
Nginx : Unit nginx.service is masked

I compiled an Nginx server from source to the latest version and added Brotli support, but got the following error message:

$ sudo service nginx status
* nginx.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

$ sudo service nginx restart
Failed to restart nginx.service: Unit nginx.service is masked.

Solution

To fix the error, unmask the unit with this command:

$ sudo systemctl unmask nginx.service


Lots of favicon.ico requests from Mainland China

I check the Nginx error log file regularly. I noticed a lot of attempted accesses to favicon.ico coming from mainland China.

They come from different IP addresses and with different User Agents. Each of these IPs is doing only this, sometimes repeatedly.

They just waste my server's time and CPU. How can I stop them, or reduce their effect on my VPS?
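One way to cut the cost of those requests, as an added example that is not from the original post (the zone name, cache lifetime and rate are my own choices): answer /favicon.ico directly from Nginx, keep the misses out of the error log, and rate-limit a single address that keeps asking. Note that `return` would run before the rate limit is checked, so the location uses `try_files` instead.

```nginx
# http context: one bucket per client address, about two requests a minute,
# 1 MB of shared state (roughly 16k addresses)
limit_req_zone $binary_remote_addr zone=favicon:1m rate=2r/m;

server {
    listen 80;
    server_name example.com;        # assumed hostname
    root /var/www/example.com;      # assumed document root

    location = /favicon.ico {
        # a short burst is allowed, anything beyond it gets 429 without
        # touching the backend or the filesystem
        limit_req zone=favicon burst=3 nodelay;
        limit_req_status 429;

        # a missing favicon is not an error worth logging
        access_log off;
        log_not_found off;

        # let well-behaved browsers cache it for a week
        expires 7d;

        # serve the real file if it exists, otherwise an empty 204;
        # try_files runs after limit_req, unlike "return"
        try_files $uri =204;
    }
}
```

If this server sits behind a reverse proxy, $binary_remote_addr is the proxy's address unless the realip module has been configured, so the limit would then apply to the proxy as a whole.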


How to pass the Real IP Address of client to Nginx Server

I use Nginx as a reverse proxy. Here is the scenario.

The original server is Server A. The reverse proxy is Server B. Web users browse the website through Server B.


The web log of Server A only ever records the IP address of Server B. All users appear to share one remote address, that of Server B.


To pass the client's real IP address to the web server (Server A):

  1. Set up Server B.
    Have Server B add the X-Forwarded-For header to each proxied request; it carries the user's real IP.
  2. Set up Server A.
    Add the following to the Nginx server block:

    set_real_ip_from IP_Address_of_Server_B;
    real_ip_header X-Forwarded-For;
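Both halves of the setup in one place, as an added example that is not from the original post (the hostname and the 10.0.0.x addresses are assumed): Server B appends the connecting address to X-Forwarded-For, and Server A replaces $remote_addr from that header only for requests that actually arrived from Server B.

```nginx
# Server B (reverse proxy): forward the client address to Server A
server {
    listen 443 ssl;
    server_name example.com;               # assumed hostname

    location / {
        proxy_pass http://10.0.0.10;       # assumed address of Server A
        proxy_set_header Host $host;
        # appends the connecting client's address to any X-Forwarded-For
        # the client itself sent, so the rightmost value is always ours
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# Server A (origin): trust the header only when the request comes from B.
# Without set_real_ip_from, anyone who can reach A directly could put an
# arbitrary address into the log and into any IP-based access rule.
server {
    listen 80;
    server_name example.com;

    set_real_ip_from 10.0.0.20;            # assumed address of Server B
    real_ip_header X-Forwarded-For;
    # walk the list from the right and skip every trusted proxy, so the
    # address used is the first untrusted hop even when B sits behind
    # another trusted proxy; add each hop with its own set_real_ip_from
    real_ip_recursive on;

    # $remote_addr and the access log now show the client, not Server B
    access_log /var/log/nginx/access.log;
}
```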



How to use GeoIP database to block a country in Nginx

First I need to make sure my Nginx has the geoip module.

Check it by entering the command below.

nginx -V

My Nginx shows the following.

nginx version: nginx/1.14.1
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-urYIzg/nginx-1.14.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-echo --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-subs-filter

I found --with-http_geoip_module=dynamic.

Cool, I have the geoip module with my Nginx installation.

Second, I need the GeoIP country database.

Here is the official site to download the database.

I use the commands in my terminal window.

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

gunzip GeoIP.dat.gz

sudo mkdir -p /etc/nginx/geoip

sudo cp GeoIP.dat /etc/nginx/geoip
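With the module and the database in place, the blocking itself looks like the config below, an added example that is not from the original post. The module path comes from the --modules-path in the nginx -V output above; the hostname and the choice of CN as the blocked country are assumed. MaxMind has since discontinued the free legacy GeoIP.dat downloads, so the database file has to come from a current source.

```nginx
# nginx.conf, main context: load the module that was built as "dynamic"
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;

http {
    # legacy MaxMind country database copied to /etc/nginx/geoip
    geoip_country /etc/nginx/geoip/GeoIP.dat;

    # the lookup uses $remote_addr; behind a reverse proxy, name the proxy
    # here so the module reads X-Forwarded-For for requests from it
    # geoip_proxy 10.0.0.20;

    # $geoip_country_code is the ISO 3166-1 alpha-2 code, empty if unknown
    map $geoip_country_code $blocked_country {
        default 0;
        CN      1;   # example: the country to block
    }

    # log the country next to the address to confirm the lookup works
    log_format geo '$remote_addr [$geoip_country_code] "$request" $status';

    server {
        listen 80;
        server_name example.com;   # assumed
        access_log /var/log/nginx/geo.log geo;

        # 444 closes the connection without sending a response
        if ($blocked_country) {
            return 444;
        }
    }
}
```

Watch the geo.log for a few minutes before enabling the return: requests with an empty country code (addresses missing from the database) fall into the default branch and are never blocked.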


How to get a perfect SSL Labs score

It is easy to get an A+ for your website. It is a little harder to get all four parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, to 100%.

Most of the time I got an A+ rating for my site, but in the individual scores the last two were 90%.

Let me break it down.

Certificate

It is pretty easy to get 100% here.

  • Make sure your certificate, the intermediate certificate and the CA are in the correct order.
  • Don't use SHA1 for the signature algorithm. Use SHA256 instead. All major CAs use SHA256 now.
  • Use a trusted CA. Do not use WoSign or StartCom.

Protocol Support

  • SSL 2.0 0%
  • SSL 3.0 80%
  • TLS 1.0 90%
  • TLS 1.1 95%
  • TLS 1.2 100%

So it is best to just use TLS 1.2.


Key Exchange

Generate strong DHE (Ephemeral Diffie-Hellman) parameters:

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

That alone is not enough. Add the following to the Nginx settings:

ssl_ecdh_curve secp384r1;

Cipher Strength

  • 0 bits (no encryption) 0%
  • < 128 bits (e.g., 40, 56) 20%
  • < 256 bits (e.g., 128, 168) 80%
  • >= 256 bits (e.g., 256) 100%

So I use only 256-bit cipher suites.


Here is a test site I tried today, 2018-08-11. It got an A+ with four 100% scores.

Here is the most important part of the Nginx config file, all put together.

ssl_certificate /etc/nginx/ssl/whovpn.com/fullchain;
ssl_certificate_key /etc/nginx/ssl/whovpn.com/key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# the 4096-bit DHE parameters generated with openssl dhparam above
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
# 256-bit, forward-secret suites only. These are all ECDHE-ECDSA suites,
# so the certificate must have an ECDSA key; an RSA certificate will not
# negotiate any of them.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_prefer_server_ciphers on;

# 384-bit curve for the ECDHE key exchange
ssl_ecdh_curve secp384r1;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/whovpn.com/fullchain;

# resolver used to look up the OCSP responder
resolver 8.8.8.8;

php-fpm can not use html as php

I have a site that uses nginx as the web server and php-fpm as the PHP interpreter. Most of the files use the html extension.

My nginx conf file has following section.

# the extensions are grouped: "\.html|php$" would match ".html" anywhere in
# the URI, or any URI that merely ends in "php"
location ~ \.(html|php)$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

But when I enter a URL such as https://example.com/sample.html, whose content is a PHP script, it does not work.

The solution is to change the php-fpm configuration.

SSH to the VPS.
Edit /etc/php/7.1/fpm/pool.d/www.conf
Find security.limit_extensions, uncomment it, and add .html at the end.

security.limit_extensions = .php .php3 .php4 .php5 .php7 .html

After that, reload nginx, and it is all done.
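The same location in a slightly more defensive form, as an added example that is not from the original post (socket path and pool file are the ones named above): a missing file is answered by nginx with 404 instead of being handed to php-fpm, and the pool setting that makes .html executable is kept next to the nginx side so the two stay in step.

```nginx
location ~ \.(html|php)$ {
    # only pass php-fpm a file that exists under the document root; a URI
    # for a file that is not there gets a 404 from nginx and never reaches PHP
    try_files $uri =404;

    # the location regex is anchored at the extension, so there is no
    # trailing path info to split off here
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

# php-fpm side, /etc/php/7.1/fpm/pool.d/www.conf (shown here as a comment):
#   security.limit_extensions = .php .php3 .php4 .php5 .php7 .html
# This list is php-fpm's own guard against executing files with unexpected
# extensions. Add only extensions that really hold PHP code, and reload
# php-fpm itself (not only nginx) for a pool change to take effect.
```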

Change directives of Nginx

My new server uses Nginx as the web server. When I checked its error log, I saw a lot of warnings.

2016/08/27 07:30:03 [warn] 11951#11951: *590544 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/3/28/0000008283 while reading upstream, client: 107.174.247.88, server: www.phpbbchinese.com, request: "GET /download/file.php?id=109 HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "www.phpbbchinese.com"

I searched and found some posts about this kind of warning. Let me record it here and see what happens later.

Increase buffers.

Edit /etc/nginx/nginx.conf

fastcgi_buffers 32 8k;
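The buffer directives that decide when that warning appears, as an added example that is not from the original post (the temp path and its two-level layout match the file named in the warning; the sizes are my own choices): raising them trades memory per connection for fewer spills to disk, so they should be sized for the typical response rather than the largest download.

```nginx
# http or server context

# buffer for the first part of the reply (status line and headers)
fastcgi_buffer_size 16k;

# 32 buffers of 8k = 256k per connection for the body; with the buffer
# above that is up to 272k of RAM for every active FastCGI request
fastcgi_buffers 32 8k;

# how much may be in flight to the client while nginx is still reading
# from php-fpm; must be at least one buffer and below the total minus one
fastcgi_busy_buffers_size 32k;

# once the buffers are full the rest goes here, which is what the warning
# reports; "1 2" gives the /3/28/ subdirectory layout seen in the log line
fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;

# cap on the spill file per request; 0 disables disk buffering altogether,
# after which the body is passed on synchronously as php-fpm produces it
fastcgi_max_temp_file_size 64m;
```

A large file download like /download/file.php?id=109 will always exceed a sane buffer size; the warning is expected for such requests, and a hard cap on the temp file matters more than making it disappear.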


How to make the SSL site 100 in all four fields of SSLLAB Server Test

Now a lot of websites are adding SSL for security.

Just like my site here; the SSL Report is below.


It is A+. The score is great. But when I look at it closely, there are four parts and three of them are not 100%.

Can I make them all 100?

I used a test site for my research and tried to make it 100.

OK. Let me show you why and how to do it.


HTTP/2 vs SPDY 3.1

I have a website that was powered by Nginx 1.7 with SPDY 3.1 enabled. Late last week, I upgraded it to the Nginx 1.9.7 mainline version.

HTTP/2 has been built into Nginx since version 1.9.5, so why not enable HTTP/2?

I just did a very rough test.


1. Pingdom testing tool

SPDY 3.1: Performance Grade 97/100, 18 requests, load time 3.17s

HTTP/2: Performance Grade 97/100, 18 requests, load time 867ms


2. GTmetrix

SPDY 3.1: Pagespeed score A 98%, YSlow score A 95%, Pageload time 1.0s

HTTP/2: Pagespeed score A 98%, YSlow score A 95%, Pageload time 0.6s

3. Webpagetest

SPDY 3.1: Grade F A A n/a C Check

HTTP/2:


