25-07-2021

2021-07-25 13:17:19 +02:00
parent e02b036875
commit 25789f522b
39 changed files with 2593 additions and 121 deletions
--- a/docs/Synology/nginx.md
+++ b/docs/Synology/nginx.md
@@ -0,0 +1,460 @@
+# nginx
+
+
+
+#### SSL
+
+Création d'un certificat ssl self-signed:
+
+```bash
+$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
+# => /etc/ssl/certs/nginx-selfsigned.crt
+
+$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+# => /etc/ssl/certs/dhparam.pem 
+
+$ sudo nano /etc/nginx/snippets/self-signed.conf
+# ajouter:
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+
+$ sudo nano /etc/nginx/snippets/ssl-params.conf
+# ajouter:
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+```
+
+Configurer nginx pour qu'il utilise SSL:
+
+```bash
+$ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
+$ sudo nano /etc/nginx/sites-available/default
+```
+
+```nginx
+# 1. Redirection http vers https
+# /etc/nginx/sites-available/default
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root /var/www/debian/html;
+
+    index index.html index.htm index.php index.nginx-debian.html;
+
+    server_name localhost;
+  	# redirection temporaire (302), permanente (301)
+    return 302 https://$server_name$request_uri;
+
+    location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to displaying a 404.
+        try_files $uri $uri/ =404;
+    }
+}
+
+server {
+    # SSL configuration
+
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+    include snippets/self-signed.conf;
+    include snippets/ssl-params.conf;
+}
+```
+
+```nginx
+# 2. Autoriser http et https
+# /etc/nginx/sites-available/default
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    root /var/www/debian/html;
+
+    index index.html index.htm index.php index.nginx-debian.html;
+
+    server_name localhost;
+    return 302 https://$server_name$request_uri;
+
+    location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to displaying a 404.
+        try_files $uri $uri/ =404;
+    }
+
+    include snippets/self-signed.conf;
+    include snippets/ssl-params.conf;
+}
+```
+
+Tester la configuration et redémarrer nginx:
+
+```bash
+# message normal pour certificat auto-signé
+
+$ sudo /usr/sbin/nginx -t
+nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/nginx-selfsigned.crt"
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+$ sudo systemctl restart nginx
+```
+
+Vérifier le status de nginx:
+
+```bash
+$ systemctl status nginx
+● nginx.service - A high performance web server and a reverse proxy server
+   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
+   Active: active (running) since Tue 2021-07-13 09:30:48 CEST; 2min 58s ago
+     Docs: man:nginx(8)
+  Process: 14769 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, sta
+  Process: 14770 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUC
+ Main PID: 14771 (nginx)
+    Tasks: 5 (limit: 4682)
+   Memory: 5.7M
+   CGroup: /system.slice/nginx.service
+           ├─14771 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
+           ├─14772 nginx: worker process
+           ├─14773 nginx: worker process
+           ├─14774 nginx: worker process
+           └─14775 nginx: worker process
+
+```
+
+#### Logs
+
+```bash
+/var/log/nginx$ ls -la
+-rw-r-----  1 www-data adm  2812 juil. 13 12:00 access.log
+-rw-r-----  1 www-data adm  3252 juil. 13 11:51 error.log
+```
+```bash
+$ nano /etc/nginx/nginx.conf 
+```
+
+```nginx
+    ##
+    # Logging Settings
+    ##
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+```
+
+
+
+#### Utilisation
+
+On commande nginx avec SystemD (Debian 8+, ubuntu 16+, CentOS):
+
+```bash
+$ systemctl stop nginx.service
+
+$ systemctl start nginx.service
+
+$ systemctl restart nginx
+
+$ systemctl reload nginx
+
+$ systemctl disable nginx
+
+$ systemctl enable nginx
+
+```
+
+On peut controller directement nginx avec les signals:
+
+```bash
+# Relancer nginx
+
+$ sudo /usr/sbin/nginx -s reload
+```
+
+Aide:
+
+```bash
+$ sudo /usr/sbin/nginx -h
+nginx version: nginx/1.14.2
+Usage: nginx [-?hvVtTq] [-s signal] [-c filename] [-p prefix] [-g directives]
+
+Options:
+  -?,-h         : this help
+  -v            : show version and exit
+  -V            : show version and configure options then exit
+  -t            : test configuration and exit
+  -T            : test configuration, dump it and exit
+  -q            : suppress non-error messages during configuration testing
+  -s signal     : send signal to a master process: stop, quit, reopen, reload
+  -p prefix     : set prefix path (default: /usr/share/nginx/)
+  -c filename   : set configuration file (default: /etc/nginx/nginx.conf)
+  -g directives : set global directives out of configuration file
+```
+
+Tester la configuration:
+
+```bash
+$ sudo /usr/sbin/nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+```
+
+Tester la configuration et l'afficher:
+
+```nginx
+$ sudo /usr/sbin/nginx -T
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+# configuration file /etc/nginx/nginx.conf:
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+.../...
