NGINX

NGINX

See Common Linux Commands for [start | restart | stop | status] service commands

  ## stop
  $ ps -ef | grep nginx
  $ kill -9 ${pid}

  ## test
  $ nginx -t

Installation

  $ sudo apt-get install nginx iptables-persistent

Setup

  ## allow ports 80,443
  $ sudo iptables -A INPUT -i lo -j ACCEPT
  $ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $ sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
  $ sudo iptables -A INPUT -j DROP
  $ sudo iptables -S
  $ /etc/init.d/networking restart

  ## set up certificates and keys
  ssl:
      $ sudo mkdir /etc/nginx/ssl
      $ sudo cd /etc/nginx/ssl
      $ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/${site}.crt -keyout /etc/nginx/ssl/${site}.key
      $ sudo chmod 400 ${site}.key
      configuration:
          cert: /etc/nginx/ssl/${site}.crt
          key: /etc/nginx/ssl/${site}.key

  ## enable sites
  $ sudo ln -s /etc/nginx/sites-available/${site} /etc/nginx/sites-enabled/

  ## test
  ## restart

Configuration

  ## default config file
  config: /etc/nginx/sites-available/${site}
  $ sudo nano ${config}

Sample Configuration Options

simple:

  server {
      listen 80;
      server_name ${servername};
      access_log ${accesslog};
      error_log ${errorlog};
      root ${root};
      location / {
          try_files $uri /index.html;
      }
  }

simple_with_upstream:

  upstream ${upstreamname} {
      server ${server};
  }
  server {
      listen 80;
      server_name ${servername};
      access_log ${accesslog};
      error_log ${errorlog};
      location / {
          proxy_redirect off;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://${upstreamname};
      }
  }

simple_with_upstream_ssl:

  upstream ${upstreamname} {
      server ${server};
  }
  server {
      listen 80;
      server_name ${servername};
      return 301 https://$server_name$request_uri;
  }
  server {
      listen 443;
      server_name ${servername};

      access_log ${accesslog};
      error_log ${errorlog};
      ssl on;
      ssl_certificate /etc/letsencrypt/live/somedomain.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/somedomain.com/privkey.pem;

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers 'EECHD+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      location / {
          proxy_redirect off;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://${upstreamname};
      }
  }

simple_with_upstream_ssl_cache:

  upstream ${upstreamname} {
      server ${server};
  }
  proxy_cache_path /var/cache/nginx/${site} levels=1:2 keys_zone=${site}_cache:10m max_size=3g inactive=120m use_temp_path=off;
  server {
       listen         80;
       server_name    ${servername};
       return         301 https://$server_name$request_uri;
  }
  server {
      listen 443 ssl;
      server_name ${servername};
      ssl on;
      ssl_certificate ${cert};
      ssl_certificate_key ${key};

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      location / {
          proxy_cache ${site}_cache;
          proxy_redirect off;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://${upstreamname};
      }
  }

standard:

  server {
       listen         80;
       server_name ${servername};
       location / {
              gzip off;
              proxy_set_header X-Forwarded-Ssl on;
              client_max_body_size 50M;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header Host $http_host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Frame-Options SAMEORIGIN;
              proxy_pass http://127.0.0.1:${port};
       }
  }

standard_with_ssl:

  server {
       listen         80;
       server_name    ${servername};
       return         301 https://$server_name$request_uri;
  }
  server {
       listen 443 ssl;
       server_name ${servername};
       ssl on;
       ssl_certificate ${cert};
       ssl_certificate_key ${key};
       ssl_session_timeout 5m;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
       ssl_prefer_server_ciphers on;
       ssl_session_cache shared:SSL:10m;
       location / {
              gzip off;
              proxy_set_header X-Forwarded-Ssl on;
              client_max_body_size 50M;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header Host $http_host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Frame-Options SAMEORIGIN;
              proxy_pass http://127.0.0.1:${port};
       }
  }

standard_with_upstream_ssl:

  upstream ${upstreamname} {
      server ${server};
  }
  proxy_cache_path /var/cache/nginx/${site} levels=1:2 keys_zone=${site}_cache:10m max_size=3g inactive=120m use_temp_path=off;
  server {
       listen         80;
       server_name    ${servername};
       return         301 https://$server_name$request_uri;
  }
  server {
       listen 443 ssl;
       server_name ${servername};
       ssl on;
       ssl_certificate ${cert};
       ssl_certificate_key ${key};
       ssl_session_timeout 5m;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
       ssl_prefer_server_ciphers on;
       ssl_session_cache shared:SSL:10m;
       location / {
              access_log      /var/log/nginx/${site}.access.log;
              error_log       /var/log/nginx/${site}.error.log;
              gzip off;
              proxy_set_header X-Forwarded-Ssl on;
              client_max_body_size 50M;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header Host $http_host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Frame-Options SAMEORIGIN;
              proxy_pass http://${upstreamname};
       }
  }

standard_with_upstream_ssl_websocket:

  upstream ${upstreamname} {
      server ${server};
  }
  proxy_cache_path /var/cache/nginx/${site} levels=1:2 keys_zone=${site}_cache:10m max_size=3g inactive=120m use_temp_path=off;
  server {
       listen         80;
       server_name    ${servername};
       return         301 https://$server_name$request_uri;
  }
  server {
      listen 443 ssl;
      server_name ${servername};
      ssl on;
      ssl_certificate ${cert};
      ssl_certificate_key ${key};
      ssl_session_timeout 5m;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      location /api/v3/users/websocket {
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          client_max_body_size 50M;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Frame-Options SAMEORIGIN;
          proxy_buffers 256 16k;
          proxy_buffer_size 16k;
          proxy_read_timeout 600s;
          proxy_pass http://${upstreamname};
      }
      location / {
          client_max_body_size 50M;
          proxy_set_header Connection "";
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Frame-Options SAMEORIGIN;
          proxy_buffers 256 16k;
          proxy_buffer_size 16k;
          proxy_read_timeout 600s;
          proxy_cache ${site}_cache;
          proxy_cache_revalidate on;
          proxy_cache_min_uses 2;
          proxy_cache_use_stale timeout;
          proxy_cache_lock on;
          proxy_pass http://${upstreamname};
      }
  }

Errors

  See: < Notes/Server/misc.notes >
      ## status
      services:
          servicename: nginx
              # Apr 27 16:09:18 mattermost systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument
      $ sudo mkdir /etc/systemd/system/nginx.service.d
      $ sudo printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
      ## reload daemon

  ## if site keeps redirecting to a particular subdomain, check that all the server_names are correct

Logs

  /var/log/nginx/access.log
  /var/log/nginx/error.log

Table of Contents