Tools Index

Nginx

1. Install Nginx

        $  prt-get depinst nginx
        

Allow minimal privileges via mount options, view /etc/fstab;

        UID=xxxxx-xxx-xxx-xxx-xxxxxxxx  /srv/www                ext4 defaults,nosuid,noexec,nodev,noatime       1 2
        

Add user nginx to www group;

        # usermod -a -G www nginx
        

Change default home directory of nginx user;

        # usermod -m -d /srv/www nginx
        

Create configuration directory's for better organization;

        $ sudo mkdir /etc/nginx/conf.d
        $ sudo mkdir /etc/nginx/sites-enable
        $ sudo mkdir /etc/nginx/sites
        

2. Certificates

2.1. Lets encrypt

Example of nginx location block on public pmwiki setup;

        #ACME challenge
        location ^~ /.well-known {
              allow all;
              alias /srv/www/c9-pmwiki/pub/cert/.well-known/;
              default_type "text/plain";
              try_files $uri =404;
        }
        

First run dryrun to test if everything is ok;

        # certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d example.sub.domain
        
        # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d example.sub.domain
        

2.2. Self certificate

Certificates allow a more secure connection. Lets create self-signed certificate;

Create private key;

        $ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
        Password:
        Generating RSA private key, 2048 bit long modulus
        ..............................+++
        ............+++
        e is 65537 (0x10001)
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
        

Create ceritificate signing request. For "Common Name" provide domain name or ip address, leave challange password and optional company name blank;

        $ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
        Enter pass phrase for /etc/ssl/keys/nginx.key:
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:PT
        State or Province Name (full name) [Some-State]:
        Locality Name (eg, city) []:
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:
        Organizational Unit Name (eg, section) []:
        Common Name (e.g. server FQDN or YOUR name) []:core.privat-network.net
        Email Address []:

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:
        $
        

Having password is a good idea, but requires it every time nginx is restarted. To remove;

        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
        
        Enter pass phrase for /etc/ssl/keys/nginx.key.pass:
        writing RSA key
        
        $ sudo chown nginx /etc/ssl/keys/nginx.key*
        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
	# chmod 644 /etc/ssl/certs/exim.cert
        

Sign SSL cetificate;

        $ sudo openssl x509 -req -days 365 \
            -in /etc/ssl/certs/nginx.csr \
            -signkey /etc/ssl/keys/nginx.key \
            -out /etc/ssl/certs/nginx.crt
        
Signature ok subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=core.privat-network.net Getting Private key Enter pass phrase for /etc/ssl/keys/nginx.key:
        $ sudo chown nginx:nginx /etc/ssl/keys/nginx.key*
        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
	$ sudo chmod 644 /etc/ssl/certs/nginx.crt
        

3. Nginx Configuration

Read nginx pitfalls, for more information about optimization digitalocean,

Number of worker_processes must be equal or less than the number of available cpu cores. This is set to auto.

        $ nproc
        2
        

Number of worker_connections must be equal or less than the number file-size writing limit, you can get it by;

        $ nlimit -n
        1024
        

Edit ngnix configutarion;

        #
        # /etc/nginx/nginx.conf - nginx server configuration
        #


        user www;
        worker_processes auto;

        error_log /var/log/nginx/error.log;

        pid /var/run/nginx.pid;


        events {
            worker_connections  1024;
        }

        http {
            include       mime.types;
            default_type  application/octet-stream;

            #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
            #                  '$status $body_bytes_sent "$http_referer" '
            #                  '"$http_user_agent" "$http_x_forwarded_for"';

            sendfile        on;
            #tcp_nopush     on;

            # Allow attach iso to wiki
            #client_max_body_size 8M;
            client_max_body_size 30M;
            #keepalive_timeout  65;
            keepalive_timeout  120;
            #client_body_timeout 12;
            client_body_timeout 24;
            #client_header_timeout 12;
            client_header_timeout 24;

            #client_max_body_size 10000M;
            #keepalive_timeout  10000;
            #client_body_timeout 10000;
            #client_header_timeout 10000;
            send_timeout 65;


            gzip  on;
            gzip_vary on;
            #gzip_proxied any;
            gzip_comp_level 9;
            # gzip_buffers 16 8k;
            # gzip_http_version 1.1;
            gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;


            include /etc/nginx/conf.d/*.conf;
            include /etc/nginx/sites-enabled/*.conf;

        }
        # End of file
        

4. Server with PHP

To debug configurations check logs and;

        nginx -V
        

4.1. Setup PHP

Install php and setup php.ini as development mode;

        $ sudo prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
        

Setup php ini in development mode;

        $ sudo cp /etc/php/php.ini-development /etc/php/php.ini
        
        $ php --ini
        Configuration File (php.ini) Path: /etc/php
        Loaded Configuration File:         /etc/php/php.ini
        Scan for additional .ini files in: /etc/php/conf.d
        Additional .ini files parsed:      /etc/php/conf.d/extensions.ini,
        /etc/php/conf.d/pdo_pgsql.ini
        

