====== NGINX ======

See [[linux:misc|Common Linux Commands]] for [start | restart | stop | status] service commands

## stop
$ ps -ef | grep nginx
$ kill -9 ${pid}
(note: `kill -9` gives the master process no chance to finish in-flight requests; `nginx -s quit` or the service's stop command shuts down gracefully.)

## test
$ nginx -t

===== Installation =====

$ sudo apt-get install nginx iptables-persistent

===== Setup =====

## allow ports 80,443
$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
$ sudo iptables -A INPUT -j DROP
$ sudo iptables -S
$ /etc/init.d/networking restart
(note: the final DROP rule rejects every new inbound connection not matched above, including new SSH sessions — if the host is managed over SSH, add an ACCEPT rule for that port before the DROP. Restarting networking does not save the rules; iptables-persistent only restores what has been saved, e.g. with `netfilter-persistent save`.)

## set up certificates and keys
ssl:
$ sudo mkdir /etc/nginx/ssl
$ sudo cd /etc/nginx/ssl
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/${site}.crt -keyout /etc/nginx/ssl/${site}.key
$ sudo chmod 400 ${site}.key
(note: `cd` is a shell builtin, so `sudo cd` changes the directory only for the sudo child process, not for your shell; run `cd` without sudo, or give `chmod` the full path /etc/nginx/ssl/${site}.key. The certificate produced here is self-signed and will not be trusted by browsers; the samples below use Let's Encrypt paths for a CA-issued certificate.)
configuration:
cert: /etc/nginx/ssl/${site}.crt
key: /etc/nginx/ssl/${site}.key

## enable sites
$ sudo ln -s /etc/nginx/sites-available/${site} /etc/nginx/sites-enabled/
## test
## restart

===== Configuration =====

## default config file
config: /etc/nginx/sites-available/${site}
$ sudo nano ${config}

==== Sample Configuration Options ====

simple:
server {
    listen 80;
    server_name ${servername};
    access_log ${accesslog};
    error_log ${errorlog};
    root ${root};
    location / {
        try_files $uri /index.html;
    }
}

simple_with_upstream:
upstream ${upstreamname} {
    server ${server};
}
server {
    listen 80;
    server_name ${servername};
    access_log ${accesslog};
    error_log ${errorlog};
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://${upstreamname};
    }
}

simple_with_upstream_ssl:
upstream ${upstreamname} {
    server ${server};
}
server {
    listen 80;
    server_name ${servername};
    return 301 https://$server_name$request_uri;
}
server {
    listen 443;
    server_name ${servername};
    access_log ${accesslog};
    error_log ${errorlog};
    ssl on;
    ssl_certificate /etc/letsencrypt/live/somedomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/somedomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://${upstreamname};
    }
}
(note: the cipher string originally read `EECHD+AESGCM`, a typo for `EECDH+AESGCM` as used in the other samples — OpenSSL may silently ignore a misspelled cipher group rather than fail, so run `nginx -t` and verify the negotiated cipher after editing this line. `ssl on;` is deprecated in favor of `listen 443 ssl;`, the form the samples below use, and newer nginx releases reject it. TLSv1 and TLSv1.1 are deprecated protocols; unless a legacy client requires them, limit `ssl_protocols` to TLSv1.2 (and TLSv1.3 where the nginx/OpenSSL build supports it). The same protocol and cipher lines recur in every SSL sample below.)

simple_with_upstream_ssl_cache:
upstream ${upstreamname} {
    server ${server};
}
proxy_cache_path /var/cache/nginx/${site} levels=1:2 keys_zone=${site}_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
    listen 80;
    server_name ${servername};
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name ${servername};
    ssl on;
    ssl_certificate ${cert};
    ssl_certificate_key ${key};
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    location / {
        proxy_cache ${site}_cache;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://${upstreamname};
    }
}
(note: with `proxy_cache` on `location /`, nginx's default cache key does not include cookies, so a per-user response can be served to other users unless the upstream marks it non-cacheable (Cache-Control: private/no-store or a Set-Cookie header, which nginx honors by default) or caching is limited to static paths.)

