Wissen

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Sie befinden sich hier: Start » nginx
Zuletzt angesehen: linux_netzwerkkonfiguration mysql_tuning home-server mysql-dump microsoft_office mysql_-_load_data_infile internet-browser winget
nginx

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen RevisionVorhergehende Überarbeitung
Nächste Überarbeitung		Vorhergehende Überarbeitung
nginx [2023-09-05 15:54:17] – [SSL/TLS] davidnginx [2024-07-27 22:34:48] (aktuell) – [SSL/TLS] david
Zeile 1: Zeile 1:
 +====== NGINX ======
 +
 +  * Neues: [[https://www.heise.de/news/Webserver-nginx-Fork-kommt-nach-Knatsch-zwischen-Kernentwickler-und-F5-9628847.html|Fork des Webservers nginx: Open Source statt Unternehmenswillkür]] - //2024-02-15//
 +  * [[http://nginx.org/|NGINX]] - freie Version
 +  * [[http://nginx.com/products/content-caching-nginx-plus/|NGINX Plus]] - kommerzielle Version
 +
 +  * [[https://www.howtoforge.com/serving-cgi-scripts-with-nginx-on-debian-squeeze-ubuntu-11.04-p3]]
 +
 +
 +===== Basic Authentication =====
 +
 +  * [[https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/]]
 +
 +
 +===== Konfiguration auf FreeBSD =====
 +
 +  > cd /usr/ports/www/nginx/ && make clean && make install
 +  > cd /usr/ports/www/fcgi/ && make clean && make install
 +  > cd /usr/ports/www/fcgiwrap/ && make clean && make install
 +
 +<code txt /etc/rc.conf>
 +...
 +nginx_enable=YES
 +php_fpm_enable=YES                      # für PHP
 +fcgiwrap_enable="YES"                   # für CGI (bash)
 +fcgiwrap_user="www"
 +fcgiwrap_socket="unix:/var/run/fcgiwrap.socket"
 +fcgiwrap_socket_owner="www"
 +fcgiwrap_socket_mode="0770"
 +</code>
 +
 +  > /usr/local/etc/rc.d/nginx restart
 +  > /usr/local/etc/rc.d/php-fpm restart
 +  > /usr/local/etc/rc.d/fcgiwrap restart
 +
 +
 +===== Konfigurationsdatei (FreeBSD) =====
 +<code nginx /home/etc/nginx/conf.d/server.conf>
 +# Redirect all HTTP traffic to HTTPS
 +server {
 +    listen 80 default_server;
 +    listen [::]:80 default_server;
 +
 +    location / {
 +        return 301 https://$host$request_uri;
 +    }
 +}
 +
 +# Default server
 +server {
 +    listen 443 ssl http2 default_server;
 +    listen [::]:443 ssl http2 default_server;
 + 
 +    ssl_certificate         /usr/local/etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
 +    ssl_certificate_key     /usr/local/etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;
 + 
 +    location / {
 +        return 404;
 +    }
 +}
 +
 +server {
 +    listen 443 ssl http2;
 +    listen [::]:443 ssl http2;
 +
 +    # Server Whitelist for SNI Header (Server Name Indication)
 +    server_name EXAMPLE.COM *.TESTSERVER.COM 10.0.0.100;
 +
 +    ssl_certificate         /usr/local/etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
 +    ssl_certificate_key     /usr/local/etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;
 +
 +    # verify chain of trust of OCSP response using Root CA and Intermediate certs
 +    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/EXAMPLE.COM/chain.pem;
 +
 +    # OCSP stapling
 +    ssl_stapling on;
 +    ssl_stapling_verify on;
 +
 +    # Improve HTTPS performance with session resumption
 +    ssl_session_timeout 1d;
 +    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
 +    ssl_session_tickets off;
 +
 +    # only TLS 1.3 ciphers -> 100% ssllabs (cipher strength)
 +    ssl_protocols TLSv1.3;
 +    ssl_prefer_server_ciphers on;
 +
