「Nginx」:修訂間差異
跳至導覽
跳至搜尋
本頁面具有訪問限制。如果您看見此訊息,這代表您沒有訪問本頁面的權限。
(→設定) |
(→快速安裝) |
||
| (未顯示同一使用者於中間所作的 65 次修訂) | |||
| 行 1: | 行 1: | ||
{{Lowercase}} | {{Lowercase}} | ||
'''nginx'''是一套網頁伺服器,在效能與設定彈性上取得不錯的平衡點。 | |||
== 安裝 == | |||
在[[Ubuntu]]上的內建版本應該夠用(18.04上是1.14.0;20.04上是1.18.0),如果不夠新的話可以選擇用Ondřej Surý所維護的版本: | |||
* [https://packages.ubuntu.com/search?keywords=nginx Ubuntu – Package Search Results -- nginx] | |||
* [https://launchpad.net/~ondrej/+archive/ubuntu/nginx PPA for NGINX Stable with HTTP/2] | |||
有<code>nginx-light</code>(basic version)、<code>nginx-full</code>(standard version)、<code>nginx-extras</code>(extended version)可以安裝,一般裝<code>nginx-full</code>算是夠用。 | |||
== 設定 == | == 設定 == | ||
=== Log === | |||
我希望記錄使用者在HTTPS環境下用的TLS Protocol與Cipher,所以將這兩個資訊放到Log內。 | |||
在<code>/etc/nginx/conf.d/combined_ssl.conf</code>內的設定如下: | |||
<syntaxhighlight lang="nginx"> | |||
# | |||
log_format combined_ssl '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol/$ssl_cipher'; | |||
</syntaxhighlight> | |||
=== SSL === | === SSL === | ||
在<code>/etc/nginx/conf.d/ssl.conf</code>內: | 在<code>/etc/nginx/conf.d/ssl.conf</code>內 的設定如下 : | ||
< | |||
ssl_protocols TLSv1 TLSv1. | <syntaxhighlight lang="nginx"> | ||
ssl_ciphers " | # https://www.eff.org/deeplinks/2015/04/effs-updated-ssl-configuration | ||
ssl_protocols TLSv1.2 TLSv1.3; | |||
ssl_ciphers "CHACHA20+ECDHE:AESGCM+ECDHE:AES+ECDHE:CAMELLIA+ECDHE:!ADH:!AECDH:!DSS:!ECDSA:!MD5:!SHA1"; | |||
ssl_session_cache shared:SSL:30m; | ssl_session_cache shared:SSL:30m; | ||
ssl_session_timeout 30m; | ssl_session_timeout 30m; | ||
</ | </syntaxhighlight> | ||
這跟其他網站上建議的有些差異: | |||
; 直接關掉<code>TLSv1.1</code>: | |||
: 因為就瀏覽器安全性來說,應該使用<code>TLSv1.2</code>,就相容性來說,則是使用<code>TLSv1.0</code>,而目前沒有看到需要開<code>TLSv1.1</code>才會動情況,直接關掉反而可以避免nginx實做<code>TLSv1.1</code>有問題時的風險(因為用的人少,眼球會比較少,這個協定風險反而比另外兩個高)。 | |||
; 試著支援非NIST架構的協定: | |||
: 目前cipher都是NIST所選出的協定,所以還是多選了ChaCha20與Camellia讓使用者可以用。 | |||
== 範例 == | |||
這邊是<code>/etc/nginx/sites-available/default</code>的內容,配合[[Dehydrated]]的需求: | |||
<syntaxhighlight lang="nginx"> | |||
# | |||
server { | |||
listen 80 default_server; | |||
listen [::]:80 default_server; | |||
root /srv/www/public; | |||
index index.html; | |||
server_name _; | |||
location /.well-known/acme-challenge/ { | |||
alias /var/www/dehydrated/; | |||
} | |||
} | |||
server { | |||
listen 127.0.0.1:80; | |||
listen [::1]:80; | |||
root /srv/localhost/public; | |||
index index.html; | |||