4.2. Setup Virtual Host

Server (virtual host) with pmwiki and flyspray, check /etc/nginx/sites for more examples. Install pmwiki and flyspray;

        $ sudo prt-get depinst pmwiki flyspray
        

This server is configured in a way that root serves pmwiki and /tasks serves flyspray. In order to flyspray to link correctly change index is needed. Create /etc/nginx/sites-enabled/example.sub.domain.conf;

        server {

            listen 443 ssl;
            listen 80;
            server_name example.sub.domain;

            #  listen [::]:443 ssl http2;
            ssl_certificate /etc/letsencrypt/live/example.sub.domain/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/example.sub.domain/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/example.sub.domain/chain.pem;

            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:50m;
            ssl_session_tickets off;
            ssl_protocols TLSv1.2;
            ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
            ssl_prefer_server_ciphers on;
            add_header Strict-Transport-Security max-age=15768000;
            ssl_stapling on;
            ssl_stapling_verify on;

            access_log /var/log/nginx/example_access.log;
            error_log  /var/log/nginx/example_error.log;

            root /srv/www/;

            location /mirror {
                #alias /usr/ports/releases;
                proxy_pass http://10.0.0.3:80/;
            }

            location /builder {
                rewrite ^/blog(.*) /$1 break;
                proxy_pass http://10.0.0.3:80;
            }

            location /doc {
                alias /srv/www/doc;
                index index.html;
            }

            location /git/static {
                # static files (png/css) served from /usr/share/gitweb/static
                alias /srv/www/gitweb/static;
            }

            location /git {
                alias /srv/www/gitweb;
                index gitweb.cgi;
                fastcgi_split_path_info      ^/git()(/?.+)$;
                fastcgi_param GITWEB_CONFIG  /etc/gitweb.conf;
                fastcgi_param DOCUMENT_ROOT  /srv/www/gitweb;
                fastcgi_param SCRIPT_NAME    /gitweb.cgi$fastcgi_path_info;

                include fastcgi_params;
                fastcgi_pass unix:/var/run/fcgiwrap.sock;
            }

            location /chat {
                index index.php;
                alias /srv/www/chat;
                try_files $uri $uri/ index.php$is_args$args;
            }

            location ~  ^/chat(.+\.php)$ { ### This location block was the solution
                alias /srv/www/chat;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                try_files $uri /index.php =404;	
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$1;
                # fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass 127.0.0.1:9000;
            }


            location /task {
                index index.php;
                alias /srv/www/flyspray;
                try_files $uri $uri/ index.php$is_args$args;
            }

            location ~  ^/task(.+\.php)$ { ### This location block was the solution
                alias /srv/www/flyspray;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                try_files $uri /index.php =404;	
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$1;
                # fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass 127.0.0.1:9000;
            }

            location /pub {
                alias /srv/www/pmwiki/pub;
            }
            location /wiki {
                alias /srv/www/pmwiki/;
                index pmwiki.php;
                try_files $uri $uri/ /pmwiki.php$is_args$args;
            }
            location ~  ^/wiki(.+\.php)$ {
                alias /srv/www/pmwiki;
                index pmwiki.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index pmwiki.php;
                try_files $uri /pmwiki.php =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass 127.0.0.1:9000;
            }

            # ACME challenge
            location ^~ /.well-known {
                allow all;
                alias /srv/www/pmwiki/pub/cert/.well-known/;
                default_type "text/plain";
                try_files $uri =404;
            }

            location / {
                alias /srv/www/frontpage/;
                index index.html;
                try_files $uri $uri/ /index.html$is_args$args;
            }

        }
        

Change /srv/www/default/flyspray/index.php to;

        <?php
        /*
           This is the main script that everything else is included
           in.  Mostly what it does is check the user permissions
           to see what they have access to.
        */
        define('IN_FS', true);
        $_SERVER['SCRIPT_NAME'] = "/bug/index.php";
        require_once(dirname(__FILE__).'/header.php');
        

5. User Directory

Nginx Wiki UserDir

         location ~ ^/~(.+?)(/.*)?$ {
            alias /home/$1/public_html$2;
            index  index.html index.htm;
            autoindex on;
         }
        

Directories should have 644 or 664 and files chmod 755 or 775;

        $ sudo find . -type f -print0 | xargs -0 chmod 644
        $ sudo find . -type d -print0 | xargs -0 chmod 755
        

6. Logs

        $ sudo grep "login" /var/log/nginx/access.log
        $ sudo grep "etc/passwd" /var/log/nginx/access.log
        $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log
        
Tools Index

This is part of the Hive System Documentation. Copyright (C) 2018 Hive Team. See the file Gnu Free Documentation License for copying conditions.