Full stack development practice - Nginx

introduce

Nginx is an open source, high-performance HTTP and reverse proxy server that powers some of the largest sites on the Internet.

Nginx can be used as a standalone web server or as a reverse proxy for Apache and other web servers.

Compared to Apache, Nginx can handle a large number of concurrent connections and has a smaller memory footprint per connection.

Install

First update the apt package list:

sudo apt update

Install Nginx:

sudo apt install nginx

The Nginx service will start automatically after the installation process is complete. You can verify by running the following curl command:

curl -I 127.0.0.1

Manage Nginx services with systemctl

You can use systemctl commands to manage Nginx services the same as any other systemd unit. Here we only list our commonly used commands.

To stop the Nginx service, run:

sudo systemctl stop nginx

To start, type:

sudo systemctl start nginx

Restart the Nginx service:

sudo systemctl restart nginx

After making some configuration changes, reload the Nginx service:

sudo systemctl reload nginx

Nginx configuration file structure and best practices

• Nginx configuration files are stored in a /etc/nginxdirectory.
• The main Nginx configuration file is /etc/nginx/nginx.conf.
• The server block (vhost) configuration file is stored in the /etc/nginx/sites-availabledirectory. Nginx will not use configuration files in the /etc/nginx/sites-enabled directory unless you link these files to that directory.
• The server block is activated by creating a symlink (pointer) from the server directory. Profile site moved from sites-availabledirectory to sites-enableddirectory, eg: ln -s /etc/nginx/sites-available/www.example.com /etc/nginx/sites-enabled/www.example.com.
• To write more maintainable code, it's a good idea to follow standard naming conventions. For example, if your domain name is www.example.com, the configuration file should be named /etc/nginx/sites-available/www.example.com.conf.
• /etc/nginx/snippetsThe directory contains configuration summaries that can be included in a server block file. If you use repeatable configuration sections, you can refactor those sections into fragments and include the fragment file into the server block.
• Nginx log files ( access.logand error.log) are located in the directory var/log/nginx/. accessIt is recommended to use a different sum errorlog file for each server block .
• You can set the domain document root to wherever you want. The most common locations for webroot include:
  • /home/<user_name>/<site_name>
  • /var/www/<site_name>
  • /var/www/html/<site_name>
  • /opt/<site_name>

https instance configuration

mozilla has open sourced a very useful tool: https://ssl-config.mozilla.org , which can automatically generate the recommended SSL configuration with a click. There is a good website for checking server certificate configuration, https://www.ssllabs.com/ssltest/analyze.html .

1. Generate the dhparam.pem file and execute the method on the command line:

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

2. Create a new directory named www.example.com in the /etc/nginx/ssl directory, and put the ssl certificate, such as the certificate downloaded from Alibaba Cloud.
3. Create a new file named www.example.com in the /etc/nginx/sites-available directory and enter the following:

server {
  # 根目录已经有个default了
  # listen 80 default_server;
  # listen [::]:80 default_server;
  listen 80;
  listen [::]:80;
  server_name www.example.com;
  # 重定向所有HTTP网站访问以使用HTTPS
  return 301 https://$host$request_uri;
}

server {
  # 指定ssl监听端口
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  # 证书绑定的域名，例如：www.example.com、localhost
  server_name www.example.com;
  # 指定服务器证书路径
  ssl_certificate /etc/nginx/ssl/www.example.com/1234567_www.example.com.pem;
  # 指定私钥证书路径
  ssl_certificate_key /etc/nginx/ssl/www.example.com/1234567_www.example.com.key;
  # 配置会话缓存为10m，大约40000个session
  ssl_session_cache shared:SSL:10m;
  # 配置会话缓存超时时间为1天
  ssl_session_timeout 1d;
  # 禁用会话重用
  ssl_session_tickets off;

  # DHE密码器的Diffie-Hellman参数, 推荐 2048 位
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  # 指定SSL服务器端支持的协议版本
  # ssl_protocols TLSv1.2 TLSv1.3;
  ssl_protocols TLSv1.2;
  # 指定加密算法
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  # 在使用SSLv3和TLS协议时指定服务器的加密算法要优先于客户端的加密算法
  ssl_prefer_server_ciphers on;

  # 使用严格传输策略HSTS。当浏览器从HTTPS网站看到此标头时，它“获悉”只能使用HTTPS（SSL或TLS）访问该域。它会在max-age一段时间内（通常为31,536,000秒，大约等于1年）缓存此信息
  # includeSubDomains参数告诉浏览器HSTS策略也适用于当前域的所有子域，always参数确保为所有响应（包括内部生成的错误响应）设置标头
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  # 启用ssl OCSP stapling功能, 服务端主动查询OCSP结果, 提高TLS握手效率
  ssl_stapling on;
  # 开启OCSP stapling 验证
  ssl_stapling_verify on;
  # 使用根CA和中级证书验证OCSP响应的信任链
  ssl_trusted_certificate /etc/nginx/ssl/www.example.com/1234567_www.example.com.pem;

  # replace with the IP address of your resolver
  # resolver 127.0.0.1;
  # 匹配请求
  location / {
    # 设置客户端真实的域名（包括端口号）
    proxy_set_header Host $host;
    # 设置客户端或上一级代理IP
    proxy_set_header X-Real-IP $remote_addr;
    # 设置客户端或上一级端口
    proxy_set_header X-Real-Port $remote_port;
    # 设置在多层代理时会包含真实客户端及中间每个代理服务器的IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # 设置客户端真实的协议（http还是https）
    proxy_set_header X-Forwarded-Proto $scheme;
    # 设置代理服务访问地址
    proxy_pass http://127.0.0.1:7060;
    # 静态资源代理
    # root /var/www/www.example.com;
    # try_files $uri $uri/ /index.html;
    # index index.html index.htm;
  }
}

4. activation

ln -s /etc/nginx/sites-available/www.example.com.conf /etc/nginx/sites-enabled/www.example.com.conf

5. systemctl restart nginxrestart nginx with

{{o.name}}

{{m.name}}