Web Server

Nginx

# Default Configuration

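# Catch-all virtual host: answers any request whose Host header matches no
# other server block (default_server on both IPv4 and IPv6).
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /usr/share/nginx/html;
    # Fixed: the directive was misspelled "idnex", which nginx rejects as an
    # unknown directive when it loads the configuration.
    index index.html index.htm index.nginx-debian.html;
    # "_" is just a placeholder name that matches no real Host header.
    server_name _;

    location / {
        # Fixed: test the file itself before the directory form. With only
        # "$uri/" listed, a request for a plain file (for example a token
        # placed under /.well-known) is answered with 404.
        try_files $uri $uri/ =404;
    }

    # Keep repository metadata out of reach if the web root is a git checkout.
    # This is a prefix match, so it covers /.git/... and names such as
    # /.gitignore; other dotfiles are not covered by this rule.
    location /.git {
        deny all;
    }
}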

# Http To Https Configuration

# Plain-HTTP listener for www.example.com: serves /.well-known from disk and
# sends every other request to the HTTPS site.
server {
    server_name www.example.com;
    listen 80;

    # Everything outside /.well-known is redirected permanently (301).
    # $host comes from the request, so the redirect keeps the name the
    # client asked for.
    location / {
        return 301 https://$host$request_uri;
    }

    # Stays on HTTP and is read from the shared web root, so files placed in
    # /usr/share/nginx/html/.well-known are reachable without TLS.
    location /.well-known {
        root /usr/share/nginx/html;
        default_type "text/plain";
    }
}

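With the default configuration and the HTTP-to-HTTPS configuration in place,
we can use Let's Encrypt to obtain certificates for any domain that resolves to this host,
because /.well-known stays reachable over plain HTTP from the shared web root.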

# Simple Directory Index configuration

# Browsable file listing for www.example.com, served from /var/www/html.
server {
    server_name www.example.com;
    listen 80;

    error_log /var/log/nginx/example.error.log;
    access_log /var/log/nginx/example.access.log;

    root /var/www/html;

    location / {
        charset utf-8;

        # Generate an HTML listing for directories that have no index file.
        # Anything readable under the root can then be found and downloaded
        # by whoever can reach this server, so keep secrets out of the tree.
        autoindex on;
        autoindex_localtime on;    # modification times in server local time
        autoindex_exact_size off;  # rounded sizes instead of exact byte counts
    }
}

# ReverseProxy

# Reverse proxy: requests for new-site.com are forwarded to origin-site.com.
server {
    server_name new-site.com;
    listen 80;

    location / {
        proxy_pass http://origin-site.com/;
        proxy_redirect default;
        # NOTE(review): the nginx documentation says this timeout cannot
        # usually exceed 75 seconds, so 300 may not take effect as written.
        proxy_connect_timeout 300;

        # The upstream receives the Host the client sent, not origin-site.com.
        proxy_set_header Host $host;

        # X-Real-IP and X-Forward-IP are overwritten with the peer address
        # seen by this nginx. X-Forwarded-For is appended to whatever the
        # client sent, so the upstream should trust only the last entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Redirects issued by nginx itself keep the listening port and use
        # the name from the request rather than the primary server_name.
        server_name_in_redirect off;
        port_in_redirect on;
    }
}

# Nginx with ssl

Generate a stronger DHE parameter

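# Generate custom Diffie-Hellman parameters for DHE key exchange.
# "&&" stops openssl from writing dhparam.pem into the current directory
# when the cd fails. Generating a 4096-bit prime can take a long time.
cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096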

then

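# HTTPS virtual host for example.com using a Let's Encrypt certificate.
server {
    # "ssl" on the listen lines enables TLS for this server. The separate
    # "ssl on;" directive was removed: it is deprecated in favour of the
    # listen parameter and redundant next to it.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.0 and 1.1 were dropped; both are deprecated (RFC 8996). Append
    # TLSv1.3 when the installed nginx and OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret suites only: ECDHE/DHE key exchange with AES-GCM or AES-256.
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    keepalive_timeout    70;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    # Custom DH group for the DHE suites above (see the openssl dhparam step).
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # "always" sends the headers on error responses too; without it nginx
    # adds them only to a fixed set of success and redirect status codes.
    # A location that declares its own add_header does not inherit these
    # and has to repeat them.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    access_log /var/log/nginx/example.access.log;
    error_log /var/log/nginx/example.error.log;

    root /opt/www/example.com;

    # Keep repository metadata out of reach if the web root is a git checkout.
    location /.git {
        deny all;
    }
}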

# For api proxy

# Forward /api/... to the backend. Because proxy_pass ends in "/", the
# matched /api/ prefix is replaced by "/": /api/users is sent as /users.
# "hostname:port" is a placeholder for the real upstream address.
location /api/ {
    proxy_pass http://hostname:port/;

    # Preserve the Host the client used.
    proxy_set_header Host $host;

    # Client address and scheme for the backend. X-Forwarded-For is appended
    # to the client-supplied value, so only its last entry is set by this proxy.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forward-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Stop processing further rewrite-module directives for this request.
    break;
}

# Increase HTTP Post Size Limit

server {
    #...
    # Largest request body nginx accepts before answering 413 (default: 1m).
    # Set at server level it applies to every location; setting it only on
    # the upload endpoint keeps the limit small everywhere else.
    client_max_body_size 100m;
    #...
}

# Setup Basic-Auth on NGINX

Install apache2-utils

# apache2-utils provides the htpasswd tool used to create the password file.
sudo apt-get install apache2-utils

Create User and password

# -c creates the file and overwrites an existing one, so drop -c when adding
# further users later. The password is prompted for interactively.
sudo htpasswd -c /etc/nginx/.htpasswd username

Add to Nginx site config

server {
    ...
    location / {
        ...
        # Realm string shown in the browser's login prompt.
        auth_basic "Restricted";
        # Basic credentials are only base64-encoded on the wire and are sent
        # with every request, so use this inside an HTTPS server block.
        auth_basic_user_file /etc/nginx/.htpasswd;  #For Basic Auth
    }
}

# CORS Config

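# CORS response headers for a single trusted origin.
# Fixed: Access-Control-Allow-Origin must be a full origin (scheme and host).
# Browsers compare it with the request's Origin header, so a bare hostname
# never matches and the cross-origin response is blocked.
add_header 'Access-Control-Allow-Origin' "https://www.example.com";
# Credentialed requests need the explicit origin above; browsers reject "*"
# when Allow-Credentials is true.
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';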

# IP Whitelist

# Address-based access control. Rules are checked in order and the first
# match decides, so the allow lines must come before "deny all".
# NOTE(review): the check uses the address of the connecting peer; behind a
# load balancer or another proxy that is the proxy's address unless the
# realip module is configured — confirm for the deployment.
location / {
    allow 1.1.1.1;  
    allow 192.168.1.0/24;  
    deny all; 
    ...
}

# My IP

# Echo the caller's address as plain text. $remote_addr is the peer that
# connected to nginx, so behind another proxy this shows the proxy's address.
location /ip {
    default_type text/plain;
    return 200 "$remote_addr\n";
}

# For Vue Use

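# Single-page-app fallback: serve the requested file or directory when it
# exists, otherwise hand the request to /index.html so the client-side
# router can resolve the path.
location / {
    # Fixed: removed the trailing "last". That flag belongs to "rewrite";
    # try_files treats its final argument as the fallback URI, so "last" was
    # taken as the fallback and /index.html only as another file to test.
    try_files $uri $uri/ /index.html;
}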

# Websocket Proxy

# WebSocket pass-through for /wsapp/ to "wsbackend" (presumably an upstream
# block or resolvable host defined elsewhere).
location /wsapp/ {
    # The upgrade handshake needs HTTP/1.1 towards the backend, and the
    # hop-by-hop Upgrade/Connection headers have to be set explicitly
    # because nginx does not forward them on its own.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";

    # The Origin header is passed through unchanged; validating it is left
    # to the backend application.
    proxy_pass http://wsbackend;
}

# Multi File Backup

# Serve from local disk first; whatever is missing locally is fetched from
# the backup server through the named location.
location / {
    root /path/to/file;
    try_files $uri $uri/ @backup;
}

# Named location: not addressable by clients, reached only by internal
# redirect such as a try_files fallback.
location @backup {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # NOTE(review): nginx does not verify the upstream certificate unless
    # proxy_ssl_verify is enabled, so this HTTPS hop is encrypted but not
    # authenticated as written.
    proxy_pass https://backup-server.com;
}

Reference:

Last Update: 2019-12-06 13:24:17 Source File