standard:
server {
    listen 80;
    server_name ${servername};
    location / {
        gzip off;
        proxy_set_header X-Forwarded-Ssl on;
        client_max_body_size 50M;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass http://127.0.0.1:${port};
    }
}
(note: `proxy_set_header X-Frame-Options SAMEORIGIN;` adds the header to the request sent upstream, not to the response the browser receives — the clickjacking protection it intends needs `add_header X-Frame-Options SAMEORIGIN;` instead. The `Upgrade`/`Connection "upgrade"` pair only takes effect together with `proxy_http_version 1.1;`. On this plain-HTTP `listen 80` block, `X-Forwarded-Ssl on` tells frameworks that honor that header the request arrived over TLS when it did not. These lines recur in the standard_* samples below.)

standard_with_ssl:
server {
    listen 80;
    server_name ${servername};
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name ${servername};
    ssl on;
    ssl_certificate ${cert};
    ssl_certificate_key ${key};
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    location / {
        gzip off;
        proxy_set_header X-Forwarded-Ssl on;
        client_max_body_size 50M;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass http://127.0.0.1:${port};
    }
}
(note: `proxy_set_header X-Frame-Options` only reaches the upstream; to send the header to browsers use `add_header X-Frame-Options SAMEORIGIN;`. The `Upgrade`/`Connection "upgrade"` pair needs `proxy_http_version 1.1;` to work. TLSv1 and TLSv1.1 are deprecated — prefer TLSv1.2 (and TLSv1.3 where supported) — and `ssl on;` is deprecated and redundant here because the `listen` line already carries the `ssl` parameter. The same applies to the two samples below.)

standard_with_upstream_ssl:
upstream ${upstreamname} {
    server ${server};
}
proxy_cache_path /var/cache/nginx/${site} levels=1:2 keys_zone=${site}_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
    listen 80;
    server_name ${servername};
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name ${servername};
    ssl on;
    ssl_certificate ${cert};
    ssl_certificate_key ${key};
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    location / {
        access_log /var/log/nginx/${site}.access.log;
        error_log /var/log/nginx/${site}.error.log;
        gzip off;
        proxy_set_header X-Forwarded-Ssl on;
        client_max_body_size 50M;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass http://${upstreamname};
    }
}
(note: this sample declares `proxy_cache_path` but no location uses `proxy_cache`, so the zone is allocated and never used; drop it or add `proxy_cache ${site}_cache;` where caching is intended.)

standard_with_upstream_ssl_websocket:
upstream ${upstreamname} {
    server ${server};
}
proxy_cache_path /var/cache/nginx/${site} levels=1:2 keys_zone=${site}_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
    listen 80;
    server_name ${servername};
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name ${servername};
    ssl on;
    ssl_certificate ${cert};
    ssl_certificate_key ${key};
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    location /api/v3/users/websocket {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 50M;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_pass http://${upstreamname};
    }
    location / {
        client_max_body_size 50M;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_cache ${site}_cache;
        proxy_cache_revalidate on;
        proxy_cache_min_uses 2;
        proxy_cache_use_stale timeout;
        proxy_cache_lock on;
        proxy_pass http://${upstreamname};
    }
}
(note: the websocket location still needs `proxy_http_version 1.1;` for the Upgrade handshake to reach the upstream. `proxy_set_header X-Frame-Options` only affects the upstream request; use `add_header X-Frame-Options SAMEORIGIN;` to protect browsers. `proxy_cache` on `location /` uses a cache key without cookies, so per-user responses must be marked non-cacheable by the upstream (Cache-Control: private/no-store or a Set-Cookie header, which nginx honors by default) or they may be served to other users. TLSv1/TLSv1.1 are deprecated and `ssl on;` is redundant next to `listen 443 ssl;`.)

===== Errors =====

See: < Notes/Server/misc.notes >

## status
services:
servicename: nginx
# Apr 27 16:09:18 mattermost systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument
$ sudo mkdir /etc/systemd/system/nginx.service.d
$ sudo printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
(note: the `>` redirection is performed by the unprivileged shell before sudo runs, so this fails with "permission denied" on the root-owned directory; pipe the printf output through `sudo tee /etc/systemd/system/nginx.service.d/override.conf` instead. After writing the override, reload the systemd daemon so it is picked up.)
## reload daemon
## if site keeps redirecting to a particular subdomain, check that all the server_names are correct

===== Logs =====

/var/log/nginx/access.log
/var/log/nginx/error.log