA key
+        $
+        </pre>
+
+        <h2 id="nginxconf">1.5. Nginx Configuration</h2>
+
+        <p><a href="http://wiki.nginx.org/Pitfalls">READ NGINX PITFALLS</a>,
+        for more information about optimization
+        <a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">digitalocean</a>,
+
+        <p>Number of worker_processes must be equal or less than
+        the number of available cpu cores</p>
+
+        <pre>
+        $ nproc
+        2
+        </pre>
+
+        <p>Number of worker_connections must be equal or less than
+        the number file-size writing limit, you can get it by;</p>
+
+        <pre>
+        $ nlimit -n
+        1024
+        </pre>
+
+        <p>Example of http block with ssl configured;</p>
+
+        <pre>
+        #
+        # /etc/nginx/nginx.conf
+        #
+
+        user www;
+        worker_processes  2;
+
+        error_log  /var/log/nginx/error.log  info;
+
+        events {
+            worker_connections  1024;
+        }
+
+        http {
+
+            include             /etc/nginx/mime.types;
+            default_type	application/octet-stream;
+
+            sendfile        on;
+            #tcp_nopush     on;
+
+            #keepalive_timeout 620;
+            keepalive_timeout  65;
+            client_body_timeout 12;
+            client_header_timeout 12;
+            # send_timeout 620;
+            send_timeout 65;
+
+            ##
+            # SSL Settings
+            ##
+            ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+            ssl_prefer_server_ciphers on;
+
+            # ssl on;
+            ssl_certificate /etc/ssl/certs/nginx.crt;
+            ssl_certificate_key /etc/ssl/keys/nginx.key;
+
+            ##
+            # Logging Settings
+            ##
+            #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+            #                  '$status $body_bytes_sent "$http_referer" '
+            #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+            access_log		/var/log/nginx/access.log  combined;
+            error_log		/var/log/nginx/error.log;
+
+            ##
+            # Gzip Settings
+            ##
+
+            gzip on;
+            gzip_disable "msie6";
+
+            gzip_vary on;
+            gzip_proxied any;
+            gzip_comp_level 9;
+            # gzip_buffers 16 8k;
+            # gzip_http_version 1.1;
+            gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+
+            ##
+            # Virtual Host Configs
+            ##
+            server {
+                listen         80 default_server;
+                server_name _;
+                return         301 https://$host$request_uri;
+            }
+
+            include /etc/nginx/conf.d/*.conf;
+            include /etc/nginx/sites-enabled/*.conf;
+        }
+        # End of file        </pre>
+
+
+        <h2 id="server">1.6. Laravel Server</h2>
+
+        check <a href "../conf/etc/nginx/">configuration directory</a>
+        for more examples. Install php and composer that is required
+        by Laravel;</p>
+
+        <h3>1.6.1. Setup PHP</h3>
+
+        <pre>
+        $ prt-get depinst php php-fpm php-gd php-pdo-pgsql composer
+        </pre>
+
+        <p>Setup php ini in development mode;<p/>
+
+        <pre>
+        $ sudo cp /etc/php/php.ini-development php.ini
+        $ php --ini
+        Configuration File (php.ini) Path: /etc/php
+        Loaded Configuration File:         /etc/php/php.ini
+        Scan for additional .ini files in: /etc/php/conf.d
+        Additional .ini files parsed:      /etc/php/conf.d/extensions.ini,
+        /etc/php/conf.d/pdo_pgsql.ini
+
+        $
+        </pre>
+
+        <h3>1.6.2. Setup Virtual Host</h3>
+
+        <p>Server (virtual host) with Laravel,
+                /etc/nginx/sites/<a href="../conf/etc/nginx/sites/laravel.conf">laravel.conf</a>;</p>
+
+        <pre>
+        server {
+            listen 443 ssl;
+            listen [::]:443 ssl;
+
+            root /srv/www/atom/public;
+            server_name c13.nark.biz.tm;
+            index index.html index.htm index.php;
+
+            charset utf-8;
+
+            location / {
+                try_files $uri $uri/ /index.php$is_args$args;
+            }
+
+            location = /favicon.ico { access_log off; log_not_found off; }
+            location = /robots.txt  { access_log off; log_not_found off; }
+
+            access_log off;
+            error_log  /var/log/nginx/c13-nark-biz-tm-error.log error;
+
+            sendfile off;
+
+            client_max_body_size 100m;
+
+            location ~ \.php$ {
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_pass 127.0.0.1:9000;
+                fastcgi_index index.php;
+                include fastcgi_params;
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                fastcgi_intercept_errors off;
+                fastcgi_buffer_size 16k;
+                fastcgi_buffers 4 16k;
+            }
+
+            location ~ /\.ht {
+                deny all;
+            }
+        }
+        </pre>
+
+        <a href="index.html">Tools Index</a>
+
+        <p>This is part of the c9-doc Manual.
+        Copyright (C) 2016
+        Silvino Silva.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+    </body>
+</html>
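Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line in the nginx.conf example still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996); readers will copy this, so I would publish `ssl_protocols TLSv1.2;` and add `TLSv1.3` where the nginx and OpenSSL builds support it. In the Laravel vhost, `location ~ \.php$` passes every URI ending in `.php` to php-fpm without confirming the script exists on disk; adding `try_files $uri =404;` at the top of that block closes this, and the Pitfalls page the document links covers it. The "Remove Password" step leaves both `nginx.key.org` and the now-unencrypted `nginx.key` with whatever permissions `cp` and `openssl` gave them, so it should be followed by `chmod 600 /etc/ssl/keys/nginx.key` and by deleting or locking down the `.org` copy. The sentence in 1.3 is inverted relative to the commands under it (directories need 755, files 644), and `autoindex on` in the UserDir example publishes directory listings for every user's `public_html`, which deserves a caveat. Smaller things that make the steps fail as written: `mkdir /etc/nginx/sites-enable` does not match the `sites-enabled` include, `nlimit -n` should be `ulimit -n`, `sudo cd` has no effect, and `<a href "../conf/etc/nginx/">` is missing its `=`.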