Category Archives: Linux

Nginx global config

Nginx global config for your sites-enabled in Ubuntu / Debian.

When several vhosts share the same settings, it is better to keep them in one global config file.

Here is an example with the SSL config in Nginx. With one global config, it is harder to forget something.

/etc/nginx/global/ssl.conf

	ssl on; # redundant when the vhost's listen line already has the ssl parameter

	ssl_trusted_certificate /etc/nginx/ssl/ca.pem;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:10m;

	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;

	add_header Strict-Transport-Security max-age=63072000;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	ssl_prefer_server_ciphers on;
	# TLSv1 and TLSv1.1 are deprecated (RFC 8996)
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
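	# Alternatives to the Strict-Transport-Security line above. Enable only one
	# of the three: every active add_header line sends its own header.
	#add_header Strict-Transport-Security max-age=15768000; # six months
	# use this only if all subdomains support HTTPS!
	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";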

/etc/nginx/sites-enabled/www_safematix_com

server {
	listen [2a01:4f8:210:3101::12]:443 ssl spdy;
	listen 443 ssl spdy;
	spdy_headers_comp 5;

	server_name www.safematix.com safematix.com;

	root /srv/www/www_safematix_com/htdocs;
	index index.php index.html index.htm;

	access_log   /srv/www/www_safematix_com/log/www.safematix.com_ssl.access.log;
	error_log    /srv/www/www_safematix_com/log/www.safematix.com_ssl.error.log;

	ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
	ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

	ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;

	set $siteport 9001;

	include global/ssl.conf;
	include global/restrictions.conf;
	include global/wordpress.conf;
	include global/php.conf;
}
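
An added example, not part of the original post: nginx inherits add_header from the enclosing level only when the current level sets no add_header of its own, so a location block in another include can drop the headers set in global/ssl.conf, and repeating a header at one level sends it more than once. This Python check reports both cases for an expanded config; the sample config, its location blocks and the function names are constructed for illustration.

```python
import re

# Constructed sample: one vhost with includes expanded (location contents assumed).
SAMPLE = r'''
server {
    add_header Strict-Transport-Security max-age=63072000;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
    add_header X-Frame-Options DENY;
    location ~ \.php$ {
        add_header Cache-Control no-store;  # replaces the server-level set
    }
    location /static/ { expires 30d; }      # no add_header: inherits all
}
'''

# Comments match outside the group, so findall() yields "" for them.
TOKEN = re.compile(r'''#[^\n]*|("[^"]*"|'[^']*'|[{};]|[^\s{};]+)''')

def parse(conf):
    """Build a tree of blocks, recording the add_header names set in each."""
    root = {"name": "main", "headers": [], "children": []}
    stack, words = [root], []
    for tok in filter(None, TOKEN.findall(conf)):
        if tok not in ("{", "}", ";"):      # ordinary word or quoted string
            words.append(tok)
            continue
        if tok == "{":
            stack.append({"name": " ".join(words), "headers": [], "children": []})
            stack[-2]["children"].append(stack[-1])
        elif tok == "}":
            stack.pop()
        elif words[:1] == ["add_header"] and len(words) > 1:
            stack[-1]["headers"].append(words[1].strip("\"'").lower())
        words = []
    return root

def audit(block, inherited=()):
    """Return (block name, problem, header names) for this block and below."""
    own, found = block["headers"], []
    dupes = sorted({h for h in own if own.count(h) > 1})
    lost = sorted(set(inherited) - set(own)) if own else []
    for problem, names in (("sent more than once", dupes), ("not inherited", lost)):
        if names:
            found.append((block["name"], problem, names))
    for child in block["children"]:
        found += audit(child, own or inherited)
    return found

if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```

The parser does not follow include directives, so feed it the expanded configuration, for example the output of nginx -T.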

Unattended upgrades Ubuntu / Debian

The system can automatically install updates. If you want this, install the unattended-upgrades package. You never miss a security update.

aptitude install unattended-upgrades

Edit the file below, then run the reconfiguration and select yes.

vi /etc/apt/apt.conf.d/50unattended-upgrades
....
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}-security";
	"${distro_id}:${distro_codename}-updates";
	// on Ubuntu, -proposed holds packages that are still being tested
	"${distro_id}:${distro_codename}-proposed";
	"${distro_id}:${distro_codename}-backports";
};
....
dpkg-reconfigure unattended-upgrades

Multiple IPv6 addresses per interface Debian / Ubuntu

To set multiple IPv6 addresses on one interface in Linux, you can use the tool ip.

ip addr add first_ipv6_address dev eth1
ip addr add second_ipv6_address dev eth1

To set this at system boot, configure it in /etc/network/interfaces:

auto eth1
iface eth1 inet6 static
address first_ipv6_address
netmask 128
gateway ipv6_gateway
up ip addr add second_ipv6_address/128 dev eth1
down ip addr del second_ipv6_address/128 dev eth1