# Lab 9: NGINX and NTP
- Roman Soldatov B19-SD-01
- r.soldatov@innopolis.university

## Questions to answer

### 1. Configure static web page and generate ssl certificate

- Create a directory for the website domain and configure permissions
    - `sudo mkdir -p /var/www/roman_domain.com/html`
    - `sudo chown -R $USER:$USER /var/www/roman_domain.com`
    - `sudo chmod -R 755 /var/www/roman_domain.com`

    ![](https://i.imgur.com/zwHlRz0.png)

- Configure static web page
    - `sudo nano /var/www/roman_domain.com/html/index.html`
    - ```html
      <html>
          <head>
              <title>Welcome to roman_domain.com!</title>
          </head>
          <body>
              <h1>Roman greets you. Great work!</h1>
          </body>
      </html>
      ```

    ![](https://i.imgur.com/jWrRQQJ.png)
    ![](https://i.imgur.com/NMfuFT2.png)

- Generate an ssl certificate with the domain name `www.roman_domain.com`, valid for 365 days. The keys will be stored in the `/etc/nginx/ssl` directory.
    - `sudo mkdir /etc/nginx/ssl`
    - `sudo chmod 700 /etc/nginx/ssl`
    - `sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/www.roman_domain.com.key -out /etc/nginx/ssl/www.roman_domain.com.crt`

    ![](https://i.imgur.com/tYFdc4h.png)

- Configure the ssl certificate in the web server
    - `sudo nano /etc/nginx/sites-available/roman_domain.com`
    - Nginx Server Block Configuration
    ```
    server {
        listen 80;
        server_name roman_domain.com www.roman_domain.com;
        return 301 https://roman_domain.com$request_uri;
    }

    server {
        listen 443 ssl;
        server_name roman_domain.com www.roman_domain.com;

        ssl_certificate /etc/nginx/ssl/www.roman_domain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.roman_domain.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;

        root /var/www/roman_domain.com/html;
        index index.html index.htm;

        location / {
            try_files $uri $uri/ =404;
        }
    }
    ```
    > - Redirect from http to https:
    ```
    server {
        listen 80;
        server_name roman_domain.com www.roman_domain.com;
        return 301 https://roman_domain.com$request_uri;
    }
    ```
    > - Configuration of SSL
    ```
    ssl_certificate /etc/nginx/ssl/www.roman_domain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.roman_domain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ```

    ![](https://i.imgur.com/bGA89UU.png)
    ![](https://i.imgur.com/UGCIdWe.png)

- Create a symbolic link so that Nginx reads the site on startup. Because it is a link, the file in `sites-enabled` changes automatically whenever we modify the `sites-available/roman_domain.com` file: `sudo ln -s /etc/nginx/sites-available/roman_domain.com /etc/nginx/sites-enabled`
- Restart the Nginx service and test the configuration
    - `sudo systemctl restart nginx`
    - `sudo nginx -t`

    ![](https://i.imgur.com/cPKnJXE.png)

- Modify the hosts file
    - Check the IP: `hostname -i`
    - `sudo nano /etc/hosts`
    - Set an IP for `roman_domain`
    ```
    127.0.0.1 localhost
    10.0.2.15 roman_domain.com www.roman_domain.com
    ```

    ![](https://i.imgur.com/FEmaANv.png)
    ![](https://i.imgur.com/ufztJhc.png)

- Firefox now sees our self-signed certificate. The website opens over an **https** connection, and if we enter **http** it redirects us to **https**. To disable the warning about the untrusted self-signed certificate, we can add the certificate to the trusted root CA store.

    ![](https://i.imgur.com/FeKmCJ5.png)
    ![](https://i.imgur.com/uIH01Go.png)
    ![](https://i.imgur.com/91wEppv.png)
    ![](https://i.imgur.com/4alLPow.png)

### 2. On the webserver, configure a maximum file upload/download of 1GB to the site.

- Configure the `nginx.conf` file: `sudo nano /etc/nginx/nginx.conf`
- Add the file size limit `client_max_body_size 1024M;` in the **http block**.

    ![](https://i.imgur.com/56gz3En.png)
    ![](https://i.imgur.com/E2uaRTZ.png)

- Apply the changes: `sudo systemctl restart nginx`

### 3. Configure your machine synchronization with any NTP server which is located in the United Kingdom.
- Check the NTP servers in the United Kingdom [on this website](https://www.pool.ntp.org/zone/uk)

    ![](https://i.imgur.com/qznnwX8.png)

- Configure the `ntp.conf` file: `sudo nano /etc/ntp.conf`
- Insert a pool zone to find the closest available server
    ```
    server 0.uk.pool.ntp.org iburst
    server 1.uk.pool.ntp.org iburst
    server 2.uk.pool.ntp.org iburst
    server 3.uk.pool.ntp.org iburst
    ```
    > Add the `iburst` option to speed up the NTP time sync slightly

    ![](https://i.imgur.com/4uQPjHB.png)
    ![](https://i.imgur.com/PY9Hz49.png)

- Check the synchronization status: `ntpq -p`

    ![](https://i.imgur.com/ATLUzpS.png)
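
Returning to the `ssl_protocols` line in the server block from section 1: it enables TLS 1.0 and TLS 1.1, which RFC 8996 deprecates. The script below is an added example, not part of the original lab; it audits a server block for such protocol versions. The function names `deprecated_tls_protocols` and `audit_tls_config` are this example's own, and both sample configurations are constructed (the first from the lab's SSL lines).

```shell
# Added example (not from the lab): flag SSLv2/SSLv3 and TLS 1.0/1.1
# in nginx ssl_protocols directives. Function names are hypothetical.

# List deprecated protocols named in the config file $1, one per line.
deprecated_tls_protocols() {
    awk '
    {
        sub(/#.*/, "")                              # ignore comments
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok == "ssl_protocols") { inside = 1; continue }
            if (!inside) continue
            if (tok ~ /;$/) { inside = 0; sub(/;$/, "", tok) }  # directive ends
            if (tok ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print tok
        }
    }' "$1"
}

# Return 0 when the file is clean, 1 when a deprecated protocol is enabled.
audit_tls_config() {
    found=$(deprecated_tls_protocols "$1" | sort -u | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "WEAK $1: deprecated protocols enabled: $found"
        return 1
    fi
    echo "OK   $1: no deprecated protocols"
}

# Constructed sample inputs: the lab's SSL lines and a restricted variant.
LAB_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
cat > "$LAB_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name roman_domain.com www.roman_domain.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF
cat > "$FIXED_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1.3 needs nginx 1.13.0+ and OpenSSL 1.1.1+
}
EOF

audit_tls_config "$LAB_CONF" || true
audit_tls_config "$FIXED_CONF"
```

On the lab machine the same function can be pointed at `/etc/nginx/sites-available/roman_domain.com`.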