====== nginx ======
===== Installation =====
** Optional: Offizielles nginx-Repo hinzufügen** \\
Datei ''/etc/apt/sources.list.d/nginx.list'' erstellen mit folgendem Inhalt ("bullseye" durch entsprechendes Release ersetzen) erstellen:
deb https://nginx.org/packages/debian/ bullseye nginx
deb-src https://nginx.org/packages/debian/ bullseye nginx
Ggf. muss der NGNINX-GPG-Key noch installiert werden:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys
** Installation von nginx **
sudo apt update
sudo apt install nginx
sudo systemctl enable --now nginx
===== Konfiguration =====
** Dateien für die Grundkonfiguration **
/etc/nginx/conf.d/default.conf
/etc/nginx/nginx.conf
==== Hide version ====
server_tokens off;
''/etc/nginx/nginx.conf''
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
server_tokens off;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
==== Reverse Proxy ====
=== LDAPS ===
stream {
server {
listen 636 ssl;
ssl_certificate /etc/nginx/certs/chain.crt;
ssl_certificate_key /etc/nginx/certs/private/certificate.key;
proxy_pass 192.168.1.123:636;
proxy_ssl on;
proxy_ssl_verify off;
}
}
=== Exchange OWA/EAS ===
default.conf (docker)
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
listen 80;
listen [::]:80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
# mail.example.org
upstream mail.example.org {
## Can be connected with "nginx-net-prod" network
# mail.example.org
server mail.example.org:443;
}
server {
server_name mail.example.org autodiscover.example.org;
listen 80 ;
access_log /var/log/nginx/access.log;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
#location ^~ /.well-known/acme-challenge/ {
# auth_basic off;
# auth_request off;
# allow all;
# root /usr/share/nginx/html;
# try_files $uri =404;
# break;
#}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name mail.example.org autodiscover.example.org;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/mail.example.org.crt;
ssl_certificate_key /etc/nginx/certs/mail.example.org.key;
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/mail.example.org.ocsp-chain.crt;
add_header Strict-Transport-Security "max-age=31536000" always;
location / { return 301 https://$host/owa; }
location /owa { proxy_pass https://mail.example.org; }
location /OWA { proxy_pass https://mail.example.org; }
location /EWS { proxy_pass https://mail.example.org; }
location /ews { proxy_pass https://mail.example.org; }
location /Microsoft-Server-ActiveSync { proxy_pass https://mail.example.org; }
location /mapi { proxy_pass https://mail.example.org; }
location /MAPI { proxy_pass https://mail.example.org; }
location /rpc { proxy_pass https://mail.example.org; }
location /RPC { proxy_pass https://mail.example.org; }
location /oab { proxy_pass https://mail.example.org; }
location /OAB { proxy_pass https://mail.example.org; }
location /autodiscover { proxy_pass https://mail.example.org; }
location /Autodiscover { proxy_pass https://mail.example.org; }
}
=== Nextcloud ===
upstream cloud.example.com-upstream {
server 192.168.1.234:80;
}
server {
server_name cloud.example.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.cloud.example.com.log vhost;
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name cloud.example.com;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
access_log /var/log/nginx/access.cloud.example.com.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/cloud.example.com.crt;
ssl_certificate_key /etc/nginx/certs/private/cloud.example.com.key;
ssl_dhparam /etc/nginx/certs/dhparam/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/cloud.example.com-fullchain.crt;
add_header Strict-Transport-Security "max-age=31536000" always;
proxy_buffering off;
client_max_body_size 64m;
location / {
proxy_pass http://cloud.example.com-upstream;
}
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
}
===== index.html =====
https://github.com/nginx/nginx/blob/master/docs/html/index.html