+}
+
+# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
+load_module modules/ngx_http_auth_pam_module.so;
+
+# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
+load_module modules/ngx_http_dav_ext_module.so;
+
+.../...
+
+# configuration file /etc/nginx/mime.types:
+
+types {
+    text/html                             html htm shtml;
+    text/css                              css;
+		.../...
+}
+
+# configuration file /etc/nginx/sites-enabled/default:
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+	
+  .../...
+
+  root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name _;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}
+	
+```
+
+
+
+
+
+```nginx
+http {
+  
+    server {
+        listen 80;
+        server_name localhost;
+    
+    		location / {
+            root /var/service/web;
+            index index.html index.htm index.php;
+        }
+    
+    		error_page 500 502 503 504  /50x.html;
+    		location = /50x.html {
+            root /usr/share/nginx/html; 
+        }
+
+        access_log /var/log/nginx/myexample.access.http.log;
+        error_log /var/log/nginx/myexample.error.http.log;
+    }
+  
+    server {
+        listen 443;
+        server_name localhost;
+    
+    		location / {
+            root /var/service/web;
+            index index.html index.htm index.php;
+        }
+    
+    		error_page 500 502 503 504  /50x.html;
+    		location = /50x.html {
+            root /usr/share/nginx/html; 
+        }
+
+        access_log /var/log/nginx/myexample.access.https.log;
+        error_log /var/log/nginx/myexample.error.https.log;
+
+        ssl on;
+        ssl_certificate /etc/nginx/ssl/server.crt;
+        ssl_certificate_key /etc/nginx/ssl/server.key;    
+    }
+
+}
+```
+
+
+
+Site accessible via HTTP et HTTPS:
+
+```nginx
+server {
+        listen 80;
+        root /var/www/html;
+        index index.html index.htm index.php;
+        server_name example.com example;
+        access_log /var/log/nginx/myexample.access.http.log;
+        error_log /var/log/nginx/myexample.error.http.log;
+}
+
+server {
+        listen 443;
+        root /var/www/html;
+        index index.html index.htm index.php;
+        server_name example.com example;
+        access_log /var/log/nginx/myexample.access.https.log;
+        error_log /var/log/nginx/myexample.error.https.log;
+        ssl on;
+        ssl_certificate /etc/nginx/ssl/server.crt;
+        ssl_certificate_key /etc/nginx/ssl/server.key;
+}
+```
+
+Reverse proxy:
+
+```nginx
+upstream mysite {
+         server localhost:8080;
+}
+server {
+         server_name mysite.local;
+         location / {
+              proxy_pass http://mysite.local;
+              }
+}
+```
+
+PHP:
+
+```nginx
+location ~ \.php$ {
+		try_files $uri =404;
+		fastcgi_pass unix:/var/run/php5-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+}
+```
+
+Redirige les www. vers la version sans www
+
+```nginx
+server {
+    listen 80;
+    server_name www.monsupersite.fr;
+    return 301 http://monsupersite.fr$request_uri;
+}
+```
+