Tech geek. Life geek.

Tag: nginx (Page 1 of 2)

Nginx : Unit nginx.service is masked

I compiled Nginx from source to the latest version and added Brotli support, but then got the following error:

$ sudo service nginx status
* nginx.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

$ sudo service nginx restart
Failed to restart nginx.service: Unit nginx.service is masked.

Solution

"Masked" means the unit file has been replaced by a symlink to /dev/null (that is the "/dev/null; bad" in the status output). This usually happens because the distribution's nginx package was removed, but not purged, before the self-compiled build was installed: the Debian and Ubuntu maintainer scripts mask the unit on removal so that the half-removed service cannot start, and only unmask it on purge. To fix the error, unmask the unit:

$ sudo systemctl unmask nginx.service

Unmasking alone neither enables nor starts the service, so follow it with systemctl enable --now nginx.service.

 

How to pass the Real IP Address of client to Nginx Server

I use Nginx as a reverse proxy. Here is the scenario.

The origin server is Server A. The reverse proxy is Server B. Web users browse the website through Server B.

The access log of Server A only ever records the IP address of Server B: all users appear to share one remote address, that of Server B.

 

To pass the real client IP address on to the web server, Server A:

  1. Set up Server B.
    Let Server B add the X-Forwarded-For header to every request it forwards (proxy_set_header in the location that proxies to A). Its value is the real IP of the user.
  2. Set up Server A.
    Add the following to the Nginx server block. Only Server B's address is listed as trusted: the header is honoured solely on connections that come from that address and ignored on any other, which is what stops clients from forging their own address. This needs the ngx_http_realip_module (--with-http_realip_module in nginx -V).

    set_real_ip_from IP_Address_of_Server_B;
    real_ip_header X-Forwarded-For;
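Both halves of the setup, written out as an added example (not the original post's configuration). The addresses are assumed placeholders: Server B, the reverse proxy, is 203.0.113.20 and Server A, the origin, is 198.51.100.10.

```nginx
# Added example, not the original post's configuration. Addresses are assumed:
# Server B (reverse proxy) = 203.0.113.20, Server A (origin) = 198.51.100.10.

# ---- Server B: reverse proxy ------------------------------------------------
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://198.51.100.10;
        proxy_set_header Host $host;
        # $remote_addr is the TCP peer, i.e. the real user. Overwriting the
        # header (rather than appending with $proxy_add_x_forwarded_for) means
        # a value the client sent itself never reaches Server A at all.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# ---- Server A: origin --------------------------------------------------------
server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Trust the header only when the connection comes from Server B. A request
    # arriving directly from anywhere else keeps its TCP peer address and the
    # header is ignored, so clients cannot forge their address.
    set_real_ip_from 203.0.113.20;
    real_ip_header   X-Forwarded-For;
    # With recursion off (the default) nginx takes the last address in the
    # header, which is the one Server B wrote. Turn it on only for a chain of
    # proxies, and then list every one of them in set_real_ip_from.
    real_ip_recursive off;

    # $remote_addr has been rewritten by this point, so the default "combined"
    # log format records the user's address with no change to the log config.
    access_log /var/log/nginx/access.log;
}
```

Server A should also be firewalled so that only Server B can reach it; otherwise a client that finds the origin's address bypasses the proxy entirely.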

 

Continue reading

How to use GeoIP database to block a country in Nginx

First I need to make sure my Nginx has the geoip module.

Check it by entering the command below.


nginx -V

My Nginx showed the following:

nginx version: nginx/1.14.1
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-urYIzg/nginx-1.14.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-echo --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-subs-filter

I found --with-http_geoip_module=dynamic in the configure arguments.

Good: the geoip module is available with my Nginx installation. Because it was built as a dynamic module, it is not active until it is loaded with a load_module directive at the top of nginx.conf (on Debian and Ubuntu the libnginx-mod-http-geoip package drops that line into /etc/nginx/modules-enabled/).

Second, I need the GeoIP country database.

Here is the official site to download the database. (Note: MaxMind has since discontinued the GeoLite Legacy databases; the downloads ended in January 2019, and the legacy .dat format is the only one this module reads, so the URL below no longer works. The newer GeoIP2/GeoLite2 databases need the separate ngx_http_geoip2_module.)

I use the following commands in my terminal window:

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

gunzip GeoIP.dat.gz

sudo mkdir /etc/nginx/geoip

sudo cp GeoIP.dat /etc/nginx/geoip
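What the nginx side of the block looks like once the module is loaded and the database is in place, as an added example (not the original post's configuration). It assumes the module path from the nginx -V output above and uses placeholder country codes; the proxy address in the commented-out geoip_proxy line is also a placeholder.

```nginx
# Added example, not the original post's configuration. Assumes the module was
# built as a dynamic module (as the nginx -V output above shows) and installed
# under --modules-path=/usr/lib/nginx/modules, and that GeoIP.dat was copied to
# /etc/nginx/geoip/. The blocked country codes are placeholders.

# Must be at the top level of nginx.conf, before the http block.
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;

http {
    geoip_country /etc/nginx/geoip/GeoIP.dat;

    # If this server sits behind a reverse proxy, the lookup would otherwise be
    # done on the proxy's address. geoip_proxy makes the module read
    # X-Forwarded-For for connections from the listed (trusted) proxies.
    # geoip_proxy 203.0.113.20;
    # geoip_proxy_recursive on;

    # Private, reserved and unresolvable addresses have no country code (the
    # variable is empty) and fall through to "default", so they are never
    # blocked by mistake.
    map $geoip_country_code $blocked_country {
        default no;
        AA      yes;   # placeholder ISO 3166-1 alpha-2 code
        BB      yes;   # placeholder
    }

    server {
        listen 80;
        server_name example.com;
        root /var/www/html;

        # Evaluated for every request in this server block.
        if ($blocked_country = yes) {
            return 403;
        }
    }
}
```

Country blocking is a coarse control: it keys on the database's view of the source address, so VPNs, proxies and stale database entries all get through. Treat it as noise reduction rather than access control.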

Continue reading

How to get a perfect SSL Labs score

It is easy to get an A+ on your website. It is a little harder to get all four parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, to 100%.

Most of the time I got an A+ rating for my site, but for the individual scores the last two were at 90%.

Let me break it down.

Certificate

It is pretty easy to get 100% here.

  • Make sure the chain is sent in the correct order: your certificate first, then the intermediate certificate(s). The root does not need to be sent; clients already have it.
  • Don't use SHA-1 as the signature algorithm; use SHA-256. All major CAs issue SHA-256 certificates now.
  • Use a trusted CA. Do not use WoSign or StartCom; browsers have distrusted them.

Protocol Support

  • SSL 2.0 0%
  • SSL 3.0 80%
  • TLS 1.0 90%
  • TLS 1.1 95%
  • TLS 1.2 100%

So it is best to enable only TLS 1.2. The protocol score is an average of the best and the worst protocol the server offers, so leaving SSL 3.0 or TLS 1.0 enabled for old clients pulls it below 100%; the trade-off is that clients that cannot speak TLS 1.2 will no longer connect.

 

Key Exchange

Generate strong DHE (ephemeral Diffie-Hellman) parameters:

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

That alone is not enough: modern clients negotiate ECDHE suites rather than DHE, and the score for an ECDHE key exchange depends on the curve (the commonly negotiated prime256v1 is rated as 3072-bit equivalent, which is 90%). Set a 384-bit curve in the Nginx settings as well:

ssl_ecdh_curve secp384r1;

Cipher Strength

  • 0 bits (no encryption) 0%
  • < 128 bits (e.g., 40, 56) 20%
  • < 256 bits (e.g., 128, 168) 80%
  • >= 256 bits (e.g., 256) 100%

So I just use 256 bit cipher suites.

 

Here is a test site which I tried today, 2018-08-11. It got an A+ with four 100% scores.

Here is the most important part of the Nginx config file, put together in one place. Two things to notice: the ssl_ciphers list contains only ECDHE-ECDSA suites, so it requires an ECDSA certificate (with an RSA certificate no suite matches and every handshake fails), and because no DHE suite is listed the ssl_dhparam file is never actually used; the key-exchange score comes from the curve.

ssl_certificate /etc/nginx/ssl/whovpn.com/fullchain;
ssl_certificate_key /etc/nginx/ssl/whovpn.com/key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_prefer_server_ciphers on;

ssl_ecdh_curve secp384r1;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;


## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/whovpn.com/fullchain;

resolver 8.8.8.8;

php-fpm can not use html as php

I have a site that uses nginx as the web server and php-fpm as the PHP interpreter. Most of its files have the .html extension.

My nginx conf file has following section.

location ~ \.(html|php)$ {
    # The original pattern "\.html|php$" is two alternatives, ".html anywhere
    # in the URI" or "php at the end", so e.g. /notes.html.bak would also be
    # sent to PHP. Grouping the alternation ties both to the end of the URI.
    fastcgi_split_path_info ^(.+\.(?:html|php))(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

But when I requested a URL such as https://example.com/sample.html, whose content is a PHP script, it did not work: php-fpm answers "Access denied" for any file whose extension is not on its allow list.

The solution is to change the php-fpm pool configuration.

SSH to the VPS.
Edit /etc/php/7.1/fpm/pool.d/www.conf
Find security.limit_extensions, uncomment it, and add .html at the end.

security.limit_extensions = .php .php3 .php4 .php5 .php7 .html

After that, reload php-fpm (the setting lives in the pool config, so reloading nginx alone does not apply it). Be aware of what this loosens: security.limit_extensions is php-fpm's last line of defence against executing a non-PHP file that nginx hands it, so after this change every .html file under the document root, including anything users can upload, runs as PHP. Make sure the nginx location only passes files that actually exist (try_files $uri =404) and that upload directories never reach the FastCGI pass.
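A hardened version of the location block for this setup, as an added example (not the original post's configuration). It uses the same php-fpm socket as above; the /uploads/ path is assumed and stands for any directory that users can write to.

```nginx
# Added example, not the original post's configuration. Same php-fpm socket as
# above; the /uploads/ path is assumed and stands for any user-writable directory.

# Anything users upload is served as static content only. The ^~ prefix match
# wins over the regex location below, so nothing under here is handed to
# php-fpm even after .html is added to security.limit_extensions.
location ^~ /uploads/ {
    try_files $uri =404;
}

location ~ \.(html|php)$ {
    # Refuse the request unless the file really exists on disk. This blocks the
    # classic /image.png/x.php trick, where php-fpm (with cgi.fix_pathinfo=1)
    # would otherwise walk back to image.png and run it as PHP. Because a URI
    # with trailing path info never names an existing file, there is nothing
    # for fastcgi_split_path_info to do and it is dropped here.
    try_files $uri =404;

    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```

If the site genuinely needs PATH_INFO on .html or .php URLs, keep fastcgi_split_path_info and instead restrict the location to the specific front-controller files rather than to every file with those extensions.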

Change directives of Nginx

My new server uses Nginx as the web server. When I checked its error log, I saw a lot of warnings like this one:

2016/08/27 07:30:03 [warn] 11951#11951: *590544 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/3/28/0000008283 while reading upstream, client: 107.174.247.88, server: www.phpbbchinese.com, request: "GET /download/file.php?id=109 HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "www.phpbbchinese.com"

I searched and found some posts about this kind of warning. It is not an error: the FastCGI response from PHP (here a file download) was larger than the in-memory buffers, so Nginx spooled it to a temporary file under fastcgi_temp_path while it read the rest from upstream. OK, let me record the change and see what happens later.

Increase the buffers.

Edit /etc/nginx/nginx.conf and add the following in the http block:

fastcgi_buffers 32 8k;

Continue reading

HTTP/2 vs SPDY 3.1

I have a web site that was powered by Nginx 1.7 with SPDY 3.1 enabled. Late last week I upgraded it to the Nginx 1.9.7 mainline version.

HTTP/2 has been built into Nginx since version 1.9.5, which is also the release that dropped SPDY. Why not enable HTTP/2?

I just did a very rough test.

 

1. Pingdom testing tool

SPDY 3.1: Performance Grade 97/100, 18 requests, load time 3.17 s

HTTP/2: Performance Grade 97/100, 18 requests, load time 867 ms

2. GTmetrix

SPDY 3.1: PageSpeed score A (98%), YSlow score A (95%), page load time 1.0 s

HTTP/2: PageSpeed score A (98%), YSlow score A (95%), page load time 0.6 s

3. Webpagetest

SPDY 3.1: grades F, A, A, n/a, C

HTTP/2:


Continue reading


© 2020 David Yin's Blog