 +    # curves which are equivalent of >=4096 rsa (only secp521r1 and secp384r1) -> 100% ssllabs (kex/key exchange)
 +    ssl_ecdh_curve secp521r1:secp384r1;
 +
 +    # HSTS (ngx_http_headers_module is required)
 +    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # 1 year = 31536000 seconds
 +
 +    # replace with the IP address of your resolver
 +    #resolver 127.0.0.1;
 +    #resolver [2606:4700:4700::1111] 1.1.1.1 [2606:4700:4700::1001] 1.0.0.1;
 +    resolver 192.168.1.4 [2606:4700:4700::1111] 1.1.1.1;
 +
 +    root /home/http;
 +
 +    index index.html index.php doku.php;
 +
 +    client_max_body_size 15M;
 +    client_body_buffer_size 128K;
 +
 +    location /
 +    {
 +        try_files $uri $uri/ @dokuwiki;
 +    }
 +
 +    location ^~ /conf/
 +    {
 +        return 403;
 +    }
 +
 +    location ^~ /data/
 +    {
 +        return 403;
 +    }
 +
 +    location ~ /\.ht
 +    {
 +        deny all;
 +    }
 +
 +    location @dokuwiki
 +    {
 +        rewrite ^/_media/(.*)           /lib/exe/fetch.php?media=$1     last;
 +        rewrite ^/_detail/(.*)          /lib/exe/detail.php?media=$1    last;
 +        rewrite ^/_export/([^/]+)/(.*)  /doku.php?do=export_$1&id=$2    last;
 +        rewrite ^/(.*)                  /doku.php?id=$1                 last;
 +    }
 +
 +    location ~ \.php$
 +    {
 +        include fastcgi_params;
 +        fastcgi_pass 127.0.0.1:9000;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +    }
 +
 +    location /cgi-bin/
 +    {
 +        include fcgiwrap_params;
 +        fastcgi_pass unix:/var/run/fcgiwrap.socket;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +    }
 +
 +    location ~ /cgi-bin/foto\.cgi$
 +    {
 +        auth_basic              "Multimedia";
 +        auth_basic_user_file    /home/etc/httpd/.htpwd_multimedia;
 +
 +        include fcgiwrap_params;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
 +    }
 +    
 +    location /daten/mm/oeffentlich/
 +    {
 +        auth_basic              "Multimedia";
 +        auth_basic_user_file    /home/etc/httpd/.htpwd_multimedia;
 +
 +        autoindex on;
 +    }
 +
 +    location /foto/
 +    {
 +        auth_basic              "Multimedia";
 +        auth_basic_user_file    /home/etc/httpd/.htpwd_multimedia;
 +    }
 +
 +    location ~* ^(\/_matrix|\/_synapse\/client) {
 +        proxy_pass http://localhost:8008;
 +        proxy_set_header X-Forwarded-For $remote_addr;
 +        proxy_set_header X-Forwarded-Proto $scheme;
 +        proxy_set_header Host $host;
 +
 +        # Nginx by default only allows file uploads up to 1M in size
 +        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
 +        client_max_body_size 50M;
 +    }
 +}
 +
 +</code>
 +
 +
 +===== Beispielkonfiguration (Ubuntu) =====
 +
 +Unterstützt PHP, CGI und Webapps hinter einem Reverse Proxy (z.B. NodeJS und ASP.NET Core)
 +
 +<code nginx /etc/nginx/conf.d/server.conf>
 +# Redirect all HTTP traffic to HTTPS
 +server {
 +    listen 80 default_server;
 +    listen [::]:80 default_server;
 +
 +    location / {
 +        return 301 https://$host$request_uri;
 +    }
 +}
 +
 +# Default server
 +server {
 +    listen 443 ssl http2 default_server;
 +    listen [::]:443 ssl http2 default_server;
 +
 +    include snippets/ssl.conf;
 +
 +    location / {
 +        return 404;
 +    }
 +}
 +
 +server {
 +    listen 443 ssl http2;
 +    listen [::]:443 ssl http2;
 +
 +    include snippets/ssl.conf;
