Difference between revisions of "NginX"

From Indie IT Wiki
 
(25 intermediate revisions by the same user not shown)
Line 9: Line 9:
 
'''NEW'''
 
'''NEW'''
  
  sudo apt install curl gnupg2 ca-certificates lsb-release
+
#!/bin/bash
  echo "deb <nowiki>http://nginx.org/packages/ubuntu</nowiki> `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
+
  sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y && \
  echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx
+
curl <nowiki>https://nginx.org/keys/nginx_signing.key</nowiki> | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
  curl -s -o /tmp/nginx_signing.key <nowiki>https://nginx.org/keys/nginx_signing.key</nowiki>
+
  echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] <nowiki>http://nginx.org/packages/ubuntu</nowiki> `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list && \
  sudo mv /tmp/nginx_signing.key /etc/apt/trusted.gpg.d/nginx_signing.asc
+
  echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx && \
  cat /etc/apt/trusted.gpg.d/nginx_signing.asc | sudo apt-key add -
+
  curl -s -o /tmp/nginx_signing.key <nowiki>https://nginx.org/keys/nginx_signing.key</nowiki> && \
  sudo apt update
+
  sudo apt update -y && \
  sudo apt install nginx
+
sudo apt install nginx -y && \
 +
nginx -t && \
 +
nginx -V && \
 +
exit;
 +
 
 +
Then, edit the SystemD file to add a sleep command ...
 +
 
 +
<code>/lib/systemd/system/nginx.service</code>
 +
 
 +
[Unit]
 +
Description=nginx - high performance web server
 +
Documentation=<nowiki>https://nginx.org/en/docs/</nowiki>
 +
After=network-online.target remote-fs.target nss-lookup.target
 +
Wants=network-online.target
 +
 +
[Service]
 +
Type=forking
 +
PIDFile=/var/run/nginx.pid
 +
  ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
 +
'''ExecStartPost=/bin/sleep 0.5'''
 +
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
 +
ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"
 +
 +
  [Install]
 +
  WantedBy=multi-user.target
  
 
https://nginx.org/en/linux_packages.html#Ubuntu
 
https://nginx.org/en/linux_packages.html#Ubuntu
 +
  
 
'''OLD'''
 
'''OLD'''
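Review bot: the new `curl ... | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg` line trusts whatever key the download returns. Add a step that prints the key's fingerprint and compares it with the value published on the nginx.org packages page linked at the end of this hunk before the keyring is written. The `curl -s -o /tmp/nginx_signing.key` line that the new script keeps is left over from the old `trusted.gpg.d` procedure and nothing reads the file any more, so it can be dropped. The `ExecStartPost=/bin/sleep 0.5` change is made directly in `/lib/systemd/system/nginx.service`, a package-owned file that an upgrade can replace; a systemd drop-in override would survive upgrades.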
Line 32: Line 57:
  
 
== HOWTOS ==
 
== HOWTOS ==
 +
 +
=== Performance ===
 +
 +
==== GZip Compression ====
 +
 +
To set ...
 +
 +
<code>/etc/nginx/conf.d/web_site.conf</code>
 +
 +
# Gzip compression
 +
gzip on;
 +
gzip_vary on;
 +
gzip_min_length 1000;
 +
gzip_comp_level 5;
 +
gzip_types application/json text/css application/x-javascript application/javascript image/svg+xml;
 +
gzip_proxied any;
 +
 +
To test...
 +
 +
curl -H "Accept-Encoding: gzip" -I <nowiki>https://www.domain.co.uk/</nowiki>
 +
 +
==== Browser File Caching ====
 +
 +
To set ...
 +
 +
<code>/etc/nginx/conf.d/web_site.conf</code>
 +
 +
# Caching
 +
location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
 +
  access_log        off;
 +
  log_not_found    off;
 +
  expires          360d;
 +
  add_header        Access-Control-Allow-Origin *;
 +
  add_header        Pragma public;
 +
  add_header        Cache-Control "public, must-validate";
 +
}
 +
 +
To test, first get the Entity Tag (etag) number and then use that ...
 +
 +
curl -I <nowiki>https://www.domain.co.uk/index.html</nowiki>
 +
HTTP/2 200
 +
server: nginx/1.22.1
 +
date: Sun, 13 Nov 2022 12:56:15 GMT
 +
content-type: text/html
 +
content-length: 11
 +
last-modified: Fri, 11 Nov 2022 13:04:22 GMT
 +
'''etag: "636e4856-b"'''
 +
accept-ranges: bytes
 +
 +
curl -I -H 'If-None-Match: "636e4856-b"' <nowiki>https://www.domain.co.uk/index.html</nowiki>
 +
'''HTTP/2 304 Not Modified'''
 +
server: nginx/1.22.1
 +
date: Sun, 13 Nov 2022 12:59:23 GMT
 +
last-modified: Fri, 11 Nov 2022 13:04:22 GMT
 +
etag: "636e4856-b"
 +
 +
This means, it is working :)
 +
 +
[https://www.nginx.com/blog/rate-limiting-nginx/ Rate Limiting]
  
 
[https://www.upguard.com/blog/how-to-build-a-tough-nginx-server-in-15-steps Security Hardening]
 
[https://www.upguard.com/blog/how-to-build-a-tough-nginx-server-in-15-steps Security Hardening]
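Review bot: in the Browser File Caching block, `Cache-Control "public, must-validate"` uses a directive that does not exist; the HTTP directive is `must-revalidate`, and because caches ignore unknown directives only `public` takes effect as written. `expires 360d` already emits its own Cache-Control max-age header, so responses will carry two Cache-Control headers, which is worth merging into one. `add_header Access-Control-Allow-Origin *` applies to every matched file type, including `xml` and `js`; a line explaining why cross-origin reads are needed, or a narrower location for it, would help.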
Line 44: Line 128:
  
 
[https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04 How To Secure Nginx with Let's Encrypt]
 
[https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04 How To Secure Nginx with Let's Encrypt]
 +
 +
[https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache Set Up Nginx FastCGI Cache to Reduce WordPress Server Response Time]
  
 
== Monitoring ==
 
== Monitoring ==
Line 50: Line 136:
  
 
[https://amplify.nginx.com/ Amplify]
 
[https://amplify.nginx.com/ Amplify]
 +
 +
== HTTP/3 ==
 +
 +
HTTP/3 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:-
 +
 +
listen [::]:443 ssl;
 +
listen 443 ssl;
 +
http3 on;
  
 
== HTTP/2 ==
 
== HTTP/2 ==
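Review bot: the added HTTP/3 lines open only TCP listeners (`listen 443 ssl;`), so nothing answers QUIC and `http3 on;` has no listener to act on. HTTP/3 needs a `listen ... quic` line for each address next to the `ssl` ones, and clients normally discover it through an `Alt-Svc` response header. The section should also state that this needs an nginx build that includes the HTTP/3 module.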
Line 55: Line 149:
 
HTTP/2 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:-
 
HTTP/2 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:-
  
  listen [::]:443 ssl http2;
+
  listen [::]:443 ssl;
  listen 443 ssl http2;
+
  listen 443 ssl;
 
+
http2 on;
https://www.nginx.com/blog/http2-module-nginx/
 
  
 
== Redirect HTTP to HTTPS ==
 
== Redirect HTTP to HTTPS ==
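Review bot: the change from `listen 443 ssl http2;` to a separate `http2 on;` line needs a version note, because the standalone `http2` directive exists only from nginx 1.25.1 and older releases reject it at config test. The curl output added elsewhere in this revision shows `server: nginx/1.22.1`, so readers on that version still need the old `listen ... http2` form.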
Line 72: Line 165:
  
 
https://nginx.org/en/docs/
 
https://nginx.org/en/docs/
 +
 +
== Directory Index Time ==
 +
 +
By default, nginx outputs the directory index in UTC time. If you want it to display the time in your local timezone, you should set the autoindex_localtime directive to on...
 +
 +
autoindex_localtime on
 +
 +
https://stackoverflow.com/questions/53670557/nginx-shows-wrong-time-timezone
  
 
== Fixes ==
 
== Fixes ==
 +
 +
=== Request Entity Too Large ===
 +
 +
<code>/etc/nginx/nginx.conf</code> or <code>/etc/nginx/conf.d/my_site.conf</code>
 +
 +
server {
 +
...
 +
# Fix file upload size
 +
client_max_body_size 10M;
 +
...
 +
}
 +
 +
<code>/etc/php/x.x/php-fpm/php.ini</code>
 +
 +
;This sets the maximum amount of memory in bytes that a script is allowed to allocate
 +
memory_limit = 32M
 +
 +
;The maximum size of an uploaded file.
 +
upload_max_filesize = 10M
 +
 +
;Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize
 +
post_max_size = 12M
 +
 +
https://www.cyberciti.biz/faq/linux-unix-bsd-nginx-413-request-entity-too-large/
  
 
=== nginx: [emerg] duplicate listen options for [::]:443 ===
 
=== nginx: [emerg] duplicate listen options for [::]:443 ===
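Review bot: the added `autoindex_localtime on` line is missing its terminating semicolon, so pasting it as shown makes `nginx -t` fail; it should read `autoindex_localtime on;`. In the Request Entity Too Large section, `client_max_body_size 10M` is lower than `post_max_size = 12M`, so nginx answers 413 before the PHP limit is reached; either raise the nginx value to match or note that the nginx setting is the effective limit.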

Latest revision as of 16:30, 21 July 2024

Introduction

NginX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004.

https://www.nginx.com/

Installation

NEW

#!/bin/bash
# Install prerequisites, add the nginx.org signing key, repository and APT pin, then install and test nginx.
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list && \
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx && \
sudo apt update -y && \
sudo apt install nginx -y && \
sudo nginx -t && \
nginx -V && \
exit;
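
The script above writes the downloaded key straight into the keyring. As an added example (not part of the original page or of nginx's own instructions), the functions below check the key against an allow-list of fingerprints first; `TRUSTED_FPRS` is a placeholder to be filled from the nginx.org packages page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the nginx signing key against an allow-list of
# fingerprints before it is written to /usr/share/keyrings.
# Placeholder: copy the published fingerprint(s) from
# https://nginx.org/en/linux_packages.html#Ubuntu (space-separated list).
TRUSTED_FPRS="REPLACE_WITH_PUBLISHED_FINGERPRINT"

# stdin:  output of `gpg --show-keys --with-colons`.
# stdout: fingerprint of each primary key, i.e. the fpr record that directly
#         follows a pub record (subkey fingerprints follow sub records).
primary_fingerprints() {
    awk -F: '$1 == "fpr" && prev == "pub" { print $10 } { prev = $1 }'
}

# keys_all_trusted "FPR1 FPR2 ..." < colon listing
# Succeeds only if the listing holds at least one key and every primary key
# is on the allow-list, so an unexpected extra key in the download is refused.
keys_all_trusted() {
    allowed=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ -n "$found" ] || return 1
    for fpr in $found; do
        case " $allowed " in
            *" $fpr "*) ;;          # fingerprint is on the allow-list
            *) return 1 ;;          # unknown key: refuse the whole file
        esac
    done
    return 0
}

# Download to a temp file, verify, and only then install the keyring.
install_verified_key() {
    tmp=$(mktemp) || return 1
    if curl -fsS -o "$tmp" https://nginx.org/keys/nginx_signing.key &&
       gpg --show-keys --with-colons "$tmp" | keys_all_trusted "$TRUSTED_FPRS"; then
        gpg --dearmor < "$tmp" |
            sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
        rc=$?
    else
        echo "nginx signing key failed the fingerprint check; keyring not written" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Calling `install_verified_key` replaces the `curl ... | gpg --dearmor | sudo tee ...` step; the rest of the installation is unchanged.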

Then, edit the systemd unit file to add a sleep command (the ExecStartPost line) ...

/lib/systemd/system/nginx.service

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecStartPost=/bin/sleep 0.5
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"

[Install]
WantedBy=multi-user.target

https://nginx.org/en/linux_packages.html#Ubuntu


OLD

https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/

This will install the latest NginX server and also OpenSSL and the OpenSSL libraries.

sudo add-apt-repository ppa:ondrej/nginx
sudo apt-get -y update
sudo apt-get -y dist-upgrade
sudo apt-get -y install nginx-full openssl libssl1.1

HOWTOS

Performance

GZip Compression

To set ...

/etc/nginx/conf.d/web_site.conf

# Gzip compression
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_comp_level 5;
gzip_types application/json text/css application/x-javascript application/javascript image/svg+xml;
gzip_proxied any;

To test...

curl -H "Accept-Encoding: gzip" -I https://www.domain.co.uk/

Browser File Caching

To set ...

/etc/nginx/conf.d/web_site.conf

# Caching
location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
  access_log        off;
  log_not_found     off;
  expires           360d;
  add_header        Access-Control-Allow-Origin *;
  add_header        Pragma public;
  add_header        Cache-Control "public, must-revalidate";
}

To test, first get the Entity Tag (etag) number and then use that ...

curl -I https://www.domain.co.uk/index.html
HTTP/2 200 
server: nginx/1.22.1
date: Sun, 13 Nov 2022 12:56:15 GMT
content-type: text/html
content-length: 11
last-modified: Fri, 11 Nov 2022 13:04:22 GMT
etag: "636e4856-b"
accept-ranges: bytes

curl -I -H 'If-None-Match: "636e4856-b"' https://www.domain.co.uk/index.html
HTTP/2 304 Not Modified
server: nginx/1.22.1
date: Sun, 13 Nov 2022 12:59:23 GMT
last-modified: Fri, 11 Nov 2022 13:04:22 GMT
etag: "636e4856-b"

This means it is working :)

Rate Limiting

Security Hardening

Fix 502 Bad Gateway Error - check nginx is running as user 'www-data'

How To Create a Self-Signed SSL Certificate for Nginx

How To Set Up Nginx with HTTP/2 Support

How To Set Up Nginx Server Blocks Virtual Hosts

How To Secure Nginx with Let's Encrypt

Set Up Nginx FastCGI Cache to Reduce WordPress Server Response Time

Monitoring

NGXtop

Amplify

HTTP/3

HTTP/3 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:-

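listen [::]:443 quic;                        # HTTP/3 runs over QUIC (UDP 443), so it needs its own listeners
listen 443 quic;
listen [::]:443 ssl;                         # keep the TCP listeners for HTTP/1.1 and HTTP/2 clients
listen 443 ssl;
http3 on;
add_header Alt-Svc 'h3=":443"; ma=86400';    # advertise HTTP/3 to clients that connect over TCP first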

HTTP/2

HTTP/2 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:-

listen [::]:443 ssl;
listen 443 ssl;
http2 on;

Redirect HTTP to HTTPS

# redirect to https
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

Documentation

https://nginx.org/en/docs/

Directory Index Time

By default, nginx outputs the directory index in UTC time. If you want it to display the time in your local timezone, you should set the autoindex_localtime directive to on...

autoindex_localtime on;

https://stackoverflow.com/questions/53670557/nginx-shows-wrong-time-timezone

Fixes

Request Entity Too Large

/etc/nginx/nginx.conf or /etc/nginx/conf.d/my_site.conf

server {
...
# Fix file upload size
client_max_body_size 10M;
...
}

/etc/php/x.x/php-fpm/php.ini

;This sets the maximum amount of memory in bytes that a script is allowed to allocate
memory_limit = 32M

;The maximum size of an uploaded file.
upload_max_filesize = 10M

;Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize
post_max_size = 12M

https://www.cyberciti.biz/faq/linux-unix-bsd-nginx-413-request-entity-too-large/
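
The three limits above interact: nginx checks the request body first, then PHP applies its own limits. As an added example (not from the original page), this check compares the values and reports which limit applies first; the function names are hypothetical, and the memory_limit comparison is an assumption based on PHP's general guidance, not on this page.

```shell
#!/bin/sh
# Added example: cross-check the upload limits from the nginx and PHP configs.

# Convert a size such as 10M, 512k or 1G to bytes; plain numbers pass through.
to_bytes() {
    num=${1%[kKmMgG]}
    case "$1" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *[gG]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# check_upload_limits CLIENT_MAX_BODY_SIZE UPLOAD_MAX_FILESIZE POST_MAX_SIZE MEMORY_LIMIT
# Prints one line per inconsistency; the return status is the number found.
check_upload_limits() {
    body=$(to_bytes "$1"); upload=$(to_bytes "$2")
    post=$(to_bytes "$3"); memory=$(to_bytes "$4")
    problems=0
    if [ "$post" -le "$upload" ]; then
        echo "post_max_size ($3) must be larger than upload_max_filesize ($2)"
        problems=$((problems + 1))
    fi
    # client_max_body_size 0 turns the nginx check off, so only compare non-zero values.
    if [ "$body" -ne 0 ] && [ "$body" -lt "$post" ]; then
        echo "client_max_body_size ($1) is below post_max_size ($3): nginx returns 413 first"
        problems=$((problems + 1))
    fi
    # memory_limit -1 means no limit in PHP.
    if [ "$memory" -ne -1 ] && [ "$memory" -le "$post" ]; then
        echo "memory_limit ($4) should be larger than post_max_size ($3)"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

With the values shown on this page, `check_upload_limits 10M 10M 12M 32M` reports one finding: the nginx limit is the one that applies first.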

nginx: [emerg] duplicate listen options for [::]:443

Remove the ipv6only=on directive in your virtual host config files...

# listen [::]:443 ssl http2 ipv6only=on;
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;