It is a record of how I build an Nginx with Brotli compression and TLS 1.3 support.
I use it on my Linode VPS. It is a Nanon type of VPS at Fremont, CA, USA.
1GB RAM, 25GB storage, 1 CPU.
Ubuntu 18.04 LTS was installed on it.
Tech geek. Life geek.
Tag: nginx (Page 1 of 2)
Complied a Nginx server to the latest version and also add Brotli support, but get the following error message:
$ sudo service nginx status * nginx.service Loaded: masked (/dev/null; bad) Active: inactive (dead) $ sudo service nginx restart Failed to restart nginx.service: Unit nginx.service is masked.
Solution
To fix the problem, or error, just unmask with the command:
$ sudo systemctl unmask nginx.service
I check the Nginx error log file regularly. I noticed that a lot of attempted accesses to favicon.ico coming from mainland China.
They come from different IP addresses and with different User Agents. Each of these IPs is only doing this, sometimes repeatedly.
They are just waste my server’s time and CPU. How to stop them or reduce the effect on my VPS.
I use a Nginx as the reverse proxy. Here is the scenario.
The original server is Server A. The reverse proxy is Server B. Web users are browser the website through Server B.
Wikipedia
The web log of Server A just received the IP address of server B. All users are shared one remote address. It is Server B.
To pass the real IP address of client to the Web server, or server A.
- Set up on Server B.
Let server B add the X-Forwarded-For header to the request. It is the real IP of users. - Set up on Server A.
Add following in to Nginx server blockset_real_ip_from IP_Address_of_Server_B; real_ip_header X-Forwarded-For;
First I need to make sure my Nginx has the geoip module.
Check it by entering the command below.
nginx -V
My Nginx shown the results as below.
nginx version: nginx/1.14.1 built with OpenSSL 1.1.1 11 Sep 2018 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-urYIzg/nginx-1.14.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-echo --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-subs-filter
I found –with-http_geoip_module=dynamic
It is cool, I have the geoip module with my Nginx installation.
Second, I need GeoIP country database.
Here is the official site to download the database.
I use the commands in my terminal window.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz gunzip GeoIP.dat.gz sudo mkdir/etc/nginx/geoip sudo copy GeoIP.dat /etc/nginx/geoip
It is easy to get an A+ on your website. But it is a little bit hard to make a 4 parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, to be 100%.
Most of time, I got A+ rating of my site. For individual scores, the last two are 90%.
Let me break down.
Certificate
It is preaty easy to get 100% here.
- Make sure your certificate and intermediate certificate and CA are in the correct order.
- Don’t use SHA1 for the signature algorithm. Use SHA256 instead. Actually all main CA are using SHA256 now.
- Use a trusted CA. Do not use WoSign, StartCom.
Protocol Support
- SSL 2.0 0%
- SSL 3.0 80%
- TLS 1.0 90%
- TLS 1.1 95%
- TLS 1.2 100%
So it is best to just use TLS 1.2.
Key Exchange
Make a strong DHE (Ephemeral Diffie-Hellman) paramaaters.
openssldhparam -out /etc/nginx/ssl/dhparam.pem 4096
It is not enough. Add following into Nginx settings.
ssl_ecdh_curve secp384r1;
Cipher Strength
- 0 bits (no encryption) 0%
- < 128 bits (e.g., 40, 56) 20%
- < 256 bits (e.g., 128, 168) 80%
- >= 256 bits (e.g., 256) 100%
So I just use 256 bit cipher suites.
Here is a test site, I tried it today, 2018-08-11. It is A+ with four 100% scores.
Here is the most important part of Nginx config file. I put them all together.
ssl_certificate /etc/nginx/ssl/whovpn.com/fullchain; ssl_certificate_key /etc/nginx/ssl/whovpn.com/key; ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_dhparam /etc/nginx/ssl/dhparam.pem; # modern configuration. tweak to your needs. ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384'; ssl_prefer_server_ciphers on; ssl_ecdh_curve secp384r1; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /etc/nginx/ssl/whovpn.com/fullchain; resolver 8.8.8.8;
I have a site, which use nginx as web server and php-fpm as php interpreter. Most of the files use html extension name.
My nginx conf file has following section.
location ~ \.html|php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
But, when I enter the url such as https://example.com/sample.html, whose content is php script. It did not work.
The solution is to change the config of php.
SSH to the VPS.
Edit /etc/php/7.1/fpm/pool.d/www.conf
Find the security.limit_extensions and uncomment it, add html at the end.
security.limit_extensions = .php .php3 .php4 .php5 .php7 .html
After it, reload nginx, all done.
My new server uses Nginx as a web server. When I check the error log of it, I saw a lot of warnings.
2016/08/27 07:30:03 [warn] 11951#11951: *590544 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/3/28/0000008283 while reading upstream, client: 107.174.247.88, server: www.phpbbchinese.com, request: “GET /download/file.php?id=109 HTTP/1.1”, upstream: “fastcgi://unix:/run/php/php7.0-fpm.sock:”, host: “www.phpbbchinese.com”
I did the search and found some posts about this kind of warnings. OK, let record it and see what happened later.
Increase buffers.
Edit /etc/nginx/nginx.conf
fastcgi_buffers 32 8k;
Now, a lot of web site are going to add SSL for security purpose.
Just like my site here, the SSL Report is as below.
It is A+. The score is great. When I look at it close. There are four parts. Three of them are not 100%.
Can I make it all 100?
I use one test site to do my research and try to make it 100.
OK. Let me show you why and how to do it.
I have a web site, which was powered by Nginx 1.7. The SPDY 3.1 was enabled. Later last week, I upgraded it to Nginx 1.9.7 mainline version.
HTTP/2 already built with Nginx from version 1.9.5. Why not enable HTTP/2?
I just did a very rough test.
1. Pingdom testing tool
SPDY 3.1: Performance Grade 97/100, 18 request, load time 3.17s
HTTP/2: 97/100 18 request, 867ms
2. GTmetrix
SPDY 3.1: Pagespeed score A 98%, YSlow score A 95%, Pageload 1.0s,
HTTP/2: Pagespeed score A 98%, YSlow score A 95%, Pageload time 0.6s
3. Webpagetest
SPDY 3.1: Grade F A A n/a C Check
HTTP/2:
© 2020 David Yin's Blog
Theme by Anders Noren — Up ↑