informatique:nginx [17/02/2021 20:24] – [WAF (Web Application Firewall)] cyrille | informatique:nginx [21/09/2023 11:47] (Version actuelle) – [Nginx auth request] cyrille |
---|
* [[http://interfacelab.com/nginx-php-fpm-apc-awesome|NGINX + PHP-FPM + APC = Awesome]] | * [[http://interfacelab.com/nginx-php-fpm-apc-awesome|NGINX + PHP-FPM + APC = Awesome]] |
* [[http://download.pureftpd.org/docs/configuration_nginx_php.pdf|La mise en place de Nginx avec PHP-fpm]] | * [[http://download.pureftpd.org/docs/configuration_nginx_php.pdf|La mise en place de Nginx avec PHP-fpm]] |
| |
| ===== Securité ===== |
| |
==== WAF (Web Application Firewall) ==== | ==== WAF (Web Application Firewall) ==== |
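Review bot: the new section heading is spelled `Securité`, missing the accent on the first "e". It should read `===== Sécurité =====`, so that the title and any anchor generated from it match the French word.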
| |
* Mod Security | * ModSecurity |
| * [[https://blog.wpsec.com/wordpress-modsecurity-waf/|Protecting WordPress with Open Source Web Application Firewall ModSecurity]] |
* [[https://medium.com/building-goalwise/how-to-implement-modsecurity-waf-with-nginx-15fdd42fa3|How to implement ModSecurity WAF with NGINX]] 2019 (Installing ModSecurity v3) | * [[https://medium.com/building-goalwise/how-to-implement-modsecurity-waf-with-nginx-15fdd42fa3|How to implement ModSecurity WAF with NGINX]] 2019 (Installing ModSecurity v3) |
* [[https://geekflare.com/install-modsecurity-on-nginx/|How to Install & Configure ModSecurity on Nginx]] 2018 | * [[https://geekflare.com/install-modsecurity-on-nginx/|How to Install & Configure ModSecurity on Nginx]] 2018 |
* https://github.com/nbs-system/naxsi-rules | * https://github.com/nbs-system/naxsi-rules |
* [[https://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-152/NAXSI-un-WAF-open-source-pour-Nginx|NAXSI, un WAF open source pour Nginx]] 2012 | * [[https://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-152/NAXSI-un-WAF-open-source-pour-Nginx|NAXSI, un WAF open source pour Nginx]] 2012 |
| |
| ==== Autre ==== |
| |
| [[/informatique/securite/crowdsec|Crowdsec]] |
| |
| * Bunkerized Nginx |
| * https://github.com/bunkerity/bunkerized-nginx |
| * [[https://korben.info/bunkerized-nginx-docker-nginx-securise.html||Bunkerized Nginx – L’image Docker Nginx sécurisée]] 2020 |
| |
| |
===== Tips & Tricks ===== | ===== Tips & Tricks ===== |
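Review bot: the korben.info entry under "Bunkerized Nginx" separates URL and title with a doubled pipe (`...nginx-securise.html||Bunkerized Nginx ...`), while every other link in this section uses a single `|`. Use a single `|` so the rendered title does not begin with a stray pipe character. The `Crowdsec` link just above it is also a bare line while its neighbours are list items; making it a list item would keep the "Autre" section consistent.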
| |
==== Optimize Nginx ==== | ==== Nginx auth request ==== |
| |
| Nginx peut authentifier des requêtes en effectuant une requête intermédiaire auprès d'un service (//HTTP subrequest to an external server//). C'est le module ''[[https://nginx.org/en/docs/http/ngx_http_auth_request_module.html|ngx_http_auth_request_module]]'' qui le permet, présent dès ''nginx-light''. |
| |
| Utile pour servir des fichiers statiques aux seuls utilisateurs connectés ce qui évite de monopoliser un slot du moteur d'application (python, php, ...) pour servir un fichier. |
| |
| * [[https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/|Authentication Based on Subrequest Result]] |
| * [[https://www.danielwerner.dev/how-to-authorize-static-files-in-laravel-with-nginx-auth-request|Tuto avec Laravel]] |
| |
| ==== Letsencrypt certbot reload ==== |
| |
| ''Certbot'' sur les debian récentes utilisent un ''systemd timer''. Pour reloader ''nginx'' après un renouvellement de certificat il faut créer un script du genre : |
| |
| ''/etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx'' : |
| <code bash> |
| #!/bin/sh |
| # set -e |
| systemctl reload nginx |
| </code> |
| |
| ==== Optimize Nginx ==== |
| |
[[https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration|How To Optimize Nginx Configuration]] | [[https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration|How To Optimize Nginx Configuration]] |
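Review bot: the "Letsencrypt certbot reload" text gives the path `/etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx` but never says the file must be executable. Certbot only runs executable files from its renewal-hooks directories, so a hook created without `chmod +x` is skipped and nginx keeps serving the old certificate after renewal. Add that step to the instructions. In the script itself, `# set -e` is commented out and does nothing: either enable it or remove the line. Consider `nginx -t && systemctl reload nginx` so that a broken configuration is reported by the hook rather than by a failed reload.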
| |
| ==== Logging ==== |
| |
| * [[https://gock.net/blog/2020/nginx-conditional-logging-responses/|NGINX conditional logging and responses]] (2020-11) |
| |
==== more than one worker process ==== | ==== more than one worker process ==== |