Setting up NGINX

assuming NGINX is installed or built from scratch already

Introduction

It is usually assumed that everybody wants HTTPS, right? This is untrue esp. if your website is read-only or providing content without any authentication scheme. You can have a strong SSL setup if you like, while still allowing plain HTTP at the same time. For those out there who are stuck in the past, and sometimes don’t even have SSL support on their ante- diluvian systems, why not serve anything that’s already public without crypto?

Of course HSTS comes in da game and any modern browser might forget about HTTP. However it is NOT a problem to serve HSTS while talking HTTP, as it does not make any difference to e.g. Lynx which did NOT implement HSTS as of Jan 2021.

Install

install from binaries –or– build from scratch.

Setup

setup the HTTP/HTTPS daemon

grep --color=always aes /proc/cpuinfo
grep --color=always avx /proc/cpuinfo

ll /dev/*random*
openssl dhparam 2048 > /etc/nginx/dhparm.pem
# -rand /dev/random:/dev/urandom
cat /etc/nginx/dhparm.pem

cd /etc/nginx/

cp -pi mime.types mime.types.dist
vi mime.types

text/plain                              bash;
text/plain                              ksh;
text/plain                              sh;
text/plain                              log;
text/plain                              out;
text/plain                              md;
text/plain                              tex;
application/gzip                        gz;
application/gzip                        tgz;

#mv -i /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.dist
#grep -vE '^[[:space:]]*(#|$)' /etc/nginx/conf.d/default.conf.dist > /etc/nginx/conf.d/default.conf.clean
#grep -vE '^[[:space:]]*(#|$)' /etc/nginx/conf.d/default.conf.dist > /etc/nginx/conf.d/default.conf
rm -f /etc/nginx/conf.d/default.conf

# official repo
ls -alF /usr/share/nginx/html/
rm -rf /usr/share/nginx/html/

# SBo
ls -alF /var/www/html/
rm -rf /var/www/html/

mv -i /etc/nginx/nginx.conf /etc/nginx/nginx.conf.dist
grep -vE '^[[:space:]]*(#|$)' /etc/nginx/nginx.conf.dist > /etc/nginx/nginx.conf.clean
grep -vE '^[[:space:]]*(#|$)' /etc/nginx/nginx.conf.dist > /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf

user nginx nginx; # changed
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type text/html; # changed
    sendfile on;
    keepalive_timeout 65;
    server_tokens off; # changed
    gzip on; # changed
    log_format compression '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" "$gzip_ratio"'; # changed

    # https://pub.nethence.com/security/ciphers
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE:DHE:kGOST:AEAD:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA;
    ssl_dhparam /etc/nginx/dhparm.pem;
    # no restriction on ssl_ecdh_curve

    # without includeSubDomains
    # 15552000 seconds (180 days)
    # 31536000 seconds (365 days)
    # 63072000 seconds (730 days)
    add_header Strict-Transport-Security "max-age=15552000" always;

    # jitsi meet
    #ssl_session_cache shared:SSL:10m;
    #ssl_session_timeout 1d;
    #ssl_session_tickets off;

    # what defaults are those?
    #ssl_session_cache shared:SSL:40m;
    #ssl_session_timeout 4h;
    #ssl_session_tickets on;

    # shorter
    #ssl_session_cache shared:SSL:20m;
    #ssl_session_timeout 10m;

    add_header X-Frame-Options DENY;

    include conf.d/*.conf;
}

…and eventually tune your ciphers more.

Catch all virtual host

define the default server stanza - we need an ssl cert anyway

mkdir -p /etc/nginx/conf.d/
cd /etc/nginx/conf.d/
vi catch-all.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 default_server ssl http2;
    listen [::]:443 default_server ssl http2;
    server_name _;

        access_log /var/log/nginx/catch-all.access.log compression;
        error_log  /var/log/nginx/catch-all.error.log warn;

    # http-01 sample
    ssl_certificate         /etc/dehydrated/certs/$domain/fullchain.pem;
    ssl_certificate_key     /etc/dehydrated/certs/$domain/privkey.pem;
    ssl_certificate     /etc/dehydrated/certs/ECC/$domain/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/ECC/$domain/privkey.pem;

    # we need to define location otherwise takes over of .well-known/
    location / {
        return 301 https://$domain/;
    }

    # deal with http-01 challenges (no http2 there)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # trailing slash matters
        alias /var/www/dehydrated/;
    }

    autoindex off;
    autoindex_exact_size off;
    location = /robots.txt          { access_log off; log_not_found off; }
    location = /favicon.ico         { access_log off; log_not_found off; }
    location ~ /apple-touch-icon    { access_log off; log_not_found off; }
}

Notes

        # http2 pops-up a download window on FF
    # curl: (1) Received HTTP/0.9 when not allowed

Virtual host example

Put your certs in place and define SNIs.

