
nginx

Installation

Optional: Offizielles nginx-Repo hinzufügen

Datei /etc/apt/sources.list.d/nginx.list mit folgendem Inhalt erstellen („bullseye“ durch das tatsächlich verwendete Debian-Release ersetzen):

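# Bind the nginx signing key to this repository only (signed-by) instead of
# adding it to the global apt trust store via the deprecated apt-key.
# The keyring referenced here is created with:
#   curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
#     | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
# Replace "bullseye" with the release actually in use.
deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ bullseye nginx
deb-src [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ bullseye nginx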

Ggf. muss der nginx-GPG-Key noch installiert werden. Dabei nicht blind die Key-ID aus der apt-Fehlermeldung von einem Keyserver importieren (apt-key ist außerdem veraltet): Der Key wird direkt per HTTPS von nginx.org geholt und sein Fingerprint mit dem auf https://nginx.org/en/linux_packages.html veröffentlichten verglichen:

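# Fetch the official nginx signing key over HTTPS rather than importing
# whatever key ID an apt error message shows: a wrong or tampered repository
# would simply present its own key ID, and apt-key (deprecated) would trust
# that key for every repository on the system.
curl -fsSL https://nginx.org/keys/nginx_signing.key \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
# Print the fingerprint and compare it with the one published at
# https://nginx.org/en/linux_packages.html before running apt update.
gpg --no-default-keyring --keyring /usr/share/keyrings/nginx-archive-keyring.gpg --list-keys --with-fingerprint
# The keyring is only consulted for repository entries that carry
# [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] in nginx.list.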

Installation von nginx

# Refresh the package lists (picks up nginx.list if the optional repository
# was added), install nginx and start it.
sudo apt update
sudo apt install nginx
# --now starts the service immediately in addition to enabling it at boot
sudo systemctl enable --now nginx

Konfiguration

Dateien für die Grundkonfiguration

/etc/nginx/conf.d/default.conf
/etc/nginx/nginx.conf

Version verbergen (server_tokens off entfernt nur die Versionsnummer aus dem Server-Header und den Fehlerseiten; der Produktname „nginx“ bleibt weiterhin sichtbar)

# Drops the version number from the Server header and the built-in error
# pages; the product name "nginx" itself is still sent.
server_tokens off;

/etc/nginx/nginx.conf

# Base http context (package default plus server_tokens). log_format must be
# defined before the access_log directive that references it.
http {
    include       /etc/nginx/mime.types;
    # fallback for files whose extension is not listed in mime.types
    default_type  application/octet-stream;

    # "main" format: client IP, auth user, timestamp, request line, status,
    # body bytes, referer, user agent and the inbound X-Forwarded-For header.
    # X-Forwarded-For is client-supplied, so it is only meaningful when a
    # trusted proxy in front of nginx sets it.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    # hide the version number in the Server header and on error pages
    server_tokens off;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # per-site configuration (default.conf, vhost files) is loaded from here
    include /etc/nginx/conf.d/*.conf;
}

Reverse Proxy

FIXME

Exchange OWA/EAS

default.conf (docker)

# Shared settings of a Docker-generated default.conf: the maps, TLS policy
# and proxy headers below sit in the http context and apply to every server
# block in this file.

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server.
# NOTE(review): when nginx is the first hop this forwards a client-supplied
# X-Forwarded-Proto unchanged; only safe if a trusted proxy in front of nginx
# sets or strips that header.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to (same trust caveat as above).
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade (WebSocket), set Connection to "upgrade"; otherwise
# send Connection: close so a client-supplied Connection header is never
# forwarded as-is.
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam (used by the DHE-* suites listed in ssl_ciphers below)
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header; derived from nginx's own $scheme,
# so unlike the two maps above it cannot be spoofed by the client.
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
# Only takes effect where gzip is switched on; compressing responses that
# mix secrets with attacker-controlled input is exposed to BREACH-style attacks.
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# "vhost" format: the default fields prefixed with $host, so several server
# blocks can share one log file.
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
# logging is off globally and re-enabled per server block
access_log off;
                # TLS 1.2/1.3 only, AEAD suites with forward secrecy. With a
                # list this strict the client's preference is acceptable,
                # hence ssl_prefer_server_ciphers off.
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
                ssl_prefer_server_ciphers off;
# Docker's embedded DNS server
resolver 127.0.0.11;
# HTTP 1.1 support (required for the WebSocket Upgrade handling above)
proxy_http_version 1.1;
# stream responses straight through (WebSockets, long polling)
proxy_buffering off;
# pass the original Host header and forwarding metadata to the backend
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to any incoming
# X-Forwarded-For; backends must only trust the last (rightmost) entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack: never forward a client-supplied Proxy header,
# which CGI-style backends would expose to applications as HTTP_PROXY.
proxy_set_header Proxy "";


# Plain-HTTP catch-all on port 80 (IPv4 and IPv6). Without a default_server
# flag nginx uses the first server block for :80, i.e. this one, for requests
# whose Host header matches no other vhost.
server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    # static welcome page shipped with the package
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

# mail.example.org
# Exchange backend, reached over TLS on :443. The upstream name equals the
# host name on purpose: proxy_pass https://mail.example.org in the server
# blocks below resolves to this upstream, not via DNS.
upstream mail.example.org {
                                ## Can be connected with "nginx-net-prod" network
                        # mail.example.org
                        server mail.example.org:443;
}
# Plain-HTTP listener for the mail host names: everything is redirected to
# HTTPS. HSTS is only sent by the TLS server block, so a client's first
# contact still passes through this redirect.
server {
        server_name mail.example.org autodiscover.example.org;
        listen 80 ;
        access_log /var/log/nginx/access.log;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge (kept disabled;
        # enable only if certificates are obtained via HTTP-01 on this host)
        #location ^~ /.well-known/acme-challenge/ {
        #       auth_basic off;
        #       auth_request off;
        #       allow all;
        #       root /usr/share/nginx/html;
        #       try_files $uri =404;
        #       break;
        #}
        location / {
                return 301 https://$host$request_uri;
        }
}

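# TLS front end for Outlook Web App, EWS, ActiveSync, MAPI/HTTP, Outlook
# Anywhere (RPC), OAB and Autodiscover. Everything is proxied to the
# "mail.example.org" upstream (Exchange on :443).
server {
        server_name mail.example.org autodiscover.example.org;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        # no session tickets: a long-lived ticket key would weaken forward secrecy
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/mail.example.org.crt;
        ssl_certificate_key /etc/nginx/certs/mail.example.org.key;
        ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
        # OCSP stapling; the chain file validates the stapled response
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/mail.example.org.ocsp-chain.crt;
        # HSTS for one year; "always" adds the header on error responses too
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Send SNI on the backend connection so Exchange presents the right cert.
        proxy_ssl_server_name on;
        # NOTE(review): nginx does not verify the backend certificate by default,
        # so the hop to Exchange is encrypted but not authenticated. Once the
        # CA that issued the Exchange certificate is available, pin it:
        #   proxy_ssl_trusted_certificate /etc/nginx/certs/exchange-ca.crt;
        #   proxy_ssl_verify on;

        # Anything that is not an Exchange virtual directory lands on OWA.
        location /             { return 301 https://$host/owa; }

        # Exchange's virtual directories are served by IIS, which matches paths
        # case-insensitively. The previous per-case list (/owa, /OWA, ...)
        # missed mixed-case requests such as /AutoDiscover/AutoDiscover.xml,
        # which then fell into the redirect above and broke client
        # auto-configuration. One case-insensitive prefix regex covers all
        # spellings; without a trailing anchor it matches exactly what the
        # old prefix locations matched, plus the missing case variants.
        location ~* ^/(owa|ews|microsoft-server-activesync|mapi|rpc|oab|autodiscover) {
                proxy_pass https://mail.example.org;
        }
}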

Nextcloud

# Nextcloud backend on the LAN. TLS terminates at nginx; the hop to
# 192.168.1.234:80 is plain HTTP and therefore unencrypted.
upstream cloud.example.com-upstream {
                        # groupwise
                        server 192.168.1.234:80;
}
# Plain-HTTP listener for the Nextcloud host (IPv4 and IPv6): redirect
# everything to HTTPS, logging in the "vhost" format.
server {
        server_name cloud.example.com;
        listen 80 ;
        listen [::]:80 ;
        access_log /var/log/nginx/access.cloud.example.com.log vhost;
        location / {
                return 301 https://$host$request_uri;
        }
}
# TLS front end for Nextcloud. The backend only sees plain HTTP, so it relies
# on the X-Forwarded-Proto/-Ssl/-Port headers set by proxy_set_header in the
# http context to know the client connection was HTTPS.
server {
        server_name cloud.example.com;
        listen 443 ssl http2 ;
        listen [::]:443 ssl http2 ;
        access_log /var/log/nginx/access.cloud.example.com.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        # no session tickets: a long-lived ticket key would weaken forward secrecy
        ssl_session_tickets off;
        # NOTE(review): the name "chain.crt" suggests intermediates only;
        # ssl_certificate must hold the server certificate followed by its
        # chain (a "fullchain" file) - verify the file contents.
        ssl_certificate /etc/nginx/certs/chain.crt;
        ssl_certificate_key /etc/nginx/certs/private/wildcard-ces.key;
        ssl_dhparam /etc/nginx/certs/dhparam/dhparam.pem;
        # OCSP stapling; the trusted chain validates the stapled response
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/fullchain.crt;
        # HSTS for one year; "always" adds the header on error responses too
        add_header Strict-Transport-Security "max-age=31536000" always;
        # stream large downloads/uploads instead of spooling them in nginx
        proxy_buffering off;
        # caps request bodies (uploads) passing through the proxy at 64 MB;
        # raise if larger uploads are needed
        client_max_body_size 64m;
        # unencrypted hop to the LAN backend
        location / {
                proxy_pass http://cloud.example.com-upstream;
        }
        # CalDAV/CardDAV service discovery; $server_port makes the Location
        # header carry ":443" explicitly
        location = /.well-known/carddav {
                return 301 $scheme://$host:$server_port/remote.php/dav;
        }
        location = /.well-known/caldav {
                return 301 $scheme://$host:$server_port/remote.php/dav;
        }
}

index.html