server_name _; | |||
location = /stub_status { | |||
stub_status; | |||
} | |||
} | |||
</syntaxhighlight> | |||
對於後端接HTTP backend的設定(需要放到<code>server</code>區段裡): | |||
<syntaxhighlight lang="nginx"> | |||
location / { | |||
proxy_pass http://127.0.0.1:8000/; | |||
proxy_set_header Host $http_host; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header X-Forwarded-Port $http_x_forwarded_port; | |||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; | |||
} | |||
</syntaxhighlight> | |||
後端接uwsgi的設定(需要放到<code>server</code>區段裡): | |||
<syntaxhighlight lang="nginx"> | |||
location / { | |||
include uwsgi_params; | |||
uwsgi_pass 127.0.0.1:9000; | |||
} | |||
</syntaxhighlight> | |||
== 快速安裝 == | |||
這邊包括一些[[Dehydrated]]的設定(沒有先裝沒關係),另外這邊用uuencode包起來是因為<code>conf.d</code>內的檔案太多,所以包起來處理: | |||
<syntaxhighlight lang="bash"> | |||
sudo apt install -y nginx-full prometheus-nginx-exporter; sudo apt clean; sudo sed -i -e "s/\tssl_protocols/#\tssl_protocols/" /etc/nginx/nginx.conf; echo -e "#\nserver {\n listen 80 default_server;\n listen [::]:80 default_server;\n root /srv/www/public;\n index index.html;\n server_name _;\n\n location /.well-known/acme-challenge/ {\n alias /var/www/dehydrated/;\n }\n}\n\nserver {\n listen 127.0.0.1:80;\n listen [::1]:80;\n root /srv/localhost/public;\n index index.html;\n server_name _;\n\n location = /stub_status {\n stub_status;\n }\n}" | sudo tee /etc/nginx/sites-available/default; cd /etc/nginx; sudo uudecode <<"EOF" | |||
begin 644 conf.d.tgz | |||
M'XL(`````````^U8;6^K-A3NY_P*YT6ZTJ:`;0SNJ/HA2J-E4JM=+?VP:9J0 | |||
M"R:P!,QLDR:=]M]G*+EM[K2;#Q.)=L.C!&P?3HQRSG->'(H\MB+[JDU``^JZ | |||
M]=W@\WL]1H1`A#P$(;F""%*$KX#;ZELU*)5F$H`K*83^TG/'Y/]3A*_V+Y+" | |||
MJH:M[%$9V"/D7^V/J6OLCZCG8@<1;.R/'6KL#UMYF\]PX?8?]LI":<E9!HP/ | |||
M4`+^[`$#Q>6&2U#FZ=:W99E7#E)]J47&<9%92H2KF]Y?O4/U:WA$_=J"7U)' | |||
M1]71@?JY_[RO``W_E5J?C_\$F?CO>`YV"86TBO_8)(.._Z?`$"1:%\JW[>?G | |||
M9XO'L27DTHXX+]9IOE(VALBU(;&-1(W+(F*:1V/C+>/*6])E*9E.1=XS*T$A | |||
MA1:A6"OP>+_8(`LW=^>F%H=ID7"IP&`ZGY@/AM_.IG?SF3^9+;Z?/KQ-FM%T | |||
M\C"[O_]ATDS[D[NYN503OW^W6/A],UQ,_/[#G>OW%_,)&KQNH[A2YHV"D(4) | |||
M!RIADD?^8G'O.S`[?$*G&1>E!K7@W'8X%QK^5TX@MKMV8L`Q_D/'Y'],*78\ | |||
MB@DR_'<<W.7_DR!F2H?+-"B8-$EX_OCX,?CXTX\__P(&@\LEQ06AX?_R)6VO | |||
M`3A:_QNR5_V?J00H,KV`R?\NZ?+_25`9/@A%5@1KON%K\-U-KU[2NX(KP`I3 | |||
M!H1UBK=_9QNF0ID6^G!9B?Q@89NM09JQ);<W>61E:2B%$K&V4N->C6`[KB>: | |||
M;[7]3;/AALD=$'D7=$Z+AO]UM=16`#C.?U+5_]"CG@MIW?][A';\/P6&O7T% | |||
