-
Notifications
You must be signed in to change notification settings - Fork 0
/
Nginx_Config.txt
147 lines (91 loc) · 6.13 KB
/
Nginx_Config.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
--------------------------- CONFIGURING NGINX ON UBUNTU ------------------------------
1). sudo apt-get update // For updating repository
2). sudo apt-get install nginx // For installing nginx from ubuntu repository
3). sudo ufw allow 'Nginx Full' // It will allow both port, i.e. port 80 and 443
3). In browser --> YOUR_SERVER_IP
NOTE - If it does not work, then make sure you allow port 80 and 443 by adding a custom rule in AWS server.
4). In browser --> YOUR_SERVER_IP
5). sudo mkdir -p /var/www/brocode/html // give any name to the directory inside /var/www
6). sudo chown -R $USER:$USER /var/www/brocode/html // It will assign ownership to the account that we are currently signed in on (make sure you're not logged in as root for security p // Changing mode on directory
8). sudo ls -l /var/www/brocode // For checking
9). sudo vim /var/www/brocode/html/index.html // Opening text editor
10). In index.html -->
<html>
<head>
<title>Welcome to Brocode.in</title>
</head>
<body>
<h1>Brocode successfully hosted!!</h1>
</body>
</html>
11). sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/brocode.in // copy default block
12). sudo vim /etc/nginx/sites-available/brocode.in // Creating server-block
13). In /etc/nginx/sites-available/brocode.in -->
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/brocode/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
14). sudo rm /etc/nginx/sites-enabled/default // Delete this default server-block to make your server-block enabled
15). sudo ln -s /etc/nginx/sites-available/brocode.in /etc/nginx/sites-enabled/brocode.in // Linking your server-block
16). sudo nginx -t // For checking any syntax errors in nginx config file
17). sudo systemctl restart nginx // Restart service for changes
18). Login to go daddy account
19). Go to your's domain DNS settings
20). Add a record to point to your server ip
21). In browser --> http://www.brocode.in
------------------------------- SSL CONFIGURATION ---------------------------------
1). Go to https://certbot.eff.org/
2). sudo add-apt-repository ppa:certbot/certbot // adding certbot PPA to Ubuntu's repository
3). sudo apt-get update // To update changes in Ubuntu's repository
4). sudo apt-get install certbot // Installing certbot from Ubuntu's repository
5). sudo certbot certonly --webroot -w /var/www/brocode/html -d brocode.in -d www.brocode.in // Creating SSL certificate
NOTE - You account credentials have been saved in /etc/letsencrypt. Make a secure backup of this folder.
Let's Encrypt certificates last for 90 days.
You can test automatic renewal for your certificates by running this command in crontab job :
certbot renew --dry-run
6). To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 // Creating strong DH group at /etc/ssl/certs/dhparam.pem
7). sudo vim /etc/nginx/sites-available/brocode.in
8). Comment out or delete the lines that configure this server block to listen on port 80.
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
9). Within your server block add this line -
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/letsencrypt/live/brocode.in/fullchain.pem; // fullchain.pem contains your domain's cert and lets's encrypt cert
ssl_certificate_key /etc/letsencrypt/live/brocode.in/privkey.pem; // privkey.pem contains your certificate's private key
10). To allow only the most secure SSL protocols and ciphers, and use the strong Diffie-Hellman group we generated, add the following lines to the same server block:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
11). Lastly, outside of the original server block (that is listening on HTTPS, port 443), add this server block to redirect HTTP (port 80) to HTTPS-
server {
listen 80;
server_name brocode.in www.brocode.in;
return 301 https://$host$request_uri;
}
12). You can use the Qualys SSL Labs Report to see how your server configuration scores:
https://www.ssllabs.com/ssltest/analyze.html?d=brocode.in
13). Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error.
WEB CONTENT- /var/www
SERVER CONFIGURATION -
1). /etc/nginx/nginx.conf (global config file)
2). /etc/nginx/sites-available // per site server-blocks stored here
3). /etc/nginx/sites-enabled // enabled per site server-blocks stored here
SERVER LOGS -
1). /var/log/nginx/access.log
2). /var/log/nginx/error.log
NOTE - 1). Your private key(from AWS) should not be readable by others. So change its permission(chmod 400 YOUR_PRIVATE_KEY_PATH)
2). Now communicate with your AWS server by this private key and allow port 22 on firewall so that you can ssh in future.