nginx

出自Gea-Suan Lin's Wiki
於 2024年5月28日 (二) 23:41 由 Gslin留言 | 貢獻 所做的修訂 →‎範例
(差異) ←上個修訂 | 最新修訂 (差異) | 下個修訂→ (差異)
跳至導覽 跳至搜尋

nginx是一套網頁伺服器,在效能與設定彈性上取得不錯的平衡點。

安裝

Ubuntu上的內建版本應該夠用(18.04上是1.14.0;20.04上是1.18.0),如果不夠新的話可以選擇用Ondřej Surý所維護的版本:

nginx-light(basic version)、nginx-full(standard version)、nginx-extras(extended version)可以安裝,一般裝nginx-full算是夠用。

設定

Log

我希望記錄使用者在HTTPS環境下用的TLS Protocol與Cipher,所以將這兩個資訊放到Log內。

/etc/nginx/conf.d/combined_ssl.conf內的設定如下:

#
log_format combined_ssl '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol/$ssl_cipher';

SSL

/etc/nginx/conf.d/ssl.conf內的設定如下:

# https://www.eff.org/deeplinks/2015/04/effs-updated-ssl-configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "CHACHA20+ECDHE:AESGCM+ECDHE:AES+ECDHE:CAMELLIA+ECDHE:!ADH:!AECDH:!DSS:!ECDSA:!MD5:!SHA1";
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 30m;

這跟其他網站上建議的有些差異:

直接關掉TLSv1.1
因為就瀏覽器安全性來說,應該使用TLSv1.2,就相容性來說,則是使用TLSv1.0,而目前沒有看到需要開TLSv1.1才會動情況,直接關掉反而可以避免nginx實做TLSv1.1有問題時的風險(因為用的人少,眼球會比較少,這個協定風險反而比另外兩個高)。
試著支援非NIST架構的協定:
目前cipher都是NIST所選出的協定,所以還是多選了ChaCha20與Camellia讓使用者可以用。

範例

這邊是/etc/nginx/sites-available/default的內容,配合Dehydrated的需求:

#
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /srv/www/public;
    index index.html;
    server_name _;

    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
    }
}

server {
    listen 127.0.0.1:80;
    listen [::1]:80;
    root /srv/localhost/public;
    server_name _;

    location = /stub_status {
        stub_status;
    }
}

對於一般的virtual host,如果是HTTPS的站台可能會長這樣,像是API類的應該直接拒絕HTTP,只允許ACME的認證:

#
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    root /srv/example.com/public;
    access_log /var/log/nginx/example.com-access.log combined;

    location / {
        deny all;
    }
    location /.well-known/acme-challenge/ {
        allow all;
    }
}

server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name example.com;

    ssl_certificate /etc/dehydrated/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/example.com/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/dehydrated/certs/example.com/fullchain.pem;

    add_header Strict-Transport-Security "max-age=31536000";

    root /srv/example.com/public;
    index index.html;
    access_log /var/log/nginx/example.com_ssl-access.log combined_ssl;
}

如果是使用者網站類的可以在HTTP段改用:

    return 301 https://$server_name$request_uri;

對於後端接HTTP backend的設定(需要放到server區段裡):

    location / {
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }

後端接uwsgi的設定(需要放到server區段裡):

    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:9000;
    }

快速安裝

這邊包括一些Dehydrated的設定(沒有先裝沒關係),另外這邊用uuencode包起來是因為conf.d內的檔案太多,所以包起來處理:

sudo apt install -y nginx-full prometheus-nginx-exporter; sudo apt clean; sudo sed -i -e "s/\tssl_protocols/#\tssl_protocols/" /etc/nginx/nginx.conf; echo -e "#\nserver {\n    listen 80 default_server;\n    listen [::]:80 default_server;\n    root /srv/www/public;\n    index index.html;\n    server_name _;\n\n    location /.well-known/acme-challenge/ {\n        alias /var/www/dehydrated/;\n    }\n}\n\nserver {\n    listen 127.0.0.1:80;\n    listen [::1]:80;\n    root /srv/localhost/public;\n    index index.html;\n    server_name _;\n\n    location = /stub_status {\n        stub_status;\n    }\n}" | sudo tee /etc/nginx/sites-available/default; cd /etc/nginx; sudo uudecode -o - <<"EOF" | sudo tar -zxv -f -
begin 644 conf.d.tgz
M'XL(`````````^U8;6^K-A3NY_P*YT6ZTJ:`;0SNJ/HA2J-E4JM=+?VP:9J0
M"R:P!,QLDR:=]M]G*+EM[K2;#Q.)=L.C!&P?3HQRSG->'(H\MB+[JDU``^JZ
M]=W@\WL]1H1`A#P$(;F""%*$KX#;ZELU*)5F$H`K*83^TG/'Y/]3A*_V+Y+"
MJH:M[%$9V"/D7^V/J6OLCZCG8@<1;.R/'6KL#UMYF\]PX?8?]LI":<E9!HP/
M4`+^[`$#Q>6&2U#FZ=:W99E7#E)]J47&<9%92H2KF]Y?O4/U:WA$_=J"7U)'
M1]71@?JY_[RO``W_E5J?C_\$F?CO>`YV"86TBO_8)(.._Z?`$"1:%\JW[>?G
M9XO'L27DTHXX+]9IOE(VALBU(;&-1(W+(F*:1V/C+>/*6])E*9E.1=XS*T$A
MA1:A6"OP>+_8(`LW=^>F%H=ID7"IP&`ZGY@/AM_.IG?SF3^9+;Z?/KQ-FM%T
M\C"[O_]ATDS[D[NYN503OW^W6/A],UQ,_/[#G>OW%_,)&KQNH[A2YHV"D(4)
M!RIADD?^8G'O.S`[?$*G&1>E!K7@W'8X%QK^5TX@MKMV8L`Q_D/'Y'],*78\
MB@DR_'<<W.7_DR!F2H?+-"B8-$EX_OCX,?CXTX\__P(&@\LEQ06AX?_R)6VO
M`3A:_QNR5_V?J00H,KV`R?\NZ?+_25`9/@A%5@1KON%K\-U-KU[2NX(KP`I3
M!H1UBK=_9QNF0ID6^G!9B?Q@89NM09JQ);<W>61E:2B%$K&V4N->C6`[KB>:
M;[7]3;/AALD=$'D7=$Z+AO]UM=16`#C.?U+5_]"CG@MIW?][A';\/P6&O7T%
M4+M`L.([,!A)_D?)E0XRKA,1@9$RHHR#42*4!I^DI4Q-D7"H7S"=`%MGA9TO
MTWP[?BW#Z]BB;I&/@=E`!2\BY[=3TP;,?(2O,Y#F+-3IAM]ZEUR+GP-[_HOL
M*<UY%+1Q$'"4_V[5_Z/J`!!ZT#'\)]CIZO^38-A;BV40"YDQ#=Y[`?A@>)X)
MS0,611*,P7Y:*B[!KZ.J>P[6(F3KW]X"QL"$"LUTJ<#H242[X&FGN3(-=Z[-
M,U6/&4@><\GE8#^O?BTP-4%>Z[X[1;!';X<&'[J8T!;VYW\\--%<MW,`<+3_
MQV_]OP.]JO\GKM/Q_Q08]EX/VP,M5CQ70,1Q1[8+PB?^UTZ0,Q/4$Z:2X*D,
M5UP'*GWY[VW!4?X3Q_3_$%.,"*W6$24>Z?A_"KPSO/J'Y8$ISKMHT*%#APX=
-.GQU^!L:2#0J`"@`````
`
end
EOF
sudo pkill -1 nginx; sudo sed -i 's@^ARGS=""@ARGS="--nginx.scrape-uri=http://127.0.0.1/stub_status"@' /etc/default/prometheus-nginx-exporter; sudo service prometheus-nginx-exporter restart

外部連結