M4+M`L.([,!A)_D?)E0XRKA,1@9$RHHR#42*4!I^DI4Q-D7"H7S"=`%MGA9TO | |||
MTWP[?BW#Z]BB;I&/@=E`!2\BY[=3TP;,?(2O,Y#F+-3IAM]ZEUR+GP-[_HOL | |||
M*<UY%+1Q$'"4_V[5_Z/J`!!ZT#'\)]CIZO^38-A;BV40"YDQ#=Y[`?A@>)X) | |||
MS0,611*,P7Y:*B[!KZ.J>P[6(F3KW]X"QL"$"LUTJ<#H242[X&FGN3(-=Z[- | |||
M,U6/&4@><\GE8#^O?BTP-4%>Z[X[1;!';X<&'[J8T!;VYW\\--%<MW,`<+3_ | |||
MQV_]OP.]JO\GKM/Q_Q08]EX/VP,M5CQ70,1Q1[8+PB?^UTZ0,Q/4$Z:2X*D, | |||
M5UP'*GWY[VW!4?X3Q_3_$%.,"*W6$24>Z?A_"KPSO/J'Y8$ISKMHT*%#APX= | |||
-.GQU^!L:2#0J`"@````` | |||
` | |||
end | |||
EOF | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
cd /etc/nginx; sudo tar zxvf conf.d.tgz; sudo rm conf.d.tgz; sudo pkill -1 nginx; sudo sed -i 's@^ARGS=""@ARGS="--nginx.scrape-uri=http://127.0.0.1/stub_status"@' /etc/default/prometheus-nginx-exporter; sudo service prometheus-nginx-exporter restart | |||
</syntaxhighlight> | |||
== 外部連結 == | == 外部連結 == | ||
* {{Official|https://nginx.org/}} {{en}} | * {{Official|https://nginx.org/}} {{en}} | ||
[[Category:軟體]] | [[Category:軟體]] | ||
於 2024年2月20日 (二) 18:32 的最新修訂
nginx是一套網頁伺服器,在效能與設定彈性上取得不錯的平衡點。
安裝
在Ubuntu上的內建版本應該夠用(18.04上是1.14.0;20.04上是1.18.0),如果不夠新的話可以選擇用Ondřej Surý所維護的版本:
有nginx-light(basic version)、nginx-full(standard version)、nginx-extras(extended version)可以安裝,一般裝nginx-full算是夠用。
設定
Log
我希望記錄使用者在HTTPS環境下用的TLS Protocol與Cipher,所以將這兩個資訊放到Log內。
在/etc/nginx/conf.d/combined_ssl.conf內的設定如下:
#
log_format combined_ssl '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol/$ssl_cipher';
SSL
在/etc/nginx/conf.d/ssl.conf內的設定如下:
# https://www.eff.org/deeplinks/2015/04/effs-updated-ssl-configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "CHACHA20+ECDHE:AESGCM+ECDHE:AES+ECDHE:CAMELLIA+ECDHE:!ADH:!AECDH:!DSS:!ECDSA:!MD5:!SHA1";
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 30m;
這跟其他網站上建議的有些差異:
- 直接關掉
TLSv1.1: - 因為就瀏覽器安全性來說,應該使用
TLSv1.2,就相容性來說,則是使用TLSv1.0,而目前沒有看到需要開TLSv1.1才會動情況,直接關掉反而可以避免nginx實做TLSv1.1有問題時的風險(因為用的人少,眼球會比較少,這個協定風險反而比另外兩個高)。 - 試著支援非NIST架構的協定:
- 目前cipher都是NIST所選出的協定,所以還是多選了ChaCha20與Camellia讓使用者可以用。
範例
這邊是/etc/nginx/sites-available/default的內容,配合Dehydrated的需求:
#
server {
listen 80 default_server;
listen [::]:80 default_server;
root /srv/www/public;
index index.html;
server_name _;
location /.well-known/acme-challenge/ {
alias /var/www/dehydrated/;
}
}
server {
listen 127.0.0.1:80;
listen [::1]:80;
root /srv/localhost/public;
index index.html;
server_name _;
location = /stub_status {
stub_status;
}
}
對於後端接HTTP backend的設定(需要放到server區段裡):
location / {
