Try   HackMD

MY NGINX setup cheat sheet

tags: c4lab

Path

Nginx root: /etc/nginx/
Main config: /etc/nginx/nginx.conf

Add SSL

Put your certification in /certs and than

server {
    server_name             toolmen.bime.ntu.edu.tw;
    listen                       8080 ssl http2;
    listen                  [::]:8080 ssl http2;
    ssl_certificate         /certs/fullchain.pem;
    ssl_certificate_key     /certs/privkey.pem;
    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_ciphers             HIGH:!aNULL:!MD5;
}

If you want to get A+, check this out https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

openssl dhparam -out /certs/certsdhparam.pem 4096

    ssl_ciphers                 "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers   on;
    ssl_dhparam                 /certs/certsdhparam.pem;
    ssl_ecdh_curve              secp521r1:secp384r1;
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;
    add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains; ";

Redirect to domain name

server {
    ...
    return 301 $scheme://toolmen.bime.ntu.edu.tw:8080$request_uri;
}

Redirect when query http from https endpoint

server {
    ...
    error_page 497 https://toolmen.bime.ntu.edu.tw:$server_port$request_uri;
}

Run nginx in docker

docker pull nginx
docker run --name web443 -d -p 80:80 -p 443:443 --restart always -v $(pwd):/etc/nginx -v ./certs:/certs:ro nginx

docker-compose

services:
  web:
    image: nginx
    restart: always
    ports:
      - 8080:8080
    volumes:
      - ./web/certs/:/certs:ro
      - ./web/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./web_log:/var/log/nginx/

Certification

We use free service, Let's encrypt me.

standalone(Not good if you have production on port 443)

mkdir -p letsencrypt
docker run --rm -it -p 80:80 --security-opt label=disable -v $PWD/letsencrypt:/etc/letsencrypt certbot/certbot certonly --standalone
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/

And renew it every three months

docker run --rm -it -p 80:80 -p 443:443 --security-opt label=disable -v $PWD/letsencrypt:/etc/letsencrypt certbot/certbot renew
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/

Webroot

With webroot, you can renew the certs without stop 80 and 443 service

Setup acme challenge nginx.conf

    server {
        server_name toolmen.bime.ntu.edu.tw;
        listen      80;

        location ^~ /.well-known/acme-challenge/ {
            root    /var/www/letsencrypt;
        }
        location / {
            return  301 https://toolmen.bime.ntu.edu.tw;
        }
    }

renew inside the container

If the container called web with image docker.io/library/nginx and the mounted your letsencrypt folder to /etc/letsencrypt. i.e. -p 80:80 -p 443:443 -v $PWD/letsencrypt:/etc/letsencrypt
docker exec -it web bash

apt update
apt install python3-certbot-nginx -y
certbot renew --webroot --webroot-path  /var/www/letsencrypt/
certbot certonly --webroot -d your.domain.tw --webroot-path  /var/www/letsencrypt/

Self-signed

cd certs
openssl genrsa 1024 > privkey.pem
chmod 400 privkey.pem
openssl req -new -x509 -nodes -sha1 -days 365 -key privkey.pem -out fullchain.pem
cd ..
Last changed by 
linnil1
0
501

Read more

Install podman or Docker in Ubuntu

Install Driver check if you have GPU(pysical) lspci | grep -i nvidia Disable nouveau vim /etc/modprobe.d/blacklist-nouveau.conf blacklist nouveau options nouveau modeset=0

Nov 23, 2022
Coredns

[toc] Target I want to setup a DNS server for alias all the server in the internal networks. It's possible to use ansible to update all /etc/hosts in each server. However it is not a elegant way. Thus, I setup the coredns and try to figure out the configuration for supporting all commonly used protocols (plain, https, tls) and test them one by one. Finally, I will set this DNS IP:port in our main router. Setup Coredns

Sep 29, 2022
使用 MegaCli 換硬碟

Intro 我們的 server 的 storage 是用 megaraid 去蓋的 所以要查看硬碟 有兩種方式 關機 進 Storage 的 BIOS 看(之前都這樣)(這個 BIOS 之前案 CTRL + R) megacli + smartctl (這次要講的) Concept Overview: 相關名詞都在這裡ㄌ Preparation

Jun 23, 2022
HLA-on-aws

Upload your fastq, we will run HLA pipeline for your in aws. Github: https://github.com/linnil1/hla-on-aws Architecture API API logic I deploy my nuxt APP in Cloudflare APIGateway + lambda as API server

Apr 7, 2022
Read more from linnil1
Published on HackMD