# MY NGINX setup cheat sheet

###### tags: `c4lab`

## Path

Nginx root: `/etc/nginx/`

Main config: `/etc/nginx/nginx.conf`

## Add SSL

Put your certificate and key in `/certs` and then:

```nginx
server {
    server_name toolmen.bime.ntu.edu.tw;
    listen 8080 ssl http2;
    listen [::]:8080 ssl http2;
    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
```

If you want to get an A+, check this out: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Generate your own DH parameters first (4096 bits takes a while):

```bash
openssl dhparam -out /certs/certsdhparam.pem 4096
```

Then add these directives to the `server` block:

```nginx
# This list is copied from the guide above. It still carries 3DES (DES-CBC3) and
# CBC suites for very old clients; drop them if you do not need those clients.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_dhparam /certs/certsdhparam.pem;
ssl_ecdh_curve secp521r1:secp384r1;
# OCSP stapling needs a `resolver` directive so nginx can look up the OCSP responder host.
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Two years. Note that an add_header inside a location block replaces all server-level add_header lines.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
```

## Redirect to domain name

```nginx
server {
    ...
    return 301 $scheme://toolmen.bime.ntu.edu.tw:8080$request_uri;
}
```

## Redirect when HTTP is requested on the HTTPS endpoint

```nginx
server {
    ...
    # 497 is nginx's internal code for a plain-HTTP request on an SSL port.
    # nginx answers with a 302 to this URL; write `error_page 497 =301 https://...` for a 301.
    error_page 497 https://toolmen.bime.ntu.edu.tw:$server_port$request_uri;
}
```

## Run nginx in docker

```bash
docker pull nginx
# -v needs absolute host paths ("./certs" is rejected as a volume name), so use $(pwd).
# Mounting $(pwd) over /etc/nginx replaces the whole directory, so it must contain
# nginx.conf and the mime.types file that nginx.conf includes.
docker run --name web443 -d -p 80:80 -p 443:443 --restart always \
  -v "$(pwd):/etc/nginx" -v "$(pwd)/certs:/certs:ro" nginx
```

## docker-compose

```yml
services:
  web:
    image: nginx
    restart: always
    ports:
      - 8080:8080
    volumes:
      - ./web/certs/:/certs:ro
      - ./web/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./web_log:/var/log/nginx/
```

# Certificates

We use the free service Let's Encrypt.

## Standalone (not good if you have production on port 443)

Certbot binds port 80 itself for the HTTP-01 challenge, so nothing else may listen on it while this runs:

```sh
mkdir -p letsencrypt
docker run --rm -it -p 80:80 --security-opt label=disable \
  -v "$PWD/letsencrypt:/etc/letsencrypt" certbot/certbot certonly --standalone
# live/<domain>/ holds symlinks into archive/; a plain cp dereferences them into real files
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/
```

And renew it every three months (`certbot renew` only replaces certificates with fewer than 30 days left, so running it more often is harmless):

```sh
docker run --rm -it -p 80:80 -p 443:443 --security-opt label=disable \
  -v "$PWD/letsencrypt:/etc/letsencrypt" certbot/certbot renew
cp letsencrypt/live/toolmen.bime.ntu.edu.tw/* certs/
```

## Webroot

With webroot, you can renew the certs without stopping the services on ports 80 and 443.

### Setup acme challenge

`nginx.conf`

```conf
server {
    server_name toolmen.bime.ntu.edu.tw;
    listen 80;

    # certbot --webroot writes the challenge token under this root; it must be served over plain HTTP
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # everything else goes to HTTPS, keeping the requested path
    location / {
        return 301 https://toolmen.bime.ntu.edu.tw$request_uri;
    }
}
```

### Renew inside the container

If the container is called `web`, runs the image `docker.io/library/nginx`, and has your letsencrypt folder mounted at `/etc/letsencrypt` (i.e. it was started with `-p 80:80 -p 443:443 -v $PWD/letsencrypt:/etc/letsencrypt`), open a shell in it with `docker exec -it web bash` and run:

```bash
# Packages installed this way are lost when the container is recreated.
apt update
apt install python3-certbot-nginx -y
# The webroot path must be the directory nginx serves for /.well-known/acme-challenge/ (see above).
# Renew an existing certificate:
certbot renew --webroot --webroot-path /var/www/letsencrypt/
# Or issue a new one for a domain the first time:
certbot certonly --webroot -d your.domain.tw --webroot-path /var/www/letsencrypt/
```

## Self-signed

```sh
cd certs
# 1024-bit RSA and SHA-1 are weak; use at least 2048 bits and -sha256 for anything beyond a quick local test.
openssl genrsa 1024 > privkey.pem
chmod 400 privkey.pem
openssl req -new -x509 -nodes -sha1 -days 365 -key privkey.pem -out fullchain.pem
cd ..
```
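A quick way to check that a server block actually has the settings from the Add SSL and A+ sections above is to lint it before `nginx -t`. The script below is an added example written for this page, not code from the cheat sheet or from nginx: it uses only POSIX sh, grep and sed, and the server block it lints is a constructed sample that mirrors the first one on this page with older defaults.

```sh
#!/bin/sh
# Added example, not part of the original cheat sheet: a lint pass over an nginx
# server block that reports the TLS settings the A+ guide above changes.
# Only POSIX sh, grep and sed are used; the sample config below is constructed.

# lint_tls_config FILE: print one finding per line, then "findings: N".
lint_tls_config() {
    f=$1
    n=0
    report() { echo "  - $1"; n=$((n + 1)); }

    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$f"; then
        report "ssl_protocols not set: nginx uses its built-in default, which may include TLSv1.0/1.1"
    elif grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv3|TLSv1|TLSv1\.1)[[:space:];]' "$f"; then
        report "ssl_protocols enables SSLv3/TLSv1.0/TLSv1.1: keep only TLSv1.2 TLSv1.3"
    fi

    # A suite name containing DES-CBC3 or RC4 that is not prefixed with '!' is enabled.
    if grep -Eq '^[[:space:]]*ssl_ciphers[^;]*[:"][^!:"]*(DES-CBC3|RC4)' "$f"; then
        report "ssl_ciphers still enables 3DES or RC4 suites"
    fi

    if ! grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on' "$f"; then
        report "ssl_prefer_server_ciphers is not on: the client chooses the suite"
    fi

    if ! grep -q 'Strict-Transport-Security' "$f"; then
        report "no HSTS header: add_header Strict-Transport-Security is missing"
    fi

    if grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$f" \
       && ! grep -Eq '^[[:space:]]*resolver[[:space:]]' "$f"; then
        report "ssl_stapling on without a resolver directive: nginx cannot look up the OCSP responder"
    fi

    echo "findings: $n"
}

# tls_finding_count FILE: just the number, for scripts and tests.
tls_finding_count() { lint_tls_config "$1" | sed -n 's/^findings: //p'; }

# Constructed sample: the first server block on this page with older defaults.
weak=$(mktemp)
cat > "$weak" <<'EOF'
server {
    listen 8080 ssl http2;
    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:DES-CBC3-SHA:!aNULL:!MD5";
}
EOF
echo "lint of $weak:"
lint_tls_config "$weak"
rm -f "$weak"
```

Run it as `sh lint.sh` after saving, or source it and call `lint_tls_config /etc/nginx/nginx.conf`. The checks are line-based, so a directive that is split across lines or set in an included file is not seen; `nginx -t` remains the authority on what nginx will actually load.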
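The `cp letsencrypt/live/<domain>/* certs/` step in the Let's Encrypt sections and the Self-signed section both end with a key and a certificate sitting in `certs/`, and nginx will refuse to start if the two do not belong together. The script below is an added example written for this page, not the cheat sheet's own code or certbot's: it generates a self-signed test certificate the way a modern client expects it (RSA 2048, SHA-256, a subjectAltName), checks that a key and certificate share the same public key, asks whether a certificate is inside the renewal window, and installs a pair only when it matches. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the directories it uses are throwaway ones created with `mktemp`, and the domain is the one used throughout this page.

```sh
#!/bin/sh
# Added example, not part of the original cheat sheet. It covers two steps above:
# the "cp letsencrypt/live/<domain>/* certs/" install step and the Self-signed
# section. Assumes openssl >= 1.1.1 (for -addext); the directories are constructed.

# make_selfsigned DIR DOMAIN DAYS: write DIR/privkey.pem and DIR/fullchain.pem.
# RSA 2048, SHA-256 and a subjectAltName: browsers ignore CN and refuse SHA-1.
make_selfsigned() {
    dir=$1; domain=$2; days=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null
    chmod 400 "$dir/privkey.pem"
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_expires_within CERT DAYS: succeed if CERT expires within DAYS days
# (certbot's own renewal threshold is 30 days).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# install_certs SRC_DIR DST_DIR: the "cp live/<domain>/* certs/" step, but it
# refuses a mismatched pair and dereferences certbot's live/ symlinks (-L).
install_certs() {
    key_matches_cert "$1/privkey.pem" "$1/fullchain.pem" || {
        echo "refusing to install $1: key and certificate do not match" >&2
        return 1
    }
    mkdir -p "$2"
    cp -L "$1/fullchain.pem" "$1/privkey.pem" "$2/"
    chmod 400 "$2/privkey.pem"
}

# Demo in a throwaway directory.
work=$(mktemp -d)
make_selfsigned "$work/live" toolmen.bime.ntu.edu.tw 365
key_matches_cert "$work/live/privkey.pem" "$work/live/fullchain.pem" && echo "key and certificate match"
if cert_expires_within "$work/live/fullchain.pem" 30; then
    echo "renew now"
else
    echo "more than 30 days left, no renewal needed"
fi
install_certs "$work/live" "$work/certs" && ls -l "$work/certs"
rm -rf "$work"
```

For real use, call `install_certs letsencrypt/live/toolmen.bime.ntu.edu.tw certs` instead of the bare `cp`, then reload nginx; `cert_expires_within certs/fullchain.pem 30` is the same test certbot applies, which is why running `certbot renew` more often than every three months changes nothing until the window opens.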