proxy_pass http://127.0.0.1:8000/;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}
後端接uwsgi的設定(需要放到server區段裡):
location / {
include uwsgi_params;
uwsgi_pass 127.0.0.1:9000;
}
快速安裝
這邊包括一些Dehydrated的設定(沒有先裝沒關係),另外這邊用uuencode包起來是因為conf.d內的檔案太多,所以包起來處理:
sudo apt install -y nginx-full prometheus-nginx-exporter; sudo apt clean; sudo sed -i -e "s/\tssl_protocols/#\tssl_protocols/" /etc/nginx/nginx.conf; echo -e "#\nserver {\n listen 80 default_server;\n listen [::]:80 default_server;\n root /srv/www/public;\n index index.html;\n server_name _;\n\n location /.well-known/acme-challenge/ {\n alias /var/www/dehydrated/;\n }\n}\n\nserver {\n listen 127.0.0.1:80;\n listen [::1]:80;\n root /srv/localhost/public;\n index index.html;\n server_name _;\n\n location = /stub_status {\n stub_status;\n }\n}" | sudo tee /etc/nginx/sites-available/default; cd /etc/nginx; sudo uudecode <<"EOF"
begin 644 conf.d.tgz
M'XL(`````````^U8;6^K-A3NY_P*YT6ZTJ:`;0SNJ/HA2J-E4JM=+?VP:9J0
M"R:P!,QLDR:=]M]G*+EM[K2;#Q.)=L.C!&P?3HQRSG->'(H\MB+[JDU``^JZ
M]=W@\WL]1H1`A#P$(;F""%*$KX#;ZELU*)5F$H`K*83^TG/'Y/]3A*_V+Y+"
MJH:M[%$9V"/D7^V/J6OLCZCG8@<1;.R/'6KL#UMYF\]PX?8?]LI":<E9!HP/
M4`+^[`$#Q>6&2U#FZ=:W99E7#E)]J47&<9%92H2KF]Y?O4/U:WA$_=J"7U)'
M1]71@?JY_[RO``W_E5J?C_\$F?CO>`YV"86TBO_8)(.._Z?`$"1:%\JW[>?G
M9XO'L27DTHXX+]9IOE(VALBU(;&-1(W+(F*:1V/C+>/*6])E*9E.1=XS*T$A
MA1:A6"OP>+_8(`LW=^>F%H=ID7"IP&`ZGY@/AM_.IG?SF3^9+;Z?/KQ-FM%T
M\C"[O_]ATDS[D[NYN503OW^W6/A],UQ,_/[#G>OW%_,)&KQNH[A2YHV"D(4)
M!RIADD?^8G'O.S`[?$*G&1>E!K7@W'8X%QK^5TX@MKMV8L`Q_D/'Y'],*78\
MB@DR_'<<W.7_DR!F2H?+-"B8-$EX_OCX,?CXTX\__P(&@\LEQ06AX?_R)6VO
M`3A:_QNR5_V?J00H,KV`R?\NZ?+_25`9/@A%5@1KON%K\-U-KU[2NX(KP`I3
M!H1UBK=_9QNF0ID6^G!9B?Q@89NM09JQ);<W>61E:2B%$K&V4N->C6`[KB>:
M;[7]3;/AALD=$'D7=$Z+AO]UM=16`#C.?U+5_]"CG@MIW?][A';\/P6&O7T%
M4+M`L.([,!A)_D?)E0XRKA,1@9$RHHR#42*4!I^DI4Q-D7"H7S"=`%MGA9TO
MTWP[?BW#Z]BB;I&/@=E`!2\BY[=3TP;,?(2O,Y#F+-3IAM]ZEUR+GP-[_HOL
M*<UY%+1Q$'"4_V[5_Z/J`!!ZT#'\)]CIZO^38-A;BV40"YDQ#=Y[`?A@>)X)
MS0,611*,P7Y:*B[!KZ.J>P[6(F3KW]X"QL"$"LUTJ<#H242[X&FGN3(-=Z[-
M,U6/&4@><\GE8#^O?BTP-4%>Z[X[1;!';X<&'[J8T!;VYW\\--%<MW,`<+3_
MQV_]OP.]JO\GKM/Q_Q08]EX/VP,M5CQ70,1Q1[8+PB?^UTZ0,Q/4$Z:2X*D,
M5UP'*GWY[VW!4?X3Q_3_$%.,"*W6$24>Z?A_"KPSO/J'Y8$ISKMHT*%#APX=
-.GQU^!L:2#0J`"@`````
`
end
EOF
cd /etc/nginx; sudo tar zxvf conf.d.tgz; sudo rm conf.d.tgz; sudo pkill -1 nginx; sudo sed -i 's@^ARGS=""@ARGS="--nginx.scrape-uri=http://127.0.0.1/stub_status"@' /etc/default/prometheus-nginx-exporter; sudo service prometheus-nginx-exporter restart
外部連結
- 官方網站 (英文)