 +
 +    # Server Whitelist for SNI Header (Server Name Indication)
 +    server_name EXAMPLE.COM *.TESTSERVER.COM 10.0.0.100;
 +
 +    root /var/www;
 +
 +    index index.html index.php;
 +
 +    # replace with the IP address of your resolver
 +    #resolver 127.0.0.1;
 +    resolver [2606:4700:4700::1111] 1.1.1.1 [2606:4700:4700::1001] 1.0.0.1;
 +
 +    # redirect to custom 404 error page on 403 or 404
 +    error_page 403 =404 /404.html;
 +    error_page 404 =404 /404.html;
 +
 +    client_max_body_size 15M;
 +    client_body_buffer_size 128K;
 +
 +    location /
 +    {
 +        autoindex off;
 +        try_files $uri $uri/ =404;
 +    }
 +
 +    location ~ /\.ht
 +    {
 +        deny all;
 +    }
 +
 +    location ^~ /data/
 +    {
 +        autoindex on;
 +        auth_basic "Please enter your login information";
 +        auth_basic_user_file /etc/nginx/.htpasswd;
 +    }
 +
 +    # CGI
 +    location ^~ /cgi-bin/
 +    {
 +        include fastcgi_params;
 +
 +        fastcgi_pass unix:/var/run/fcgiwrap.socket;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +    }
 +
 +    # PHP
 +    location ~ \.php$
 +    {
 +        include snippets/fastcgi-php.conf;
 +        include fastcgi_params;
 +
 +        fastcgi_pass unix:/var/run/php/php-fpm.sock;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +    }
 +
 +    # NodeJS
 +    location ^~ /helloworld-nodejs
 +    {
 +        include snippets/webapp-proxy.conf;
 +        proxy_pass http://localhost:8001/;
 +    }
 +
 +    # ASP.NET Core
 +    location ^~ /helloworld-aspnet
 +    {
 +        include snippets/webapp-proxy.conf;
 +        proxy_pass http://localhost:8002/;
 +    }
 +}
 +
 +</code>
 +
 +
 +===== Konfiguration mit Snippets (Ubuntu) =====
 +
 +<code nginx /etc/nginx/nginx.conf>
 +user www-data;
 +worker_processes auto;
 +pid /run/nginx.pid;
 +include /etc/nginx/modules-enabled/*.conf;
 +
 +events {
 +    worker_connections 768;
 +    # multi_accept on;
 +}
 +
 +http {
 +    map $http_upgrade $connection_upgrade {
 +        default upgrade;
 +        ''      close;
 +    }
 +
 +    include mime.types;
 +    default_type application/octet-stream;
 +
 +    include snippets/ssl.conf;
 +    http2 on;
 +    http3 on;
 +
 +    client_body_buffer_size 128K;
 +    client_max_body_size 128M;
 +    fastcgi_hide_header X-Powered-By;
 +    gzip on;
 +    index index.html;
 +    proxy_hide_header X-Powered-By;
 +    resolver [2606:4700:4700::1111] 1.1.1.1 [2606:4700:4700::1001] 1.0.0.1;
 +    sendfile on;
 +    server_tokens off;
 +    tcp_nopush on;
 +    types_hash_max_size 2048;
 +
 +    ##
 +    # Basic Settings
 +    ##
 +
 +    #types_hash_max_size 2048;
 +    #server_tokens off;
 +
 +    # server_names_hash_bucket_size 64;
 +    # server_name_in_redirect off;
 +
 +    #include mime.types;
 +    #default_type application/octet-stream;
 +
 +    ##
 +    # SSL Settings
 +    ##
 +
 +    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
 +    #ssl_protocols TLSv1.3 TLSv1.2;
 +    #ssl_prefer_server_ciphers on;
 +
 +    ##
 +    # Logging Settings
 +    ##
 +
 +    access_log /var/log/nginx/access.log;
 +    error_log /var/log/nginx/error.log;
 +
 +    ##
 +    # Gzip Settings
 +    ##
 +
 +    #gzip on;
 +
 +    # gzip_vary on;
 +    # gzip_proxied any;
 +    # gzip_comp_level 6;
 +    # gzip_buffers 16 8k;
 +    # gzip_http_version 1.1;
 +    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 +
 +    ##