Here’s the joined HTTP+HTTPS vhost sample when there is no authentication.

short=VIRTUAL-HOST-SUBDOMAIN
domain=DOMAIN.TLD

cat > /etc/nginx/conf.d/$short.conf <<EOF

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $short.$domain;

        access_log /var/log/nginx/$short.access.log compression;
        error_log  /var/log/nginx/$short.error.log warn;

    # http-01 sample
    ssl_certificate         /etc/dehydrated/certs/$short.$domain/fullchain.pem;
    ssl_certificate_key     /etc/dehydrated/certs/$short.$domain/privkey.pem;
    ssl_certificate     /etc/dehydrated/certs/ECC/$short.$domain/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/ECC/$short.$domain/privkey.pem;

    location / {
        root /data/www/$server_name;
        index index index.html index.htm;
        try_files $uri $uri/ =404;
    }

    # deal with http-01 challenges (no http2 there)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # trailing slash matters
        alias /var/www/dehydrated/;
    }

    ssi on;
    autoindex on;
    autoindex_exact_size off;
    location = /robots.txt          { access_log off; log_not_found off; }
    location = /favicon.ico         { access_log off; log_not_found off; }
    location ~ /apple-touch-icon    { access_log off; log_not_found off; }
}

EOF

More options

    location ~ /\.                 { access_log off; log_not_found off; deny all; }
    location ~ ~$                  { access_log off; log_not_found off; deny all; }

And of course, if you really need a redirect instead of serving HTTP, here’s the sample when there is truly and mandatory need for SSL.

server {
    listen 80;
    listen [::]:80;
    server_name $short.$domain;

    # we need to define location otherwise takes over of .well-known/
    location / {
        return 301 https://$host$request_uri;
    }

    # deal with http-01 challenges (no http2 there)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # trailing slash matters
        alias /var/www/dehydrated/;
    }
}

Ready to go

check configuration

nginx -t

enable at boot time

# debian
vi /etc/rc.local

# slackware
vi /etc/rc.d/rc.local

echo -n nginx...
/usr/local/sbin/nginx && echo done || echo FAIL

# debian
systemctl status rc-local.service
chmod +x /etc/rc.local

status

pgrep -a nginx
ps auxfww | grep nginx | grep -v grep
cat /var/log/nginx.pid
cat /var/lock/nginx.lock
cat /var/db/nginx/nginx.lock

reload

nginx -s reload

shutdown gracefully

nginx -s quit

exit brutally

nginx -s stop

Acceptance

remotely

redirect to HTTS or serve HTTP?

curl -i http://nethence.com/
curl -i http://SHORT.nethence.com/

HTTPS just works

curl -i https://nethence.com/
curl -i https://SHORT.nethence.com/

what happens if you’re talking SSL to a non-existing vhost?

curl -i https://ipsec.nethence.com/

check 301 on 404

curl -i https://nethence.com/lala
curl -i https://SHORT.nethence.com/lala

HTTP additions vs fancy specific setups

prepare headers and footers

cd /var/www/html/
mkdir -p css/
echo '<p>header' > css/header.html
echo '<p>footer' > css/footer.html
touch check-file1
mkdir check-folder/
touch check-folder/check-file2

then enable fancy as http or server context

    location / {
        ...
        fancyindex on;
        fancyindex_exact_size off;
        #fancyindex_css_href /css/kult.custom.css;
        fancyindex_header /header.html;
        fancyindex_footer /footer.html;
        fancyindex_ignore favicon.ico robots.txt css/header.html css/footer.html css;
        #fancyindex_localtime off;
    }
    autoindex on;

or just DIY

                        #add_before_body /css/header.html;
            sub_filter '<head><title>Index of $uri</title></head>' '<head><title>TITLE-HERE - $uri</title></head>';
            sub_filter '<h1>Index of $uri</h1>' '<h1 style="font-family:Courier;font-style:italic;text-transform:uppercase;">TITLE-HERE - $uri</h1>';
                        sub_filter_once on;

                        #add_after_body  /css/footer.html;
            sub_filter '</body>' '<div>SOME FOOTER HERE</div></body>';

Note: not adding a footer as some /body and /html would remain – the filter would not differenciate those I added and those from the directory listing.