nginx

来自Gea-Suan Lin's Wiki
跳转到导航 跳转到搜索

nginx是一套网页服务器,在效能与设定弹性上取得不错的平衡点。

安装

Ubuntu上的内建版本应该够用(18.04上是1.14.0;20.04上是1.18.0),如果不够新的话可以选择用Ondřej Surý所维护的版本:

nginx-light(basic version)、nginx-full(standard version)、nginx-extras(extended version)可以安装,一般装nginx-full算是够用。

设定

Log

我希望记录使用者在HTTPS环境下用的TLS Protocol与Cipher,所以将这两个资讯放到Log内。

/etc/nginx/conf.d/combined_ssl.conf内的设定如下:

#
log_format combined_ssl '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol/$ssl_cipher';

SSL

/etc/nginx/conf.d/ssl.conf内的设定如下:

# https://www.eff.org/deeplinks/2015/04/effs-updated-ssl-configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "CHACHA20+ECDHE:AESGCM+ECDHE:AES+ECDHE:CAMELLIA+ECDHE:!ADH:!AECDH:!DSS:!ECDSA:!MD5:!SHA1";
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 30m;

这跟其他网站上建议的有些差异:

直接关掉TLSv1.1
因为就浏览器安全性来说,应该使用TLSv1.2,就相容性来说,则是使用TLSv1.0,而目前没有看到需要开TLSv1.1才会动情况,直接关掉反而可以避免nginx实做TLSv1.1有问题时的风险(因为用的人少,眼球会比较少,这个协定风险反而比另外两个高)。
试着支援非NIST架构的协定:
目前cipher都是NIST所选出的协定,所以还是多选了ChaCha20与Camellia让使用者可以用。

范例

这边是/etc/nginx/sites-available/default的内容,配合Dehydrated的需求:

#
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /srv/www/public;
    index index.html;
    server_name _;

    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
    }
}

server {
    listen 127.0.0.1:80;
    listen [::1]:80;
    root /srv/localhost/public;
    server_name _;

    location = /stub_status {
        stub_status;
    }
}

对于一般的virtual host,如果是HTTPS的站台可能会长这样,像是API类的应该直接拒绝HTTP,只允许ACME的认证:

#
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    root /srv/example.com/public;
    access_log /var/log/nginx/example.com-access.log combined;

    location / {
        deny all;
    }
    location /.well-known/acme-challenge/ {
        allow all;
    }
}

server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name example.com;

    ssl_certificate /etc/dehydrated/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/example.com/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/dehydrated/certs/example.com/fullchain.pem;

    add_header Strict-Transport-Security "max-age=31536000";

    root /srv/example.com/public;
    index index.html;
    access_log /var/log/nginx/example.com_ssl-access.log combined_ssl;
}

如果是使用者网站类的可以在HTTP段改用:

    return 301 https://$server_name$request_uri;

对于后端接HTTP backend的设定(需要放到server区段里):

    location / {
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }

后端接uwsgi的设定(需要放到server区段里):

    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:9000;
    }

快速安装

这边包括一些Dehydrated的设定(没有先装没关系),另外这边用uuencode包起来是因为conf.d内的档案太多,所以包起来处理:

sudo apt install -y nginx-full prometheus-nginx-exporter; sudo apt clean; sudo sed -i -e "s/\tssl_protocols/#\tssl_protocols/" /etc/nginx/nginx.conf; echo -e "#\nserver {\n    listen 80 default_server;\n    listen [::]:80 default_server;\n    root /srv/www/public;\n    index index.html;\n    server_name _;\n\n    location /.well-known/acme-challenge/ {\n        alias /var/www/dehydrated/;\n    }\n}\n\nserver {\n    listen 127.0.0.1:80;\n    listen [::1]:80;\n    root /srv/localhost/public;\n    index index.html;\n    server_name _;\n\n    location = /stub_status {\n        stub_status;\n    }\n}" | sudo tee /etc/nginx/sites-available/default; cd /etc/nginx; sudo uudecode -o - <<"EOF" | sudo tar -zxv -f -
begin 644 conf.d.tgz
M'XL(`````````^U8;6^K-A3NY_P*YT6ZTJ:`;0SNJ/HA2J-E4JM=+?VP:9J0
M"R:P!,QLDR:=]M]G*+EM[K2;#Q.)=L.C!&P?3HQRSG->'(H\MB+[JDU``^JZ
M]=W@\WL]1H1`A#P$(;F""%*$KX#;ZELU*)5F$H`K*83^TG/'Y/]3A*_V+Y+"
MJH:M[%$9V"/D7^V/J6OLCZCG8@<1;.R/'6KL#UMYF\]PX?8?]LI":<E9!HP/
M4`+^[`$#Q>6&2U#FZ=:W99E7#E)]J47&<9%92H2KF]Y?O4/U:WA$_=J"7U)'
M1]71@?JY_[RO``W_E5J?C_\$F?CO>`YV"86TBO_8)(.._Z?`$"1:%\JW[>?G
M9XO'L27DTHXX+]9IOE(VALBU(;&-1(W+(F*:1V/C+>/*6])E*9E.1=XS*T$A
MA1:A6"OP>+_8(`LW=^>F%H=ID7"IP&`ZGY@/AM_.IG?SF3^9+;Z?/KQ-FM%T
M\C"[O_]ATDS[D[NYN503OW^W6/A],UQ,_/[#G>OW%_,)&KQNH[A2YHV"D(4)
M!RIADD?^8G'O.S`[?$*G&1>E!K7@W'8X%QK^5TX@MKMV8L`Q_D/'Y'],*78\
MB@DR_'<<W.7_DR!F2H?+-"B8-$EX_OCX,?CXTX\__P(&@\LEQ06AX?_R)6VO
M`3A:_QNR5_V?J00H,KV`R?\NZ?+_25`9/@A%5@1KON%K\-U-KU[2NX(KP`I3
M!H1UBK=_9QNF0ID6^G!9B?Q@89NM09JQ);<W>61E:2B%$K&V4N->C6`[KB>:
M;[7]3;/AALD=$'D7=$Z+AO]UM=16`#C.?U+5_]"CG@MIW?][A';\/P6&O7T%
M4+M`L.([,!A)_D?)E0XRKA,1@9$RHHR#42*4!I^DI4Q-D7"H7S"=`%MGA9TO
MTWP[?BW#Z]BB;I&/@=E`!2\BY[=3TP;,?(2O,Y#F+-3IAM]ZEUR+GP-[_HOL
M*<UY%+1Q$'"4_V[5_Z/J`!!ZT#'\)]CIZO^38-A;BV40"YDQ#=Y[`?A@>)X)
MS0,611*,P7Y:*B[!KZ.J>P[6(F3KW]X"QL"$"LUTJ<#H242[X&FGN3(-=Z[-
M,U6/&4@><\GE8#^O?BTP-4%>Z[X[1;!';X<&'[J8T!;VYW\\--%<MW,`<+3_
MQV_]OP.]JO\GKM/Q_Q08]EX/VP,M5CQ70,1Q1[8+PB?^UTZ0,Q/4$Z:2X*D,
M5UP'*GWY[VW!4?X3Q_3_$%.,"*W6$24>Z?A_"KPSO/J'Y8$ISKMHT*%#APX=
-.GQU^!L:2#0J`"@`````
`
end
EOF
sudo pkill -1 nginx; sudo sed -i 's@^ARGS=""@ARGS="--nginx.scrape-uri=http://127.0.0.1/stub_status"@' /etc/default/prometheus-nginx-exporter; sudo service prometheus-nginx-exporter restart

外部链接