 +    # Virtual Host Configs
 +    ##
 +
 +    include /etc/nginx/conf.d/*.conf;
 +    include /etc/nginx/sites-enabled/*;
 +}
 +</code>
 +
 +<code nginx /etc/nginx/conf.d/default.conf>
 +server {
 +    listen 80 default_server;
 +    listen [::]:80 default_server;
 +
 +    include snippets/header.conf;
 +
 +    location / {
 +        return 308 https://$host$request_uri;
 +    }
 +}
 +
 +server {
 +    listen 443 quic default_server;
 +    listen [::]:443 quic default_server;
 +    listen 443 ssl default_server;
 +    listen [::]:443 ssl default_server;
 +
 +    include snippets/header.conf;
 +    include snippets/header-policy.conf;
 +
 +    location / {
 +        return 404;
 +    }
 +}
 +
 +</code>
 +
 +<code nginx /etc/nginx/conf.d/www.conf>
 +server {
 +    listen 443 quic;
 +    listen [::]:443 quic;
 +    listen 443 ssl;
 +    listen [::]:443 ssl;
 +
 +    server_name ~^www.(?<domain>.+)$;
 +
 +    include snippets/header.conf;
 +    include snippets/header-policy.conf;
 +
 +    location / {
 +        return 308 https://$domain$request_uri;
 +    }
 +}
 +
 +</code>
 +
 +<code nginx /etc/nginx/conf.d/EXAMPLE.COM.conf>
 +server {
 +    listen 443 quic;
 +    listen [::]:443 quic;
 +    listen 443 ssl;
 +    listen [::]:443 ssl;
 +
 +    # Server Whitelist for SNI Header (Server Name Indication)
 +    server_name EXAMPLE.COM;
 +    root /data/www/EXAMPLE.COM;
 +
 +    include snippets/header.conf;
 +    include snippets/header-policy.conf;
 +    include snippets/fastcgi.conf;
 +
 +    location / {
 +        try_files $uri $uri/ =404;
 +    }
 +
 +    location /data/ {
 +        auth_basic "Please enter your login information";
 +        auth_basic_user_file /etc/nginx/.htpasswd;
 +
 +        autoindex on;
 +    }
 +}
 +
 +</code>
 +
 +
 +==== Snippets ====
 +
 +=== SSL/TLS ===
 +
 +siehe [[letsencrypt#mit_hook|letsencrypt (mit hook)]]
 +
 +<code nginx /etc/nginx/snippets/ssl.conf>
 +# ssl certificate and private key
 +# ECDSA
 +ssl_certificate         /etc/letsencrypt/live/ecdsa-EXAMPLE.COM/fullchain.pem;
 +ssl_certificate_key     /etc/letsencrypt/live/ecdsa-EXAMPLE.COM/privkey.pem;
 +
 +# RSA
 +ssl_certificate         /etc/letsencrypt/live/rsa-EXAMPLE.COM/fullchain.pem;
 +ssl_certificate_key     /etc/letsencrypt/live/rsa-EXAMPLE.COM/privkey.pem;
 +
 +# SSL Labs (Cipher Strength): min. AES-256 equivalent for 100% grade (TLS 1.3 requires a AES-128 cipher tho)
 +ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 +ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
 +#ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
 +ssl_conf_command Options ServerPreference,PrioritizeChaCha;
 +
 +# curl -so /etc/ssl/ffdhe4096.pem https://ssl-config.mozilla.org/ffdhe4096.txt
 +# ln -s /etc/ssl/ffdhe4096.pem /etc/nginx/dhparam.pem
 +ssl_dhparam dhparam.pem;
 +
 +# SSL Labs (Key Exchange): min RSA 4096 equivalent curves for 100% grade (x25519 is only equivalent to RSA 3072)
 +ssl_ecdh_curve X448:X25519:secp521r1:secp384r1;
 +#ssl_ecdh_curve X448:secp521r1:secp384r1;
 +
 +ssl_prefer_server_ciphers on;
 +ssl_protocols TLSv1.3 TLSv1.2;
 +
 +# improve HTTPS performance with session resumption
 +ssl_session_timeout 1d;
 +ssl_session_cache shared:SSL:10m;  # about 40000 sessions
 +ssl_session_tickets off;
 +
 +# OCSP stapling
 +ssl_stapling on;
 +ssl_stapling_verify on;
 +
 +# verify chain of trust of OCSP response using root ca and intermediate certs
 +# combine to one file as this directive can only be specified once
