Setting up NGINX

assuming NGINX is already installed, either from a package or built from source

Setup

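# The rm below must never run in some other directory, so bail out if the cd fails.
cd /var/www/html/ || exit 1
# drop the stock placeholder pages (presumably shipped with nginx) so the docroot starts empty;
# `--` guards against the names ever being parsed as options
rm -f -- index.html 50x.html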

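# Is hardware AES / AVX available to OpenSSL?
# -w: whole-word match, so 'aes' does not also light up on 'vaes' (and 'avx' not on 'avx2');
# -m 1: the flags line is repeated once per logical CPU, one hit is all we need.
grep --color=always -w -m 1 aes /proc/cpuinfo
grep --color=always -w -m 1 avx /proc/cpuinfo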

# Generate 2048-bit Diffie-Hellman parameters for nginx's ssl_dhparam.
# They are public data (no permission concerns) and are only ever used by DHE-* cipher
# suites; an ECDHE-only cipher list never touches them.
# The -rand /dev/urandom option from older guides is not needed: current OpenSSL seeds itself.
openssl dhparam -out /etc/ssl/dhparam.pem 2048
cat -- /etc/ssl/dhparam.pem

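# Keep the stock configuration for reference (-i refuses to clobber an existing .dist),
# and stop here if that step fails so we never strip a file we did not mean to.
mv -i -- /etc/nginx/nginx.conf /etc/nginx/nginx.conf.dist || exit 1
# Strip comment-only and blank lines once into .clean (a pristine copy to diff against
# later), then start the live nginx.conf from it instead of running the same grep twice.
grep -vE '^[[:space:]]*(#|$)' -- /etc/nginx/nginx.conf.dist > /etc/nginx/nginx.conf.clean || exit 1
cp -- /etc/nginx/nginx.conf.clean /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf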

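# Main configuration: one catch-all plain-HTTP server plus the TLS defaults
# every vhost in conf.d/ inherits. `user` must match the account nginx was
# built/packaged for.
user www www;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type text/html;
    #default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # do not advertise the nginx version in Server: headers and error pages
    server_tokens off;

    # catch-all for plain HTTP: any Host that matches no vhost lands here
    #http2 pops-up a download window on FF
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        location / {
            #root /var/www/html;
            #index index.html index.htm;
            #try_files $uri $uri/ =404;

            #proxy_pass http://x.x.x.x/;

            #taking over a whole FQDN at once
            #return 301 https://pub.nethence.com$request_uri;

            #unconditional redirect to a given page
            return 301 https://nethence.com/;
        }
    }

    # TLS defaults shared by every vhost in conf.d/.
    # NOTE: no 443 default_server is defined here, so a TLS connection for an
    # unknown name is presumably answered by whichever 443 server block comes
    # first (with that vhost's certificate).
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.3 TLSv1.2;
    # With OpenSSL this directive governs TLSv1.2 suites only; the leading TLS-*
    # (TLSv1.3) names are presumably ignored by the cipher-list parser and are
    # kept for documentation. The *-CCM8 suites (8-byte authentication tag) are
    # dropped. The list is ECDSA-only: TLSv1.2 clients cannot connect if the
    # dehydrated certificate is RSA -- confirm the key type.
    ssl_ciphers TLS-AES-128-GCM-SHA256:TLS-AES-256-GCM-SHA384:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
    # only consulted by DHE-* suites; inert with the ECDHE-only list above, harmless to keep
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:40m;
    ssl_session_timeout 4h;
    # Session tickets are encrypted with a key nginx keeps in memory for the
    # lifetime of the process, which weakens forward secrecy for resumed
    # sessions; rely on the server-side cache above instead.
    ssl_session_tickets off;

    include conf.d/*.conf;
}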

Virtual host example

# relative path: run this from /etc/nginx (or spell the full path); nginx.conf includes conf.d/*.conf
vi conf.d/VHOST.conf

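# Plain-HTTP side of the vhost: serve ACME http-01 challenges, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name VHOST.nethence.com;

    # deal with http-01 challenges (no http2 there)
    # ^~ wins over `location /` for this prefix, so challenges are served, not redirected
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # trailing slash matters
        alias /var/www/dehydrated/;
    }

    # HTTP redirect to HTTPS -- for everything else, /robots.txt and /favicon.ico
    # included. Exact-match locations for those (as in the 443 vhost) would take
    # precedence over this block and answer them over plain HTTP instead, and a
    # server-level autoindex would list the challenge directory, so neither is
    # repeated here.
    # $host is safe to echo back because this block is only selected when the
    # Host header matches server_name; on a default_server use a literal name.
    location / {
        return 301 https://$host$request_uri;
    }
}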

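# HTTPS side of the vhost: static files out of /var/www/html with directory listings.
server {
    # on nginx 1.25.1 or newer the http2 listen parameter is deprecated in favour of `http2 on;`
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name VHOST.nethence.com;
    #without includeSubDomains
    # always: emit the header on error responses too, not only on 2xx/3xx
    add_header Strict-Transport-Security "max-age=31536000" always;

    #http-01
    ssl_certificate     /etc/dehydrated/certs/VHOST.nethence.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/VHOST.nethence.com/privkey.pem;

    #dns-01
    #ssl_certificate     /etc/dehydrated/certs/nethence_com/fullchain.pem;
    #ssl_certificate_key /etc/dehydrated/certs/nethence_com/privkey.pem;

    location / {
        root /var/www/html;
        index index index.html index.htm;
        try_files $uri $uri/ =404;
    }

    # directory listings for anything without an index file
    autoindex on;
    autoindex_exact_size off;
    location = /robots.txt          { access_log off; log_not_found off; }
    location = /favicon.ico         { access_log off; log_not_found off; }
    location ~ /apple-touch-icon    { access_log off; log_not_found off; }
    # Deny dotfiles (.git, .htpasswd, ...) and editor backups (foo~) that would
    # otherwise be served straight out of the listing root. No ACME location
    # lives on 443, so blocking /.well-known here costs nothing.
    location ~ /\.                  { access_log off; log_not_found off; deny all; }
    location ~ ~$                   { access_log off; log_not_found off; deny all; }
}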

    #location ~ /\.                 { access_log off; log_not_found off; deny all; }
    #location ~ ~$                  { access_log off; log_not_found off; deny all; }

Ready to go

check configuration

# parse and validate the whole configuration (conf.d/*.conf included) without touching the running instance
nginx -t

enable at boot time

# no init script/unit for a hand-built nginx: start it from rc.local instead
vi /etc/rc.local

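# Start nginx at boot. Absolute path because rc.local cannot rely on PATH.
# printf instead of echo -n (non-portable), and an explicit if/else instead of
# `a && b || c`, which would also print FAIL should `echo done` itself fail.
printf 'nginx... '
if /usr/local/sbin/nginx; then
	echo done
else
	echo FAIL
fi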

on Ubuntu 16+, make sure the systemd rc-local service is enabled, and don’t forget to make the script executable

# rc-local.service is systemd's compatibility unit for /etc/rc.local; it only picks the file up when it is executable
systemctl status rc-local.service
chmod +x /etc/rc.local

status

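# Show the nginx master/worker tree. The '[n]ginx' pattern cannot match the grep
# process itself, which makes the `grep -v grep` stage unnecessary.
ps auxfww | grep '[n]ginx'
# Where the pid and lock files live depends on the build (--pid-path / --lock-path)
# and the OS, so only read the candidates that actually exist instead of letting
# cat error out on the others.
for f in /var/log/nginx.pid /var/lock/nginx.lock /var/db/nginx/nginx.lock; do
	if [ -e "$f" ]; then
		printf '%s: ' "$f"
		cat -- "$f"
	fi
done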

reload

# re-read the configuration; the master spawns new workers and retires the old ones gracefully
nginx -s reload

shutdown gracefully

# graceful shutdown: workers finish in-flight requests before exiting
nginx -s quit

exit brutally

# immediate shutdown: in-flight requests are dropped
nginx -s stop

Acceptance

remotely

anything on plain HTTP redirects to HTTPS

# Both should answer 301 with a Location: https://... header -- the vhost from its
# own port-80 server block, the bare domain presumably from the default_server.
curl --include http://VHOST.nethence.com/
curl --include http://nethence.com/

HTTPS just works

# Expect 200 plus the Strict-Transport-Security header set in the vhost.
curl --include https://VHOST.nethence.com/
curl --include https://nethence.com/

what happens if you’re talking SSL on non-existing vhost?

# No 443 default_server is configured, so nginx presumably answers with the
# certificate of whichever 443 server block comes first; curl should then
# refuse on the name mismatch -- verify that it does.
curl --include https://ipsec.nethence.com/

check 301 on 404

# The vhost ends try_files with =404, so expect a 404 there rather than a
# redirect; nethence.com's own vhost is not shown on this page.
curl --include https://VHOST.nethence.com/lala
curl --include https://nethence.com/lala

HTTP additions vs fancy specific setups

prepare headers and footers

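# Fixtures for the listing themes below. Stop if the docroot is missing rather
# than scattering files into the current directory.
cd /var/www/html/ || exit 1
mkdir -p -- css/
# printf rather than echo: no interpretation of the payload
printf '%s\n' '<p>header' > css/header.html
printf '%s\n' '<p>footer' > css/footer.html
# one file and one directory so the listing has both kinds of entry to render;
# -p keeps the snippet re-runnable
touch -- check-file1
mkdir -p -- check-folder/
touch -- check-folder/check-file2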

then enable fancyindex in the http or server context

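    location / {
        ...
        fancyindex on;
        fancyindex_exact_size off;
        #fancyindex_css_href /css/kult.custom.css;
        # header/footer are URIs fetched by subrequest; the files were created
        # under css/ above (and are what fancyindex_ignore hides), so point there
        fancyindex_header /css/header.html;
        fancyindex_footer /css/footer.html;
        fancyindex_ignore favicon.ico robots.txt css/header.html css/footer.html css;
        #fancyindex_localtime off;
    }
    autoindex on;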

or just DIY

                        #add_before_body /css/header.html;
            # Rewrite the <title> and <h1> of the autoindex page. The needle must
            # match the markup nginx's autoindex emits (matching is case-insensitive),
            # and $uri is expanded in both the needle and the replacement.
            sub_filter '<head><title>Index of $uri</title></head>' '<head><title>TITLE-HERE - $uri</title></head>';
            sub_filter '<h1>Index of $uri</h1>' '<h1 style="font-family:Courier;font-style:italic;text-transform:uppercase;">TITLE-HERE - $uri</h1>';
            # only the first occurrence of each needle is replaced per response
                        sub_filter_once on;

                        #add_after_body  /css/footer.html;
            # the replacement is inserted verbatim into the HTML; keep it static
            sub_filter '</body>' '<div>SOME FOOTER HERE</div></body>';

Note: no footer is added, as the original </body> and </html> would remain – the filter cannot differentiate the ones I added from those emitted by the directory listing.

Resources

Pitfalls and Common Mistakes https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/

Getting Started https://www.nginx.com/resources/wiki/start/index.html

http://wiki.nginx.org/QuickStart

http://wiki.nginx.org/Configuration

Default NGINX Configuration https://gist.github.com/ArunMichaelDsouza/471395af64fb52943bf1

NGINXConfig https://nginxconfig.io/

Debugging Nginx Errors https://blog.martinfjordvald.com/debugging-nginx-errors/ https://blog.martinfjordvald.com/optimizing-nginx-for-high-traffic-loads/ https://blog.martinfjordvald.com/?s=nginx

setup

How to do an Nginx redirect https://www.bjornjohansen.no/nginx-redirect

How do I force redirect all 404’s (or every page, whether invalid or not) to the homepage? https://stackoverflow.com/questions/19487365/how-do-i-force-redirect-all-404s-or-every-page-whether-invalid-or-not-to-the

http additions vs fancy

Module ngx_http_sub_module https://nginx.org/en/docs/http/ngx_http_sub_module.html

Module ngx_http_addition_module https://nginx.org/en/docs/http/ngx_http_addition_module.html

Beautiful listing of files and directories in nginx https://weekly-geekly.github.io/articles/353478/index.html

Directory Theme https://github.com/jessfraz/directory-theme/blob/master/README.md

operations

Controlling NGINX Processes at Runtime https://docs.nginx.com/nginx/admin-guide/basic-functionality/runtime-control/

nginx -s stop and -s quit what is the difference? https://serverfault.com/questions/271810/nginx-s-stop-and-s-quit-what-is-the-difference

