====== NGINX ======
Serveur HTTP.
===== Documentation =====
* https://www.nginx.com/resources/admin-guide/
* [[https://www.nginx.com/resources/admin-guide/reverse-proxy/|NGINX Reverse Proxy]]
* [[http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_pass|fastcgi]]
* [[http://nginx.org/en/docs/http/ngx_http_uwsgi_module.html#uwsgi_pass|uwsgi]]
* http://wiki.nginx.org
* http://wiki.nginx.org/NginxConfiguration
[[http://calomel.org/nginx.html|Nginx "how to" - Fast and Secure Web Server]]
==== CGI ====
* [[http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html|Module ngx_http_fastcgi_module]]
* [[https://www.digitalocean.com/community/tutorials/understanding-and-implementing-fastcgi-proxying-in-nginx|Understanding and Implementing FastCGI Proxying in Nginx]]
* Php-fpm
* [[http://interfacelab.com/nginx-php-fpm-apc-awesome|NGINX + PHP-FPM + APC = Awesome]]
* [[http://download.pureftpd.org/docs/configuration_nginx_php.pdf|La mise en place de Nginx avec PHP-fpm]]
===== Securité =====
==== WAF (Web Application Firewall) ====
* ModSecurity
* [[https://blog.wpsec.com/wordpress-modsecurity-waf/|Protecting WordPress with Open Source Web Application Firewall ModSecurity]]
* [[https://medium.com/building-goalwise/how-to-implement-modsecurity-waf-with-nginx-15fdd42fa3|How to implement ModSecurity WAF with NGINX]] 2019 (Installing ModSecurity v3)
* [[https://geekflare.com/install-modsecurity-on-nginx/|How to Install & Configure ModSecurity on Nginx]] 2018
* NAXSI (Nginx Anti Xss & Sql Injection)
* https://github.com/nbs-system/naxsi
* https://github.com/nbs-system/naxsi-rules
* [[https://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-152/NAXSI-un-WAF-open-source-pour-Nginx|NAXSI, un WAF open source pour Nginx]] 2012
==== Autre ====
[[/informatique/securite/crowdsec|Crowdsec]]
* Bunkerized Nginx
* https://github.com/bunkerity/bunkerized-nginx
* [[https://korben.info/bunkerized-nginx-docker-nginx-securise.html||Bunkerized Nginx – L’image Docker Nginx sécurisée]] 2020
===== Tips & Tricks =====
==== Nginx auth request ====
Nginx peut authentifier des requêtes en effectuant une requête intermédiaire auprès d'un service (//HTTP subrequest to an external server//). C'est le module ''[[https://nginx.org/en/docs/http/ngx_http_auth_request_module.html|ngx_http_auth_request_module]]'' qui le permet, présent dès ''nginx-light''.
Utile pour servir des fichiers statiques aux seuls utilisateurs connectés ce qui évite de monopoliser un slot du moteur d'application (python, php, ...) pour servir un fichier.
* [[https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/|Authentication Based on Subrequest Result]]
* [[https://www.danielwerner.dev/how-to-authorize-static-files-in-laravel-with-nginx-auth-request|Tuto avec Laravel]]
==== Letsencrypt certbot reload ====
''Certbot'' sur les debian récentes utilisent un ''systemd timer''. Pour reloader ''nginx'' après un renouvellement de certificat il faut créer un script du genre :
''/etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx'' :
#!/bin/sh
# set -e
systemctl reload nginx
==== Optimize Nginx ====
[[https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration|How To Optimize Nginx Configuration]]
==== Logging ====
* [[https://gock.net/blog/2020/nginx-conditional-logging-responses/|NGINX conditional logging and responses]] (2020-11)
==== more than one worker process ====
http://articles.slicehost.com/2008/5/15/ubuntu-hardy-nginx-configuration/
user www-data www-data;
# Nginx can have more than one worker process running at the same time.
# To take advantage of SMP and to enable good efficiency I would recommend changing this to read:
worker_processes 4;
events {
worker_connections 1024;
}
http {
tcp_nodelay on;
include /usr/local/nginx/sites-enabled/*;
}
Sets the number of connections that each worker can handle. This is a good default setting.
You can work out the maximum clients value from this and the worker_processes settings:
max_clients = worker_processes * worker_connections
Sendfile is used when the server (Nginx) can actually ignore the contents of the file it is sending. It uses the kernel sendfile support instead of using it's own resources on the request.
It is generally used for larger files (such as images) which do not need use of a multiple request/confirmation system to be served - thus freeing resources for items that do need that level of 'supervision' from Nginx.
Keep it an on unless you know why you need to turn it off.
==== nginx proxy cache tuiles OSM ====
configuration nginx pour installer un cache de tuiles OSM par CQuest : https://gist.github.com/cquest/ef82d82e7700e116b340ca3f77532880
# tilecache.conf
# conserver les tuiles dans /var/cache, pendant 24h et au maximum 16Go
proxy_cache_path /var/cache/nginx-tilecache levels=1:2 keys_zone=tilecache:100m inactive=24h max_size=16G;
server {
server_name tilecache.mondomaine.tld a.tilecache.mondomaine.tld b.tilecache.mondomaine.tld c.tilecache.mondomaine.tld;
listen 80;
location / {
proxy_pass http://tilecache.openstreetmap.fr;
proxy_cache tilecache;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 404 1m;
proxy_cache_lock on;
# on ajoute l'IP du client dans la requête vers le upstream
proxy_set_header X-Forwarded-For $remote_addr;
# on indique le status du cache dans la réponse au client
add_header X-Cache-Status $upstream_cache_status;
# si upstream down, on envoie la copie qu'on a en cache
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
}
}