Nginx: difference between revisions

From Gea-Suan Lin's Wiki
(13 intermediate revisions by the same user not shown)

Latest revision as of 18:32, 20 February 2024

nginx is a web server that strikes a good balance between performance and configuration flexibility.

Installation

The version shipped with Ubuntu should be enough (1.14.0 on 18.04; 1.18.0 on 20.04). If you need something newer, you can use the packages maintained by Ondřej Surý.

Three builds are available: nginx-light (basic), nginx-full (standard) and nginx-extras (extended); nginx-full is enough for most uses.

Configuration

Log

I want to record which TLS protocol and cipher each client negotiated over HTTPS, so both are added to the access log.

The contents of /etc/nginx/conf.d/combined_ssl.conf:

#
log_format combined_ssl '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol/$ssl_cipher';

Defining the format does nothing on its own; it only takes effect where an access_log directive selects it by name. It can be used by plain-HTTP server blocks as well, in which case $ssl_protocol and $ssl_cipher are empty and the line ends in a bare "/".

SSL

The contents of /etc/nginx/conf.d/ssl.conf:

# https://www.eff.org/deeplinks/2015/04/effs-updated-ssl-configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "CHACHA20+ECDHE:AESGCM+ECDHE:AES+ECDHE:CAMELLIA+ECDHE:!ADH:!AECDH:!DSS:!ECDSA:!MD5:!SHA1";
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 30m;

This differs somewhat from what other sites recommend:

TLSv1.1 is disabled outright
From a browser-security standpoint TLSv1.2 is what should be used, and for compatibility TLSv1.0; I have not come across a case that only works with TLSv1.1 enabled. Switching it off also avoids the risk of a bug in nginx's TLSv1.1 handling: few people use it, so fewer eyes are on it, which arguably makes that protocol riskier than the other two. Note that the ssl_protocols line above leaves out TLSv1.0 as well, so the server as configured negotiates only TLSv1.2 and TLSv1.3.
Support non-NIST algorithms where possible
The commonly recommended cipher lists consist entirely of NIST-selected algorithms, so ChaCha20 and Camellia are added as extra options for clients.

Two things to check before reusing the cipher string: the !ECDSA term removes every ECDSA-authenticated suite, so the server needs an RSA certificate (with an ECDSA certificate, TLSv1.2 clients would be left with no usable suite); and ssl_ciphers only governs TLSv1.2 and earlier, because the TLSv1.3 suites are fixed by OpenSSL rather than by this directive.
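
As an added example (this is not configuration from the wiki page), here is an HTTPS server block that consumes both conf.d snippets above: ssl.conf supplies the protocol and cipher policy from the http context, and the access_log line is what actually selects combined_ssl. The hostname example.com, the log path and the certificate paths are assumptions; the certificate paths follow dehydrated's default layout of /etc/dehydrated/certs/<domain>/fullchain.pem and privkey.pem.

```nginx
# Added example, not from the wiki page.
# Assumptions: hostname example.com, log path below, and dehydrated's default
# certificate directory /etc/dehydrated/certs/<domain>/.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    root /srv/www/public;
    index index.html;

    # dehydrated writes fullchain.pem and privkey.pem per domain.
    ssl_certificate     /etc/dehydrated/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/example.com/privkey.pem;
    # ssl_protocols, ssl_ciphers and the session cache are inherited from
    # conf.d/ssl.conf (http context); nothing needs to be repeated here.

    # log_format combined_ssl (conf.d/combined_ssl.conf) only takes effect once
    # an access_log directive names it. This is what records
    # $ssl_protocol/$ssl_cipher for every request to this server block.
    access_log /var/log/nginx/example.com.access.log combined_ssl;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After nginx -t passes, reload with the pkill -1 nginx from the quick install below (or nginx -s reload). An HTTPS request then ends its log line with a field such as TLSv1.3/TLS_AES_256_GCM_SHA384; the same format attached to the port-80 block logs a bare / instead, which is a quick way to spot requests that did not use TLS at all.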

Examples

The contents of /etc/nginx/sites-available/default, set up to suit Dehydrated:

#
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /srv/www/public;
    index index.html;
    server_name _;

    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
    }
}

server {
    listen 127.0.0.1:80;
    listen [::1]:80;
    root /srv/localhost/public;
    index index.html;
    server_name _;

    location = /stub_status {
        stub_status;
    }
}

The second server block is bound to the loopback addresses only, so /stub_status (which exposes connection and request counters) is reachable just from the machine itself; it is the endpoint the prometheus-nginx-exporter in the quick install below scrapes. Both blocks use server_name _, so the address nginx accepted the connection on is what decides which block answers.

For proxying to an HTTP backend (goes inside the server block). Note that X-Forwarded-Port and X-Forwarded-Proto are copied from the incoming request ($http_x_forwarded_port, $http_x_forwarded_proto), which is only correct when nginx sits behind a trusted proxy that sets them; if clients reach nginx directly, they can set those headers themselves:

    location / {
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
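
If nginx is the public edge, a client that sends X-Forwarded-Proto: https will have that value relayed to the backend, and an application that uses the header to decide on secure cookies, redirects or signed URLs will believe it. The following is an added example (not from the wiki page) showing the same location with the forwarded values derived from the connection nginx actually accepted, plus the directives needed when a trusted load balancer really is in front. The backend address 127.0.0.1:8000 is taken from the snippet above; the trusted proxy network 10.0.0.0/8 is an assumption.

```nginx
# Added example, not from the wiki page. Two variants of the proxy snippet;
# which one applies depends on whether nginx itself is the public edge.

# Variant 1: nginx terminates client connections directly.
# Goes inside the server block. The forwarded values come from nginx's own
# view of the connection, so a client cannot claim it arrived over HTTPS.
location / {
    proxy_pass http://127.0.0.1:8000/;
    proxy_set_header Host              $http_host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Port  $server_port;  # port nginx accepted on
    proxy_set_header X-Forwarded-Proto $scheme;       # "http" or "https", set by nginx
    # Set X-Real-IP explicitly so a client-supplied value is overwritten
    # rather than passed through untouched.
    proxy_set_header X-Real-IP         $remote_addr;
}

# Variant 2: a trusted load balancer in front of nginx sets X-Forwarded-*.
# These go in the http or server context. They make $remote_addr (and hence
# $proxy_add_x_forwarded_for above) reflect the real client, but only when the
# header arrived from the listed network (assumed: 10.0.0.0/8).
set_real_ip_from  10.0.0.0/8;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;
# With only the balancer able to reach nginx, the original snippet's
# $http_x_forwarded_proto / $http_x_forwarded_port can be trusted. That
# reachability must be enforced by a firewall or the listen address, not assumed.
```

The two variants are not interchangeable: applying Variant 1 behind a load balancer makes every request look like plain HTTP from the balancer's address, while applying the original snippet at the edge hands the client control of the headers.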

For a uwsgi backend (goes inside the server block; uwsgi_params is the parameter file shipped with the nginx package):

    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:9000;
    }

Quick install

This includes some Dehydrated settings (it is fine if Dehydrated is not installed yet). The conf.d directory is wrapped in a uuencoded tarball because it contains too many files to paste individually (uudecode comes from the sharutils package). The sed command comments out the distribution's own ssl_protocols line in nginx.conf; otherwise the one in conf.d/ssl.conf would be a duplicate directive and nginx would refuse to start. pkill -1 sends SIGHUP to nginx to reload the configuration, and the final sed points prometheus-nginx-exporter at the loopback-only /stub_status endpoint defined above:

sudo apt install -y nginx-full prometheus-nginx-exporter; sudo apt clean; sudo sed -i -e "s/\tssl_protocols/#\tssl_protocols/" /etc/nginx/nginx.conf; echo -e "#\nserver {\n    listen 80 default_server;\n    listen [::]:80 default_server;\n    root /srv/www/public;\n    index index.html;\n    server_name _;\n\n    location /.well-known/acme-challenge/ {\n        alias /var/www/dehydrated/;\n    }\n}\n\nserver {\n    listen 127.0.0.1:80;\n    listen [::1]:80;\n    root /srv/localhost/public;\n    index index.html;\n    server_name _;\n\n    location = /stub_status {\n        stub_status;\n    }\n}" | sudo tee /etc/nginx/sites-available/default; cd /etc/nginx; sudo uudecode <<"EOF"
begin 644 conf.d.tgz
M'XL(`````````^U8;6^K-A3NY_P*YT6ZTJ:`;0SNJ/HA2J-E4JM=+?VP:9J0
M"R:P!,QLDR:=]M]G*+EM[K2;#Q.)=L.C!&P?3HQRSG->'(H\MB+[JDU``^JZ
M]=W@\WL]1H1`A#P$(;F""%*$KX#;ZELU*)5F$H`K*83^TG/'Y/]3A*_V+Y+"
MJH:M[%$9V"/D7^V/J6OLCZCG8@<1;.R/'6KL#UMYF\]PX?8?]LI":<E9!HP/
M4`+^[`$#Q>6&2U#FZ=:W99E7#E)]J47&<9%92H2KF]Y?O4/U:WA$_=J"7U)'
M1]71@?JY_[RO``W_E5J?C_\$F?CO>`YV"86TBO_8)(.._Z?`$"1:%\JW[>?G
M9XO'L27DTHXX+]9IOE(VALBU(;&-1(W+(F*:1V/C+>/*6])E*9E.1=XS*T$A
MA1:A6"OP>+_8(`LW=^>F%H=ID7"IP&`ZGY@/AM_.IG?SF3^9+;Z?/KQ-FM%T
M\C"[O_]ATDS[D[NYN503OW^W6/A],UQ,_/[#G>OW%_,)&KQNH[A2YHV"D(4)
M!RIADD?^8G'O.S`[?$*G&1>E!K7@W'8X%QK^5TX@MKMV8L`Q_D/'Y'],*78\
MB@DR_'<<W.7_DR!F2H?+-"B8-$EX_OCX,?CXTX\__P(&@\LEQ06AX?_R)6VO
M`3A:_QNR5_V?J00H,KV`R?\NZ?+_25`9/@A%5@1KON%K\-U-KU[2NX(KP`I3
M!H1UBK=_9QNF0ID6^G!9B?Q@89NM09JQ);<W>61E:2B%$K&V4N->C6`[KB>:
M;[7]3;/AALD=$'D7=$Z+AO]UM=16`#C.?U+5_]"CG@MIW?][A';\/P6&O7T%
M4+M`L.([,!A)_D?)E0XRKA,1@9$RHHR#42*4!I^DI4Q-D7"H7S"=`%MGA9TO
MTWP[?BW#Z]BB;I&/@=E`!2\BY[=3TP;,?(2O,Y#F+-3IAM]ZEUR+GP-[_HOL
M*<UY%+1Q$'"4_V[5_Z/J`!!ZT#'\)]CIZO^38-A;BV40"YDQ#=Y[`?A@>)X)
MS0,611*,P7Y:*B[!KZ.J>P[6(F3KW]X"QL"$"LUTJ<#H242[X&FGN3(-=Z[-
M,U6/&4@><\GE8#^O?BTP-4%>Z[X[1;!';X<&'[J8T!;VYW\\--%<MW,`<+3_
MQV_]OP.]JO\GKM/Q_Q08]EX/VP,M5CQ70,1Q1[8+PB?^UTZ0,Q/4$Z:2X*D,
M5UP'*GWY[VW!4?X3Q_3_$%.,"*W6$24>Z?A_"KPSO/J'Y8$ISKMHT*%#APX=
-.GQU^!L:2#0J`"@`````
`
end
EOF
cd /etc/nginx; sudo tar zxvf conf.d.tgz; sudo rm conf.d.tgz; sudo pkill -1 nginx; sudo sed -i 's@^ARGS=""@ARGS="--nginx.scrape-uri=http://127.0.0.1/stub_status"@' /etc/default/prometheus-nginx-exporter; sudo service prometheus-nginx-exporter restart

External links

Official site: https://nginx.org/ (English)
NGINX Stable: "Nginx" team PPA: https://launchpad.net/~nginx/+archive/ubuntu/stable (English)
NGINX Mainline: "Nginx" team PPA: https://launchpad.net/~nginx/+archive/ubuntu/development (English)