 +# cat /etc/letsencrypt/live/*/chain.pem > /etc/letsencrypt/live/chain.pem
 +ssl_trusted_certificate /etc/letsencrypt/live/chain.pem;
 +
 +</code>
 +
 +
 +=== HTTP Header ===
 +
 +  * [[https://developer.mozilla.org/docs/Web/HTTP/Headers|HTTP Header]]
 +  * [[https://developer.mozilla.org/docs/Web/HTTP/Headers/Strict-Transport-Security|HTTP Strict Transport Security (HSTS)]]
 +  * [[https://developer.mozilla.org/docs/Web/HTTP/Headers/Alt-Svc|Alternative Service (Alt-Svc)]]
 +
 +<code nginx /etc/nginx/snippets/header.conf>
 +# HSTS
 +# 1 year = 31536000 seconds
 +#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
 +# HSTS preloading (see https://hstspreload.org)
 +add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
 +
 +# HTTP/2 & HTTP/3
 +# 1 day = 86400 seconds
 +add_header Alt-Svc 'h3=":443"; ma=86400, h2=":443"; ma=86400';
 +
 +add_header Referrer-Policy 'no-referrer' always;
 +
 +add_header X-Content-Type-Options 'nosniff' always;
 +add_header X-XSS-Protection '1; mode=block' always;
 +
 +</code>
 +
 +
 +=== HTTP Header (Policy) ===
 +
 +  * [[https://developer.mozilla.org/docs/Web/HTTP/Headers|HTTP Header]]
 +  * [[https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/|Content Security Policy (CSP)]]
 +    * [[https://csp-evaluator.withgoogle.com/]]
 +  * [[https://developer.mozilla.org/docs/Web/HTTP/Headers/Permissions-Policy|Permissions Policy]]
 +
 +<code nginx /etc/nginx/snippets/header-policy.conf>
 +add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; style-src 'self' https:; script-src 'self'; img-src 'self' https: data:; font-src 'self' https:; upgrade-insecure-requests" always;
 +
 +add_header Permissions-Policy "camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=(), web-share=()" always;
 +</code>
 +
 +
 +=== PHP & CGI Location-Blöcke ===
 +
 +<code nginx /etc/nginx/snippets/fastcgi.conf>
 +# FastCGI
 +
 +# these two lines
 +#include fastcgi_params;
 +#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +# can also be replaced by 
 +#include snippets/fastcgi-php.conf
 +# if it exists
 +
 +# CGI
 +location ~ /cgi-bin/.+\.cgi$
 +{
 +    if (!-f $request_filename) { return 404; }
 +    include fastcgi_params;
 +    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +    fastcgi_param HTTPS $https;
 +    fastcgi_pass unix:/var/run/fcgiwrap.socket;
 +}
 +
 +# PHP
 +location ~ \.php$
 +{
 +    if (!-f $request_filename) { return 404; }
 +    include fastcgi_params;
 +    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +    fastcgi_param HTTPS $https;
 +    fastcgi_pass unix:/var/run/php/php-fpm.sock;
 +}
 +</code>
 +
 +
 +=== Reverse Proxy Header für Webapplikationen ===
 +
 +<code nginx /etc/nginx/snippets/proxy-headers.conf>
 +# Proxy Headers for web apps
 +proxy_http_version 1.1;
 +proxy_set_header Connection 'upgrade';
 +proxy_set_header Connection keep-alive;
 +proxy_set_header Upgrade $http_upgrade;
 +proxy_set_header Host $host;
 +proxy_set_header X-Real-IP $remote_addr;
 +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +proxy_set_header X-Forwarded-Proto $scheme;
 +proxy_cache_bypass $http_upgrade;
 +</code>
 +
 +
 +=== WebM MIME-Types für Matroska Dateien ===
 +
 +  * WebM MIME types for Matroska files
 +
 +<code nginx /etc/nginx/snippets/webm-mkv.conf>
 +location ~ \.mkv$ {
 +    types {
 +        video/webm mkv;
 +        audio/webm mka;
 +        text/vtt mks;
 +    }
 +}
 +</code>
 +