MY NGINX setup cheat sheet

tags: c4lab

Path

Nginx root: /etc/nginx/
Main config: /etc/nginx/nginx.conf

Add SSL

Put your certificate and private key in /certs, then add an HTTPS server block:

server {
    server_name             toolmen.bime.ntu.edu.tw;
    listen                  8080 ssl http2;
    listen                  [::]:8080 ssl http2;
    ssl_certificate         /certs/fullchain.pem;
    ssl_certificate_key     /certs/privkey.pem;
    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_ciphers             HIGH:!aNULL:!MD5;
}

If you want an A+ rating, see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html. Generate the DH parameters once:

openssl dhparam -out /certs/certsdhparam.pem 4096

and add the following inside the server block:

    # ssl_ciphers only governs TLS 1.2 and below; TLS 1.3 suites are fixed by OpenSSL
    ssl_ciphers                 "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers   on;
    ssl_dhparam                 /certs/certsdhparam.pem;
    ssl_ecdh_curve              secp521r1:secp384r1;
    # OCSP stapling needs a resolver directive so nginx can reach the CA's OCSP responder
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;
    add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
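Before loading a config like the one above, a quick lint catches the usual mistakes: a legacy version left in ssl_protocols, DHE suites listed without ssl_dhparam (nginx then silently never negotiates them), ssl_stapling without a resolver, and no HSTS header. The POSIX shell function below is an added example, not from this cheat sheet or from nginx itself; the config path is a parameter, and nginx -t still has to be run afterwards for syntax.

```bash
#!/bin/sh
# Added example: lint the ssl_* directives of an nginx config file.
# Usage: check_tls_config /etc/nginx/nginx.conf   (exit 0 = clean, 1 = findings)

check_tls_config() {
    conf="$1"
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Drop comments first so a commented-out directive is not counted as active.
    body=$(sed 's/#.*$//' "$conf")

    # 1. Legacy protocol versions must not be enabled (TLSv1 followed by a
    #    space or ';' so that TLSv1.2 / TLSv1.3 do not match).
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*ssl_protocols' \
         | grep -Eq '(SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]'; then
        echo "FINDING: legacy protocol enabled in ssl_protocols"
        findings=$((findings + 1))
    fi

    # 2. DHE/EDH suites are only used when ssl_dhparam is set; ECDHE (which
    #    also contains "DHE") does not need it, hence the [^C] guard.
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*ssl_ciphers' \
         | grep -Eq '([^C]|^)DHE|EDH' \
       && ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_dhparam'; then
        echo "FINDING: DHE/EDH ciphers listed but no ssl_dhparam (DHE suites will not be used)"
        findings=$((findings + 1))
    fi

    # 3. OCSP stapling needs a resolver to look up the CA's OCSP responder.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' \
       && ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*resolver'; then
        echo "FINDING: ssl_stapling on without a resolver directive"
        findings=$((findings + 1))
    fi

    # 4. HSTS should be sent by the HTTPS server block.
    if ! printf '%s\n' "$body" | grep -q 'Strict-Transport-Security'; then
        echo "FINDING: no Strict-Transport-Security header"
        findings=$((findings + 1))
    fi

    echo "$findings finding(s) in $conf"
    [ "$findings" -eq 0 ]
}
```

The function only understands one directive per line and does not follow include files, so point it at the file that actually carries the ssl_* directives.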

Redirect to domain name

server {
    ...
    return 301 $scheme://toolmen.bime.ntu.edu.tw:8080$request_uri;
}

Redirect plain-HTTP requests that arrive on the HTTPS port (nginx signals this as error 497)

server {
    ...
    error_page 497 https://toolmen.bime.ntu.edu.tw:$server_port$request_uri;
}

Run nginx in docker

docker pull nginx
docker run --name web443 -d -p 80:80 -p 443:443 --restart always -v $(pwd):/etc/nginx -v $(pwd)/certs:/certs:ro nginx

docker-compose

services:
  web:
    image: nginx
    restart: always
    ports:
      - 8080:8080
    volumes:
      - ./web/certs/:/certs:ro
      - ./web/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./web_log:/var/log/nginx/

Certificates

We use the free Let's Encrypt service.

Standalone (not good if you already have production on port 443)

mkdir -p letsencrypt
docker run --rm -it -p 80:80 --security-opt label=disable -v $PWD/letsencrypt:/etc/letsencrypt certbot/certbot certonly --standalone
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/

And renew it every three months

docker run --rm -it -p 80:80 -p 443:443 --security-opt label=disable -v $PWD/letsencrypt:/etc/letsencrypt certbot/certbot renew
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/

Webroot

With webroot you can renew the certs without stopping the services on ports 80 and 443.

Set up the ACME challenge location in nginx.conf

    server {
        server_name toolmen.bime.ntu.edu.tw;
        listen      80;

        location ^~ /.well-known/acme-challenge/ {
            root    /var/www/letsencrypt;
        }
        location / {
            return  301 https://toolmen.bime.ntu.edu.tw;
        }
    }

Renew inside the container

If the container is called web, runs the image docker.io/library/nginx and has your letsencrypt folder mounted at /etc/letsencrypt (i.e. it was started with -p 80:80 -p 443:443 -v $PWD/letsencrypt:/etc/letsencrypt), open a shell in it:
docker exec -it web bash

apt update
apt install python3-certbot-nginx -y
certbot renew --webroot --webroot-path /var/www/letsencrypt/
certbot certonly --webroot -d your.domain.tw --webroot-path /var/www/letsencrypt/
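The renewal steps above (webroot renewal, copy into certs/, reload nginx) put together as one script, with a check mode for monitoring. This is an added example, not part of the cheat sheet: it assumes certbot is installed inside the nginx container as shown above, the container name web and domain from the cheat sheet, the host-side letsencrypt/ and certs/ directories, GNU date, and a 30-day warning threshold.

```bash
#!/bin/sh
# Added example (not from the original cheat sheet).
# Usage:  sh renew.sh check   -> days left, exit 1 when renewal is due (cron/monitoring)
#         sh renew.sh renew   -> certbot renew, copy into certs/, reload nginx if changed
set -eu

DOMAIN=toolmen.bime.ntu.edu.tw
CONTAINER=web                              # nginx container with certbot installed
LIVE_DIR="$PWD/letsencrypt/live/$DOMAIN"   # host side of the /etc/letsencrypt mount
CERT_DIR="$PWD/certs"                      # host side of the /certs mount (assumption)
WEBROOT=/var/www/letsencrypt               # acme-challenge root inside the container
THRESHOLD_DAYS=30                          # assumption: warn inside the last 30 days

# Pure decision helper: true (0) when fewer than $3 days remain between
# now ($2, epoch seconds) and notAfter ($1, epoch seconds). Expired -> true.
should_renew() {
    remaining=$(( ($1 - $2) / 86400 ))
    [ "$remaining" -lt "$3" ]
}

# notAfter of a PEM certificate as epoch seconds (GNU date syntax).
cert_not_after_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -d "$end" +%s
}

# Monitoring mode: report days left on the certificate nginx is serving.
check() {
    not_after=$(cert_not_after_epoch "$CERT_DIR/fullchain.pem")
    now=$(date +%s)
    echo "$DOMAIN: $(( (not_after - now) / 86400 )) days left"
    if should_renew "$not_after" "$now" "$THRESHOLD_DAYS"; then
        echo "renewal due"
        return 1
    fi
}

renew_and_reload() {
    before=$(cert_not_after_epoch "$LIVE_DIR/fullchain.pem")

    # certbot runs inside the nginx container, so the webroot it writes the
    # challenge into is the same directory nginx serves on port 80.
    docker exec "$CONTAINER" certbot renew --webroot --webroot-path "$WEBROOT"

    after=$(cert_not_after_epoch "$LIVE_DIR/fullchain.pem")
    if [ "$after" = "$before" ]; then
        echo "certificate unchanged, no reload"
        return 0
    fi

    # live/ holds symlinks into archive/, so copy the targets (-L), not the links.
    cp -L "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "$CERT_DIR/"
    chmod 600 "$CERT_DIR/privkey.pem"

    # Validate the config before reloading so a bad file never takes nginx down.
    docker exec "$CONTAINER" nginx -t
    docker exec "$CONTAINER" nginx -s reload
    echo "reloaded $CONTAINER, certificate now valid until $(date -d "@$after")"
}

case "${1:-}" in
    check) check ;;
    renew) renew_and_reload ;;
esac
```

Reloading only when notAfter changed keeps a cron job that runs the script daily from bouncing worker processes for nothing; certbot itself only renews inside its own 30-day window, so the daily run is cheap.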

Self-signed

cd certs
openssl genrsa 1024 > privkey.pem
chmod 400 privkey.pem
openssl req -new -x509 -nodes -sha1 -days 365 -key privkey.pem -out fullchain.pem
cd ..
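The commands above produce a 1024-bit RSA key, a SHA-1 signature and a certificate with no subjectAltName, and browsers have matched hostnames against the SAN rather than the CN for years. The variant below is an added example, not from the cheat sheet: one openssl call that writes a 2048-bit key, a SHA-256 signature and a SAN to the same two file names, so the server block at the top of this page works unchanged. It needs OpenSSL 1.1.1 or newer for -addext; directory, hostname and validity are parameters.

```bash
#!/bin/sh
# Added example (not from the original cheat sheet): self-signed certificate
# with a SAN, written as privkey.pem / fullchain.pem for the nginx server block.
# Usage: make_selfsigned_cert ./certs toolmen.bime.ntu.edu.tw 365

make_selfsigned_cert() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # Subshell so the restrictive umask does not leak into the caller's shell;
    # the key file is unreadable to others from the moment it is created.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
          -days "$days" -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" )
    chmod 400 "$dir/privkey.pem"
}

# Show what actually ended up in the certificate: key size, hash, SAN, expiry.
cert_summary() {
    openssl x509 -in "$1" -noout -text \
        | grep -E 'Public-Key|Signature Algorithm|DNS:|Not After'
}
```

After generating, cert_summary ./certs/fullchain.pem should list sha256WithRSAEncryption and the DNS: entry; if the SAN line is missing, the OpenSSL in use predates -addext.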