

nginx

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.


nginx [2021/05/19 13:07]
manfred [Konfiguration auf FreeBSD]
nginx [2021/05/19 21:55] (aktuell)
david
Zeile 1: Zeile 1:
 +====== NGINX ======
 +
 +  * [[http://nginx.org/|NGINX]] - freie Version
 +  * [[http://nginx.com/products/content-caching-nginx-plus/|NGINX Plus]] - kommerzielle Version
 +
 +  * [[https://www.howtoforge.com/serving-cgi-scripts-with-nginx-on-debian-squeeze-ubuntu-11.04-p3]]
 +
 +
 +==== Basic Authentication ====
 +
 +  * [[https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/]]
 +
 +
 +==== Konfiguration auf FreeBSD ====
 +
 +  > cd /usr/ports/www/nginx/ && make clean && make install
 +  > cd /usr/ports/www/fcgi/ && make clean && make install
 +  > cd /usr/ports/www/fcgiwrap/ && make clean && make install
 +
 +<file properties /home/etc/nginx/conf.d/server.conf>
 +# Redirect all HTTP traffic to HTTPS
 +server {
 +    listen 80 default_server;
 +    listen [::]:80 default_server;
 +
 +    location / {
 +        return 301 https://$host$request_uri;
 +    }
 +}
 +
 +server {
 +    listen 443 ssl http2;
 +    listen [::]:443 ssl http2;
 +
 +    server_name example.com;
 +
 +    ssl_certificate         /usr/local/etc/letsencrypt/live/example.com/fullchain.pem;
 +    ssl_certificate_key     /usr/local/etc/letsencrypt/live/example.com/privkey.pem;
 +
 +    # Improve HTTPS performance with session resumption
 +    ssl_session_timeout 1d;
 +    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
 +    ssl_session_tickets off;
 +
 +    # only safe TLS 1.3 and 1.2 ciphers -> 100% ssllabs (cipher strength)
 +    # min. AES 256 -> 100% ssllabs
 +    #ssl_protocols TLSv1.3 TLSv1.2;
 +    #ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 +    ssl_protocols TLSv1.3;
 +    ssl_prefer_server_ciphers on;
 +
 +    # curves which are equivalent of >=4096 rsa (only secp521r1 and secp384r1) -> 100% ssllabs (kex/key exchange)
 +    ssl_ecdh_curve secp521r1:secp384r1;
 +
 +    # HSTS (ngx_http_headers_module is required)
 +    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # 1 year = 31536000 seconds
 +
 +    # OCSP stapling
 +    ssl_stapling on;
 +    ssl_stapling_verify on;
 +
 +    # verify chain of trust of OCSP response using Root CA and Intermediate certs
 +    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/example.com/chain.pem;
 +
 +    # replace with the IP address of your resolver
 +    #resolver 127.0.0.1;
 +    resolver 192.168.2.1 1.1.1.1;
 +
 +    root /home/http;
 +
 +    # redirect to root on error
 +    error_page 404 /;
 +    error_page 403 /;
 +
 +    #index index.html index.php;
 +    index index.html doku.php;
 +
 +    client_max_body_size 15M;
 +    client_body_buffer_size 128K;
 +
 +    location /
 +    {
 +        #try_files $uri $uri/ =404;
 +        try_files $uri $uri/ @dokuwiki;
 +    }
 +
 +    location ^~ /conf/
 +    {
 +        return 403;
 +    }
 +
 +    location ^~ /data/
 +    {
 +        return 403;
 +    }
 +
 +    location ~ /\.ht
 +    {
 +        deny all;
 +    }
 +
 +    # dokuwiki
 +    location @dokuwiki
 +    {
 +        rewrite ^/_media/(.*)           /lib/exe/fetch.php?media=$1     last;
 +        rewrite ^/_detail/(.*)          /lib/exe/detail.php?media=$1    last;
 +        rewrite ^/_export/([^/]+)/(.*)  /doku.php?do=export_$1&id=$2    last;
 +        rewrite ^/(.*)                  /doku.php?id=$1                 last;
 +    }
 +
 +    location ~ \.php$
 +    {
 +        try_files $uri =404;
 +        fastcgi_pass 127.0.0.1:9000;
 +        fastcgi_index index.php;
 +        include fastcgi_params;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +    }
 +
 +    location /cgi-bin/
 +    {
 +        include fcgiwrap_params;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +        fastcgi_pass  unix:/var/run/fcgiwrap/fcgiwrap.sock;
 +    }
 +}
 +</file>
 +
 +<file properties /etc/rc.conf>
 +...
 +nginx_enable=YES
 +php_fpm_enable=YES                      # für PHP
 +fcgiwrap_enable="YES"                   # für CGI (bash)
 +fcgiwrap_user="www"
 +fcgiwrap_socket="unix:/var/run/fcgiwrap/fcgiwrap.sock"
 +fcgiwrap_socket_owner="www"
 +fcgiwrap_socket_mode="0770"
 +</file>
 +
 +  > /usr/local/etc/rc.d/nginx restart
 +  > /usr/local/etc/rc.d/php-fpm restart
 +  > /usr/local/etc/rc.d/fcgiwrap restart
 +
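Review bot: The deny rules at `location ^~ /conf/` and `location ^~ /data/` cover only two of the DokuWiki directories that should not be served. DokuWiki appears to be installed directly in `root /home/http` (the `@dokuwiki` rewrites target `/doku.php` and `/lib/exe/`), so `bin/`, `inc/` and `vendor/` remain reachable. Because `location ~ \.php$` passes every existing `.php` file to PHP-FPM, `install.php` is also served if it was left in place after setup. I would add matching blocks next to the existing ones, `location ^~ /bin/ { return 403; }`, `location ^~ /inc/ { return 403; }` and `location ^~ /vendor/ { return 403; }`, and delete or deny `/install.php`. Keep the `^~` modifier as in the existing blocks, since it stops the `\.php$` regex location from taking over requests under those prefixes.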
  
nginx.txt · Zuletzt geändert: 2021/05/19 21:55 von david