Nginx: Difference between revisions
Current revision as of 10 April 2022, 22:16
Installing Nginx
Debian / Ubuntu
sudo apt update
sudo apt install nginx -y
CentOS
sudo yum install epel-release -y
sudo yum install nginx -y
Additional commands
Start Nginx and enable it to start automatically at boot:
systemctl start nginx
systemctl enable nginx
After the configuration has been changed, nginx has to reload it:
sudo systemctl reload nginx
Ports that nginx is listening on:
netstat -plntu
Configuring the firewall
UFW Firewall
ufw allow ssh
ufw enable
ufw allow http
ufw allow https
ufw status
Firewalld
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
firewall-cmd --list-services
ssh is enabled by default.
Letsencrypt
Installation
Debian / Ubuntu
sudo apt install letsencrypt -y
cd /etc/nginx/
vim snippets/certbot.conf
Insert:
location /.well-known {
alias /var/www/html/.well-known;
}
Now edit the default Nginx virtual host file.
vim sites-available/default
Add the following configuration within the 'server {..}' blocks.
include snippets/certbot.conf;
CentOS
sudo yum install certbot -y
cd /etc/nginx/
vim default.d/certbot.conf
Insert:
location /.well-known {
alias /usr/share/nginx/html/.well-known;
}
Restart Nginx
Installing Let's Encrypt SSL certificates
Debian / Ubuntu
certbot certonly --rsa-key-size 4096 --webroot --agree-tos --no-eff-email --email mail@akluge.de -w /var/www/html -d kluge-pferde.de
CentOS
certbot certonly --rsa-key-size 4096 --webroot --agree-tos --no-eff-email --email mail@akluge.de -w /usr/share/nginx/html -d kluge-pferde.de
Once this completes, all SSL certificate files for the domain name are available in the directory '/etc/letsencrypt/live'.
Additional security
For additional security, we generate a 4096-bit DHPARAM key with the OpenSSL command shown below.
openssl dhparam -out /etc/nginx/dhparam.pem 4096
The DHPARAM key has been generated in the directory '/etc/nginx'.
SSL configuration
Debian / Ubuntu
cd /etc/nginx/
vim snippets/ssl.conf
CentOS
cd /etc/nginx/
vim default.d/ssl.conf
Insert there:
# Specify the TLS versions
# Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); use "TLSv1.2 TLSv1.3" unless legacy clients require them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Ciphersuite recommendation from chiper.li
# Use these ciphersuites to get 100 points in the SSL Labs test
# Some devices will not support them
#ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";
# Mozilla ciphersuite recommendation
# Use this to support all devices
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# Use the DHPARAM key and ECDH curve >= 256bit
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/dhparam.pem;
server_tokens off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Enable HTTP Strict-Transport-Security
# If your site has subdomains,
# be careful with the 'includeSubdomains' option: every subdomain must then serve HTTPS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Enable OCSP Stapling for the Nginx web server
# If you're using the SSL from Letsencrypt,
# use the 'chain.pem' certificate
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/kluge-pferde.de/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security headers for the Nginx web server (X-XSS-Protection is ignored by current browsers and only matters for legacy clients)
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Robots-Tag none;
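To review a snippet like the one above before deploying it, here is an added Python example (not from the wiki page) that parses flat nginx directives and flags deprecated TLS versions, HSTS mistakes and stapling without a trust chain. The sample config is constructed inline and example.invalid is a placeholder for the real domain.

```python
import re
# Constructed sample: the page's ssl.conf reduced to the directives this audit looks at
# (example.invalid stands in for the real domain).
PAGE_SNIPPET = """
# Specify the TLS versions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
ssl_stapling on;
ssl_trusted_certificate /etc/letsencrypt/live/example.invalid/chain.pem;
add_header X-Frame-Options DENY;
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}      # TLS 1.0/1.1: RFC 8996
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|;|[^\s;"\']+')  # quoted value, terminator, word

def parse_directives(text):
    """Yield (name, args) per directive with comments dropped and quoted values kept
    whole. Meant for flat snippets such as ssl.conf, not nested server/location blocks."""
    text = "\n".join(re.sub(r"#.*$", "", ln) for ln in text.splitlines())
    stmt = []
    for tok in TOKEN.findall(text):
        if tok != ";":
            stmt.append(tok)
        elif stmt:
            yield stmt[0], [t.strip("\"'") for t in stmt[1:]]
            stmt = []

def audit(text):
    """Return the findings a reviewer would raise for the snippet."""
    seen, headers, findings = {}, {}, []
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
        if name == "add_header" and len(args) >= 2:
            headers[args[0].lower()] = args[1]
    for args in seen.get("ssl_protocols", []):
        weak = sorted(DEPRECATED & set(args))
        if weak:
            findings.append("ssl_protocols enables deprecated " + ", ".join(weak))
    hsts = headers.get("strict-transport-security", "").lower()
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if "preload" in hsts and (not age or int(age.group(1)) < 31536000):
            findings.append("HSTS preload needs max-age of at least 31536000")
        if "includesubdomains" in hsts:
            findings.append("HSTS includeSubDomains: every subdomain must serve HTTPS")
    if seen.get("ssl_stapling") == [["on"]] and "ssl_trusted_certificate" not in seen:
        findings.append("ssl_stapling on without ssl_trusted_certificate")
    return findings
```

Run `audit(open("/etc/nginx/snippets/ssl.conf").read())` against the real snippet; an empty list apart from the includeSubDomains reminder means the checks above pass.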
Redirecting HTTP to HTTPS
http.conf
Create /etc/nginx/sites-available/http.conf and symlink it into the sites-enabled directory.
server {
listen 80;
server_name kluge-pferde.de www.kluge-pferde.de;
return 301 https://www.kluge-pferde.de$request_uri;
}
ssl.conf
Create /etc/nginx/sites-available/ssl.conf and symlink it into the sites-enabled directory.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/app/webroot;
index index.html index.php index.htm;
server_name kluge-pferde.de;
# access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
rewrite_log on;
ssl_certificate /etc/letsencrypt/live/kluge-pferde.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kluge-pferde.de/privkey.pem;
client_max_body_size 100M;
# SSL Configuration
include snippets/ssl.conf;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# Static files.
location ~ /.well-known {
allow all;
}
# Set expire headers, turn off access log
# Note: add_header inside a location replaces all add_header lines inherited from the server
# level, so the security headers from snippets/ssl.conf are not sent for these paths unless repeated here
location ~* /favicon\.ico$ {
access_log off;
expires 1d;
add_header Cache-Control public;
}
location ~ ^/(img|cjs|ccss)/ {
access_log off;
expires 7d;
add_header Cache-Control public;
}
# Deny access to .htaccess files,
# git & svn repositories, etc
location ~ /(\.ht|\.git|\.svn) {
deny all;
}
}
Testing the SSL configuration
https://www.ssllabs.com/ssltest/
CGI / PHP / CakePHP settings
# Not found this on disk?
# Feed to CakePHP for further processing!
if (!-e $request_filename) {
rewrite ^/(.+)$ /index.php?url=$1 last;
break;
}
# Pass the PHP scripts to FastCGI server
# listening on 127.0.0.1:9000
# location ~ \.php$ {
# fastcgi_pass unix:/tmp/php.socket;
# #fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_intercept_errors on; # to support 404s for PHP files not found
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# With php5-cgi alone:
#fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}